This procedure covers all personal data that is processed by Unity Church, Orpington, except for personal data that is routinely requested by data subjects.
Note: a data subject is a person whose data is processed by Unity Church Orpington. For ease of reading this document and others within the GDPR regulations we will refer to a data subject as a person or anyone or everyone.
It is the right of anyone to ask Unity Church, Orpington the following:
- What personal data Unity Church, Orpington is being processed about that person, if any;
- To be provided with a description of the personal data processed Unity Church, Orpington about that person;
- The purpose or purposes for which the personal data is being processed;
- Confirmation of who will have access to the personal data; and
- To be provided with a copy of the personal data, as well as a confirmation of where Unity Church, Orpington acquired that personal data.
All SARs are made using form Subject Access Request Form (see form below).
The person is required to provide evidence of his or her identity by way of a current passport or driving license and his or her signature must be cross-referenced with the signature provided on the Subject Access Request form.
The following information must be provided by the data subject on the Subject Access Request Form: the personal data that is being requested, whether specific data or all data held by Unity Church, Orpington and where it is being held.
Unity Church, Orpington is required to record the date on which the Subject Access Request Form, with the accompanying identification evidence, is submitted.
Unity Church, Orpington has one month from this date to provide to the data subject the personal data requested. Should Unity Church, Orpington fail to provide the requested information, within the one-month window, this shall be in direct breach of the GDPR. No extension shall be allowed under any circumstances.
At no time may personal data ever be altered or destroyed to avoid disclosure.
The Unity Church, Orpington trustees and directors are responsible for the following:
- Keeping a record of all SARs made, including the date on which the SAR was received;
- Reviewing all the documents provided to a person pursuant to a SAR to check for the mention of any third parties and if a third party is mentioned, to prevent the disclosure of the identity of the third party to the data subject, or to seek written consent from the third party as to the disclosure of their identity.
3.1 Personal data exemption categories
The following data exemption categories apply, meaning that Unity Church, Orpington does not have to provide personal data covered below:
- The prevention and detection of crime;
- Negotiations with the data subject request maker;
- Management forecasts;
- Confidential references provided by Unity Church, Orpington however not references provided to Unity Church, Orpington
- Data covered by legal professional privilege;
- Data used for research, statistical or historical reasons.
4. Document owner
The data controller is the owner of this policy document and must ensure that it is periodically reviewed according to the review requirements contained herein.
This policy document was approved by Unity Church, Orpington’s Board of Trustees and Directors and is issued by the Chair on a version-controlled basis.