This Data Protection and Privacy Policy outlines the principles and guidelines for the collection, use, storage, and protection of personal data within the Archdiocese of Baltimore. This policy applies to all employees, volunteers, contractors, and any individuals involved in processing personal data on behalf of the organization.
The purpose of this policy is to ensure that personal data is handled in compliance with applicable data protection laws and regulations, including but not limited to the General Data Protection Regulation (GDPR) and other relevant privacy laws. By adhering to this policy, we aim to safeguard individuals’ privacy rights, maintain the confidentiality of personal data, and foster trust with our stakeholders.
3.1. Lawful Basis: Personal data will only be collected and processed when there is a lawful basis for doing so, such as with the individual’s consent, to fulfill a contract, to comply with legal obligations, or for legitimate interests pursued by the organization.
3.2. Data Minimization: Personal data collected will be limited to what is necessary for the intended purpose and will be kept accurate, up to date, and relevant.
3.3. Purpose Limitation: Personal data will only be used for the specific purposes for which it was collected, unless additional consent is obtained or as required by law.
3.4. Sensitive Data: Special categories of personal data, such as religious beliefs, health information, or criminal records, will be processed in accordance with applicable legal requirements and with explicit consent, unless otherwise permitted by law.
4.1. Right to Access: Individuals have the right to request access to their personal data held by the organization and to receive information about how their data is being processed.
4.2. Right to Rectification: Individuals have the right to request the correction of inaccurate or incomplete personal data.
4.3. Right to Erasure: Individuals have the right to request the deletion of their personal data in certain circumstances, such as when the data is no longer necessary or when consent is withdrawn.
4.4. Right to Restriction of Processing: Individuals have the right to request the restriction of processing their personal data under specific circumstances, such as when the accuracy of the data is contested.
4.5. Right to Data Portability: Where technically feasible, individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit that data to another data controller.
5.1. Data Protection Measures: Appropriate technical and organizational measures will be implemented to ensure the security and confidentiality of personal data, including access controls, encryption, regular data backups, and staff training.
5.2. Data Breach Response: In the event of a data breach or unauthorized disclosure of personal data, the organization will follow a documented incident response plan to mitigate the impact, notify affected individuals and relevant authorities, and take necessary corrective actions.
6.1. Third-Party Data Processors: When personal data is shared with third-party service providers or processors, appropriate data processing agreements or contracts will be in place to ensure compliance with data protection requirements.
6.2. International Data Transfers: If personal data is transferred to countries outside the European Economic Area (EEA), appropriate safeguards and mechanisms will be implemented to ensure an adequate level of data protection as required by applicable laws.
7.1. Data Retention Periods: Personal data will be retained only for as long as necessary to fulfill the purposes for which it was collected, unless longer retention is required by law or legitimate organizational purposes.
7.2. Data Disposal: Personal data that is no longer needed will be securely and permanently deleted or disposed of in accordance with applicable legal requirements.
8.1. Training and Awareness: Staff members involved in the processing of personal data will receive appropriate training and awareness programs to ensure their understanding of data protection responsibilities and best practices.
8.2. Confidentiality Obligations: All staff members are required to maintain the confidentiality and security of personal data they handle during their employment or engagement with the organization.
9.1. Data Protection Officer: Archdiocese of Baltimore will appoint a Data Protection Officer (DPO) or designate a responsible individual to oversee data protection compliance and act as a point of contact for data subjects and supervisory authorities.
9.2. Data Protection Impact Assessments: Where necessary, Archdiocese of Baltimore will conduct Data Protection Impact Assessments (DPIAs) to assess and mitigate privacy risks associated with data processing activities.
9.3. Policy Review and Updates: This policy will be reviewed periodically to ensure its continued relevance and compliance with evolving data protection laws and best practices.
For any inquiries, requests, or concerns related to this Data Protection and Privacy Policy or the organization’s data protection practices, please contact the Data Protection Officer at dpo@archbalt.org.
All individuals associated with the Archdiocese of Baltimore are required to read, understand, and adhere to this Data Protection and Privacy Policy. Failure to comply may result in disciplinary actions, as outlined in the organization’s code of conduct or employment agreements.
This Data Protection and Privacy Policy is effective as of [policy effective date] and supersedes any previous policies or guidelines related to data protection and privacy.
By implementing this policy, Archdiocese of Baltimore aims to demonstrate its commitment to protecting personal data and respecting the privacy rights of individuals.