Skip to main content  


Data Protection Policy

See also:

The City Corporation Data Protection Policy (145KB) details its obligations under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018). The Data Protection Officer for the City Corporation is the Comptroller and City Solicitor.

Internal Policies

Privacy Notice

Our Privacy Notice includes all required information on how and why the City Corporation processes personal data.


The Privacy and Electronic Communications (EC Directive) Regulations 2003 have an impact on the work of the City Corporation because of the wide definition of ‘Direct Marketing’ decided by the Information Commissioner's Office, and also because the City Corporation operates websites and contacts people by email.

In complying with the legal requirements we will ensure that:

  • the proposed recipients of our eMarketing information have given their prior consent to receive the information
  • even after prior consent has been given, that the recipients of our eMarketing information are provided with the option to opt-out of further receipt of marketing information at any time
  • the personal data which we collect relating to the recipients of our eMarketing information is processed in accordance with the Data Protection Act, and in particular that: no more personal data is collected than is required, and that regular surveys are conducted to ensure that the personal data is accurate and kept up to date
  • any recipient of our eMarketing information is issued with a ‘Fair Processing Notice’ explaining what the City of London does with the information.

As the City Corporation's eMarketing is directed at both individuals and corporate subscribers, and their employees, a policy decision has been taken to apply the same principles to both sorts of subscribers on the basis of simplicity, consistency and efficiency, even though the law does not require prior consent from corporate subscribers with regard to marketing by email.

Contact us

If you have concerns about direct marketing contact:

Information Compliance Team
Comptroller and City Solicitor’s Department
City of London
PO Box 270 Guildhall
London EC2P 2EJ
020 7332 1209
Email: Information Officer

More information about...

Data Protection Rights and Requests

​Your rights

Under the General Data Protection Regulation (GDPR) and Data Protection Act 2018, data subjects have various rights in relation to the processing of their personal data.

What these rights are, and how they apply to the City Corporation are detailed in the Data Subject Rights Policy.

Making a Request

A data subject wishing to exercise any of the rights detailed in this policy should make their request in writing.

You can email the Information Officer or send a letter to:

Information Compliance Team
Comptroller and City Solicitor’s Department
Guildhall, PO Box 270
London EC2P 2EJ

Although requests do not have a standard format, data subjects should be as precise as possible and specify (if known) which service area(s) within City of London Corporation their request relates to. This will enable the City of London Corporation to liaise with the relevant Department responsible for coordinating a response. Requests must be made either by the data subjects themselves, or by someone properly authorised to act on their behalf.

Proofs of identity

In some circumstances, the City of London Corporation may require data subjects to provide proof of their identity, such as a passport, a driving licence or a recent utility bill. These can be provided in person, by post, or by sending scanned, certified copies by email. Certification should confirm that the copy is ‘a true copy’, and give the certifying person’s name, address and telephone number.

Where a request is being made by a third party, on a data subjects behalf, the City of London Corporation will also require proof of authority that they are acting on another's behalf.

Where this is necessary, the City of London Corporation will inform the data subject and request the additional information without undue delay.

Response time

The City of London Corporation shall process all requests without undue delay, and in any event within one month of receipt of the request, beginning the day after the request is received, and ending on the corresponding day of the following month, or the next working day.

This period may, where considered necessary, be extended by a further two months, taking into account the complexity and number of requests. Where this occurs, the data subject will be informed without undue delay, and within one month.


In some cases, where a restriction, exemption or other constraint within the GDPR or DPA 2018 applies, the City Corporation may be unable to comply with a request by a data subject. When that happens, the City Corporation will inform the data subject or their representative.

Further information

For more details about the GDPR and DPA 2018 (including the restrictions), see the published guidance on the Information Commissioner's office. The Information Commissioner is appointed by the Crown and is the supervisory authority responsible for ensuring data protection compliance.

Contact us

Information Compliance Team
Comptroller and City Solicitor’s Department
City of London
PO Box 270 Guildhall
London EC2P 2EJ
020 7332 1209
Email: Information Officer

Making a complaint

​If you wish to make a complaint about how the City Corporation processes personal data, write to

Complaints Officer
Town Clerk’s Department
City of London, PO Box 270
London EC2P 2EJ
Email: Complaints Team.

If you are still dissatisfied, or you would prefer not to use our complaints procedure, you may complain to:

Information Commissioner’s Office
Wycliffe House
Water Lane
Cheshire SK9 5AF
01625 545700
Website: Information Comissioner's Office

Data Protection Notification

The Data Protection Act 1998 came into force on 1 March 2000 and replaced the Data Protection Act 1984. It gives individuals (‘data subjects’) a general right of access to ‘personal data’ (personal information) about themselves held by ‘data controllers’ within the United Kingdom. It also lays down principles for the way personal data must be managed.

A ‘Data Controller’ is a person who determines the purposes of the processing of personal data, and the manner of the processing. The City of London is a data controller.

Data Controllers have to notify the Information Commissioner's Office of the purposes for which they process personal data by electronic means, unless an exemption applies. Each ‘Notification’ is stored as a public register entry and an Internet version can be viewed on the Information Commissioner’s Public Register of Data Controllers.

The City of London’s entry can be accessed on the Register by typing in the City of London’s Registration Number Z5996206.

Please note that the Electoral Registration Officer, the Town Clerk, is subject to a separate notification. The Registration Number is Z9239467.

The following bodies, normally associated with the City of London, are legally data controllers in their own right and so are responsible for their own notifications