Esher Green Baptist Church

DATA PRIVACY NOTICE

Last reviewed: June 2026

Your personal data – what is it?

Personal data relates to a living individual who can be identified from that data, either on its own or together with other information in our possession or likely to come into our possession. The processing of personal data is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as amended by the Data (Use and Access) Act 2025 (together, “the Data Protection Legislation”).

Who are we?

The Trustees of Esher Green Baptist Church (“EGBC”, “we”, “us”) are the data controller (contact details below). This means they decide how your personal data is processed and for what purposes. Esher Green Baptist Church is a registered charity, number 1133504.

What information do we collect?

EGBC complies with its obligations under the Data Protection Legislation by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure; and by ensuring that appropriate technical and organisational measures are in place to protect personal data.

Directly from you. We collect personal information each time you deal with us, for example when you provide your contact details to church staff or volunteers; request information; sign up for an event; make a donation; complete a form; or otherwise provide your personal details (including through our church management system, ChurchSuite, and its member-facing area, My ChurchSuite).

From your interaction with our website. We collect non-personal data such as IP addresses, details of pages visited and files downloaded. Website usage information is collected using cookies – see the section on cookies below.

Emergency contact (next of kin) details. If you choose to provide them, we collect the name, relationship and telephone number of a person you would like us to contact on your behalf in an emergency. Providing this information is entirely voluntary. Please make sure the person you name is aware that you have given us their details and why. See the “Emergency contact details” section below for how this information is used and protected.

Sensitive (special category) data. Where you provide it, we may collect special category personal data, including but not limited to information about your religious beliefs or your physical or mental health (for example, to support pastoral care or to keep you safe at church activities).

How do we process your personal data?

We use your personal data for the following purposes:

  • To inform you of news, events, activities and services running at EGBC;
  • To enable us to provide a voluntary service for the benefit of the public;
  • To provide pastoral care to our members and attendees;
  • To administer attendance and membership records;
  • To contact your nominated emergency contact on your behalf in the event of an emergency;
  • To provide an interactive website where email is used to communicate with users;
  • To raise funds and promote the interests of the charity;
  • To manage our employees and volunteers;
  • To maintain our own accounts and records, including the processing of Gift Aid claims.

What is the lawful basis for processing your personal data?

We rely on different lawful bases depending on the purpose:

  • Consent: where you have given clear consent for a specific purpose, for example the use of your photograph in church publicity. You may withdraw your consent at any time.
  • Legitimate interests: for the general administration of the church and our relationship with you, including maintaining membership and attendance records, providing pastoral care, holding the emergency contact details you choose to give us, and sending you our news and information about church life, events and activities where you would reasonably expect this as someone connected with the church. You can opt out of communications at any time, including via the unsubscribe link in every email newsletter.
  • Legal obligation: where processing is necessary to comply with the law, for example retaining Gift Aid declarations and financial records for HM Revenue & Customs, and carrying out obligations under employment, social security or social protection law.
  • Not-for-profit bodies condition (UK GDPR Article 9(2)(d)): for special category data (such as information about religious beliefs or health), we rely on the condition for processing carried out, with appropriate safeguards, by a not-for-profit body with a religious aim, provided the processing relates only to members or former members (or those who have regular contact with the church in connection with those purposes) and the data is not disclosed to a third party without consent.

Emergency contact details

Through My ChurchSuite, you can choose to give us the name, relationship and telephone number of a next of kin or other emergency contact. We hold this information on the basis of legitimate interests – namely your interest in being helped, and your loved ones being informed, if something happens to you while you are connected with church life.

This information is treated with particular care:

  • It is visible only to you, the Trustees and the Church Administrator; it is never visible to other church members;
  • It is used solely to make contact on your behalf in a genuine emergency, and for no other purpose – your emergency contact will not be added to any mailing list or contacted for any other reason;
  • You can view, update or remove the information yourself at any time through My ChurchSuite, or by contacting the church office;
  • We ask that you let the person you have named know that you have provided their details to us and why.

Sharing your personal data – where is your data stored?

Your personal data will be treated as strictly confidential. We do not sell your data to anyone. Personal data will only be shared with other members of the church where necessary to carry out a service to other church members or for purposes connected with the church, and subject to your privacy settings.

We make use of a number of secure ‘cloud-based’ systems provided by trusted third parties (“data processors”), who process personal data on our behalf under contracts that comply with the Data Protection Legislation. Access to these systems is granted only to those within the church who need it for their role, and is removed when that need no longer exists. The systems we use are:

  • ChurchSuite – for church administration, our contact database, communications and event management. Members and regular attendees may receive a My ChurchSuite login to view and update their own details and privacy settings;
  • Mailchimp – for our email newsletter (unsubscribe at any time via the link in every email);
  • Microsoft 365 – for church email, documents and calendaring;
  • QuickBooks – for our accounting and financial records, including records of donations;
  • TotalGiving, Wonderful and SumUp – for processing online donations and card payments;
  • Barclays – for banking;
  • Thirtyone:eight – for safeguarding services, including DBS checks;
  • Church123 – for hosting our website, which we manage ourselves; website usage is analysed using Google Analytics (see the cookies section below).

For donations, unless you give cash without a Gift Aid envelope, we will store records of your transaction in order to comply with financial regulations and, where applicable, to claim Gift Aid.

How long do we keep your personal data?

We hold your data for varying lengths of time depending on the type of information, and in doing so we always comply with the Data Protection Legislation. We periodically review the information we hold and invite you to check that it is accurate. In particular:

  • Gift Aid declarations and associated paperwork are kept for up to 6 years after the calendar year to which they relate;
  • Electoral/membership records are kept while you remain a member or regular attendee, and removed within a reasonable period after you leave or ask us to remove them;
  • Emergency contact details are kept while you remain connected with the church or until you remove or replace them;
  • Marriages are registered electronically by the local register office (since 4 May 2021 churches no longer hold marriage registers); we may keep a record of marriage services conducted at the church.

Cookies

What are cookies? A cookie is a small amount of data that is sent to your browser and stored on your computer’s hard drive. Our website uses cookies to collect information about our visitors through Google Analytics. This information is processed in a way that does not identify anyone, and we do not attempt to find out the identities of those visiting our website.

How we use them. We may use cookie data to customise the content of our website and to help us understand visitors’ current and future needs.

Managing cookies. Most browsers allow you to turn off the cookie function via your browser’s help settings.

Third-party cookies. We use third-party suppliers such as Google Analytics, and these providers may set cookies. For more information about how Google Analytics uses your data, see their website. You can opt out of Google Analytics by installing their browser add-on.

Your rights and your personal data

Unless subject to an exemption under the Data Protection Legislation, you have the following rights with respect to your personal data:

  • The right to be informed about how your data is used (which this notice provides);
  • The right to request a copy of the personal data which EGBC holds about you;
  • The right to request that EGBC corrects any personal data found to be inaccurate or out of date;
  • The right to request that your personal data is erased where it is no longer necessary for EGBC to retain it;
  • The right to withdraw your consent to processing at any time, where consent is the basis we rely on;
  • The right to request that a restriction is placed on further processing where there is a dispute about the accuracy or processing of your personal data;
  • The right to object to processing carried out on the basis of legitimate interests, including the right to object at any time to your data being used for direct marketing;
  • The right to data portability – to receive personal data you have provided to us in a structured, commonly used and machine-readable format, where processing is based on consent and carried out by automated means;
  • The right to lodge a complaint with the Information Commissioner’s Office (ICO).

Complaints

If you have a concern or complaint about the way we handle your personal data, please contact us first using the details below – by email, post, telephone or in person. We take all complaints seriously: we will acknowledge receipt of your complaint within 30 days, take appropriate steps to look into it and keep you informed, and tell you the outcome without undue delay. If you remain dissatisfied, you have the right to complain to the Information Commissioner’s Office.

Further processing

If we wish to use your personal data for a new purpose not covered by this notice, we will provide you with a new notice explaining the new use before the processing begins, setting out the relevant purposes and processing conditions. Where necessary, we will seek your prior consent to the new processing.

Contact details

To exercise any of your rights, or for any queries or complaints, please in the first instance contact:

The Church Administrator (Data Privacy Contact), Esher Green Baptist Church, 6 Park Road, Esher, KT10 8NP. Telephone 01372 468255, email [email protected].

You can contact the Information Commissioner’s Office on 0303 123 1113, via ico.org.uk/global/contact-us, or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5A