top of page

Data Protection Policy 

 
1. About this policy
​

1.1 This Data Protection Policy sets out how Freedom Church (“we”, “our”, “us”) collects, handles, stores and processes Personal Data relating to staff, volunteers, members (past, present and prospective), attendees, suppliers, and other individuals.

We are committed to processing Personal Data in accordance with applicable data protection laws, including the General Data Protection Regulation and Cyprus Law 125(I)/2018.

1.2 This policy applies to all personnel. Compliance is mandatory.

1.3 This is an internal policy and should not be shared externally without appropriate authorisation, unless required by law or regulatory request.

​

2. Data Protection Law

“Data Protection Law” means:

  • the General Data Protection Regulation

  • Cyprus Law 125(I)/2018

  • guidance issued by the Office of the Commissioner for Personal Data Protection
     

3. Roles and responsibilities

3.1 Freedom Church acts as a Data Controller.

3.2 A Data Protection Officer (DPO) will be appointed where required by law, or where deemed appropriate.

3.3 The DPO (or designated responsible person) oversees compliance.

3.4 The supervisory authority is:
→ Office of the Commissioner for Personal Data Protection

​

4. Special category data

As a church, we process Special Categories of Personal Data, including information about religious beliefs.

We rely on Article 9(2)(d) of the General Data Protection Regulation, which permits processing by a not-for-profit body with a religious aim, provided:

  • processing relates only to members or regular contacts

  • appropriate safeguards are in place

  • data is not disclosed outside the organisation without consent

​

5. Data protection principles

We comply with GDPR principles:

  • Lawfulness, fairness and transparency

  • Purpose limitation

  • Data minimisation

  • Accuracy

  • Storage limitation

  • Security

  • Accountability

​
6. Lawful bases for processing

We process Personal Data under the following lawful bases:

  • Consent

  • Contract

  • Legal obligation

  • Vital interests

  • Legitimate interests

We ensure a lawful basis is identified and documented.

​

7. Consent

  • Must be freely given, informed and unambiguous

  • Must be withdrawable at any time

  • Must be recorded

Explicit consent is required for certain sensitive data.

​

8. Transparency

We provide Privacy Notices explaining:

  • what data we collect

  • why we collect it

  • how it is used

  • how long it is kept

  • individuals’ rights

​

9. Data minimisation

We only collect data that is necessary and relevant.​

​

10. Accuracy

We keep data accurate and up to date.

​
11. Data retention

We retain Personal Data only as long as necessary.

Retention periods are defined based on:

  • legal obligations

  • safeguarding requirements

  • operational needs

​

12. Data security

We implement appropriate safeguards including:

  • access controls

  • encryption where appropriate

  • secure storage systems
     

13. Data breaches

All data breaches must be reported immediately.

Where required, breaches will be reported to the
Office of the Commissioner for Personal Data Protection within 72 hours.

​

14. Data sharing (FIXED)

We may share Personal Data where there is a lawful basis, including:

  • legal obligations

  • contractual necessity

  • legitimate interests

  • consent (where required)

All third parties must implement appropriate safeguards.

​

15. International transfers

Transfers outside the EEA will only occur where:

  • adequacy decisions exist

  • safeguards (e.g. SCCs) are in place

  • or other lawful mechanisms apply

​

16. Data subject rights

Individuals have the right to:

  • access their data

  • correct inaccuracies

  • request deletion

  • restrict processing

  • object to processing

  • data portability

  • lodge a complaint with the Office of the Commissioner for Personal Data Protection

​

17. Children’s data (NEW)

Where we process children’s data:

  • parental/guardian consent will be obtained where required

  • additional safeguards will apply

​

18. Direct marketing

We will only send electronic marketing where:

  • consent has been obtained, or

  • another lawful basis applies under applicable law
     

Opt-outs are honoured immediately.

​

19. Accountability

We maintain:

  • records of processing

  • staff training

  • audits and reviews

  • DPIAs where required

​

20. Review

This policy is reviewed annually.

bottom of page