Data Protection (GDPR)
ARCHDEACONRY OF NORTH WEST EUROPE
SYNOD
EXECUTIVE COMMITTEE FOR
THE ANGLICAN CHURCHES IN THE NETHERLANDS
RULES FOR THE PROCESSING AND PROTECTION OF PERSONAL DATA CONCERNING PERSONS ON THE ELECTORAL ROLL AND OTHER ADMINISTRATIVE RECORDS
The Archdeaconry of North-West Europe is one of six Archdeaconries in the Diocese in Europe of the Church of England. It is the body into which the local Anglican churches are united. In accordance with Netherlands law, it is registered in the Handelsregister (Company Register) with the Kamer van Koophandel (Chamber of Commerce) Midden Nederland insofar as it is geographically situated on Netherlands territory. It is also registered under the name of Anglicaanse Kerk in Nederland.
The first and supreme mission of the worldwide Christian Church is to proclaim Jesus Christ as the embodiment of God’s love. This mission is carried out through a number of activities requiring, in turn, an organisation, clergy and other ministers and lay workers, both paid and unpaid, and other volunteers. The Archdeaconry is a subdivision of the organised Church, the Church of England, an organised community of Christian people. An important function of the Church is to shape, build up and maintain community life, found largely in the local churches referred to above.
Organisation and administration of the life of the church community require the processing of personal data, including special categories of (sensitive) personal data concerning religious beliefs, of persons associated with that church community.
Introduction of the General Data Protection Regulation has caused the church to be aware of the risk of breaches of the privacy of persons associated with the church, and of the need for proper measures to be taken in order to limit such risk as much as possible.
In order for the processing of personal data to be carried out according to the requirements of the law, and to limit as much as possible the risk of breach of privacy, the following rules are deemed necessary in processing personal data of persons associated with the church:
Article 1 Definitions
Terms
What they are deemed to mean for the purpose of these Rules
Article
Article of these present Rules
Associated person
Natural person who has entered upon an association with the church, either through canonical membership or through personal interest
Autoriteit Persoons- gegevens
Personal Data Protection Authority/Regulator chaplaincy local church, formally constituted body, including congregations and church plants
Chaplaincy registers
Registers held by the chaplaincy, containing particulars of the administration of sacraments or other sacred acts to associated persons
Church
The Archdeaconry of North-West Europe, or any local church forming part of it, as the case may be, all insofar as they are situate within the borders of The Netherlands
Church
Church of England
Controller
Person or body of persons responsible for processing personal data
Data protection coordinator
Person appointed by the controller, charged with protecting data security and oversight of records holding personal data as well as the coordination of communication between subjects and controller
Data leak
Breach of protection of personal data, exposing such data to loss or unlawful processing
GDPR (AVG)
General Data Protection Regulation (Algemene Verordening Gegevensbescherming)
Holder of parental responsibility
Person exercising parental responsibility over a minor
Personal data
Any data referring to an identified or identifiable natural person
Processing of personal data
Any action or any whole of actions relative to personal data, including in any case collecting, recording, ordering, keeping, correcting, amending, claiming, consulting, using, forwarding,transmitting, distributing or any other form of making available, amalgamating, matching, as also masking, erasing or destroying of personal data
Record
Structured body of personal data of people associated with the church, relative to the objectives as stated in Article 2
Rules
These present Rules for Processing and Protection of Personal Data concerning Persons on the Electoral Roll and other administrative records
Special categories of personal data
Personal data concerning a person’s religion or philosophical beliefs, race, political standpoints, health, sexual life, and personal information concerning the causing of nuisance and unlawful behaviour relative to any injunction resulting from such behaviour, and also personal data regarding trade union membership. These present rules serve as a basis for the processing of the special category of personal data concerning religious beliefs, exclusively
Subject
Data subject; person whose personal data have been or are being recorded or otherwise processed by or on behalf of the church
Third party
Person not associated or not in a canonical relation with the church, or entity outside the structures of the Church of England
UAVG
Uitvoeringswet Algemene Verordening Gegevensbescherming (GDPR Implementation Act)
Article 2 Objectives of processing personal data by the church
The canon law and statutes of the Church state and imply its objective of shaping the church life of the associated persons. Church life is particularly expressed in the chaplaincies. An important part of this church life is found in building and maintaining of a community of believers. Such community building and the administration and organisation of church life require the processing by the church of personal data, including the special category of data about the religious life, of associated persons.
Article 3 Applicability
These rules are applicable to any form of processing of personal data of associated persons by the church, irrespective of whether this be the local churches or the body in which they are united. The Rules apply to digitally processed data and (type)written records alike.
Article 4 Responsibilities of the controller
The controller as the responsible person or body shall attend to the following: – that no more personal data are recorded or otherwise processed than are strictly necessary to the attainment of the objective as stated in Article 2; – that associated persons are accurately and completely informed about the object and the nature of the data processed by the church, about the identity of the controller, and about the rights which are exercisable by them concerning the processing of their data;
– that precautions are taken to improve correctness and completeness of the personal data recorded; – that sufficient precautions are taken to provide for the secure keeping and processing of personal data; during the period that these Rules will be in force the controller shall identify the risks to the privacy of associated persons through lacking or failing protection of personal data, and will take proper precautions thereto; the controller will publicise those precautions in a separate plan appended to these Rules; (Appendix 1 – reserved) – that a data leak involving considerable risk of serious and damaging consequences for the protection of the privacy of associated persons is immediately reported to the Autoriteit Persoonsgegevens, in accordance with the provisions of the GDPR; – that of the processing of personal data according to these Rules a log is kept, in accordance with the GDPR.
Article 5 Basis for processing of data and exemption from the ban on processing of data concerning religion
- The basis for the processing of personal data by the church is found in the justifiable interest of the church in such processing. The justifiable interest in the stated and implied objective of the church to make possible and facilitate the church life of associated persons. An essential part of this is the shaping and building of a community. Conditional upon such community building is that persons associated with the church should be known. Beside this, the shaping of church life requires a certain measure of organisation and administration of the church. This, likewise, is conditional upon processing a certain amount of personal data of associated persons.
- The controller comes to the conclusion that the justifiable interest of the church, as stated in paragraph 1, outweighs the interests of the privacy of associated persons , on the basis of the following arguments: – associated persons have made a free choice in electing to be associated with the church. Thereby they express the wish to be part of a faith community. Before making this decision they are fully informed about the processing of their data, neccessitated by their association; – the church records only such data of associated persons wich are deemed necessary for the objective as stated in Article 2; – the data of associated persons are removed immediately upon their notification of terminating their association with the church. The church makes sure that the manner of terminating their association with the church is made sufficiently known; – access to the data on record is regulated by means of authorisations, as stipulated in Article 8 of these Rules; – data recorded by the church shall not be disclosed to third parties, unless subjects have freely and on the basis of sufficient information unambiguously, clearly and distinguishably consented thereto.
- The processing of the special category of personal data relating to religion is based on an exemption from the ban as defined in article 9 GDPR. No such special personal data shall be processed except on condition that such data shall not be disclosed to third parties except on the basis of explicit , clear and distinguishable consent by the subject, in accordance with the provisions of Article 9 of these Rules.
Article 6 Informing subjects about the processing of their personal data
- The controller is attentive to informing subjects of the following: content and nature of the recorded data, the objectives thereof, the rights which are exercisable by them over such data, as well as the identity of the controller. Likewise, subjects are informed that processing of their personal data will be terminated immediately upon their notification of ending their association with the church, and that their data will not be disclosed to third parties without their unambiguous, clear and distinguishable consent thereto.
- Informing as stated in paragraph 1 is done: – prior to joining or registration as an associated person; – on the occasion of baptism; – in the case of associated persons who have been so registered by the holders of parental responsibility over them, on completion of their 16th year.
- Informing associated persons whose data are being processed on the date of coming into force of these Rules is effected by a personal (digital) letter addressed to each associated person individually. In the case of such letters being addressed to associated persons not having attained the age of 16 years they are sent to the holders of parental responsibility over them.
Article 7 Personal data included on record
No more personal data of associated persons shall be included than are required for the objectives as stated in Article 2. These data may include, at the least: – Christian and family names, address and place of residence including postal code, date and place of birth, e-mail address, telephone number, marital or civil status, name of spouse or registered civil partner (if also associated with the church), bank account number; – codes for degree of participation and for circulation of church magazine; – dates of administration of sacraments; – duties, offices and memberships within the local church or at any level within the Church, with dates of commencement and termination.
Article 8 Access to personal data on record
The controller accords authorisations to officers for access to personal data on record. The following points shall be observed: – granting an authorisation to an officer is based upon a need-to-know, considering the tasking of that officer; – the controller will appoint one officer, with one deputy, to have write-access concerning all personal data on record; – access – as opposed to write-access – to the personal data on record is granted to up to three officers, with a minimum of one;
– authorised officers of a church may make data of associated persons available to members of the governing body of that church. It is for that body to decide whether data should be disclosed and, if so, to which persons within that particular church, taking into account of their tasks and duties. Under no circumstances will there be disclosure to all associated persons of all subjects en bloc, e.g. in the form of a membership guide or address list.
Article 9 Disclosure or transmission to third parties of personal data from the records
- No personal data from a record shall be disclosed or transmitted to third parties, except where the law is binding on the controller to do so.
- Should the controller be of the opinion that by way of exception disclosure or transmission of personal data ought to be considered, not being under any legal obligation to do so, he shall first obtain the unambiguous , clear and distinguishable consent of the subject concerned.
- The controller shall not request consent as referred to in paragraph 2 until after he has fully informed the subject concerning nature and content of the data to be so disclosed or transmitted, the aim of the disclosure or transmission, and the identity of the recipient. The controller shall also advise the subject of his right at all times to withdraw his consent by way of notification by telephone, by electronic message or in writing.
- The controller shall log the consent received, as well as a withdrawal thereof, on the record.
Article 10 Removal of data from the record
- Personal data on a record shall be removed immediately upon receiving notification by a subject of termination of the association of that subject with the church. Such removal may be postponed if obligations of a financial nature or otherwise between the subject and the church so require.
- In case of the death of associated persons their data shall be removed at the end of the year of their death. If the deceased at the time of death was married to or had entered upon a civil registered partnership with another associated member, such data shall be removed at the end of the year in which the death occurs of that surviving spouse or partner.
Article 11 Supplying data for purposes of policy and research
The controller may decide to supply data from the records for purposes of policy and research to third parties charged with such policy or research, but only insofar as this policy or research is related to the objectives as defined in Article 2. The controller gives due heed to the requirement that such data have been so edited that they may no longer be used to identify individual persons.
Article 12 Rights of subjects
- With regard to data pertaining to subjects which are being processed by the church such subjects may exercise the rights as defined in articles 15 (inspection and information), 16 (correction), 17 (erasure), 18 (restriction) and 19 (complaint). For the exercise of these rights the subject shall communicate in writing with the controller.
- The controller shall without delay, but no later than one month after receipt of the request, advise the subject of the effect given to the request. In the case of the controller refusing to comply with the request, he shall without delay, but no later than one month after receipt of the request, advise the subject of his decision to refuse. He shall also advise the subject of the possibility to lodge a complaint with the Autoriteit Persoonsgegevens, or to appeal to the court having jurisdiction in the matter.
Article 13 The position of subjects under the age of 16
Rights exercisable by subjects based on GDPR,UAGV and these Rules are exercised by the holders of parental responsibility in the case of subjects under 16 years of age.
Article 14 Secrecy
Anyone taking cognizance of personal data on the basis of this regulation is under an obligation to preserve the secrecy of such data, except where the law or these Rules require that personal data be disclosed or transmitted.
Article 15 Specific stipulations regarding church registers
- The chaplain of the chaplaincy, or, in the absence of a chaplain, such other priest as shall hold the Bishop’s charge or permission to carry out the functions and ministrations of a chaplain, keeps record of the administration of sacraments and other recordable ministrations to persons associated with the church in the chaplaincy registers.
- These Rules are applicable to the processing of personal data for such registers, except where the provisions of this Article allow for derogation from these Rules.
- Access to the chaplaincy registers is the exclusive privilege of the Bishop; the person who holds the Bishop’s commission to oversee the archdeaconry; the chaplain, or, in the absence of a chaplain, such other priest as shall hold the Bishop’s charge or permission to carry out the functions and ministrations of a chaplain; any assistant-chaplain; and the secretary of the church council of the chaplaincy.
- In view of the provisions of article 17, paragraph 3 sub d GDPR – the provisions of Article 10 regarding the removal of personal data are not applicable to personal data recorded in the chaplaincy registers. There are two main reasons for this non-applicability. The first reason is that the registers contain a record of factual actions and situations which, with the personal data recorded therein, are significant to the history of the chaplaincy, the church and the Church of England. The second reason for this non-applicability lies in the facts that have been recorded in the said registers are sacraments or sacred actions. The sacraments and sacred actions as understood in these Rules are of an indelible and unrepeatable nature, or at the least of such importance to those whom they concern, and also the church and – indeed – the wider Church, that they need to be kept on record, notwithstanding the wish of any person to have them removed; – a request for removal of personal data from the said registers under the provisions of Article 12 shall be refused, with a view on the significance of the sacraments and actions recorded therein with the personal data for the life of the chaplaincy, the church, and the wider Church, and also for their significance for the history of the chaplaincy, the diocese or the Church, or research into such history.
Article 16 Concluding provision
- These Rules will be deemed to be in force as from 25th May, 2018 for an indefinite period.
- The controller has authority to vary or rescind these Rules.
- These Rules may be cited as the ‘Rules for Processing and Protection of Personal Data 2018’.
Utrecht, 6th June, 2018
Acknowledgement: These rules are largely structured and based on the ‘Privacyregeling persoonsgegevens (gast)ledenvan de Oud-Katholieke Kerk van Nederland’ of the Old-Catholic Church of The Netherland