General Privacy Notice
Important information and who we are
The purpose of this privacy notice is to give you information on how St John the Evangelist church collects and processes your data, including any data you provide when you interact with us in person, online, orally or in writing. This notice applies to both adults and children. The appendices provide further information specific to children, volunteers, employees, and those in various roles.
Your duty to inform us of change
It is important that the personal data we hold on you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
The data controller – who we are
This privacy notice is provided by the Parochial Church Council (PCC) of St John the Evangelist, Blackheath, which serves as the data controller for your personal data. The notice is based on standard wording set out by the Church of England.
The Church of England consists of various organisations and officeholders working together to carry out the church’s mission. The PCC of St John the Evangelist, Blackheath, collaborates with:
- The incumbent of the parish, as listed under the Diocese of Southwark;
- The bishops of the Diocese of Southwark;
- The Southwark Diocesan Board of Finance, responsible for financial and administrative matters within the diocese.
Since the Church is made up of these persons and organisations working together, we may need to share personal data with them so they can fulfil their responsibilities to the Church and our community. These organisations are joint data controllers, meaning they are all responsible for processing your data. This privacy notice applies to the PCC and the other data controllers listed above. In this notice, “we” refers to each data controller, as appropriate.
1. The data we collect about you
“Personal data” refers to any information about a living individual that enables them to be identified, such as a name, photographs, videos, email address, or postal address. This identification can occur either through this information alone or in combination with other information. The processing of personal data is governed by the Data Protection Act 2018 and other relevant legislation, including the Human Rights Act 1998.
We may process some, or all, of the following information where necessary to fulfil our tasks:
- Identity Data includes first name, maiden name, last name, username (or similar identifier), marital status, title, date of birth, gender, photograph, video footage, and any other biographical information you may provide us.
- Contact Data includes billing address, delivery address, email address and telephone numbers.
- Financial Data includes bank account and payment card details.
- Transaction Data includes details about payments to and from you and other details of events, products or services you have purchased from us or gifts you have donated to us.
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
- Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
- Usage Data includes information about how you use our website, events, and services.
- Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
Some of this information may be considered to come within the definition of Special Categories of Personal Data. Special Categories of Personal Data includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. By completing our consent form, you are consenting to the collection and processing of your special category personal data.
If you fail to provide personal data
Where we need the personal data to perform our contract with you, and you fail to provide that data when requested, we may not be able to perform the contract we are trying to enter into.
2. How we collect your data
We use different methods to collect data from and about you which include:
- Direct interactions: You may give us your Identity, Contact and Financial Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
o participate in the life of the church through one of our services, groups, or activities;
o are photographed or filmed during our services or events;
o apply to volunteer with us;
o undertake a DBS check, at our request, before volunteering with us;
o donate online, via the card machine or completing a giving envelope;
o create an account on our website;
o register for an event or course;
o subscribe to our services or publications;
o request information to be sent to you;
o respond to a survey or give us feedback.
- Automated technologies or interactions: As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs, and other similar technologies. Please see our Cookie Policy for further details.
3. How we use your personal data
As a church, we hold records of the people in our congregation, volunteers, guests, and service users. We use this information to coordinate church activities and keep you informed of things happening in the life of the church. We also collect and use information about our suppliers, contractors, Church of England Diocesan staff and personnel working for relevant public bodies. We use this information to manage and administer the church and to carry out our charitable purposes.
We will only use your data where the law allows us to. We will comply with legal obligations to keep your personal data up to date, secure, and only retain it for as long as necessary. We use your data for the following purposes:
- Fulfilling legal and statutory obligations (e.g., maintaining the electoral roll);
- Conducting safeguarding procedures;
- Administering parish, deanery, archdeaconry, and diocesan membership records;
- Providing pastoral and spiritual care, including performing ecclesiastical services such as baptisms, weddings, and funerals;
- Delivering the church’s mission to our community and carrying out charitable activities;
- Maintaining our accounts and records;
- Processing donations (including Gift Aid information), legacies and pledges;
- Notifying you of changes to our services, events, and personnel;
- Managing communication preferences;
- Inviting you to courses or events and enabling event participation;
- Seeking your views or comments;
- Fundraising and promoting the interests of the church and related charities;
- Developing case studies and reports tracking progress on our church mission;
- Recruiting and supporting volunteers; recruiting, employing and managing members of staff.
Legal Basis for Processing Your Personal Data
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. These include:
Consent: your consent, freely given. You have the right to withdraw consent at any time by clicking on an unsubscribe link in one of our emails to you or by emailing yourdata@stjohnsblackheath.org.uk.
Legitimate Interests: The church may process personal data based on legitimate interests, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Legal Obligations: The church may process data to comply with legal obligations, such as safeguarding requirements, maintaining records of baptisms and confirmations, or complying with statutory reporting duties.
Vital Interests: In situations where processing is necessary to save someone’s life.
Please email yourdata@stjohnsblackheath.org.uk if you need details about the specific legal ground that we are relying on to process your personal data.
Mailing list preferences
We strive to provide you with choices regarding certain personal data uses, particularly around mailing lists and advertising. You will receive communications from us if you have requested information from us, attended an event or course with us and, in each case, you have not opted out of receiving such information. You can ask us to stop sending you marketing messages by emailing yourdata@stjohnsblackheath.org.uk at any time.
4. Sharing Your Personal Data
Your personal data will be treated as strictly confidential and only shared with third parties where necessary for performing our tasks or where you have given prior consent. We may need to share your data with:
• The appropriate bodies within the Church of England and Diocese, including other data controllers;
• Our agents and contractors;
• Other clergy or laypersons licensed by the bishops of the Diocese of Southwark;
• On occasion, other churches or para-church organisations with whom we conduct joint events or activities;
• Third party data management systems (e.g. Churchsuite).
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
5. Transfer of Data Abroad
Any electronic personal data transferred outside the UK will only be placed on systems with equivalent protection for personal rights. Our website and social media are accessible from overseas, so some personal data (e.g., in newsletters) may be accessed internationally.
6. Data Security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered or disclosed.
We have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
7. Data Retention
How Long Do We Keep Your Personal Data?
We will keep your data only as long as necessary to fulfil the purposes we collected it for, following the Church of England’s policies and any legal requirements. Data will be deleted when it is no longer needed.
8. Your Rights and Your Personal Data
You have rights under data protection laws regarding your personal data. You can:
- Request access to your personal data.
- Request correction of your personal data.
- Request erasure of information.
- Object to processing of your personal data.
- Request restriction of processing personal data.
- Request transfer of your personal data.
- Right to withdraw consent where data processing is based on your consent.
If you wish to exercise any of the rights above, please email us at: yourdata@stjohnsblackheath.org.uk
- Right to lodge a complaint: You can lodge a complaint with the Information Commissioner’s Office: https://ico.org.uk/global/contact-us/
Making a Subject Access Request
A Subject Access Request (SAR) in the UK is your legal right to ask the church for a copy of the personal information they hold about you, or your child, including why they have it and who they share it with. You can make a SAR verbally, by email or in writing and we will respond promptly.
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We will inform you whether we can comply with your request or whether we have legitimate grounds to continue processing your data, for example by explaining why data cannot be deleted.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally, it may take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.
Email: yourdata@stjohnsblackheath.org.uk
Write to: Churchwardens, St. John the Evangelist Church, Stratheden Road, Blackheath, SE3 7TH
Change of purpose
If we wish to use your personal data for a new purpose not covered by this notice, we will provide a new notice explaining the new use and seek your consent where necessary. If you wish to have an explanation of how the processing for the new purpose is compatible with the original purpose, please email us at yourdata@stjohnsblackheath.org.uk
9. Contact Details
If you have questions about this privacy notice or the data we hold on you or your child, or to exercise your rights or the rights of your children, please contact: yourdata@stjohnsblackheath.org.uk
The Churchwardens
St John the Evangelist, Stratheden Road, Blackheath, London, SE3 0RW.
NOTE: the church uses database software to manage personal data. You can find more information here:
• https://churchsuite.com/privacy-notice/
• https://churchsuite.com/terms-of-service-third-party-sub-processors/
Appendix A: Photography and images
This information supplements and must be read together with the General Privacy Notice of St John the Evangelist, Blackheath (the “Church”).
1. Introduction
The church is committed to protecting your privacy and ensuring that your personal data is handled in a safe and responsible manner. This appendix outlines how we collect, use, and protect personal data in relation to filming and photography activities. This privacy notice applies to all events and activities organised by the church where filming and photography may take place.
2. Legal Framework
We comply with the retained EU law version of the General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We use the following lawful bases for capturing images and footage at our events.
Consent: When you provide us with personal data, this includes images and video (see Section 1).
Legitimate Interest: We will provide clear information on prominently displayed notices where we intend to capture footage or images. Whenever it is possible to do so, we will provide “no film zones” where you can enjoy our events without being captured. Your presence in those areas is taken as your consent.
3. Our Use of Images and Filming
Purpose: Images will only be used for promotional, fundraising, marketing, and our general charitable purposes, unless otherwise specified at the time within We live stream and record services and share photos and videos of our activities on social media and on the website.
Please note: Live video streaming does not take place during those moments of our worship where, in order to take full part, the congregation as a whole is required to enter the filming zone, for example when taking communion. Both the live stream and the subsequent footage are covered by a holding screen for those worshipping remotely.
Storage: Images will be stored securely and only be accessible to authorised personnel.
Duration: Images will be retained for as long as necessary to fulfil the purposes we collected them for, after which they may be retained for archival purposes. Further details are available within this document.
4. Your Rights
Your rights to access images we hold are the same as for any other personal data (see section 8 of the General Privacy Notice).
This means that you can request a copy of the images we hold, request corrections to any inaccurate or incomplete data, request the deletion of your images at any time, or object to the processing of your images for specific purposes.
Where consent has previously been given, you can withdraw the consent and we will stop using your images within future projects, but owing to the nature of the internet and social media it may not always be possible to remove existing materials.
If you wish to exercise any of the rights set out above, please email yourdata@stjohnsblackheath.org.uk
5. Children and consent to images and filming
Parents of children under 13 complete a consent form regarding the capture and use of images of their children in publications, the church website and internal noticeboards. This includes options to consent to the internal or external sharing of a child’s image.
As a matter of best practice, young people over the age of 13 but not yet adult can give their own consent through a straightforward and accessible process.
If you or your child would like to exercise your right (section 8) by asking us to delete any images or footage we are using containing your child, please email yourdata@stjohnsblackheath.org.uk.
Appendix B: Privacy Policy Relating to Children
This information supplements and must be read together with the General Privacy Notice of St John the Evangelist, Blackheath (the “Church”).
The Data Protection Act 2018 (DPA 2018) places a high level of responsibility on organisations to protect the personal data of individuals, including children. This is particularly important at St John the Evangelist, where children’s data may be processed for various activities such as Sunday School, youth groups, baptisms, confirmations, and other religious or community events.
Legal Basis for Processing Children’s Data
Under DPA 2018, processing children’s personal data must be lawful, fair, and transparent. The most relevant legal bases for processing children’s data in a church setting include:
1. Consent: For children under the age of 13, consent must be obtained from the parent or guardian. For children aged 13 and over, they can provide their own consent, but it should be clear, informed, and specific to the activity in question.
2. Legitimate Interests: The church may process children’s data based on legitimate interests, provided it does not override the rights and freedoms of the child. This includes activities like managing church records, organizing events, and providing pastoral care.
3. Legal Obligations: The church may process data to comply with legal obligations, such as safeguarding requirements, maintaining records of baptisms and confirmations, or complying with statutory reporting duties.
4. Vital Interests: In situations where processing is necessary to protect the vital interests of a child, such as in emergencies, data may be processed without consent.
What Data Is Collected?
The Church may collect and process various types of personal data related to children, including but not limited to:
• Personal Identifiers: Name, date of birth, gender, and photographs.
• Contact Information: Address, phone number, and email (where appropriate).
• Religious Information: Details related to baptisms, confirmations, Sunday School attendance, and other religious activities.
• Health Information: Medical conditions, allergies, or other relevant health information necessary for the child’s care during church activities.
• Parental or Guardian Information: Contact details and consent records.
How Is Children’s Data Used?
Children’s data is used in the church environment to:
• Administer and organise religious ceremonies such as baptisms, confirmations, and first communions.
• Provide pastoral care and support tailored to the child’s spiritual development.
• Communicate with parents or guardians about events, activities, or changes to church services that affect their children.
• Safeguard the welfare of children during church events and activities.
• Maintain accurate church records for legal and historical purposes.
Sharing Children’s Data
Children’s personal data will be treated as strictly confidential and will only be shared with specific parties under certain conditions:
• Within the Church: Data may be shared with clergy, Sunday School leaders, youth group coordinators, and other relevant church officers who need the information to carry out their roles.
• Third Parties: Data may be shared with third-party service providers who assist with church activities (e.g., event organisers, safeguarding advisors), but only where it is necessary and where appropriate safeguards are in place.
• Legal Requirements: Data may be shared with statutory bodies or agencies in compliance with legal obligations, particularly in safeguarding contexts.
Safeguarding and Data Security
The Church places a strong emphasis on safeguarding children. Appropriate technical and organisational measures are in place to ensure that children’s personal data is protected against unauthorized access, loss, or misuse. These measures include:
• Access Controls: Limiting access to children’s data to authorized personnel only.
• Data Minimization: Collecting only the necessary data required for the specific purpose.
• Secure Storage: Storing physical and electronic data securely, with encryption used where appropriate.
• Training: Providing data protection and safeguarding training to staff and volunteers who handle children’s data.
Parental Rights and Children’s Rights
Under DPA 2018, both parents (or guardians) and children have rights regarding their personal data. These rights are the same as those for adults (see above section 8).
Retention of Data
Children’s data will be retained only for as long as necessary to fulfil the purposes for which it was collected, in accordance with the Church of England guidelines and statutory requirements. For example:
• Sacramental Records: Information relating to baptisms and confirmations may be retained indefinitely for historical and ecclesiastical purposes.
• Event Registration: Data collected for specific events (e.g., holiday clubs) will be deleted once the event and any related follow-up activities are completed unless there is a legal reason to retain it longer.
• Attendance register data: for safeguarding reasons
Appendix C: Privacy Notice relating to Volunteers, Role Holders and Employees
This information supplements and must be read together with the General Privacy Notice of St John the Evangelist, Blackheath (the “Church”).
As a trustee including a member of the PCC, church warden, PCC secretary and deanery synod representative:
• Your contact details will be processed to enable registration and update of the Diocesan directory and/or with the Charity Commission, which is processing under the lawful bases of legal obligation and legitimate interests.
• We may collect and process data relating to your ability and suitability regarding the trustee role as part of our due diligence, which is processing under the lawful basis of legitimate interests.
As a person requiring a Disclosure and Barring Service (DBS) check due to working with children or vulnerable adults:
• Your contact details and any other relevant documents as required for a DBS check will be processed under the lawful bases of legitimate interests and processing necessary for the safeguarding of children and of individuals at risk.
As a volunteer, if you sign up on a rota, your contact information may be shared with others on the list to enable volunteers to swap duties, which is processing under the lawful basis of legitimate interests.
As a paid employee or contractor working on behalf of the PCC:
• We will process your data under lawful bases of legitimate interest, contractual and legal obligations for legal, personnel, administrative and management purposes. Where we process sensitive personal data, we may rely on a number of lawful bases, including (but not limited to) your consent, or processing necessary for the purposes of exercising or performing any right or obligation relating to your employment.
• We may process sensitive personal data including, as appropriate:
o information about your physical or mental health or condition in order to monitor sick leave and take decisions as to your fitness for work;
o your racial or ethnic origin or religious or similar information to monitor compliance with equal opportunities legislation;
o information to comply with legal requirements and obligations to third parties.
• We will process data relating to your work, performance, ability, and suitability for the role.
• We will process your financial information and other employment related information.
Appendix D: Privacy Notice relating to other users of the building
This information supplements and must be read together with the General Privacy Notice of St John the Evangelist, Blackheath (the “Church”). As a user of a church building:
Where you are enquiring about or using our buildings, we will process your contact information and payment information under the lawful bases of legitimate interest, or, in cases where you hire our facilities, contractual necessity.