Data Protection Policy



The Pastoral Leadership of Saints Community Church is committed to protecting personal data and respecting the rights of our partners, workers, members, and everyone that has contact with us (“data subjects” – people whose personal data we collect and use). Saints Community Church (or “the Church” values the personal information entrusted to us and we respect that trust, by complying with all relevant laws, and adopting good practice.


We process personal data to help us:

  1. Maintain a database of our church members and the activities they are involved in
  2. Provide pastoral support for members and others connected with our church
  3. Reach Christians and non-Christians with the word of God
  4. Safeguard children, young people and adults at risk
  5. Recruit, support and manage staff and volunteers
  6. Maintain our church accounts and records
  7. Communicate our vision and fulfill our commitments
  8. Maintain the security of property and premises
  9. Respond effectively to enquirers and handle any complaints
  10. And for any matter that might require this


This policy has been approved by the Board of Trustees of Saints Community Church who are responsible for ensuring that we comply with all our legal obligations. It sets out the legal rules that apply whenever we obtain, store or use personal data.


Why this policy is important:

  1. We’re committed to protecting personal data from being misused, or being inaccurate, as we’re aware that people can be upset or harmed if any of these things was to
  2. This policy sets out the measures we’re committed to taking as an organization and, what each of us will do to ensure we comply with the relevant
  3. For instance, we’ll make sure that all personal data is:
    1. Processed lawfully, fairly and done transparently



  1. Processed for specific, explicit and legitimate purposes and not in a manner that’s incompatible with those purposes
  2. Adequate, relevant and limited to what is necessary for the purposes for which it’s being processed
  3. Accurate and, where necessary, up-to-date
  4. Not kept longer than necessary for the purposes for which it’s being processed
  5. Processed in a secure manner, by using appropriate technical and organizational means
  6. Processed in keeping with the rights of data subjects regarding their personal


How this policy applies to you and what you need to know:

  1. As member, an employee, volunteer or trustee processing personal information on behalf of the Church, you’re require to comply with this If you think that you’ve accidentally breached the policy, it’s important that you contact our Data Protection Officer immediately so that we can take swift action to try and limit the impact of the breach.


Anyone who breaches the Data Protection Policy may be subject to disciplinary action, and where that individual has breached the policy intentionally, recklessly or for personal benefit they may also be liable to prosecution or to regulatory action.

  1. As a leader and/or manager you’re required to make sure that any procedures that involve personal data, that you’re responsible for in your area, follow the rules set out in this Data Protection
  2. As a data subject: We will handle your personal information in line with this
  3. As an appointed data processor/contractor: Companies who are appointed by us as a data processor are require to comply with this policy under the contract with Any breach of this policy will be taken seriously and could lead to us taking contract enforcement action against the company or terminating the contract. Data processors have direct obligations under the Nigerian Data Protection Regulation (“NDPR”) and the General Data Protection Regulation (“GDPR”), primarily to only process data on instructions from the controller (us) and to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk involved.
  4. Our Data Protection Officer is responsible for advising the Church’s leadership and members about their legal obligations under data protection law, monitoring compliance with data protection law, dealing with data security breaches and with the development of this Any questions about this policy or any concerns that the policy has not been followed should be referred to them at
  5. Before you collect or handle any personal data as part of your work (paid or otherwise) for the Church, it’s important that you take the time to read this policy carefully and understand exactly what is required of you, as well as the organization’s responsibilities when we process
  6. Our procedures will be in line with the requirements of this policy, but if you’re unsure about whether anything you plan to do, or are currently doing, might breach this policy you must first speak to the Data Protection


Training and Guidance:

  1. In line with the NDPR, we will provide general training at least annually for all members and staff to raise awareness of their obligations and our responsibilities, as well as to outline the
  2. We may also issue procedures, guidance or instructions from time to Leaders must set aside time for their team to look together at the implications for their work.]




What personal information do we process?

  1. In the course of our work, we may collect and process information (personal data) about many different people (data subjects). This includes data we receive straight from the person it’s about, for example, where they complete forms or contact We may also receive information about data subjects from other sources including, for example, previous employers, next-of-kin.
  2. We process personal data in both electronic and paper form and all this data is protected under data protection The personal data we process can include information such as names and contact details, education or employment details, and visual images of people.
  3. In some cases, we hold types of information that are called “sensitive” in the NDPR or “special categories” of data in the This personal data can only be processed under strict conditions.




  1. We will hold information relating to criminal proceedings or offenses or allegations of offenses on a clear lawful basis to process this data such as where it fulfils one of the substantial public interest conditions in relation to the safeguarding of children and individuals at risk or one of the additional conditions relating to criminal This processing will only ever be carried out on the advice of the Zonal Pastor.
  2. Other data may also be considered ‘sensitive’ such as bank details, but will not be subject to the same legal protection as the types of data listed


Making sure processing is fair and lawful:

  1. Processing of personal data will only be fair and lawful when the purpose of the processing meets a legal basis, as listed below, and when the processing is transparent. This means we will provide people with an explanation of how and why we process their personal data at the point we collect data from them, as well as when we collect data about them from other sources.


How can we legally use personal data?

  1. Processing of personal data is only lawful if at least one of these legal conditions:
    1. The processing is consented to by the data subject
    2. The processing is necessary for a contract with the data subject
    3. The processing is necessary for us to comply with a legal obligation
    4. The processing is necessary to protect someone’s life (this is called “vital interests”)
    5. The processing is necessary for us to preform a task in the public interest, and the task has a clear basis in law
    6. The processing is necessary for legitimate interests pursued by the Church or another organization, unless these are overridden by the interests, rights and freedoms of the data subject. (exclusive to data subjects which the GDPR applies to).
    7. If none of the other legal conditions apply, the processing will only be lawful if the data subject has given their clear consent.


How can we legally use ‘special categories’ of data?

  1. Processing of ‘special categories’ of personal data is only lawful when, in addition to the conditions above, one of the extra conditions is These conditions include where:
    1. The processing is necessary for carrying out our obligations under employment and social security and social protection law
    2. The processing is necessary for safeguarding the vital interests (in emergency, life or death situations) of an individual and the data subject is incapable of giving consent
    3. The processing is carried out in the course of our legitimate activities and only relates to our members or persons we are in regular contact with in connection with our purposes
    4. The processing is necessary for pursuing legal claims
    5. If none of the other legal conditions apply, the processing will only be lawful if the data subject has given their explicit consent
  2. Before deciding which condition should be relied upon, we may refer to the original text of the NDPR or GDPR (as applicable) as well as any relevant guidance, and seek legal advice as


What must we tell individuals before we use their data?

  1. If personal data is collected directly from the individual, we will inform them; our identity/contact details, the reasons for processing, and the legal bases, explaining out legitimate interests, and explaining where relevant, who we will share the data This information is commonly referred to as a ‘Privacy Notice’. This information will be given at the time when the personal data is collected.


When we need consent to process data:

  1. Where none of the other legal conditions apply to the processing, and we’re required to get consent from the data subject, we will clearly set out what we’re asking consent for, including why we’re collecting the data and how we plan to use i Consent will be specific to each process we’re requesting consent for and we will only ask for consent when the data subject has a real choice whether or not to provide us with their data.
  2. Consent can however be withdrawn at any time and if withdrawn, the processing will Data subjects will be informed of their right to withdraw consent and it will be as easy to withdraw consent as it is to give consent.


Processing for specified purposes:

  1. We’ll only process personal data for the specific purposes explained in our privacy notices or for other purposes specifically permitted by law. We’ll explain those other purposes to data subjects unless there are lawful reasons for not doing so.


Data will be adequate, relevant and not excessive:

  1. We’ll only collect and use personal data that’s needed for specific purposes which will normally be explained to the data subjects in the privacy notices. We’ll not collect more than is needed to achieve those purposes.


Accurate data:

  1. We’ll make sure that personal data held is accurate and, where appropriate, kept up-to-date. The accuracy of data will be checked at the point of collection.



Keeping data and destroying it:

  1. We’ll not keep personal data longer than is necessary for the purposes that it was collected for.


Security of personal data:

  1. We’ll use appropriate measures to keep personal data secure at all points of the Keeping data secure includes protecting it from unauthorized or unlawful processing or from accidental loss, destruction or damage.
  2. Security measures will include technical and organizational security In assessing what measures are the most appropriate we will take into account the following, and anything else that is relevant:
    1. The quality of the security measure
    2. The costs of implementation
    3. The nature, scope, context and purpose of processing
    4. The risk to the rights and freedoms of data subjects
    5. The risk which could result from a data
  3. Measure may include:
    1. Technical systems security
    2. Measures to restrict or minimize access to data
    3. Measures to ensure our systems and data remain available, or can be easily restored in the case of an incident
    4. Physical security of information and of our premises
    5. Organizational measures such as policies, procedures, training and audits
    6. Regular testing and evaluating of the effectiveness of security


Keeping records of our data processing:

  1. To show we comply with the law we’ll keep clear records of our processing activities and of the decisions we make concerning personal data.





Data subjects’ rights:

  1. We’ll process personal data in line with data subjects’ rights, including their right to:
    1. Request access to any of their personal data held by us (known as a Subject Access Request)
    2. Ask to have inaccurate personal data changed
    3. Restrict processing, in certain circumstances
    4. Object to processing, in certain circumstances, including preventing the use of their data for direct marketing
    5. Data portability, which means to receive their data, or some of their data, in a format that can be easily used by another person (including the data subject themselves) or organization
    6. Not be subject to automated decisions, in certain circumstances, and
    7. Withdraw consent when we are relying on consent to process their data
  2. If a colleague receives any request from a data subject that relates or could relate to their data protection rights, this will be forwarded to our Data Protection Officer
  3. We’ll act on all valid requests as soon as possible, and at the latest within one calendar month, unless we have reason to, and can lawfully extend the This can be extended by up to two months in some circumstances.
  4. All data subjects’ rights are provided free to
  5. Any information provided to data subjects will be concise and transparent, using clear and plain




Sharing information with other organizations:

  1. We will only share personal data with other organizations or people when we have a legal basis to do so. Only authorized and properly instructed staff/Trustees are allowed to share personal
  2. We will keep records of information shared with a third party, which will include recording any exemptions which have been applied, and why they have been

Data processors:

  1. Before appointing a contractor who will process personal data on our behalf (a data processor) we will carry out due diligence The checks are to make sure the processor will use appropriate technical and organizational measures to ensure the processing will comply with data protection law, including keeping the data secure, and upholding the rights of data subjects. We will only appoint data processors who can provide us with sufficient guarantees that they will do this.
  2. We’ll only appoint data processors on the basis if a written contract that will require the processor to comply with all relevant legal We will continue to monitor the data processing, and compliance with the contract, throughout the duration of the contract.


Transferring personal data outside of Nigeria or the European Union (EU):

  1. To facilitate cohesion and accountability in the Church, your personal data may be transferred out of Nigeria or the EU, as the case may be.
  2. We’ll only transfer data outside Nigeria or the EU where it’s permitted by one of the conditions in the NDPR or GDPR, as applicable.




Data protection impact assessments:

  1. When we’re planning to carry out any data processing which is likely to result in a high risk we’ll carry out a Data Protection Impact Assessment (DPIA). These include situations when we process data relating to vulnerable people, trawling of data from public profiles, using new technology, and transferring data outside Nigeria or the Any decision not to conduct a DPIA will be recorded.
  2. We may also conduct a DPIA in other cases when we consider it appropriate to do


Dealing with data protection breaches:

  1. Where members, staff or volunteers, or contractors working for us, thing that this policy has not been followed, or data might have been breached or lost, this will be reported immediately to the Data Protection
  2. We will keep records of personal data breaches, even if we do not report them to the National Information and Technology Development Agency (“NITDA”) or the ICO.
  3. We will report all data breaches which are likely to result in a risk to any person, to NITDA or the Reports will be made to the ICO within 72 hours from when someone in the church becomes aware of the breach.
  4. In situations where a personal data breach causes a high risk to any person, we will (as well as reporting the breach to NITDA or the ICO), inform data subjects whose information is affected, without undue


This can include situations where, for example, bank account details are lost or an email containing sensitive information is sent to the wrong recipient. Informing data subjects can enable them to take steps to protect themselves and/or to exercise their rights.