General Data Protection Regulation
General Data Protection Regulation
ARCHDEACONRY OF NORTH WEST EUROPE
EXECUTIVE COMMITTEE FOR
THE ANGLICAN CHURCHES IN THE NETHERLANDS
RULES FOR THE PROCESSING AND PROTECTION OF PERSONAL DATA CONCERNING PERSONS ON THE ELECTORAL ROLL AND OTHER ADMINISTRATIVE RECORDS
The Archdeaconry of North-West Europe is one of six Archdeaconries in the Diocese in Europe of the Church of England. It is the body into which the local Anglican churches are united. In accordance with Netherlands law, it is registered in the Handelsregister (Company Register) with the Kamer van Koophandel (Chamber of Commerce) Midden Nederland insofar as it is geographically situated on Netherlands territory. It is also registered under the name of Anglicaanse Kerk in Nederland.
The first and supreme mission of the worldwide Christian Church is to proclaim Jesus Christ as the embodiment of God’s love. This mission is carried out through a number of activities requiring, in turn, an organisation, clergy and other ministers and lay workers, both paid and unpaid, and other volunteers. The Archdeaconry is a subdivision of the organised Church, the Church of England, an organised community of Christian people. An important function of the Church is to shape, build up and maintain community life, found largely in the local churches referred to above.
Organisation and administration of the life of the church community require the processing of personal data, including special categories of (sensitive) personal data concerning religious beliefs, of persons associated with that church community.
Introduction of the General Data Protection Regulation has caused the church to be aware of the risk of breaches of the privacy of persons associated with the church, and of the need for proper measures to be taken in order to limit such risk as much as possible.
Although there is much in the following Rules that may remind us of digitally processed data, they equally apply, with the necessary changes, to (type)written records.
In order for the processing of personal data to be carried out according to the requirements of the law, and to limit as much as possible the risk of breach of privacy, the following rules are deemed necessary in processing personal data of persons associated with the church:
Article 1 Definitions
Terms What they are deemed to mean for the purpose of these Rules
article > article of these present Rules
Article > Article of GDPR (AVG)
associated person > natural person who has entered upon an association with the church, either through canonical membership or through personal interest
Autoriteit Persoonsgegevens > Personal Data Protection Authority/Regulator
chaplaincy > local church, formally constituted body, including congregations and church plants
chaplaincy registers > registers held by the chaplaincy, containing particulars of the administration of sacraments or other sacred acts to associated persons
church > the Archdeaconry of North-West Europe, or any local church forming part of it, as the case may be, all insofar as they are situate within the borders of The Netherlands
Church > Church of England
controller > person or body of persons responsible for processing personal data
data protection coordinator > person appointed by the controller, charged with protecting data security and oversight of records holding personal data as well as the coordination of communication between subjects and controller
data leak > breach of protection of personal data, exposing such data to loss or unlawful processing
GDPR (AVG) > General Data Protection Regulation (Algemene Verordening Gegevensbescherming)
holder of parental responsibility > person exercising parental responsibility over a minor
personal data > any data referring to an identified or identifiable natural person
processing of personal data any action or any whole of actions relative to personal data, including in any case collecting, recording, ordering, keeping, correcting, amending, claiming, consulting, using, forwarding,transmitting, distributing or any other form of making available, amalgamating, matching, as also masking, erasing or destroying of personal data
record > structured body of personal data of people associated with the church, relative to the objectives as stated in Article 2
Rules > these present Rules for Processing and Protection of Personal Data concerning Persons on the Electoral Roll and other administrative records
special categories of personal data > personal data concerning a person’s religion or philosophical beliefs, race, political standpoints, health, sexual life, and personal information concerning the causing of nuisance and unlawful behaviour relative to any injunction resulting from such behaviour, and also personal data regarding trade union membership. These present rules serve as a basis for the processing of the special category of personal data concerning religious beliefs, exclusively
subject > data subject; person whose personal data have been or are being recorded or otherwise processed by or on behalf of the church
third party > person not associated or not in a canonical relation with the church, or entity outside the structures of the Church of England
UAVG > Uitvoeringswet Algemene Verordening Gegevensbescherming (GDPR Implementation Act)
Article 2 Objectives of processing personal data by the church
The canon law and statutes of the Church state and imply its objective of shaping the church life of the associated persons. Church life is particularly expressed in the chaplaincies. An important part of this church life is found in building and maintaining of a community of believers.
Such community building and the administration and organisation of church life require the processing by the church of personal data, including the special category of data about the religious life, of associated persons.
Article 3 Applicability
These rules are applicable to any form of processing of personal data of associated persons by the church, irrespective of whether this be the local churches or the body in which they are united
Article 4 Responsibilities of the controller
The controller as the responsible person or body shall attend to the following:
Article 5 Basis for processing of data and exemption from the ban on processing of data concerning religion
1. The basis for the processing of personal data by the church is found in the justifiable interest of the church in such processing. The justifiable interest in the stated and implied objective of the church to make possible and facilitate the church life of associated persons. An essential part of this is the shaping and building of a community. Conditional upon such community building is that persons associated with the church should be known. Beside this, the shaping of church life requires a certain measure of organisation and administration of the church. This, likewise, is conditional upon processing a certain amount of personal data of associated persons.
2. The controller comes to the conclusion that the justifiable interest of the church, as stated in paragraph 1, outweighs the interests of the privacy of associated persons , on the basis of the following arguments:
3. The processing of the special category of personal data relating to religion is based on an exemption from the ban as defined in article 9 GDPR. No such special personal data shall be processed except on condition that such data shall not be disclosed to third parties except on the basis of explicit , clear and distinguishable consent by the subject, in accordance with the provisions of Article 9 of these Rules.
Article 6 Informing subjects about the processing of their personal data
Article 7 Personal data included on record
No more personal data of associated persons shall be included than are required for the objectives as stated in article 2. These data may include, at the least:
Article 8 Access to personal data on record
The controller accords authorisations to officers for access to personal data on file. The following points shall be observed:
Article 9 Disclosure or transmission to third parties of personal data from the records
Article 10 Removal of data from the record
Article 11 Supplying data for purposes of policy and research
The controller may decide to supply data from the records for purposes of policy and research to third parties charged with such policy or research, but only insofar as this policy or research is related to the objectives as defined in Article 2. The controller gives due heed to the requirement that such data have been so edited that they may no longer be used to identify individual persons.
Article 12 Rights of subjects
1.With regard to data pertaining to subjects which are being processed by the church such subjects may exercise the rights as defined in Articles 15 (inspection and information), 16 (correction), 17 (erasure), 18 (restriction) and 19 (complaint). For the exercise of these rights the subject shall communicate in writing with the controller.
2. The controller shall without delay, but no later than one month after receipt of the request, advise the subject of the effect given to the request. In the case of the controller refusing to comply with the request, he shall without delay, but no later than one month after receipt of the request, advise the subject of his decision to refuse. He shall also advise the subject of the possibility to lodge a complaint with the Autoriteit Persoonsgegevens, or to appeal to the court having jurisdiction in the matter.
Article 13 The position of subjects under the age of 16
Rights exercisable by subjects based on GDPR, UAGV and these Rules are exercised by the holders of parental responsibility in the case of subjects under 16 years of age.
Article 14 Secrecy
Anyone taking cognizance of personal data on the basis of this regulation is under an obligation to preserve the secrecy of such data, except where the law or these Rules require that personal data be disclosed or transmitted.
Article 15 Specific stipulations regarding church registers
Article 16 Concluding provision
Utrecht, 6th June, 2018
(amended and corrected 27th March, 2019)
Acknowledgement: These rules are largely structured and based on the ‘Privacyregeling persoonsgegevens (gast)leden van de Oud-Katholieke Kerk van Nederland’ of the Old-Catholic Church of The Netherlands