Privacy Notice

Introduction

The Diocese of Arundel and Brighton (the "Diocese") is a charity registered with the Charity Commission in England and Wales. Charity number: 252878. Registered address: The St. Philip Howard Centre, 4 Southgate Drive, Crawley, RH10 6RP.

References to 'we' and 'us' mean the Diocese.

When you provide us with personal data in order to engage with us or benefit from our activities, we will keep a record of the data you give to us in order to comply with our statutory obligations and to achieve our charitable objects of advancing and maintaining the Roman Catholic religion.

For the purpose of the General Data Protection Regulation 2016/679 (GDPR), the Diocese through its Trustees will be a Data Controller in respect of your personal data. Please be aware that our parishes form part of the Diocese and are not separate legal entities. Parishes are not Data Controllers nor do they process personal data on behalf of the Diocese as a Data Processor.

The Diocese is committed to ensuring that personal data is properly and securely managed in accordance with applicable data protection laws. This Notice applies to information about living identifiable individuals only.

What personal data do we hold about you?

We may hold the following types of personal data:

• Name and contact details
• Gender, age, date of birth, marital status and nationality
• Information about your education, work history and professional qualifications
• Information about your family and any dependants
• Information about your current involvement in Diocese activities and events
• Financial information (e.g. bank details) and details of any donations you have made
• Information obtained as a result of any background checks on volunteers
• CCTV recordings and photographs
• Information collected through your use of our website(s), such as IP addresses and cookies
• Any other information you choose to provide or that we receive from others

We may also hold Special Categories of personal data, including information about religious beliefs, health and wellbeing, racial or ethnic origins, sexual orientation, or criminal records.

We may receive personal data about you from third parties, for example family members, other parishioners, other dioceses, medical professionals, or law enforcement.

Dealing with reports of abuse

We take all reports of abuse in the Diocese very seriously. If a report is made, we will handle it in accordance with our established safeguarding procedures. This may involve processing personal information about victims and survivors, alleged perpetrators and witnesses. Where necessary, we will share personal information with appointed investigators or assessors and with statutory authorities. We have prepared a separate privacy notice for victims and survivors. To make a report of abuse, please contact our Safeguarding Office at safeguarding@abdiocese.org.uk.

How and why do we process your personal data?

Personal data we hold may be processed in a number of ways, including:

• To communicate with you about news, activities and events in the Diocese or any Diocesan parish
• To improve our activities and communications, including our website
• To carry out our activities, from weddings and funerals to general pastoral and spiritual care
• To process donations or other payments (e.g. facility hire)
• To administer, support, improve and develop Diocesan and parish administration and records
• To process applications, including grant applications and applications for roles within the Diocese
• For audit and statistical purposes (e.g. for the annual audit by the Bishops' Conference of England and Wales)
• To comply with our legal obligations (e.g. providing information to the Charity Commission or HMRC, or carrying out safeguarding activities)
• In the case of CCTV, to prevent or detect crime and to help create a safer environment
• To address and respond to reports of abuse in accordance with our safeguarding procedures
• To address and respond to complaints in accordance with our complaints policy

Information gathered through cookies on the Diocesan or parish website is used to analyse visits and improve the website. We will not use this data to identify you personally or make decisions about you.

On what grounds do we process your personal data?

We must have a lawful basis for processing your information. Typical examples include:

• Legitimate interests — advancing and maintaining the Roman Catholic religion, providing information about Diocesan activities, and raising charitable funds
• Consent — where you have given consent (which can be withdrawn at any time) to receive marketing or fundraising communications
• Contract — where processing is necessary for steps prior to entering into a contract, e.g. a facility hire agreement
• Legal obligation — where we are required to pass information to a local authority for safeguarding or other reasons
• Public task — where processing is necessary for a task in the public interest, e.g. maintaining the register of marriages
• Vital interests — to protect your vital interests, e.g. passing information to the NHS if you were taken ill on our premises

Where we process Special Categories of personal data, we must have a further lawful basis, such as explicit consent, vital interests, your having made the information public, the establishment or defence of legal claims, or substantial public interest.

Where we process personal data comprising criminal convictions or offences, further bases apply, including safer recruitment obligations, prevention or detection of unlawful acts, safeguarding, or your explicit consent.

Who will we share your information with?

We will only use your personal data within the Diocese for the purposes for which it was obtained, unless you have explicitly agreed otherwise or we are permitted or required to by law.

We may share your information with:

• Other members of the Church and ecclesiastical bodies as permitted under Canon Law
• Government bodies for tax purposes or law enforcement agencies for the prevention and detection of crime
• The Charity Commission and, for safeguarding matters, the Catholic Safeguarding Standards Agency
• Our insurers (the Catholic Insurance Service Ltd) and legal advisors where relevant — see their privacy notice at catholicinsuranceservice.co.uk/privacy
• Appointed investigators or assessors in the event of a safeguarding report, and with statutory authorities where necessary
• Third-party data processors we contract with (e.g. IT consultants, newsletter distributors) who are required to comply strictly with our instructions and GDPR
• HMRC, where you have made a Gift Aid nomination

We have administrative, technical and physical measures in place to guard against loss, misuse or unauthorised disclosure of personal data.

Where transfers outside the UK are necessary, we take steps to ensure compliance with GDPR and appropriate protection of your data.

How long will we keep your information?

Your information will be kept in accordance with our Retention & Disposal of Records Policy, available at www.abdiocese.org.uk. We will only keep personal data for as long as necessary and delete it when it is no longer required.

Your rights

You have the following rights in respect of personal data we hold about you:

• The right to request a copy of the personal data we hold about you (free of charge)
• The right to withdraw consent where processing is based on consent
• The right to ask that inaccuracies in your personal data are corrected
• The right to restrict our processing of your personal data
• The right to ask that we delete your personal data where there is no compelling reason for us to continue processing it
• The right to object to processing for direct marketing purposes
• The right not to be subject to significant decisions made solely by automated processes

These rights may be limited in certain situations — for example, where we have a legal requirement to retain data. We may also ask for proof of identity before fulfilling a request.

Rights may only be exercised by the individual whose data is held, or with that individual's express permission. Children from around 12 years upwards may make their own requests where we reasonably consider they have an appropriate understanding of the request.

Changes to this notice

We may make changes to this notice from time to time as our practices or applicable laws change. We will not use your personal data in ways inconsistent with the original purpose(s) for which it was collected without notifying you in advance wherever possible.

Contact details

If you have any questions, wish to exercise any of the above rights, or would like to make a complaint about the use of your information, please contact:

Data Protection Officer The St Philip Howard Centre 4 Southgate Drive Crawley RH10 6RP

Email: DPO@abdiocese.org.uk Telephone: 01293 651145

If you have unresolved concerns, you also have the right to complain to the Information Commissioner's Office (ico.org.uk).

Cookies

Cookies are small text files placed on your device when you visit a website. They are sent back to the website's server on each subsequent visit, allowing it to recognise your device.

We may use the following cookies:

• Google Analytics — used in anonymous form to understand traffic patterns and improve the website. This does not identify you personally.
• Privacy preferences — a cookie to remember your cookie preferences.
• Event registration — where you register for parish events, an essential cookie may be placed on your device by our database.

To opt in or out of cookies, use your browser settings. You can review your preferences at any time. Essential cookies required for delivery of the website cannot be opted out of.

For further information about cookies, visit allaboutcookies.org or youronlinechoices.eu. If you have questions, email itsupport@abdiocese.org.uk.

Glossary

Data Controller — a person, organisation or body that determines the purposes and manner of processing personal data, and is responsible for complying with data protection laws.

Data Processor — a person, organisation or body that processes personal data on behalf of and on the instruction of the Diocese.

Data Subject — a living individual about whom personal data is processed and who can be identified from that data.

Personal Data — any information relating to a living individual who can be identified from it. Can be factual (name, address, date of birth) or an opinion (e.g. a performance appraisal).

Processing — any activity involving personal data: obtaining, recording, holding, organising, amending, retrieving, using, disclosing, erasing or destroying it. Includes transferring data to third parties.

Special Categories of Personal Data — information about racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexuality, genetic data or biometric data. Can only be processed under strict conditions.

This policy is due for review by the end of October 2026.