DATA PRIVACY NOTICE
The Parish of St. Francis Xavier’s Gardiner Street
- Your personal data – what is it?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation or the GDPR.
- Who are we?
The Parish of St. Francis Xavier’s, Gardiner Street is the data controller (contact details below). This means it decides how your personal data is processed and for what purposes.
- How do we process your personal data?
The Parish of St. Francis Xavier’s, Upper Gardiner Street, Mountjoy, Dublin 1 complies with its obligations under the “GDPR” by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
We use your personal data for the following purposes: –
- To administer records held by us on members of the congregation;
- To fundraise and promote the interests of the parish;
- To manage our employees and volunteers;
- To maintain our own accounts and records (including the processing of donations and tax back applications);
- To inform you of news, events, activities and services running at the Parish of Francis Xavier’s, Upper Gardiner Street, Mountjoy, Dublin 1;
- To share your contact details with the Diocesan offices so they can keep you informed about news in the diocese and events, activities and services that will be occurring in the diocese and in which you may be interested.
- What is the legal basis for processing your personal data?
- Explicit consent of the data subject so that we can keep you informed about news, events, activities and services and process your donations and keep you informed about diocesan events.
- Processing is necessary for carrying out obligations under employment, financial, canon law, or other legal requirements;
- Processing is carried out by a not-for-profit body with a religious aim provided: –
- the processing relates only to members of the congregation or former members (or those who have regular contact with it in connection with those purposes); and
- there is no disclosure to a third party without consent.
- Sharing your personal data
Your personal data will be treated as strictly confidential and will only be shared with other clergy or staff of the parish for purposes connected with the parish. We will only share your data with third parties outside of the parish with your consent.
- How long do we keep your personal data?
We keep data in accordance with the guidance set out in the guide Administrative Regulations and Guidelines for Parishes for Parish Priests of the Archdiocese of Dublin.
Specifically, we retain donation declarations and associated paperwork for up to 6 years after the calendar year to which they relate and parish registers permanently (baptisms, marriages, confirmations and in some instances burials).
- Your rights and your personal data
Unless subject to an exemption under the GDPR you have the following rights with respect to your personal data: –
- The right to request a copy of your personal data which the Parish of Francis Xavier’s, Upper Gardiner Street, Mountjoy, Dublin 1 holds about you
- The right to request that the Parish of Francis Xavier’s, Upper Gardiner Street, Mountjoy, Dublin 1 corrects any personal data if it is found to be inaccurate or out of date
- The right to request your personal data is erased where it is no longer necessary for the Parish of Francis Xavier’s, Upper Gardiner Street, Mountjoy, Dublin 1 to retain such data
- The right to withdraw your consent to the processing at any time
- The right to request that the data controller provide the data subject with his/her personal data and where possible to transmit that data directly to another data controller, (known as the right to data portability), (where applicable) [Only applies where the processing is based on consent or is necessary for the performance of a contract with the data subject and in either case the data controller processes the data by automated means].
- The right where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing
- The right to object to the processing of personal data, (where applicable) [Only applies where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics]
- The right to lodge a complaint with the Data Protection Commissioner’s Office.
- Further processing
If we wish to use your personal data for a new purpose not covered by this Data Privacy Notice we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary we will seek your prior consent to the new processing.
- Contact Details
To exercise all relevant rights, queries or complaints please contact the Parish Receptionist of the Parish of St. Francis Xavier’s Gardiner Street.
You can contact the Data Protection Commissioner’s Office on 00353 57 8684800 or Lo-Call 1890 252 231 or by email at email@example.com.
The postal addresses are:
Data Protection Commissioner
R32 AP23 Co. Laois
CCTV (Closed Circuit Television) captures images of identifiable living people (data subjects), whether for security, monitoring or health and safety purposes. Identifiable imagery is considered personal data under the GDPR and therefore, at a data protection level, requires the same level of care that is paid to paper and electronic files.
“Surveillance camera system” means
(a) closed circuit television
(b) any other systems for recording or viewing visual images for surveillance purposes
(c) any systems for storing, receiving, transmitting, processing or checking images or information obtained by systems falling within paragraph (a) or (b)
(d) any other systems associated with, or otherwise connected with, systems falling within paragraph (a), (b) or (c).
The GDPR requires the processing of personal data to be lawful, fair and transparent. CCTV is in use in our parish for security purposes only.
We inform the parishioners, staff, volunteers and visitors (data subjects) of the existence of CCTV by placing signs near entrances and other areas where the cameras are located. The signs are easy to read and contain the name of the security operator and their contact details. The signs state the CCTV is being used for security purposes only.
The images are captured onto a secure server which is only accessible to the Parish Priest or those whom he authorises for security purposes. The images are deleted every 28 days. In instances where a crime has been committed the images may need to be retained longer as evidence. If An Garda Siochana ask to take copies of CCTV footage they have to provide us with a written authorisation from the local Superintendent. This ensures the chain of evidence is not compromised if the images are needed for legal purposes. It is permitted to allow An Garda Siochana to view the footage if a crime has been committed and this does not pose any data protection issue.
As with any other aspect of personal data, data subjects have a right to access any images captured of them. A Subject Access Request Form needs to be completed and if possible information should be gathered from the individual on dates/times their image may have been captured. The parish and the security operators will need to ensure that the requester is present in the footage and that by supplying the footage they do not disclose any personal data of another data subject. This may involve blurring parts of the footage such as figures or license plates.
Any act of storage or access is considered processing and it is imperative that the Parish and security operators uphold the confidentiality and integrity of any footage. Screens displaying live or recorded footage should only ever be viewed by authorised individuals and not members of the public who stray past a security guard post or CCTV operation room.
Back-up tapes/discs should be stored in a secure environment with an access log maintained. Access should be restricted to authorised personnel only. [If back-ups are being stored on the Cloud then you need to know where the Cloud data centre is based. If it is in an EU country there is no problem but if it is located outside of the European Union then you will have to get your system operators to move it].
Subject Access Request
The Parish of St. Francis Xavier’s, Gardiner Street has procedures in place to ensure that data subjects have the right of access to personal data collected concerning them and can exercise that right easily and free of charge, in order to be aware of, and verify, the lawfulness of any processing which is being conducted. The Parish must respond within one calendar month of receiving the written, valid request.
Every Data Subject has the right to know from the Data Controller:-
- Who processed their personal data
- When was it processed
- How was it processed
- Why was the data processed
- For how long was the data processed
- The recipient of the personal data
- Where applicable, the logic involved in automatic processing, including profiling and the consequences of such processing
The Data Subject is entitled to a copy of their personal information. Where a third party is processing the information on behalf of the Data Controller, the Data Controller needs to ensure the Data Processor contract covers any circumstance where the third party will be obliged to assist in responding to a Subject Access Request. There can be no delay in getting this information.
As with previous Data Protection laws some exemptions apply to Subject Access Requests.
To make a Subject Access Request the data subject must apply in writing to the Parish Priest Fr. Gerard J. Clarke sj, St. Francis Xavier’s, Upper Gardiner Street, Mountjoy, Dublin (D01 RK07), using the applicable form.
Subject Access Request Form
(Please complete in BLOCK CAPITALS)
Name & Address
Is the information about you? If yes, you will need to provide a copy of photographic ID, bearing your signature, for example, a passport or driving licence. Please do not send original documents and copies should be sent by registered post to ensure their safety.
Please describe what information you require with any additional facts that may help us with the search. This will help us greatly in responding to you in the allotted time.
Declaration to be completed by all applicants.
I, _______________________________________ (name), certify that the information given on this application to the Parish of St. Francis Xavier’s, Gardiner Street is correct. I understand that it is necessary for the Parish of St. Francis Xavier’s, Gardiner Street to confirm my identity and it may be necessary to obtain more detailed information in order to locate the correct personal data.
Signed ______________________________ Date ________________
Note: The Parish of St. Francis Xavier’s, Gardiner Street must respond to your request within one calendar month. This time frame will not begin until your identity has been established and any relevant details obtained.
Please return the completed form and any necessary documentation to the Parish Priest Gerard J. Clarke sj, St Francis Xavier’s, Gardiner Street, Dublin (D01 RK07).
Documents which must accompany this application include evidence of identity and stamped address envelope for return of the above mentioned documents. Please do not send original documents.
The Parish will process the personal information included on this form in accordance with the Data Protection Act (1988) and Amendment Act (2003) and from 25th May 2018 in accordance with the General Data Protection Regulation. The information will only be used in order to process your request, will only be shared with those who can provide the information required and will be retained no longer than is necessary.