Understanding the GDPR: An introduction to the right to be forgotten

12/07/2024

In the GDPR (General Data Protection Regulation), one of the key rights that you as an individual can exercise is the ‘right to erasure,’ more commonly known as the ‘right to be forgotten.’ Here's what it means for you.

What is it?

This is the right to get your data deleted. If an organisation holds personal data about you and you don’t want them to, you can contact them and request that they delete that data.

When does it apply?

While this right does not always apply (there is a set of exceptions), for churches it most likely will apply. Data held by churches is most commonly used to send communications or organise rotas. In these cases, if you hold data about someone in your church for these reasons and they request that you delete their data, you will most likely need to comply with GDPR and act upon their wishes.

If you are not sure about whether this applies to you or wish to know more about the exceptions, we recommend that you seek legal advice. 

Example scenario

Mary, who attends St. Peter’s, is moving to another country and, when she does, she will be leaving her current church. St. Peter’s currently holds her email address, phone number, home address and birthdate in their records so they can send her the church newsletter, contact her about rotas and volunteering opportunities and send her a card on her birthday.

When Mary first joined St. Peter’s, she gave consent for them to hold this data for these purposes. However, now that Mary is moving, she no longer wants to be contacted by St. Peter’s. She writes an email to St. Peter’s asking them to delete the data they hold about her as she has withdrawn her consent for them to communicate with her. The staff at St. Peter’s assess her request, see that the right to be forgotten applies in this circumstance and delete her data from their system and records.

They then confirm the deletion has occurred successfully and reply to Mary to confirm that her data has been deleted and that she will no longer receive communications from St. Peter’s in any form.

What does it mean for my church?

If you hold data about a person and they request that it be deleted from your system and/or records and the right applies in this circumstance (if in doubt, it is best to assume it does apply), then you must delete their data. You must delete it without undue delay and within one month of the date the request was first made.

Your church should already have a privacy policy in place if you collect data. Review your privacy policy to ensure it covers the right to be forgotten. Get more advice here.

How do I prepare for someone making a request to be forgotten?

Make sure you do some further reading to understand GDPR fully, so that when someone makes a request you can:

  • Know how to recognise a request to be forgotten.

  • Understand when the right applies.

  • Have a policy for how to record verbal requests (e.g. ask the individual to make a written request following their verbal request, log the verbal request in your records, etc.).

  • Understand when you may be able to refuse a request. It's important to be aware of circumstances where this would be the case and you can see the exceptions here.

  • Be aware of the information that you need to communicate to an individual if you can refuse their request. 

What should our process look like?

Processes may vary depending on each church and its governance structure, but the process should follow this arc:

Request is received -> Assess whether the right to be forgotten applies -> if yes, delete data -> confirm deletion -> inform individual that their request is granted and the data is deleted.

Your process will be different if you can refuse the request. These circumstances should be dealt with on a case-by-case basis and you may need to seek legal advice. 

Important notes:

  • You should keep written evidence of each step of your process.

  • If you receive a digital request (e.g. email, text message, Facebook message, etc.) you should confirm that the person sending the request is who they say they are, even if it looks like them. Call or speak to them face-to-face to receive confirmation before you continue the process.

  • If you receive a request and it is unclear whether they want their data completely deleted, ask them to confirm that they want to exercise their right to be forgotten. They may only want you to update their details or remove one type of information. 

How does this apply to children?

The best way to deal with this is to not collect personal data about children. However, there are circumstances in church life where it will be necessary, for example when running children’s groups or holiday clubs. If you do collect personal data about children, you must get consent from their parent or guardian to hold that data.

The right to be forgotten applies to children as well as adults. It also applies to adults whose data was collected when they were children and were not able to give proper consent.

You should treat any request for erasure relating to children very seriously. We recommend that you read more about this and seek legal advice if it applies to you. 


 - Laura Bligh, CRM & Analytics Manager