16. Sharing information with other organisations
16.1 We will only share personal data with other organisations or people when we have a legal basis to do so and if we have informed the data subject about the possibility of the data being shared (in a Privacy Notice), unless legal exemptions apply to informing data subjects about the sharing. Only authorised and properly instructed Minister and Trustees (Deacons) are allowed to share personal data with other organisations.
16.2 We will keep records of information shared with a third party, which will include recording any exemptions which have been applied, and why they have been applied. We will follow the ICO’s statutory Data Sharing Code of Practice (or any replacement code of practice) when sharing personal data with other data controllers. Legal advice will be sought as required.
17. Data processors
17.1 Before appointing a contractor who will process personal data on our behalf (a data processor) we will carry out due diligence checks. The checks are to make sure the processor will use appropriate technical and organisational measures to ensure the processing will comply with data protection law, including keeping the data secure, and upholding the rights of data subjects. We will only appoint data processors who can provide us with sufficient guarantees that they will do this.
17.2 We do not envisage appointing contractors to process personal data except on an exceptional basis.
17.3 We will only appoint data processors on the basis of a written contract that will require the processor to comply with all relevant legal requirements. We will continue to monitor the data processing, and compliance with the contract, throughout the duration of the contract.
18. Transferring personal data outside the European Union (EU)
18.1 Personal data cannot be transferred (or stored) outside of the European Union unless this is permitted by the GDPR. This includes storage on a “cloud” based service where the servers are located outside the EU.
18.2 We will only transfer data outside the EU where it is permitted by one of the conditions for non-EU transfers in the GDPR.
18.3 We do not envisage any circumstances where the Church will transfer (or store) personal data outside the EU.