CRS Data Protection Policy
1) Introduction
We take the privacy of your personal data very seriously and take reasonable care to comply with the requirements of the applicable laws and regulations that relate to the protection and processing of personal data and privacy in the United Kingdom (including the Data Protection Act 2018, UK GDPR and Privacy and Electronic Communication (EC Directive) Regulations 2003, all as amended, replaced, or superseded from time to time) (‘Data Protection Legislation’) including relating to the personal data you supply to be a member of Cardiff Reform Synagogue (‘CRS’, ‘our’ or ‘we’) or when you visit the CRS website. For the purpose of the Data Protection Legislation, CRS is the controller and is registered as a controller with the Information Commissioner’s Office under number ZA316359.
Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
If you have any questions about this privacy policy, including any requests to exercise legal rights, please contact us using the contact details in section 12.
2) Your Personal Data
The types of information we collect for your membership are described below. By becoming a member of CRS you consent to the collection and use of any personal data in the manner described.
When subscriptions are renewed, re-consent will be sought to ensure compliance with Data Protection Legislation. The information we gather (‘Information’) may include your name, address, email address, telephone number, level of membership and any other personal data you submit to CRS. This includes information about children under the age of 16 which we need to hold to deliver our objectives, e.g. the advancement of Judaism through educational activities.
As CRS is a constituent member of the Movement for Reform Judaism, we may wish to share your data with them so that you can be informed of national events and news. We shall only share your data with them if you have opted-in to this service. As part of your membership you are invited to opt-in to our mailing lists so that we can send you newsletters and announcements.
We may from time to time offer you the opportunity to sign up to a mailing list and/or additional newsletter, to participate in a survey or a competition and to receive information by email about third parties’ products and services or any other products and services which we provide.
We may also contact you in relation to fund-raising. You may change your options to receive these communications at any time by notifying us at dataprotection@cardiffreformsynagogue.uk. We use the Information we collect from you to keep you informed about events and activities, which we believe will be of interest to you. As an integral part of your membership we use the Information to draw up and circulate lists of names towards fulfilment of our objectives as we practice and develop Judaism, e.g. lists of yahrzeits and lists to promote the safety and security of members. As a communal organisation we have members and friends who volunteer their services to organise activities and functions. They may have access to your personal data so that they can contact you and facilitate your involvement.
Your personal data may be shared by us with external third parties who provide support integral to the provision of our goods and/or services and allow us to operate as a religious organisation such as: our cloud hosting provider; other service providers in the UK who provide IT, software and system administration services; (depending on what you have requested us to do) financial processors such as payment system providers and banks who manage direct debit payments in connection with your membership. We may also share your personal data with external third parties if we are under a duty to disclose or share personal data to comply with any legal obligation.
We endeavour to ensure that any person who has such access to your data is committed to limiting the use of your data to CRS activities and functions. We do not permit the use of your data for any purpose outside the remit of CRS. We will not sell, distribute or disclose your Information without your consent or where otherwise permitted to do so by the Data Protection Legislation. In some circumstances the law may require us to disclose special categories of personal data.
We do not generally process any special categories of personal data, meaning personal data revealing:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs or trade union membership;
- genetic or biometric data that uniquely identifies you; or
- data concerning your health, sex life or sexual orientation.
Nor do we collect data relating to criminal convictions or offences or related security measures.
However, we may process certain special categories of personal data in the event you have an accident in or near the synagogue and/or it is then logged in our accident record book.
Generally we will require your explicit consent to process such special categories of data. Otherwise, we may need to process such personal data to protect your vital interests if you are incapable of consent or to comply with specific laws requiring us to collect such personal data.
3) Updating your Information and Retention
It is important that the personal information we hold about you is accurate and current. You should keep us informed if your personal data changes during your membership or dealings with us. If any of your information is inaccurate or if it changes, please notify us by email (please see section 12).
We will retain personal data for the duration of your membership of CRS and any additional legally required period, e.g. 7 years for Charity Commission requirements and HM Revenue and Customs (HMRC) and otherwise only whilst it serves to support your membership of CRS. On termination of membership or a member’s death, the information will normally be retained for five years for demographic and statistical purposes or to ensure that we are able to assist you should you have any questions or feedback in relation to your membership or to protect, or defend our legal rights.
4) Your Legal Rights
4.1 Right of access – You have the right to receive confirmation as to whether your personal data is being processed by us, as well as various other information relating to our use of your personal data. You also have the right to access your personal data which we are processing. You can exercise this right by making contact with us directly (please see section 12). You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee to cover the costs of administration if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. The information will generally be provided within one month of the request. Should an extension of up to two months be required we will inform you of the reason.
4.2 Right to rectification – You have the right to require us to rectify any inaccurate personal data we hold about you. You also have the right to have incomplete personal data we hold about you completed, by providing a supplementary statement to us.
4.3 Right to restriction – You have the right to restrict our processing of your personal data where:
4.3.1 the accuracy of the personal data is being contested by you;
4.3.2 the processing by us of your personal data is unlawful, but you do not want the relevant personal data erased;
4.3.3 we no longer need to process your personal data for the agreed purposes, but you want to preserve your personal data for the establishment, exercise or defence of legal claims; or
4.3.4 we are processing your data on the basis of our legitimate interest and you (a) object to our processing on the basis of our legitimate interest and (b) want processing of the relevant personal data to be restricted until it can be determined whether our legitimate interest overrides your legitimate interest.
4.4 Where any exercise by you of your right to restriction determines that our processing of particular personal data is to be restricted, we will then only process the relevant personal data in accordance with your consent and, in addition, for storage purposes and for the purpose of legal claims.
4.5 Right to data portability – You have the right to receive your personal data in a structured, standard machine-readable format and the right to transmit such personal data to another controller.
4.6 Right to erasure – You have the right to require we erase your personal data which we are processing where one of the following grounds applies:
4.6.1 the processing is no longer necessary in relation to the purposes for which your personal data was collected or otherwise processed;
4.6.2 our processing of your personal data is based on your consent, you have subsequently withdrawn your consent and there is no other legal ground we can use to process your personal data;
4.6.3 you object to the processing of your personal data that is undertaken using legitimate interests as the legal basis for processing and we have no overriding legitimate interest for our processing;
4.6.4 the personal data have been unlawfully processed; and
4.6.5 the erasure is required for compliance with a law to which we are subject.
4.7 Right to object – You have the right to object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
4.8 You have the right to lodge a complaint with the Information Commissioner’s Office, the supervisory authority for data protection issues in England and Wales.
5) Links to Third Parties’ Sites
We may provide links to other websites. If you follow a link to any of these websites, please note that you have left our website and these websites have their own privacy policies. Before you supply any personal information to any other website, we recommend that you check their privacy policy. We do not accept responsibility for the protection of any data you supply to other sites.
6) Cookies
6.1 Our website uses cookies to distinguish you from other users of our website. This helps us to give you a better experience when you browse our website and to monitor how you are using the website, as this will help us make improvements for the future. By continuing to browse the website, users are agreeing to our use of cookies.
6.2 A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer. We only use (and store) non-essential cookies on your computer’s browser or hard drive if you provide your consent.
Cookie | Purpose | Expiration | More information |
---|---|---|---|
cookielawinfo-checkbox-necessary | This cookie is used to record the user consent for the cookies in the “Necessary” category. | 1 year | Set by the GDPR Cookie Consent plugin |
cookielawinfo-checkbox-functional | This cookie is used to record the user consent for the cookies in the “Functional” category. | 1 year | Set by the GDPR Cookie Consent plugin |
cookielawinfo-checkbox-performance | This cookie is used to record the user consent for the cookies in the “Performance” category. | 1 year | Set by the GDPR Cookie Consent plugin |
cookielawinfo-checkbox-analytics | This cookie is used to record the user consent for the cookies in the “Analytics” category. | 1 year | Set by the GDPR Cookie Consent plugin |
cookielawinfo-checkbox-advertisement | This cookie is used to record the user consent for the cookies in the “Advertisement” category. | 1 year | Set by the GDPR Cookie Consent plugin |
cookielawinfo-checkbox-others | This cookie is used to record the user consent for the cookies in the “Others” category. | 1 year | Set by the GDPR Cookie Consent plugin |
6.3 You may refuse to accept cookies by activating the setting on your browser which allows you to refuse the setting of cookies, but if you do so, parts of the website may not work correctly and you may not be able to access all or parts of our website. Find out how to disable/enable cookies by clicking on the “Manage Cookies” section of the Interactive Advertising Bureau UK website on the following link, https://allaboutcookies.org. To opt out of being tracked by Google Analytics across all websites visit https://tools.google.com/dlpage/gaoptout.
For further information about how to restrict, remove, and refuse to accept cookies, visit www.aboutcookies.org or www.allaboutcookies.org. If you still require more information and to find out more about cookies and Google Analytics read information and advice for members of the public regarding Cookie Laws on the UK Government’s Information Commissioner’s Office website.
6.4 Unless you have adjusted your browser settings so that it will refuse cookies, or confirmed to us that you do not accept our cookies, our system will issue cookies when you visit our website.
6.5 Except for essential cookies, all cookies will expire as outlined under the expiration column included in section 6.2.
7) Internet and Data Storage
The CRS website uses a security system that protects your Information from unauthorised use. However, as no data transmissions over the Internet can be guaranteed to be secure, we cannot take responsibility for any unauthorised access or loss of personal data that is beyond our control, e.g. whilst in transit. Any data you send is at your own risk; we cannot guarantee the security of your data transmitted to our website.
We have appropriate procedures and security features in place to keep your data secure once we receive it. Your data is held in the UK only and only shared with the third parties mentioned in sections 2 and 3 above. Please remember that other methods of Internet communication, such as emails and messages sent via a website, are not secure, unless they are encrypted. We take no responsibility for any unauthorised access or loss of personal information that is beyond our control.
8) Complaints about your personal data
When we receive a complaint from a person we shall make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint. The complaint will be allocated to Council of CRS to investigate. We will only use the personal data we collect to process the complaint and to check on the level of service we provide. We may have to disclose the complainant’s identity to a person or persons who might have been responsible for the alleged breach. This may be necessary when, for example, the accuracy of a person’s record is in dispute. If a complainant does not want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis. We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for two years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
9) Data Breach
In the event of a personal data breach, CRS will adhere to the mandatory regulation to report it to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the personal data breach unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. High-risk situations would be where there is the potential of people suffering significant detrimental effect such as discrimination, damage to reputation, financial loss, or any other significant economic or social disadvantage. We shall notify the relevant supervisory authority about a loss of personal details where the breach leaves individuals open to identity theft.
11) Changes to Privacy Policy
Our Privacy Policy may change from time to time. The latest version will be published on the CRS website. Please check back frequently to see any updates or changes to our Privacy Policy.
12) CONTACT
Questions, comments and requests regarding this privacy policy are welcomed.
You can contact us by: emailing dataprotection@cardiffreformsynagogue.uk; or writing to us at Cardiff Reform Synagogue, Moira Terrace, Cardiff, CF24 0EJ.
This privacy policy was last updated on 26th July 2022.