Delete requests and the right to be forgotten
For organisations governed by the EU General Data Protection Regulation or UK Data Protection Act - and where Consent is relied on as a lawful basis for processing data - the Right to object to processing doesn't apply (although an individual always has the right to object to processing for direct marketing, whatever lawful basis applies). However, data subjects can invoke their Right to be forgotten by requesting that their ChurchSuite account be deleted. In this article, we outline the deletion request user experience and see how requests are processed. You should also follow the processes outlined in your Data Protection policy when considering whether a deletion request applies to other systems in which you might store or process someone's data.
Important: The Delete account functionality is only available if your organisation's Data Protection statement has first been added to ChurchSuite (In Settings > Profile). See our related support article: Customising your ChurchSuite account
ChurchSuite and the Right to be Forgotten
As a Data Controller, your Data Protection Statement - sometimes referred to as a Privacy Notice - should make clear to data subjects your organisation's expected processes for requesting and actioning a Right to be Forgotten request.
Since the scope of the Right extends beyond your organisation's processing of personal data within ChurchSuite, the Delete account functionality outlined in this article is designed to facilitate a request from a data subject to have their details removed from your organisation's ChurchSuite account.
No personal data is automatically deleted by a "Delete account" request but a request notification is sent to your designated Data Protection Contact (set in Settings > Profile > Contacts) alerting them that the person has requested their data be deleted from your ChurchSuite account. It is then up to you, as the Data Controller, to action the request as appropriate and to confirm back to the data subject when the process is completed. Requests should be actioned within the timeframes prescribed by the relevant legislation. Remember, you may have an overriding lawful basis that permits you to continue processing some or all of their information.
Where a Data Protection Statement has been added a Delete account option is available in My ChurchSuite on the My Details page...
...on the My Consent form...
...and on the Communication page accessible through the Unsubscribe and Manage communication links in the footer of emails sent by Users through ChurchSuite.
Clicking Delete account opens a confirmation page or pop-up explaining what will happen if they proceed:
If the person proceeds and they are currently logged in to My ChurchSuite:
Additionally, all My ChurchSuite Login & Privacy options and Communication options are opted out, preventing further login or communication, and also preventing any of their details from being visible to others in My ChurchSuite:
Changes logs are added:
"Delete Requested" and "Unsubscribe" Key Dates are added:
A "Delete Account" Notification is sent to the designated Data Protection Contact (set in Settings > Profile), alerting them that a person has requested their account be deleted from ChurchSuite. That sent notification is shown logged in the Profile section of your ChurchSuite AccountSettings.
You can now follow any prescribed pastoral and administrative workflows for removing personal data held on ChurchSuite, before confirming back to the data subject that their request has been actioned.
Note: 'Delete account' will never auto-delete or auto-archive a person. All data - event sign-ups, ministry and group membership, linked family members etc. remains intact. Where an account deletion request has been received, you may still be able to rely on another lawful basis for continuing to process some or all of the information - for example, a 'legitimate interest' may apply to maintaining membership lists such as an Electoral Roll or a 'legal obligation' may apply in respect of donations and Gift Aid records - the lawful basis for processing personal data and the scope of processing will be defined by your Data Protection Policy and outlined in your Data Protection Statement (Privacy Notice).