Privacy Notice - CAC GMPM UKEU

Grace of Mercy Prayer Mountain

(Charity No. 1200902)

Contact details:

Post: Unit 4, No1. Selina lane, Dagenham, Essex, RM8 1QH, London
Telephone: 07474725409
Email: info@gmpmukeu.org

Data Protection Policy
Effective Date: October 2025
Review Date: October 2026
Approved by: Board of Trustees

This privacy notice tells you what to expect us to do with your personal information.

Contact details
What information we collect, use, and why
Lawful bases and data protection rights
Where we get personal information from
How long we keep information
Who we share information with
How to complain

1. Introduction

Grace of Mercy Prayer Mountain (“the Charity”) is a UK-registered Christian charity (Charity No. 1200902) dedicated to advancing the Christian faith, supporting education, and relieving poverty worldwide.

The Charity is committed to ensuring that all personal data handled by the organisation is processed lawfully, fairly, and transparently, in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Purpose and Scope

This policy sets out how the Charity collects, uses, stores, shares, and protects personal data of its members, donors, volunteers, event participants, and other individuals connected with its activities.

It applies to all staff, trustees, volunteers, contractors, and anyone else who handles personal data on behalf of the Charity.

3. Data Protection Principles

The Charity follows the seven key principles of the UK GDPR. Personal data shall be:

Lawfulness, fairness, and transparency – Processed lawfully, fairly, and transparently.
Purpose limitation – Collected for specified, explicit, and legitimate purposes.
Data minimisation – Adequate, relevant, and limited to what is necessary.
Accuracy – Kept accurate and up to date.
Storage limitation – Kept only as long as necessary.
Integrity and confidentiality – Processed securely to prevent unauthorised access or loss.
Accountability – The Charity is responsible for demonstrating compliance with these principles.

What information we collect, use, and why

We collect or use the following information to receive donations or funding and organise fundraising activities:

• Names and contact details

• Addresses

• Payment or banking details

• Donation history

We collect or use the following personal information for dealing with queries, complaints or claims:

• Names and contact details

• Address

• Payment details

• Account information

• Witness statements and contact details

• Financial transaction information

Lawful bases and data protection rights

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.

Which lawful basis we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

• Your right of access – You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. Read more about the right of access.

• Your right to rectification – You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. Read more about the right to rectification.

• Your right to erasure – You have the right to ask us to delete your personal information. Read more about the right to erasure.

• Your right to restriction of processing – You have the right to ask us to limit how we can use your personal information. Read more about the right to restriction of processing.

• Your right to object to processing – You have the right to object to the processing of your personal data. Read more about the right to object to processing.

• Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. Read more about the right to data portability.

• Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time.

If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

Our lawful bases for the collection and use of your data

Our lawful bases for collecting or using personal information to receive donations or funding and organise fundraising activities are:

• Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

• Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

Our lawful bases for collecting or using personal information for dealing with queries, complaints or claims are:

Where we get personal information from

• Directly from you

• Charities or voluntary sector organisations

Data Security

Technical measures:

Secure cloud storage (Google Workspace)
Password protection, encryption, and firewall/antivirus systems

Organisational measures:

Access restricted to authorised personnel
Confidentiality agreements for staff and volunteers
Training on data protection and confidentiality
The Charity plans to conduct regular internal reviews and security checks

How long we keep information

Data Type Retention Period

Donor and financial records 6 years (HMRC requirement)

Volunteer/member records Active + 2 years after departure

Event registration data 1 year

Prayer requests Until pastoral purpose fulfilled

Data is securely deleted using digital erasure or shredded when no longer required

Who we share information with

Others we share personal information with

• Relevant regulatory authorities

• External auditors or inspectors

• Organisations we’re legally obliged to share personal information with

Third parties:

• Accountants, HMRC, event platforms, hotels, and venue providers

Payment processors (e.g., Stripe) for donations

Data Breach Management

Any suspected or actual data breach must be reported immediately to the Data Protection Lead.

The Lead will:

. Record and investigate the breach

. Notify the ICO within 72 hours (if required)

. Inform affected individuals where there is a high risk to their rights and freedoms

. Staff training on breach identification and response will be conducted annually.

All staff and volunteers receive data protection training during onboarding.

Refresher sessions and policy updates will be provided at least annually.

Monitoring and Review

The Charity will conduct periodic reviews of this policy and its compliance practices. This policy will be reviewed annually or sooner if legal or organisational changes require.

How to complain

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.

The ICO’s address:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

Last updated: 31/10/2025

Board of Trustees: Overall accountability for data protection compliance.

Manages data subject requests and breach notifications.
- Email: info@gmpmukeu.org. | Phone: 07474 725409

Approved by: Trustees