Privacy Notice Declaration of Transactions with General Trustees, Charity Trustees and Key Management Personnel – Senior Management Team (SMT)
Church of Scotland Stewardship & Finance department is providing you with this information to comply with data protection law and to ensure that you are fully informed and we are transparent in how we collect and use your personal data.
Who is collecting the information?
Church of Scotland is the Data Controller. We have an appointed Data Protection Officer (DPO), Alice O'Sullivan, who can be contacted by emailing:
Why are we collecting it and what are we doing with it (Purpose)?
The Declaration of Transactions is legally required for statutory audit and accounting purposes. It is therefore necessary to carry out an annual declaration of transactions for the key people in the Senior Management Team and of the Assembly Trustees and the General Trustees.
What personal data do we collect?
Your name, whether you are a General Trustee, Assembly Trustee or Senior Management Team (SMT) member, and the details of any transactions made during the year which you received from the Church or that you owe the Church are required to be recorded in the declarations. These include the description of the transaction and the amount received.
Additional data is also collected where individuals are connected with the individual, as follows:
- The trustee's/employee's spouse, partner, children or dependants;
- The trustees of any private trust of which the beneficiaries or potential beneficiaries include the trustee/employee or anyone mentioned above;
- Business partners of the trustee/employee or anyone mentioned above;
- Organisations in which the trustee/employee or anyone mentioned above, taken together have control or significant influence over or is a member of the key management personnel.
How are we collecting this information? What is the source?
The forms are issued to the Trustees and SMT by email. The information is provided by the individuals by completing the form and returning it to the Deputy Treasurer (for responses from Assembly Trustees and UE SMT) and returning to the Finance Manager (for responses from General Trustees and GT SMT). All Trustees and SMT will have sight of the draft statutory accounts before they are signed and can therefore comment or question any disclosures made.
The lawful basis for the processing
Under UK GDPR Article 6(1)(c), "processing is necessary for compliance with a legal obligation to which the controller is subject", as the Church is required to comply with the requirements under charity and accounting legislation.
Who we share the information with:
The external auditors will view the forms as part of the statutory audit process. RSM are our official auditors and there is an appropriate contract in place. The information is provided to them via a secure audit portal.
The Office of the Scottish Charity Regulator (OSCR) requires that there is a Charities Statement of Recommended Practice (SORP). OSCR will receive the relevant points as required to be disclosed in the statutory accounts. Where the Charities Statement of Recommended Practice (SORP) requires disclosure of specific transactions/balances these will be disclosed in the statutory accounts.
Details of data transfers to any third countries or international organisations
This does not apply to this processing activity.
How long do we hold the personal data?
As this data backs up the information disclosed in the statutory accounts and may be required in future years, we will hold it for 6 years along with all other financial records. Once this period passes, the data will be destroyed securely following Church procedures.
Do we use automated decision making processes, including profiling?
The Church does not process data in this way.
Individuals' rights in relation to this processing
Individuals have a number of rights under data protection laws. These are detailed here. Not all rights are absolute and some only apply in relation to the lawful basis for processing the data. For this purpose, the only rights that do not apply are the right to erasure, the right of data portability and the right to object. All other rights apply. If you want to exercise any of your rights please contact the DPO at