Back to Home

GDPR Compliance

Last updated: January 1, 2025

Effective date: January 1, 2025

1. GDPR Overview

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. Church Compliance Manager is committed to full GDPR compliance and protecting the rights of EU data subjects.

2. Our Role Under GDPR

Church Compliance Manager typically acts as a Data Processor when processing personal data on behalf of our customers (churches and religious organizations), who act as Data Controllers. In some cases, we may act as a Controller for our own legitimate business purposes.

3. Legal Basis for Processing

We process personal data under the following legal bases:

  • Contract (Article 6(1)(b)): Processing necessary for contract performance
  • Legitimate Interest (Article 6(1)(f)): For service improvement and security
  • Legal Obligation (Article 6(1)(c)): For compliance with legal requirements
  • Consent (Article 6(1)(a)): For marketing communications (where applicable)

4. Data Subject Rights

Under GDPR, individuals have the following rights:

4.1 Right of Access (Article 15)

  • Right to know what personal data we process
  • Right to receive a copy of personal data
  • Right to know the purposes and legal basis of processing

4.2 Right to Rectification (Article 16)

  • Right to correct inaccurate personal data
  • Right to complete incomplete personal data

4.3 Right to Erasure (Article 17)

  • Right to deletion when data is no longer necessary
  • Right to withdrawal of consent
  • Right to object to unlawful processing

4.4 Right to Restrict Processing (Article 18)

  • Right to limit processing under certain circumstances
  • Right to pause processing while disputes are resolved

4.5 Right to Data Portability (Article 20)

  • Right to receive personal data in a structured format
  • Right to transmit data to another controller

4.6 Right to Object (Article 21)

  • Right to object to processing based on legitimate interests
  • Right to object to direct marketing

5. Exercising Your Rights

To exercise your GDPR rights, please contact us at:

  • Email: gdpr@churchcompliancemanager.com
  • Subject Line: "GDPR Rights Request"
  • Include: Your full name, email address, and specific request

Response Time: We will respond to your request within 30 days (extendable to 60-90 days for complex requests).

6. Data Processing Activities

6.1 Categories of Personal Data

  • Identity data (name, username, title)
  • Contact data (email address, telephone numbers, addresses)
  • Technical data (IP address, browser type, time zone)
  • Usage data (information about how you use our service)
  • Marketing data (preferences for receiving communications)

6.2 Sources of Personal Data

  • Directly from data subjects
  • From our customers (as data controllers)
  • From publicly available sources
  • From analytics providers

7. International Transfers

When we transfer personal data outside the EEA, we ensure adequate protection through:

  • Adequacy Decisions: Transfers to countries with adequate protection
  • Standard Contractual Clauses: EU Commission approved contracts
  • Binding Corporate Rules: Internal data transfer agreements
  • Derogations: Specific situation exemptions under Article 49

8. Data Retention

We retain personal data only for as long as necessary:

  • Account Data: Until account deletion + 30 days
  • Compliance Records: As required by applicable regulations
  • Log Data: Maximum 12 months
  • Marketing Data: Until consent withdrawal + reasonable period

9. Data Protection by Design and Default

We implement data protection principles through:

  • Privacy impact assessments for new features
  • Data minimization in collection and processing
  • Purpose limitation and storage limitation
  • Transparency and accountability measures
  • Technical and organizational security measures

10. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee GDPR compliance:

  • Email: dpo@churchcompliancemanager.com
  • Role: Monitor compliance, provide advice, act as contact point
  • Independence: Reports directly to senior management

11. Data Breach Procedures

In case of a personal data breach:

  • Detection: Automated monitoring and incident response
  • Assessment: Risk assessment within 24 hours
  • Notification to Supervisory Authority: Within 72 hours (if required)
  • Notification to Data Subjects: Without undue delay (if high risk)
  • Documentation: Full incident records maintained

12. Automated Decision Making

We do not engage in automated decision-making or profiling that produces legal effects or similarly significant effects for individuals.

13. Children's Data

Our service is not directed at children under 16. We do not knowingly collect personal data from children without appropriate parental consent.

14. Supervisory Authority

You have the right to lodge a complaint with your local data protection authority. For EU residents, you can find your local authority at:

15. Changes to GDPR Compliance

We regularly review and update our GDPR compliance measures. Significant changes will be communicated to data subjects and made available on this page.

16. Contact Information

For GDPR-related questions or concerns:

  • General Inquiries: gdpr@churchcompliancemanager.com
  • Data Protection Officer: dpo@churchcompliancemanager.com
  • Address: [Your Business Address]
  • Phone: [Your Phone Number]