Data Protection Policy

May 2018

If you have any queries concerning this policy please email us or contact us on 01434 673248.

Some Key Definitions

Data protection and Privacy Law

This includes the Data Protection Act, the EU General Data Protection Regulation, the Privacy and Electronic Communication Regulations, the EU e-Privacy Regulation and other related legislation as may be enacted in parallel with or to replace these laws.

Personal Data

This is information that can identify a living person that is held either electronically or in paper form. This can include staff employment details, volunteer details and retreatant records as well as images such as those collected for the newsletter or other forms of advertising or promotion.

Data Controller

It is the duty of the data controller to decide how and why personal data is to be used and which is legally required to comply with the law. The data controller is Minsteracres Retreat Centre for the data it uses.

Data Subject

This is an identifiable living individual who is the subject of personal data.


In relation to personal data, this means obtaining, recording or holding the data or carrying out any operation or set of operations on the data.

Principles and Duties


Whenever we collect personal data, we will take appropriate measure to provide data subjects with the information required to ensure they understand the nature of the processing and how to exercise their rights in relation to that processing.


Where we are relying on consent as a legal basis for processing personal data, individual’s consent will be collected in a manner that ensures it is freely given, specific, informed and unambiguous.

Purpose Limitation/Data Minimisation/Storage Limitation/ Accuracy

We will only collect and use personal data for specific legitimate purposes, and it will only be kept for so long as we need it for those purposes. We will not collect excessive or irrelevant information. We will ensure that personal data we collect and process will be accurate and kept up to date, where necessary.


  • We will have appropriate security measures in place to protect personal data, taking account of the nature of the data and the harm that might be caused if it was lost. These security measures will be regularly tested, assessed and evaluated to ensure they maintain an appropriate level of security for personal data.
  • Personal data will be accessible only to those people who need to use it as part of their work for MRC. Unauthorised or unlawful access to, use or disclosure of personal data may lead to disciplinary action and in some cases could be considered as gross misconduct. In serious cases it could also be a criminal offence.
  • We will provide prompt and effective notification to the relevant supervisory authority and to data subjects, where necessary, in the event of a personal data breach. We will cooperate fully with any regulatory investigations which result from a breach.


Data subjects will be able to exercise fully their rights to automated decision making and profiling.


Electronic, telephone and other marketing will be carried out in accordance with the law. Guidance is available to staff and volunteers to enable them to meet these requirements.

Data Protection by Design and Default

  • We will implement appropriate technical and organisational measures to ensure that data protection principles are incorporated into the development and operation of personal data processing activities.
  • Data protection impact assessments will be carried out for any new processing activity that is likely to result in high risk to the rights of the data subjects whose personal data is involved in the processing.
  • Accountability

We will maintain appropriate records to allow us to demonstrate our compliance with these principles and duties, including records of processing activities under our control. A Data Protection Officer will be designated to fulfil the tasks set out in law. Staff and volunteers involved in processing data will receive appropriate training in the principles and duties.

International Transfers

Transfers of personal data outside of the European Economic Area will be subject to appropriate safeguards in accordance with the law.

Roles and Responsibilities

  • The Board has overall responsibility for ensuring that MRC’s legal obligations are met.
  • The Operations Manager has been designated as the Data Protection Officer with responsibility for the statutory tasks of the data protection officer and promoting and monitoring compliance and reporting on compliance to the Board.
  • The Data Protection Officer is also responsible for responding to requests and queries received from data subjects and for facilitating appropriate training for all relevant staff and volunteers.
  • All staff and relevant volunteers must be aware of data protection requirements, follow the policy and procedures for handling personal data and report any breaches as soon as possible to the Data Protection Officer. A breach of this policy could result in disciplinary action.