This information sheet tells you how Grace Church Brockley (GCB) uses personal data. Personal data means information about you from which you can be identified such as your name and address.

Why is my data being collected?

The main reasons that we use your personal data are to provide you with information about our current and future program of activities and to facilitate administration of the church and the Debt Centre that we run. Here are other reasons:

  • To meet our legal and statutory obligations (e.g. employment data)
  • For safeguarding procedures, including DBS checks
  • To organize our services, events, courses and activities
  • To maintain accounts and records, including processing of gift aid
  • To operate our website and social media
  • To manage our employees and volunteers
  • To provide you with pastoral care
  • To include you in GCB’s searchable Church Directory
  • To include you in WhatsApp groups to share information
  • To tell you about news, events and services at GCB, at our Debt Centre, in the local community or occasionally in the wider Christian community.
  • To help publicise the work of GCB and the Debt Centre by sharing photos, films or personal stories on our website or social media sites

How is my data collected?

In most cases, you have given us your personal data. For example, you may have filled in a ‘Keep in Touch’ card or a ‘Contact Details’ form with information such as your name, email and telephone number.  You may also have given us personal data about your children, for example on a Children’s Church registration form. You may have provided us with financial data, for example to purchase items, facilitate gift-aid or receive salary payments.

We may have taken photographs or film clips of you (or your children) if you gave your consent.

If you (or your children) are part of any church groups such as fellowship groups we will record this information. Data relating to safeguarding, (e.g. safeguarding checks for our team, children’s church registers), will be collected by staff, group leaders or safeguarding coordinators. Pastoral information may be recorded by individuals providing pastoral care.

What is the legal basis for processing my data?

Most data is processed because it is necessary for our legitimate interests. For example you may be helping to run a church activity and we are contacting you about this. Some data processing is necessary for compliance with a legal obligation, such as safeguarding data. Some data is processed for performance of a contract (e.g. employment). We will ask for your consent to use your data if use is not covered by one of these legal bases. Examples of this include asking for consent to use your data in GCB’s searchable Church Directory and WhatsApp groups. You can remove your consent at any time by contacting us (details at the end of this document). In many cases, data we process is categorised as sensitive personal data because it can be linked to religious belief.

Who is my data shared with?

In general, your data is shared with the staff team and individuals providing leadership, administrative and/or organisational support to the staff team. This includes the Church Council, Fellowship Group leaders, Debt Coaches, our safeguarding team and (for children’s data) Children’s Church leaders. Sensitive data such as financial, safeguarding or pastoral data is shared on a need-to-know basis.

If you help on the church rotas your name is visible to members of GCB’s congregation.

If you give consent to being included in the Church Directory then your name, address, telephone and email can be found by others in the directory. You can choose to hide some of this information. If you join a WhatsApp group your name and mobile number is visible to others in the group.

With consent, information about you may be visible to the public via our website and social media (e.g. photographs, film clips, biographies). Please be aware that we have no control over subsequent storage, copying and sharing of information once it is in the public domain.

We may use a range of different third parties acting as processors in order to provide database, website, social media, media, IT and system administration services. Our main church database is run by ChurchBuilder, a UK-based company. Our third-party providers include:

  • Website platforms, website design companies, databases and event management systems including ChurchBuilder (part of Concordant Systems Ltd), Tiger Finch Creatives Limited, WordPress and WooCommerce (Part of Automattic).
  • Companies processing payments (e.g. ticket sales) including PayPal and Stripe.
  • Debt Centre Christian’s Against Poverty (CAP) head office.
  • Social Media and communication platforms including Gmail, WhatsApp, Facebook, Spotify, Twitter and Instagram.
  • Organisation coordinating our DBS safeguarding checks, thirtyone:eight
  • Professional advisers including lawyers, bankers, auditors, pension advisors and insurers based in the UK who provide consultancy, banking, legal, insurance and accounting services.
  • HM Revenue & Customs, regulators and other authorities based in the UK who require reporting of processing activities in certain circumstances.

See the following websites for GDPR/privacy information for third party providers:

How long will my data be held?

We keep different categories of personal data for different lengths of time. These are summarised below.

If you filled in a Keep in Touch card, booked onto one of our events or completed a feedback form, the data you gave us will be held for up to 2 years. It will then be destroyed unless you consent to us keeping your data to contact you again.

If you filled in a church Contact Details form (A4 page) the data from this will be held until you leave GCB and will then be destroyed within 1 year unless you have opted-in to staying in touch.

You can choose to stay in touch, for example, you can join our prayer supporters or asked to be informed of future guest events. We will then keep your name, email and mobile number until you ask us not to contact you anymore.

If your child or children joined any of our children’s activities, information from registration and consent forms will be held for up to 2 years after they leave the group or finish the activity. For safeguarding, we will keep their name and date of birth indefinitely and these will be included on our attendance registers.

For staff and volunteers involved in children’s work, your contact details and a minimum data set relating to DBS checks will be retained indefinitely. Pastoral data may be retained indefinitely. Safeguarding data, and staff personnel records will be retained indefinitely. Finance-related personal data will be retained for up to 8 years.  If you gave consent for us to use photographs and film clips of you, these will be retained indefinitely. You can withdraw your consent at any time.

Your data protection rights

Under data protection law, you have rights including:

Your right of access – You have the right to ask us for copies of your personal information.

Your right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances.

Your right to object to processing – You have the the right to object to the processing of your personal data in certain circumstances.

Your right to data portability – You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.

Please contact us if you wish to make a request (details at the end of this document).

Debt Centre data

Personal data relating to Debt Centre clients is covered by CAP Head Office Data Protection policies and procedures. GCB does not process Debt Centre client data. Please refer to CAP policies for permitted temporary exceptions to this rule.

What if there is a problem?

If you are unhappy with how we have used your data you can complain to the Information Commissioner’s Office via their website or by telephone on 0303 123 1113. We encourage you to come and talk to us about the problem first so we can try and resolve it.

Who can I speak to for more information?

If you would like more information about data protection, please speak to Nic Srinivasan,, tel. 07484 878 077.

Last updated May 2024