General Data Protection Regulation
General Data Protection Regulation
ARCHDEACONRY OF NORTH WEST EUROPE
EXECUTIVE COMMITTEE FOR
THE ANGLICAN CHURCHES IN THE NETHERLANDS
RULES FOR THE PROCESSING AND PROTECTION OF PERSONAL DATA CONCERNING PERSONS ON THE ELECTORAL ROLL AND OTHER ADMINISTRATIVE RECORDS
The Archdeaconry of North-West Europe is one of six Archdeaconries in the Diocese in Europe of the Church of England. It is the body into which the local Anglican churches are united. In accordance with Netherlands law, it is registered in the Handelsregister (Company Register) with the Kamer van Koophandel (Chamber of Commerce) Midden Nederland insofar as it is geographically situated on Netherlands territory. It is also registered under the name of Anglicaanse Kerk in Nederland.
The first and supreme mission of the worldwide Christian Church is to proclaim Jesus Christ as the embodiment of God’s love. This mission is carried out through a number of activities requiring, in turn, an organisation, clergy and other ministers and lay workers, both paid and unpaid, and other volunteers. The Archdeaconry is a subdivision of the organised Church, the Church of England, an organised community of Christian people. An important function of the Church is to shape, build up and maintain community life, found largely in the local churches referred to above.
Organisation and administration of the life of the church community require the processing of personal data, including special categories of (sensitive) personal data concerning religious beliefs, of persons associated with that church community.
Introduction of the General Data Protection Regulation has caused the church to be aware of the risk of breaches of the privacy of persons associated with the church, and of the need for proper measures to be taken in order to limit such risk as much as possible.
In order for the processing of personal data to be carried out according to the requirements of the law, and to limit as much as possible the risk of breach of privacy, the following rules are deemed necessary in processing personal data of persons associated with the church:
Article 1 Definitions
Terms What they are deemed to mean for the purpose of these Rules
Article > article of these present Rules
associated person > natural person who has entered upon an association with the church, either through canonical membership or through personal interest
Autoriteit Persoonsgegevens > Personal Data Protection Authority/Regulator
chaplaincy > local church, formally constituted body, including congregations and church plants
chaplaincy registers > registers held by the chaplaincy, containing particulars of the administration of sacraments or other sacred acts to associated persons
church > the Archdeaconry of North-West Europe, or any local church forming part of it, as the case may be, all insofar as they are situate within the borders of The Netherlands
Church > Church of England
controller > person or body of persons responsible for processing personal data
data protection coordinator > person appointed by the controller, charged with protecting data security and oversight of records holding personal data as well as the coordination of communication between subjects and controller
data leak > breach of protection of personal data, exposing such data to loss or unlawful processing
GDPR (AVG) > General Data Protection Regulation (Algemene Verordening Gegevensbescherming)
holder of parental responsibility > person exercising parental responsibility over a minor
personal data > any data referring to an identified or identifiable natural person
processing of personal data any action or any whole of actions relative to personal data, including in any case collecting, recording, ordering, keeping, correcting, amending, claiming, consulting, using, forwarding,transmitting, distributing or any other form of making available, amalgamating, matching, as also masking, erasing or destroying of personal data
record > structured body of personal data of people associated with the church, relative to the objectives as stated in Article 2
Rules > these present Rules for Processing and Protection of Personal Data concerning Persons on the Electoral Roll and other administrative records
special categories of personal data > personal data concerning a person’s religion or philosophical beliefs, race, political standpoints, health, sexual life, and personal information concerning the causing of nuisance and unlawful behaviour relative to any injunction resulting from such behaviour, and also personal data regarding trade union membership. These present rules serve as a basis for the processing of the special category of personal data concerning religious beliefs, exclusively
subject > data subject; person whose personal data have been or are being recorded or otherwise processed by or on behalf of the church
third party > person not associated or not in a canonical relation with the church, or entity outside the structures of the Church of England
UAVG > Uitvoeringswet Algemene Verordening Gegevensbescherming (GDPR Implementation Act)
Article 2 Objectives of processing personal data by the church
The canon law and statutes of the Church state and imply its objective of shaping the church life of the associated persons. Church life is particularly expressed in the chaplaincies. An important part of this church life is found in building and maintaining of a community of believers.
Such community building and the administration and organisation of church life require the processing by the church of personal data, including the special category of data about the religious life, of associated persons.
Article 3 Applicability
These rules are applicable to any form of processing of personal data of associated persons by the church, irrespective of whether this be the local churches or the body in which they are united. The Rules apply to digitally processed data and (type)written records alike.
Article 4 Responsibilities of the controller
The controller as the responsible person or body shall attend to the following:
Article 5 Basis for processing of data and exemption from the ban on processing of data concerning religion
1. The basis for the processing of personal data by the church is found in the justifiable interest of the church in such processing. The justifiable interest in the stated and implied objective of the church to make possible and facilitate the church life of associated persons. An essential part of this is the shaping and building of a community. Conditional upon such community building is that persons associated with the church should be known. Beside this, the shaping of church life requires a certain measure of organisation and administration of the church. This, likewise, is conditional upon processing a certain amount of personal data of associated persons.
2. The controller comes to the conclusion that the justifiable interest of the church, as stated in paragraph 1, outweighs the interests of the privacy of associated persons , on the basis of the following arguments:
3. The processing of the special category of personal data relating to religion is based on an exemption from the ban as defined in article 9 GDPR. No such special personal data shall be processed except on condition that such data shall not be disclosed to third parties except on the basis of explicit , clear and distinguishable consent by the subject, in accordance with the provisions of Article 9 of these Rules.
Article 6 Informing subjects about the processing of their personal data
1. The controller is attentive to informing subjects of the following: content and nature of the recorded data, the objectives thereof, the rights which are exercisable by them over such data, as well as the identity of the controller. Likewise, subjects are informed that processing of their personal data will be terminated immediately upon their notification of ending their association with the church, and that their data will not be disclosed to third parties without their unambiguous, clear and distinguishable consent thereto.
2. Informing as stated in paragraph 1 is done:
3. Informing associated persons whose data are being processed on the date of coming into force of these Rules is effected by a personal (digital) letter addressed to each associated person individually. In the case of such letters being addressed to associated persons not having attained the age of 16 years they are sent to the holders of parental responsibility over them.
Article 7 Personal data included on record
No more personal data of associated persons shall be included than are required for the objectives as stated in Article 2. These data may include, at the least:
Article 8 Access to personal data on record
The controller accords authorisations to officers for access to personal data on record. The following points shall be observed:
Article 9 Disclosure or transmission to third parties of personal data from the records
1. No personal data from a record shall be disclosed or transmitted to third parties, except where the law is binding on the controller to do so.
2. Should the controller be of the opinion that by way of exception disclosure or transmission of personal data ought to be considered, not being under any legal obligation to do so, he shall first obtain the unambiguous , clear and distinguishable consent of the subject concerned.
3. The controller shall not request consent as referred to in paragraph 2 until after he has fully informed the subject concerning nature and content of the data to be so disclosed or transmitted, the aim of the disclosure or transmission, and the identity of the recipient. The controller shall also advise the subject of his right at all times to withdraw his consent by way of notification by telephone, by electronic message or in writing.
4. The controller shall log the consent received, as well as a withdrawal thereof, on the record.
Article 10 Removal of data from the record
1. Personal data on a record shall be removed immediately upon receiving notification by a subject of termination of the association of that subject with the church. Such removal may be postponed if obligations of a financial nature or otherwise between the subject and the church so require.
2. In case of the death of associated persons their data shall be removed at the end of the year of their death. If the deceased at the time of death was married to or had entered upon a civil registered partnership with another associated member, such data shall be removed at the end of the year in which the death occurs of that surviving spouse or partner.
Article 11 Supplying data for purposes of policy and research
The controller may decide to supply data from the records for purposes of policy and research to third parties charged with such policy or research, but only insofar as this policy or research is related to the objectives as defined in Article 2. The controller gives due heed to the requirement that such data have been so edited that they may no longer be used to identify individual persons.
Article 12 Rights of subjects
1. With regard to data pertaining to subjects which are being processed by the church such subjects may exercise the rights as defined in articles 15 (inspection and information), 16 (correction), 17 (erasure), 18 (restriction) and 19 (complaint). For the exercise of these rights the subject shall communicate in writing with the controller.
(Note: Clarification on the articles in red, not existing in this document, has been requested from the originator.)
2. The controller shall without delay, but no later than one month after receipt of the request, advise the subject of the effect given to the request. In the case of the controller refusing to comply with the request, he shall without delay, but no later than one month after receipt of the request, advise the subject of his decision to refuse. He shall also advise the subject of the possibility to lodge a complaint with the Autoriteit Persoonsgegevens, or to appeal to the court having jurisdiction in the matter.
Article 13 The position of subjects under the age of 16
Rights exercisable by subjects based on GDPR,UAGV and these Rules are exercised by the holders of parental responsibility in the case of subjects under 16 years of age.
Article 14 Secrecy
Anyone taking cognizance of personal data on the basis of this regulation is under an obligation to preserve the secrecy of such data, except where the law or these Rules require that personal data be disclosed or transmitted.
Article 15 Specific stipulations regarding church registers
1. The chaplain of the chaplaincy, or, in the absence of a chaplain, such other priest as shall hold the Bishop’s charge or permission to carry out the functions and ministrations of a chqplain, keeps record of the administration of sacraments and other recordable ministrations to persons associated with the church in the chaplaincy registers.
2. These Rules are applicable to the processing of personal data for such registers, except where the provisions of this Article allow for derogation from these Rules.
3. Access to the chaplaincy registers is the exclusive privilege of the Bishop; the person who holds the Bishop’s commission to oversee the archdeaconry; the chaplain, or, in the absence of a chaplain, such other priest as shall hold the Bishop’s charge or permission to carry out the functions and ministrations of a chaplain; any assistant-chaplain; and the secretary of the church council of the chaplaincy.
4. In view of the provisions of article 17, paragraph 3 sub d GDPR
Article 16 Concluding provision
1. These Rules will be deemed to be in force as from 25th May, 2018 for an indefinite period.
2. The controller has authority to vary or rescind these Rules.
3. These Rules may be cited as the ‘Rules for Processing and Protection of Personal Data 2018’.
Utrecht, 6th June, 2018
Acknowledgement: These rules are largely structured and based on the ‘Privacyregeling persoonsgegevens (gast)leden van de Oud-Katholieke Kerk van Nederland’ of the Old-Catholic Church of The Netherlands