
May 25, 2020


dariahiddleston

Frequently Asked Questions about the General Data Protection Regulation (GDPR) (April 2018)

Privacy Notice and Consent

Introduction

The GDPR comes into force on 25/5/2018. It sets out how data controllers such as PCCs and incumbents should deal with personal information. Training has been provided by VWV solicitors to individuals with data protection responsibilities in a parish setting. There are some frequently asked questions and this document records the most commonly asked questions with brief answers. Please do visit the diocese’s GDPR website page for more information. http://www.gloucester.anglican.org/parish-resources/gdpr/ where you will find:

GDPR information and overview

Frequently Asked Questions

Our [email protected] so you can get in touch with specific questions.

A link to the national parish resources website page where you can also find information about setting up a Privacy Notice, and how to complete your own data audit/checklist.

A link to the Information Commissioner website https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr

This document provides guidance when assessing what information you hold, share, process, and store, and the legal reasons you have for processing information, set out in a helpful guide.


A reminder (and some technical terms)

The GDPR sets out how personal data (ie personal information) should be used/processed.

Personal data should be processed lawfully, fairly and transparently.

The PCC and the incumbents are each separate 'data controllers'.

A data controller decides what personal information (data) should be collected and how it is to be used ('processed').

A “Privacy Notice” sets out how a data controller is going to process data.

Processing data - Lawful bases and Special Category Data

The ICO Guide to the GDPR sets out that: "The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:

1 Consent: The individual has given clear consent for you to process their personal data for a specific purpose.

2 Contract: The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

3 Legal obligation: The processing is necessary for you to comply with the law (not including contractual obligations).

4 Vital interests: The processing is necessary to protect someone’s life.

5 Public task: The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

6 Legitimate interests: The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)"


Special Category Data

'Special Category Data' (SCD) is personal data which the GDPR says is more sensitive. If this data is to be used then not only must there be a lawful basis for the processing (please see above for the only six lawful bases) BUT also a specific condition must be satisfied.

SCD includes information about an individual's religion, health or sexual orientation.

Specific conditions for processing data in the GDPR

The most relevant specific conditions are set out at Article 9(2)(a), (b), (c), (d) and (e) of the GDPR:

Article 9(2):

a The data subject has given explicit consent

b Processing is necessary for the purposes of carrying out the obligations... of the [data] controller eg in the field of employment

c Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent

d Processing is carried out in the course of its legitimate activities with appropriate safeguards by ... a not-for-profit body with a ..., religious ... aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects


e Processing relates to personal data which are manifestly made public by the data subject

PRIVACY AND CONSENT

No

Question

Should this be set out/included in our Privacy Notice (PN)? Yes (Y) or No (N)

Do we have a lawful reason for processing this information/data? Yes (Y) or No (N)

1 We send out an anonymous ‘flier’ via pupils' school bags at school advertising services

N A PN sets out how personal information ('data') will be processed. This would not constitute processing data

Y 1) Legal Analysis

Personal Data: The flyers are sent out without using any personal data. Therefore, the GDPR is not engaged.

2) Practical Advice: Whilst the GDPR is not engaged here, consideration should be given as to how useful or effective such a practice may really be.

2 We send an anonymous ‘dear resident’ parish magazine out to everyone in our parish

N A PN sets out how personal information ('data') will be processed. This would not constitute processing data

Y 1) Legal Analysis

Personal Data: The flyers are sent out without using any personal information. Therefore, the GDPR is not engaged.

2) Practical Advice: Whilst the GDPR is not engaged here, consideration should be given as to how useful or effective such a practice may really be.

3 We use the electoral roll for letting people know about services or other events/fundraising that is going on in the church

Y Information should be set out in the PN as to how this information will be used

N 1) Legal Analysis

Personal Data: The information on the electoral register is personal data. You must have a valid lawful basis in order to process personal data.

Processing:

1) The legal basis for processing the data for the purpose of the election is "legal obligations"

2) There is national church advice that consent is required to use the Electoral Roll membership for any sort of general marketing or information sharing, services, newsletters or stewardship campaigns

Special Category Data: The information on the electoral roll constitutes Special Category data.

Therefore, any use of this data requires a legal basis to apply and that the processing also satisfies a further condition

2) Practical Advice

It will be contrary to national church advice to use the electoral roll for letting people know about services or other events/fundraising that is going on in the church

4 The parish sends an anniversary card to baptism families, can we still do this without consent

Y Information should be set out in the PN as to how this information will be used

Y 1) Legal Advice

Personal Data: The names and addresses of the baptism families constitute personal data. It is assumed that the baptism family is limited to the parents. You must have a valid lawful basis in order to process personal data

Processing: The legal basis for the sending of anniversary cards is "legitimate interest".

Special Category Data: It is likely that this personal data is special category data as it constitutes information about religious beliefs. Therefore, a further condition must be satisfied

The relevant condition for the sending of anniversary cards is Art 9(2)(d) see p3.

2) Practical Advice: Sending anniversary cards does not require consent. If a parent requests that they no longer receive a card then they should not; if a parent ceases “regular contact” with the church then they should not continue to be sent a card

5 We send an invitation to a family that has had a funeral to attend a remembrance service, do we need consent

Y Information should be set out in the PN as to how this information will be used

Y 1) Legal Analysis

Personal Data: The names and addresses of the family members constitute personal data. You must have a valid lawful basis in order to process personal data

Processing: The legal basis for sending out invitations to family members is "legitimate interests".

Special Category Data: The individuals are being written to as members of the deceased's family and not directly in connection with their religious beliefs; therefore there is no need to consider the specific conditions for processing special category data

2) Practical Advice: The sending out of invitations to a remembrance service does not need express consent. As always, sensitivity and judgement is required

6 The parish puts fliers around the village/parish advertising anything happening at the church, that’s ok isn’t it

N Y 1) Legal Analysis

Personal Data: The flyers are placed without using any personal data. Therefore, the GDPR is not engaged.

2) Practical Advice: Whilst the GDPR is not engaged, consideration should be given as to how useful or effective such a practice is


7 An email is sent to people on PCC letting them know about changes to a meeting/sending paperwork

Y Information should be set out in the PN as to how this information will be used

Y 1) Legal Analysis

Personal Data: The names and addresses of members of the PCC constitute personal data. You must have a valid lawful basis in order to process personal data

Processing: The legal basis for writing to members of the PCC and sending them information about the PCC is "legal obligation". Members of a PCC need to be updated about meetings and need paperwork to undertake their legal obligations.

Special Category Data: The personal data (ie names and addresses) plus their membership of the PCC constitutes special category data as it reveals information about religious beliefs. Therefore, a further condition must be satisfied

The relevant condition for writing to members of the PCC is Art 9(2)(d) see p3

2) Practical Advice: This does not require express consent. A PCC may find it helpful if members have dedicated email addresses for their PCC work eg [email protected]. Care must be taken not to disclose personal email addresses etc unless this has been agreed to by PCC members

8 We email people the parish/pew sheet where they have given their email to be on an email circulation list

Y Information should be set out in the PN as to how this information will be used

Y 1) Legal Analysis

Personal data: The names and emails on the email circulation list constitute personal data. You must have a valid lawful basis in order to process personal data

Processing: The legal basis for emailing the parish pew sheet is "legitimate interest"

Special Category Data: The personal data (ie names and addresses) constitutes special category data as it reveals information about religious beliefs. Therefore, a further condition must be satisfied

The relevant condition for emailing people the parish/pew sheet - Art 9(2)(d) see p3

2) Practical Advice: The sending of this information does not require express consent

9 We currently email baptism families to remind them of church time for their baptism service

Y Information should be set out in the PN as to how this information will be used

Y 1) Legal Analysis

Personal Data: The names and addresses of the baptism families constitute personal data. It is assumed that the baptism family is limited to the parents. You must have a valid lawful basis in order to process personal data

Processing: The legal basis for the e-mails reminding them of the church time is "legitimate interest".

Special Category Data: It is likely that this personal data is special category data as it constitutes information about religious beliefs. Therefore, a further condition must be satisfied


The relevant condition for the sending of anniversary cards is Art 9(2)(d) see p3.

2) Practical Advice: Sending reminder emails does not require express consent.

10 We email wedding family setting out details of their service

Y Information should be set out in the PN as to how this information will be used

Y 1) Legal Analysis

Personal data: The names and addresses of family members constitute personal data (it is assumed that the emails are being sent to the bride and groom). You must have a valid lawful basis in order to process personal data

Processing: The legal basis for emailing the bride and groom is "contract".

Special Category Data: This processing relates purely to the bride and groom and in itself does not constitute special category data.

2) Practical Advice: Emailing details of the wedding service does not require express consent

11 Do we need permission to put someone’s name on the intercession list

Y Information should be set out in the PN as to how this information will be used

Y 1) Legal Analysis

Personal Data: The names and the health conditions of persons constitute personal data. You must have a valid lawful basis in order to process personal data.


Processing: The legal basis for putting someone's name on the intercession list will depend upon the particular circumstances. The usual legal basis will be "legitimate interest". In some cases, the legal basis will be "consent". This may arise, for example, if a non-parishioner makes a specific request to be entered onto the intercession list

Special Category Data: Special Category Data (SCD) includes information about a person's health or religion. Therefore, reading out a person's name and seeking intercession will be processing SCD. Therefore, a further condition needs to be satisfied

The relevant conditions will either be

Art 9(2)(a) - the data subject has given explicit consent, or

Art 9(2)(d) - processing is carried out in the course of its legitimate activities with appropriate safeguards by ... a not-for-profit body with a ..., religious ... aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects (see p3).

2) Practical Advice: In certain cases consent will be required; in all cases sensitivity and judgement will be mandatory

12 We have various rotas for the church ie mower, money, serving, leaders, refreshments do we need consent to email those on the lists.

Y Information should be set out in the PN as to how this information will be used

Y 1) Legal Analysis

Personal data: The names and email addresses of the members on the rotas constitute personal data. You must have a valid lawful basis in order to process personal data.

Processing: The legal basis for emailing the rota members is "legitimate interest".

Special Category Data: The information about the various rotas etc constitutes religious data. Therefore, a further condition needs to be satisfied

The relevant condition is Art 9(2)(d) see p3.

2) Practical Advice: Express consent is not required before emailing those on rotas.

13 We put a list of ‘anniversary of death’ people on a monthly list in the church

N Y 1) Legal Analysis

Personal data: Personal data is identifying information about living persons. Therefore, putting up an anniversary of death does not engage with the GDPR.

2) Practical Advice: Whilst express consent is not required, if there is reason to think that family members (for instance) might object then this should be taken into account

14 Can we send emails to multiple parish recipients eg on the fabric working group with details of a donor who has just given £10,000 to the church tower appeal

Y Information should be set out in the PN as to how this information will be used

Y 1) Legal Analysis

Personal data: The name/address of the donor constitutes personal data. You must have a valid lawful basis in order to process personal data.

Processing: The legal basis for sending details of the donor to eg members of the fabric working group is "consent"

Special category data: Donating to a church tower appeal does not in itself constitute information about, for example, religious beliefs. Therefore, no additional condition needs to be satisfied

2) Practical Advice: Providing personal information about the donor requires the express consent of the donor. The consent (as always) must be clear, unambiguous, freely given and should be recorded

15 We send details of several contractors to the four church wardens as a group of people who might use for a ? project

Y Information should be set out in the PN as to how this information will be used

Y 1) Legal Advice

Personal data: The identifying information about the contractors constitutes personal data about the contractors (unless the contractor is a limited company). You must have a valid lawful basis in order to process personal data.

Processing: The legal basis for sending details to the four church wardens is either 1) "consent" (in particular, as an example, if the contractor would not have reasonably foreseen that their information would be used in this way) or 2) "legitimate interests".

Special category data: The names, email addresses, addresses etc of contractors would not, normally, constitute information about, for example, religious beliefs. Therefore, no extra condition needs to be satisfied

2) Practical Advice: If the contractor would reasonably expect you to use their information in this way and there is a minimal impact upon their privacy then you can rely upon the legal basis "legitimate interest".

In exceptional cases the legal basis may be "consent". As an example: consider a contractor who has made clear that they regard details about their address as "confidential". You could not then rely upon the legal basis of "legitimate interest". Instead, you would need express consent. The consent (as always) must be clear, unambiguous, freely given and should be recorded

16 What do we do about DBS records/dates for renewal

1) Legal Analysis

Personal data: The information on the DBS is personal data. You must have a legal basis for processing personal data

Processing: the legal basis for processing this data is "legal obligation" and "legitimate interest"

2) Practical Advice

Nominated people should keep all records of who had DBS checks, the reference and date code and the date of renewal (every 5yrs), and indicate where individuals are registered on the Online Update service. This information should be stored securely and retained in line with national church requirements i.e currently for 70+yrs.


17 Can we put electoral roll membership on a memory stick shared with the person taking over and the incumbent

N N 1) Legal Analysis

Personal data: The information on the electoral register is personal data. You must have a valid lawful basis in order to process personal data

Processing: The use of this data is controlled by law. Please see the answer to the question concerning other use of electoral data at (3) above

2) Practical advice: This is not recommended.

18 What happens about personnel file information from a GDPR point of view

Y Information should be set out in the PN as to how this information will be used

Y 1) Legal Analysis

Personal data: There will be personal data on the personnel file. You must have a valid lawful basis in order to process personal data

Processing: The legal basis for processing the employment data is "contract". There may be other processing where the legal basis is "legal obligation", for example supplying certain information to HMRC

Special category data: Special category data includes information about a person's religion or their health. Being an employee within the church does not constitute information about a person's religion. If the personnel file contains information about a person's health then a further condition must be satisfied before that data can be processed

The relevant condition is Art 9(2)(b): processing is necessary for the purposes of carrying out the obligations... of the [data] controller in the field of employment. See p3.


2) Practical Advice: Care must be taken that the personnel file only contains information which is relevant to the employment contract. If it contains other information then consideration must be given as to the legal basis of processing this data

19 What do we do about a safeguarding record of an offender with an ‘agreement’ at our church

Practical Advice

All offender agreements are managed centrally in the diocese by the Safeguarding Team so there will always be a record kept. Locally individuals will sign up to an agreement as there will be a select few people signed up to help manage the situation.

The Nominated Person/parish safeguarding rep should keep a record of these stored securely locally, and as/when the individual concerned moves on, they should pass any records to the diocese for confidential shredding.

There will always be clear central records stored. Nominated People/clergy should not email personal email addresses regarding meetings or information about an offender. These should only be managed through PCC email addresses and with the diocesan central @glosdioc.org.uk addresses. The Safeguarding Team are currently considering alternative confidential communication mechanisms.

20 Can we still publish wedding banns

Information should be set out in the PN as to how this information will be used

Y 1) Legal Analysis

Personal data: Wedding banns constitute personal data. You must have a valid lawful basis in order to process personal data

Processing: The legal basis for publishing wedding banns is "legal obligation"

Special Category Data: The personal data in the wedding banns does not constitute special category data and therefore no additional condition needs to be satisfied

2) Practical Advice: Wedding banns must be published as a matter of law

21 Can we still keep wedding records as they are official registers

Y Information should be set out in the PN as to how this information will be used

Y 1) Legal Analysis

Personal data: The wedding records constitute personal data. You must have a valid lawful basis in order to process personal data

Processing: The legal basis for keeping the wedding records is "legal obligation"

Special Category Data: The personal data in the wedding records does not constitute special category data and therefore no additional condition needs to be satisfied

2) Practical Advice: Wedding records should be kept

22 We hold records electronically of all children baptised 0-18 so we send a birthday card every year – can we still do this.

Y Information should be set out in the PN as to how this information will be used

Y 1) Legal Analysis

Personal data: The names and addresses of the children constitute personal data. You must have a valid lawful basis in order to process personal data

Processing: The legal basis for the sending of anniversary cards is "legitimate interest".

Special category data: Information as to who has been baptised is special category data. Therefore this data cannot be processed unless a further condition is satisfied. The relevant condition will be Art 9(2)(d) see p3.

2) Practical Advice: Birthday cards can be sent but only if the child has regular contact with the church. This requires a certain degree of judgement

23 We put the details of churchwardens, pcc secretary/treasurer, hall hirer and other clergy in parish magazines with their phone numbers for people to contact them and put them through letterboxes, is this still ok to do.

Y Information should be set out in the PN as to how this information will be used

Y 1) Legal Analysis

Personal data: The names and details of churchwardens, PCC secretary/treasurer, hall hirer and other clergy constitute personal data. You must have a valid lawful basis in order to process personal data

Processing: The legal basis for putting this information into parish magazines is "legitimate expectation".

Special category data: The information about the individuals does constitute special category data as it constitutes information about religious beliefs. Therefore, a further condition needs to be satisfied. The relevant condition is Art 9(2)(d) see p3.

2) Practical Advice: It is useful and helpful to put details of certain individuals in the parish magazine. Those individuals should understand that that is how their personal information is going to be used (and this should be explained in the Privacy Notice). If an individual requests that this information is not put into the magazine then this request should be considered as having considerable weight. As always, sensitivity and judgement is required

24 We hold personal details of the young people at youth club and their parents phone numbers for emergencies, do we need consent to do this

Y Information should be set out in the PN as to how this information will be used

Y 1) Legal Analysis

Personal data: The personal details of the young people at youth club and their parents do constitute personal data. You must have a valid lawful basis in order to process personal data

Processing: The legal basis for processing this information is "legitimate interest"

Special category data: The personal details of the young people and their parents do not fall into the category of special data; therefore no further condition needs to be met

2) Practical Advice: It is important that this data is accurate, and that relevant people know where the information is. The data should only be used for this purpose. If it is to be used for another purpose then a separate legal basis needs to be found

25 Do we need consent to hold any information on ‘health’ issues of Sunday School or youth club eg asthma, nut allergy and permission for medical intervention for children with a medical emergency

Y Information should be set out in the PN as to how this information will be used

Y 1) Legal Analysis

Personal data: The personal details about the health of the young people/children at youth club/Sunday constitutes personal data. You must have a valid lawful basis in order to process personal data

Processing: The legal basis for processing this information is "legitimate interest"

Special category data: Information about the health of the children/young people constitutes Special Category Data and therefore a further condition needs to be met before the data can be processed. The relevant condition is Art 9(2)(c): "processing is necessary to protect the vital interests of the data subject"

2) Practical Advice: The Youth Club/Sunday School owes a duty of care to the children/young people. Accurate health information to enable emergencies to be dealt with is essential.

26 We send personalised cards/letters inviting everyone in the village to the church summer fayre – we know everyone in the village, can we carry on doing that

N 1) Legal Analysis

Personal data

The names and addresses of everyone in the village are personal data. It is not clear why all this information is held. In any event, you must have a legal basis to process personal data

Processing

There is no obvious legal basis for such a practice

Special Category Data

The names and addresses of everyone in the village do not constitute Special Category Data

2) Practical Advice

A fundamental principle of the GDPR is that information should only be collected for specified, explicit and legitimate purposes and also kept no longer than is necessary

Consideration should be given as to whether all of this personal information should be kept at all

If it is desired to write to everyone in the village then this could be done without using their personal data at all

27 Do we need to do privacy notice or consent form for copies of funeral service sheets

1) Legal analysis

Personal data

If the funeral service sheets contain personal information about living people then you must have a legal basis for processing that data

Processing

The legal basis will be either "consent" or "legitimate interest" depending on who is named

2) Practical advice

Judgement and sensitivity are required as to what is put into the funeral service sheet.

28 Do we need consent for doing gift aid in our parish as parishioners give us their bank details for direct debit

Information should be set out in the PN as to how this information will be used

1) Legal Analysis

Personal data

Personal data is supplied when a person submits the gift aid form. The completion of a direct debit form is a provision of personal data to the church. You must have a valid lawful basis in order to process personal data

Processing

The legal basis for processing this direct debit form is consent. It is presumed that the processing simply amounts to forwarding the information to the bank data

Special category data

Further data held will be the name, whether the person is a UK tax payer etc (as required by HMRC). This does not constitute special category data so no further condition needs to be satisfied before processing

2) Practical Advice

The bank details etc should be used for the purpose for which they were provided, i.e. the setting up of a direct debit. They should not be retained, or used for any other purpose unless there is a clear legal basis

Consent is provided by the provision of this information

29 Do we need permission to publish photographs of group of adults at a church event which we put in our parish magazine or on our website

Personal data

Photographs (insofar as they enable an individual to be identified) do constitute personal data. You must have a valid lawful basis in order to process personal data.

Processing

The first issue which needs to be considered is how 'privacy intrusive' the photograph is (eg is it in any way personally embarrassing, or does it reveal information about the health of a person). The next issue to be considered is where the photograph is to be displayed. The legal basis will be either

1) "legitimate interests" - for example a photograph of a large group of people or

2) "consent" - for example if a photograph of a particular individual is to be on the front of the parish magazine or if the photograph is privacy intrusive

Special category data

Attending a church event need not constitute special category data; thus attending a summer fete does not reveal information about a person's religious beliefs. However, attending an Alpha Course does

The relevant special condition will be either Art 9(2)(a) or Art 9(2)(d)

30 Do we need permission to publish photographs of group of children at a church event which we put in our parish magazine or on our website

The same principles apply as set out in the answer above plus the need to be sensitive to any safeguarding issues

31 What are the guidelines with staff HR and volunteer data in a personnel file

1) Legal Analysis

Personal Data

It is unclear as to what data is kept on the personnel files. It is likely to contain personal data. You must have a valid and lawful basis to process personal data

Processing

1) The legal basis for processing employment contractual information will be "contract" or "legal obligation"

2) The legal basis for processing non employment contractual information may be "legitimate interest" or even "consent" depending upon the processing

Special Category Data

It is possible that the processing might be of special category data. If it is then an additional condition will need to be satisfied

32 What are the guidelines for GDPR with safeguarding records

Practical advice

The central Diocesan Safeguarding Team can advise on any issue. Generally however, safeguarding records kept locally should be kept by the Nominated Person and Incumbent securely and information sent by email minimised. All DBS records should be kept, and all personnel files for those working with/volunteering with children/vulnerable adults kept in line with national church guidelines. (we can put the link in here)

33 Can I email the school asking if they could ask any teachers/volunteers who might be willing to help at possible summer play scheme - we haven’t got any firm plans yet we want to see who’s out there.

Y Information should be set out in the PN as to how this information will be used

Y 1) Legal analysis

Personal data

If the email is to a named person at the school then this will involve using personal data. There must be a legal basis for processing personal data

Processing

The legal basis will be "legitimate interest"

2) Practical advice

Anyone applying to volunteer or work with such a scheme should be recruited under safer recruitment processes, so it's fine to advertise and see who might be available and to ask for expressions of interest so that you can send them an application form. Then follow up recruitment as normal. If the decision is not to proceed with a scheme all applications should be confidentially shredded/deleted.

34 Should we update personal records on an annual basis

There is a requirement that any personal data should be accurate. There should be regular audits of any personal data held. It is a matter of judgement as to how frequent this should be

37 Can we use Church Suite as an information system

We can't promote a single product, but there are products out there that might be worth looking into!

42 Do we need a privacy notice now for information held and do we need consent for marketing

These are two very different issues! Yes – a privacy notice is about how you hold, store, keep secure and process information anyway.

Consent for marketing is an additional requirement where this is either electronic, or sent to someone personally, so consent must be freely given from information that is clear, specific, unambiguous and with clarity on how consent can be withdrawn, and how concerns/complaints etc would be dealt with.

43 I’ve been asked to send the email of someone I know who I think would be a helpful contact – a retired doctor who might be interested to go be our safeguarding group – can I do this

3) Legal analysis

Personal data

If the email is to a named person then there must be a legal basis for processing personal data.

Processing

The legal basis will be "legitimate interest"

4) Practical advice

We do have a number of retired professional people on our various boards and working groups and it's often by word of mouth that we hear of someone. If you are emailing them with such an invitation make sure that it's clear that if the person doesn’t wish to become involved, or doesn’t respond to your email, you simply delete their email address and don’t use it again. If they say yes, then that info falls within your privacy notice and documented evidence about what an individual has agreed to so you can be in touch with papers, minutes, details of meetings etc.

A warning

The answers to these FAQs apply to general enquiries. The answers are simplified responses to what can be complex issues which require thought, judgement and sensitivity. It is the responsibility of the data controller to consider the requirements of the GDPR on particular cases. If the data controller has a concern about a particular case then they should seek further advice by reading through other FAQs or contacting the VWV helpline where parishes in Gloucester Diocese are able to have a cumulative hour of GDPR related advice.

VWV/JK GDPR doc3 2018
