1 Introduction
1.1 Kings Road Church (KRC) is committed to a policy of protecting the rights and privacy of individuals in accordance with the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018. This policy applies to all members of staff and volunteers of KRC.
1.2 KRC needs to collect certain types of information (Personal Data) about the individuals or service users (past and present) who are in contact with KRC. This policy sets out how KRC processes the Personal Data of its attendees, mission partners, suppliers, employees, workers, business contacts, service users and other third parties.
1.3 This Data Protection Policy applies to all Personal Data which must be collected and processed appropriately regardless of the media (computer database, manual filing systems, emails, CCTV records or internet logs) on which it is stored.
1.4 KRC is the Data Controller and determines what personal information it collects and for what purpose. It is therefore responsible for notifying the Information Commissioner’s Office (ICO) of the type of data it holds and for what purposes.
1.5 This Data Protection Policy sets out what is expected of you when handling Personal Data to enable KRC to comply with the applicable law. This policy also sets out your obligations with regard to any Personal Data you may have access to in the course of your day-to-day contact (voluntary or employment) with KRC. It is your duty to familiarise yourself with this policy and ask yourself how it may apply to you.
1.6 Any breach of this policy by you may result in disciplinary action (which may include dismissal). If you would like further information about any aspects of this policy, please contact the Trustees and church administrator (details below). If you consider that the policy has not been followed with respect to Personal Data about you, you should raise the matter with the Trustees and church administrator.
1.7 This policy may be amended by KRC from time.
2 Data protection principles
2.1 KRC respects the confidentiality of the Personal Data it collects and complies with the governing principles:
- Processed lawfully, fairly and transparently.
- Collected only for specific, legitimate purposes.
- Adequate, relevant and limited to what is necessary.
- Accurate, and where necessary kept up to date.
- Stored only for as long as is necessary.
2.2 Personal Data shall be processed in a manner which ensures the appropriate security of that data in accordance with the rights of data subjects under data protection legislation; appropriate technical or organisational measures shall be taken against unauthorised or unlawful processing of Personal Data and against accidental loss, destruction of, or damage to Personal Data.
2.3 Personal Data shall not be transferred to another country without appropriate safeguards in place.
2.4 Personal information should be made available to Data Subjects who are allowed to exercise certain rights in relation to their Personal Data (in a data request).
3 Fair and lawful processing
3.1 Personal Data is any information that on its own, or with other information, can be used to identify an individual.
3.2 “Special categories of Personal Data” specifically refers to information on the data subject’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health condition, sexual life, or commission or alleged commission of any offence and proceedings relating to any such offence.
3.3 “Processing” includes anything that can be done with or in relation to Personal Data. It includes obtaining, recording or holding the data or carrying out any operation or set of operations on the data including organising, amending, erasing, disclosing or consulting on it.
3.4 No Personal Data will be processed unless the requirements for fair and lawful processing can be met and no Personal Data will be processed unless the individual either gives their consent to the processing or the processing is necessary for specified reasons, such as compliance with a legal obligation, or for the purposes of legitimate interests of KRC.
4 Data Security Breach
4.1 All incidents of a data security breach must be reported to the Trustees and the Church Administrator who will record them on a central All evidence relating to the potential Personal Data breach will be logged from the date on which the breach was realised. A data security breach could be the result of sending an email to the wrong person, the loss of a laptop or the loss of files from a church laptop. Reference to the ICO’s guidance on data security breach management will be made as a guide to taking further appropriate steps. KRC is required to notify the ICO of Personal Data breaches and, in certain circumstances, the Data Subject.
5 Rights of the Individual
5.1 In accordance with the Data Protection Act and GDPR, KRC processes Personal Data in full compliance with the rights of the individual and will comply with procedures to handle requests in relation to these rights:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision making and profiling.
Contact
For any questions about this Data Protection Policy or information KRC holds about you please contact:
- By email: admin@krc.org.uk
- By phone: 01442 864393
- By post: Kings Road Church, Kings Road, Berkhamsted, Herts HP4 3BD
Additionally: If KRC has been unable to resolve a complaint, you have the right to contact the Information Commissioner’s Office on 0303 123 1113 or via email: https://ico.org.uk/global/contact-us/email at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
—
Version: 3.0
Date: 2026