Platform: Web
Application: B1.church

Description
We've held off on this because we were under the belief that separate hosting within the EU was a requirement. A user has looked into this and it appears that is not the case. Here are those notes:

If I've understood correctly, I can reassure you that this does not require EU servers or major technical or legal work, especially since you’re already using AWS, because AWS in America has GDPR compliance as a contractual feature.
From a UK ICO perspective, the minimum steps would be:

1. Processor–controller clarity
   – Churches are the data controllers
   – ChurchApps is the data processor
2. Accept AWS’s standard Data Processing Addendum
   – In practice this is done via the AWS Console (AWS Artifact)
   – AWS’s DPA already includes the EU Standard Contractual Clauses and the UK ICO International Data Transfer Addendum
   – This is a click-through acceptance, not a negotiation
3. Keep a short internal note (Transfer Risk Assessment)
   – Simply recording that data is hosted on AWS, encrypted, access-controlled, and logged
   – This isn’t published or submitted anywhere; it’s just kept on file
4. Minor wording updates
   – A short Data Processing Agreement for churches (click-through at sign-up is fine)
   – A brief update to the privacy policy noting AWS US hosting and the SCCs / UK Addendum
Once those are in place, UK churches would not need to deal with SCCs, AWS, or international transfer issues themselves — everything sits at platform level and becomes straightforward for trustees here.
Beyond that, we need to make sure the app gives churches an easy way to fulfil each of these data-subject requests:
- Right of access - Export a person’s data
- Right to rectification - Edit incorrect data
- Right to erasure - Delete a person (“right to be forgotten”)
- Right to restriction - Disable without deleting
- Right to portability - Machine-readable export
- Right to object - Suppress processing
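As an added illustration (not code from the B1.church project, and not its real schema), the following Python module shows what one request handler for each of the six rights above could look like over a small in-memory membership store. The people and attendance records are constructed sample data; the field names and function names are assumptions. Two points are easy to miss when wiring these up: every processing step (here, building a mailing list) has to honour the restriction and objection flags, and erasure should scrub the person out of related rows rather than leave orphaned foreign keys, while an append-only audit log records that each request was handled.

```python
import json
from datetime import datetime, timezone

# Constructed sample data standing in for a church's membership records
# (hypothetical schema; not the B1.church data model).
PEOPLE = {
    "p1": {"name": "Ada Example", "email": "ada@example.org", "status": "active", "objections": set()},
    "p2": {"name": "Ben Example", "email": "ben@example.org", "status": "active", "objections": set()},
}
ATTENDANCE = [
    {"person_id": "p1", "date": "2024-01-07", "service": "Sunday AM"},
    {"person_id": "p2", "date": "2024-01-07", "service": "Sunday AM"},
]
AUDIT_LOG = []  # append-only record of every data-subject request handled


def _audit(action, person_id, detail=""):
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "person_id": person_id,
        "detail": detail,
    })


def export_person(person_id):
    """Right of access / right to portability: everything held about one person as JSON."""
    person = PEOPLE[person_id]
    payload = {
        # sets are not JSON-serializable, so objections are emitted as a sorted list
        "person": {k: (sorted(v) if isinstance(v, set) else v) for k, v in person.items()},
        "attendance": [row for row in ATTENDANCE if row["person_id"] == person_id],
    }
    _audit("export", person_id)
    return json.dumps(payload, indent=2, sort_keys=True)


def rectify(person_id, field, value):
    """Right to rectification: correct one existing field, logging old and new value."""
    record = PEOPLE[person_id]
    if field not in record:
        raise KeyError(f"unknown field {field!r}")
    old = record[field]
    record[field] = value
    _audit("rectify", person_id, f"{field}: {old!r} -> {value!r}")


def restrict(person_id):
    """Right to restriction: keep the record on file but stop processing it."""
    PEOPLE[person_id]["status"] = "restricted"
    _audit("restrict", person_id)


def object_to(person_id, purpose):
    """Right to object: suppress one purpose (e.g. newsletter) without touching the rest."""
    PEOPLE[person_id]["objections"].add(purpose)
    _audit("object", person_id, purpose)


def erase(person_id):
    """Right to erasure: delete the person and unlink related rows instead of orphaning them."""
    del PEOPLE[person_id]
    for row in ATTENDANCE:
        if row["person_id"] == person_id:
            row["person_id"] = None  # headcount survives, the link to the individual does not
    _audit("erase", person_id)


def mailing_list(purpose="newsletter"):
    """Example processing step: only active people who have not objected to this purpose."""
    return sorted(
        p["email"] for p in PEOPLE.values()
        if p["status"] == "active" and purpose not in p["objections"]
    )


if __name__ == "__main__":
    object_to("p1", "newsletter")
    print("mailing list:", mailing_list())
    print(export_person("p1"))
    erase("p1")
    print("audit:", [e["action"] for e in AUDIT_LOG])
```

In a real deployment the status and objection checks belong in the data-access layer so that no query path can bypass them, and the audit log should be stored separately from the records it describes so that an erasure does not erase the evidence that the request was honoured.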
Additional Context: No response