Notice: This document is for information purposes only and not meant as legal advice.
Application: This article applies only to those churches/customers storing Personally Identifiable Information of citizens within the European Union.
Transferring data outside of the EU? Sign the Breeze LLC, Controller-Processor Standard Contractual Clause Here.
Breeze and General Data Protection Regulations
At Breeze, data security has always been a top priority. GDPR laws have only strengthened our resolve and commitment to providing you the highest security standards.
As a Data Processor, Breeze (along with its sub-processors) processes personal data with the sole purpose of providing and improving the site. All PII processed by Breeze is in relation to this purpose.
Updates made, driven by the GDPR.
- Standard Contractual Clause agreement is available by the link above.
- Designated contact for compliance inquires related to GDPR matters | Julie Schweihofer, firstname.lastname@example.org.
Additionally, we are committed to helping you manage through the new GDPR regulations with as much ease as possible. With that in mind, here is the functionality within Breeze to help with your compliance efforts.
Features available within Breeze to help in your compliance:
- Right to Access - Invite Members to Create an Account; Comprehensive view of personal information available through individual profile records
- Right to Rectify - allow authorized users and or members to Edit Personal Information as necessary
- Right to Erasure - Delete People, and don't forget to delete their user account; delete restore by navigating to Gear Icon>Manage Account>Restore>toggle "delete forever options">"delete forever."
- Right to Restrict Processing - Give Varying Levels of Permission to personal information or Archive member.
- Right to Data Portability - Account-level information can be exported by navigating to the gear icon>Manage Account>View More>Export. Individual-level information can be exported from each of the features within Breeze including Export People, Export Tags, Printing Contributions (also available for download), Attendance, Notes (sort export for pertinent information), Follow-ups, Forms, Volunteering (people tab > individual profile > volunteering > ctrl+p > save as pdf)
- Consent - enhanced features available through Marking Data as Private and Viewing & Restricting Private Data; Create consent forms.
Here's to achieving strong compliance goals together!
Understanding the General Data Protection Regulation (GDPR)
The General Data Protection Regulation, going into effect May 25, 2018, aims to provide greater transparency, protection, and control to those living in the European Union related to the processing of personal information. This regulation replaces the Data Protection Directives previously in place and provides consistent data privacy laws for all EU member states.
What is the territorial scope of the GDPR?
Any organization processing the personal information of individuals living in the EU is subject to these regulations, regardless of whether the processing is happening in the EU or not.
What information is protected under the GDPR?
The regulation applies to the processing of personal data by automated or manual means.
Data processing refers to the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, of personal data.
Personal data refers to any information related to an identified natural person or can be used as an identifier of a natural person. Examples include name, contact, identification numbers, gender, etc. Also, special categories of personal information have been identified by the GDPR and require additional care and safeguard protection.
What are the Principles behind processing Personal Information under the GDPR?
- Organizations must show lawfulness, fairness, and transparency in the processing.
- Personal Information should be collected for specified and legitimate purposes.
- Information should be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
- Accurate and up-to-date, erasing or rectifying inaccurate data without delay.
- Kept for no longer than necessary based on the original purpose
- Protected against unauthorized or unlawful processing, accidental loss, destruction, or damage
Where are your server(s) located?
We’re big fans of focusing on what we do well (software) and letting others focus on what they do well (hardware). As a result, we use the leader in cloud hosting: Amazon Web Services, to provide state-of-the-art consistency in terms of performance and security.
Must I gain consent from my membership before collecting PII?
Not always. Start by determining under which lawful purpose you will be collecting data, as you may have alternative options to consider (with much less administrative burden.) One such option to consider is Legitimate Interest. The ICO has a few tools to help you with Lawful Basis Interactive Guidance Tool and your local council should confirm your assessment.
I've determined consent as lawful purpose, what's the easiest way to record consent in Breeze?
Forms would be a great option. Start with a simple form posted on your website asking for name, phone, and email with communication preference. Follow that with a more detailed consent form listing all of your profile fields captures. The completed form can be attached directly to the individual profile for record-keeping.
Will Breeze communicate directly with my membership for any reason?
Only if they call or email us directly. And, while we will answer their general questions, we will not give church account or even their personal profile account information to them. All such callers will be directed to call the church directly for assistance.
How can I, or my membership, exercise privacy rights granted under GDPR?
If you are a Breeze customer (representative of the Church), complete this form, and one of our representatives will respond within 24 hours.
*We will also accept requests from church members but instead of reaching out with action, we will reach out with directions to contact the Church which acts as the Data Controller.
Does Breeze use subprocessors?
Yes, we share information, including personal information, with our third-party service providers that we use to provide hosting for and maintenance of our Websites, application development, backup, storage, payment processing, analytics, and other services for us. These third-party service providers may have access to or process your personal information for the purpose of providing these services for us. We do not permit our third-party service providers to use the personal information that we share with them for their marketing purposes or for any other purpose than in connection with the services they provide to us. To get a list of subprocessors, reach out to email@example.com.