Data privacy

DATA PRIVACY NOTICE

Based on the applicable Swiss law on the protection of personal data (the ‘Swiss Data Protection Act’), this notice sets out the Data Privacy Policy (the ‘Policy’) of the English-Speaking Congregation of the Evangelical Lutheran Church of Geneva, established in Geneva, Switzerland (the ‘Church’). This notice will be updated as necessary.

DEFINITIONS

Personal data
‘Personal data’ is all information relating to an identified or identifiable person (the ‘data subject’). Identification can occur through the information alone, or in conjunction with any other information under, or likely to become under, the control of the data controller (as defined below). Examples of personal data are a data subject’s name, postal or email addresses.

Data controller
The ‘data controller’ is the person that determines the purpose(s) for which, and the way in which personal data is processed. The Church acts as data controller in relation to the personal data that it processes.

Processing of personal data
‘Processing of personal data’ is any action involving personal data, including collecting, using, transmitting, storing, archiving, or deleting personal data.

PRINCIPLES

  1. What personal data does the Church process?

1.1 As the data controller, the Church processes personal data regarding the following categories of individuals:

  • Members and former members, including donors;
  • Applicants to any positions, and current and former staff and volunteers; and:
  • Individuals requesting that the Church hosts a baptism, confirmation, wedding, blessing, funeral, or other event.

1.2 The Church processes the following categories of personal data:

  • For all categories of individuals: contact details, such as postal address, email address and phone numbers; personal details, such as first and last name and, depending on the category, nationality, date of birth, and home congregation;
  • For donors: financial information;
  • For staff: health and social insurance information, pension fund information, bank details and tax information;
  • For persons working with children: copies of background checks as mandated by the Church’s safeguarding policy;
  • In the context of the hosting of events: the information set out in the registers of baptisms, confirmations, weddings, funerals, and other events; and
  • In the context of Church services, meetings and activities, and the hosting of events: images and audio-visual recordings.
  1. Where does the personal data come from?

Except for images and audio-visual recordings, which are collected and produced by staff and members of the Church’s outreach team, the personal data processed by the Church is provided by the data subjects.

  1. For what purposes does the Church process personal data?

The Church processes personal data to:

  • Announce, hold and transmit Church services, meetings, and activities;
  • Manage relationships with and between members and former members;
  • Enable the Church to assist the local community;
  • Plan and manage the Church’s resources;
  • Fulfil financial obligations towards staff and other counterparties;
  • Host events;
  • Maintain historical records;
  • Provide competent bodies with information about the staff, officers and other persons carrying out specific duties for the Church.

  1. On what legal basis does the Church process personal data?

The legal basis for the processing of personal data is the consent, which is obtained prior to the collection of personal data, by way of the membership form, the documentation related to the event concerned, or other dedicated documentation, such as the job application form.

Specifically, with respect to the processing of personal data of the staff, the legal basis is the performance of the agreement entered into with the data subject concerned, and the legal obligations applicable to the Church, in particular with respect to social insurance and taxation.

Under the Swiss Data Protection Act, in addition to consent and legal obligations, the Church may process personal data based on an overriding interest of the Church. Please note, however, that the Church will in any event not collect or otherwise process personal data through images and audio-visual recordings of a readily identifiable individual without his/her consent.

  1. How does the Church process personal data?

The processing of personal data is made only for, and consistent with, the purposes listed in response to Question 3 above.

The Church applies good faith and proportionality as part of the processing of personal data, including in determining retention periods. The Church takes the technical and organisational measures that are necessary for ensuring that personal data is stored, processed, transferred and, where applicable, destroyed or deleted, in a secure manner. The Church performs ad-hoc and periodic checks to make sure personal data is accurate and up-to-date and, where applicable, takes corrective action.

  1. Does the Church transfer personal data to third parties outside of Switzerland?

The Church transfers personal data to members residing outside Switzerland, principally in France, for the purpose of managing relationships with and between members and former members.

The consent forms of the Church acknowledge that in some instances, personal data are transferred to recipients located in a country outside Switzerland that may not necessarily provide for a level of data protection equivalent to the Swiss rules.

The Church relies on the following tools, which are operated by service providers located in the United States:

  • Images are stored in Google Photos;
  • Images and audio-visual recordings are posted on YouTube, Vimeo and Facebook;
  • Email addresses of data subjects who signed up to be included in its mailing list, announcing the services, meetings, and activities of the Church to such data subjects, are uploaded in MailChimp; and
  • The Church’s website is hosted by the WordPress platform.

  1. How long does the Church keep personal data?

The Church keeps personal data for no longer than necessary to fulfil the purpose for which the personal data was collected. However, the Church may retain personal data for a longer period of time, due to specific statutory retention periods and for purposes of historical record keeping (for example as regards the registers of baptisms, confirmations, weddings, blessings, funerals, and other events).

  1. What are the data subject’s rights in respect of his/her personal data?

Subject to the provisions of applicable law, a data subject may request access to and rectification or erasure of his/her personal data, request the restriction of, and object to, the processing of his/her personal data and exercise his/her right to data portability. If the processing of personal data by the Church is based on the consent of the data subject, the data subject has the right to withdraw his/her consent. Additionally, the data subject may lodge a complaint with the data protection authority of the place of his/her habitual residence or place of the alleged infringement if the data subject considers that the Church has not given an adequate response to his/her request.

The competent authority in Switzerland for data privacy matters is the Federal Data Protection and Information Commissioner, located at Feldeggweg 1, 3003 Berne (https://www.edoeb.admin.ch/edoeb/en/home.html).

  1. Contact details for questions and concerns

The Church makes every effort to engage responsibly in all matters concerning data privacy. Should you nevertheless have a question or concern with respect to the data processing activity of the Church, kindly contact office@genevalutheran.ch, so that the Church may properly follow up.

Revised July 2021

Original document docx file.