Privacy Policy

COVID-19 Privacy Notice

Online List of Clergy, Staff and Visitors to Church buildings


This notice explains how information about you will be used temporarily by the PCCs of Elstead, Thursley, Shackleford and Peper Harow during the Covid-19 pandemic crisis so we can take your booking and at the same time put in place a list of clergy, staff and visitors to the church building/s, as requested by the Government in support of NHS Test and Trace.


  1. Who we are

The PCCs of Elstead, Thursley, Shackleford and Peper Harow, The Rectory, Thursley Rd, Elstead, GU8 6DG are the data controller (contact details in section 7. below).  This means we decide how your personal data is used and why.


  1. The information we collect about you and why we need it

We collect your data in order to process your booking of a visit to the [St James or St Michael’s or St Nicholas or St Mary’sq.  However, we are also collecting your data for the purpose of supporting NHS Test and Trace, as requested by the Government.


Although we may have your contact details already the Covid-19 pandemic has created a unique situation and additional reasons for us to collect the name and contact telephone number of all clergy, staff and visitors who use/visit our church building/s in order to support NHS Test and Trace.


This is specifically in relation to contact tracing, which is the process of identifying, assessing, and managing people who have been exposed to a disease to prevent onward transmission and the investigation of local outbreaks.

In summary, Test and Trace:

  • provides testing for anyone who has symptoms of coronavirus to find out if they have the virus;
  • gets in touch with anyone who has had a positive test result to help them share information about any close recent contacts they have had; and
  • alerts those contacts, where necessary, and notifies them they need to self-isolate to help stop the spread of the virus.

This is voluntary, and you can opt out of letting us share your details with NHS Test and Trace.  We will still accept your booking.


  1. Lawful basis

We will use your information lawfully, as explained below:

  • Consent – We need your consent in order to collect your name and contact details to process your booking, and to share this with NHS Test and Trace if requested. You will give us your consent by providing your details by completing the on-line booking.
  • Explicit consent – We need your explicit consent to collect your data on the basis that you may have revealed a religious belief by using/visiting our church building/s. You will give us your explicit consent by completing the on-line booking and opting in/indicating “Yes” where requested, or “No” if you do not want us to share you data with Test and Trace.

You can withdraw your consent at any time after giving your details by letting us know you no longer want us to keep or share your personal data for the  purpose of Test and Trace, however, once we have given your details to Test and Trace we will no longer be able to prevent processing.  To contact us, please see our contact details at 7. below.  We will continue to process your booking data, unless told otherwise.


  1. Sharing your data

Personal data that is collected for bookings will be used only to share with NHS Test and Trace if requested. It will not be used for other purposes outside of those specified in this Privacy Notice.


  1. Data Retention

We will keep your name and contact details for 21 days and will dispose of it after this period.


  1. Your Legal Rights

Unless subject to an exemption under the GDPR or DPA 2018, you have the following rights with respect to your personal data: –

  • The right to be informed about any data we hold about you;
  • The right to request a copy of your personal data which we hold about you;
  • The right to withdraw your consent at any time, while the church body still has your data;
  • The right to request that we correct any personal data if it is found to be inaccurate or out of date;
  • The right to request your personal data is erased where it is no longer necessary for us to retain such data;
  • The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
  • The right to obtain and reuse your personal data to move, copy or transfer it from one IT system to another. [only applicable for data held online]
  1. Complaints and queries

If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact us using the details set out below.

Revd Hannah Moore

If you do not feel that your complaint has been dealt with appropriately, please contact Revd Hannah Moore

You also have the right to lodge a complaint with the Information Commissioners Office. You can contact the Information Commissioners Office on 0303 123 1113 or online: or

Your Privacy: Our General Data Protection Regulation Compliance Statement

We are committed to safeguarding and preserving the privacy of our visitors. This is a statement of the Data Protection compliance policy that is adopted for delivering our services.

We will, when delivering our services, collect and use personal information only which is relevant to the work that we are undertaking and which will be controlled, stored and processed in accordance with the General Data Protection Regulations (GDPR), however it is collected, recorded and used; whether it be on paper, in electronic media form (e.g. in a computer system), or recorded by other means.

We consider the lawful and correct treatment of personal information by the churches as critical in maintaining the confidence of our community; we therefore manage and process personal information lawfully and correctly.

We will review and update this Policy from time to time so please do check back.

What is personal information?

Information is defined under the GDPR as being Personal Information if any of the following criteria are met:

    • Can a living individual be identified from the data, or, from the data and other information in the possession of, or likely to come into the possession of, the data controller?
    • Does the data relate to the identifiable living individual, whether in their personal or family life, business or profession?
    • Is the data obviously about a particular individual?
    • Is the data linked to an individual so that it provides particular information about that individual?
    • Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual?
    • Does the data have any biographical significance in relation to the individual?
    • Does the data focus or concentrate on the individual as its central theme rather than on some other person, or some object, transaction or event?
    • Does the data impact or have the potential to impact on an individual, whether in a personal, family, business or professional capacity?

We adhere to the Principles of Data Protection, as set out in The Data Protection Act 2018 and the General Data Protection Regulations (GDPR) 2018.

Principles of collecting personal data

Specifically, these Principles require that personal information:

    • Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met.
    • Shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
    • Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
    • Shall be accurate and, where necessary, kept up to date.
    • Shall not be kept for longer than is necessary for that purpose or those purposes.
    • Shall be processed in accordance with the rights of data subjects under the Act.
    • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
    • Shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Collection of data

We will, through appropriate management and by strict application of criteria and controls:

    • Observe fully the conditions regarding fair collection and use of information.
    • Meet its legal obligations to specify the purposes for which information is used.
    • Collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements.
    • Ensure that the quality and accuracy of information used is adequate and is maintained.
    • Apply strict checks to determine the length of time information is held and that it is stored for no longer than is necessary.
    • Ensure that the rights of people about whom information is held are able to be fully exercised under the Act and Regulations. These include: the right to be informed that processing is being undertaken, the right of access to one’s personal information, the right to prevent processing in certain circumstances and the right to correct, rectify, block or erase information.
    • Take appropriate technical and organisational security measures to safeguard personal information.
    • Ensure that personal information is not transferred abroad to countries to which transfers are not permitted under the GDPR.

Storing of personal data

All information storage and processing systems used by us are designed to ensure that:

    • Everyone handling, managing and working with personal information understands that they are responsible for following the GDPR and good data protection practice.
    • Everyone handling, managing and working with personal information is appropriately trained to do so.
    • Everyone handling, managing and working with personal information is appropriately supervised.
    • Anyone wanting to make enquiries about personal information knows how to do so.
    • Queries about personal information are promptly and courteously dealt with, in accordance with the GDPR.
    • Methods of handling, managing and working with personal information are clearly described.
    • A regular review and audit are made of the way personal information is managed.
    • Methods of handling, managing and working with personal information are regularly reviewed, assessed and evaluated.
    • The performance of the methods and process is regularly reviewed, assessed and evaluated.


GDPR Compliance Policy for Marketing and General Information

Information processing – General

We do not undertake automated decision making about or profiling of personal data.

Data subjects have a right, as set out in the GDPR, to obtain the personal information which is stored and used by us and can obtain this information by contacting the Data Protection Officer whose details are given in this document. The data comprising the personal information will be delivered to the data subject in a secure manner and in a format which is readily accessible using common proprietary data access tools (such as word processor document or spreadsheet viewer programs).

Unfortunately, the sending of information via the internet is not totally secure and on occasion, such information can be intercepted. We cannot guarantee the security of data that you choose to send us electronically, sending such information is entirely at your own risk.

What information we collect

We acquire and use information relating to commercial organisations and individuals for use in our marketing activities; some of this information is supplied directly when providing services or when contacting us for the purposes of making an enquiry.

We also obtain information by recording how persons use our websites by means of embedded technology such as cookies, and by receiving written enquiries and usage data from relevant forms hosted on our website.

If you are requested by us to provide your personal data, you may of course decline to do so. However, if you do choose not to provide data that is necessary to enable us to provide a service to you, we may not be able to deliver that service to you.

The information that we obtain may be dependent upon the nature and context of your enquiry. The information that we collect can include the following:

Name and contact data

We collect your first and last name, postal address, phone number and e-mail address.

Demographic data

We may on occasion collect data about you such as your profession, country and preferred language.

Location data

Our online services may obtain imprecise location data: e.g. a location derived from your IP address or data, that indicates where you are located with low precision, such as at a city or postcode level.


We may collect the content of any data files and communications that you may send us, together with any physical documents that you may give us when these are necessary to provide you with the service. Data we collect may include:

    • the address, subject line and body of an email,
    • text or other content of an instant message,
    • audio and video recording of a video message or attachment, and
    • audio recording and transcript of a telephone call or voice message you send to us or receive from us.

What we use the data we collect for

We use the information that we collect from you to provide our services to you. In addition to this we may use the information for one or more of the following purposes:

    • To provide information to you that you request from us relating to our activities.
    • To provide information to you relating to other information that may be of interest to you. Such additional information will only be provided where you have consented to receive such information.

For information about how to manage, edit or to delete contact data which contains your personal information, please see the How to access & control your personal data below.

How to access and control your personal data

You can submit a request to view, edit or delete any personal data that we hold.

You may do so by submitting a request in writing; we will respond to requests to access or delete your personal data within 30 days.

Your marketing choices

You may opt out of receiving marketing information by unsubscribing using the link incorporated into all our e-mail communication.

Disclosing your information

We will not disclose your personal information to any other party other than in accordance with this Privacy Policy and in the circumstances detailed below:

    • Where we are legally required by law to disclose your personal information.
    • To further fraud protection and reduce the risk of fraud.

Third party links

On occasion, we include links to third parties on this website. Where we provide a link it does not mean that we endorse or approve that site’s policy towards visitor privacy. You should review their privacy policy before sending them any personal data.

Contacting us

In accordance with the Data Protection Act 2018, you have the right to access any information that we hold relating to you by making a Subject Access Request to our Data Protection Officer. You may also contact them with any enquiry relating to data protection.