Skip to content
Date updated: 15/03/2023
Data Protection Policy PDF (145KB)
Date submitted: 8/01/20

Internal Policies

Employee Data Protection Policy PDF (220KB)
Date submitted: 20/05/18
Data Subject Rights Policy PDF (232KB)
Date submitted: 24/05/18

Privacy Notice

Our Privacy Notice includes all required information on how and why the City Corporation processes personal data.

Please find below specific privacy notices for all current and former staff members and volunteers. 

Occupational Health Service Privacy Notice PDF (109KB)
Date submitted: 10/01/20
Volunteer Privacy Notice (118KB)
Date submitted: 12/01/23


The Privacy and Electronic Communications (EC Directive) Regulations 2003 have an impact on the work of the City Corporation because of the wide definition of ‘Direct Marketing’ decided by the Information Commissioner's Office, and also because the City Corporation operates websites and contacts people by email.

In complying with the legal requirements we will ensure that:

  • the proposed recipients of our eMarketing information have given their prior consent to receive the information
  • even after prior consent has been given, that the recipients of our eMarketing information are provided with the option to opt-out of further receipt of marketing information at any time
  • the personal data which we collect relating to the recipients of our eMarketing information is processed in accordance with the Data Protection Act, and in particular that: no more personal data is collected than is required, and that regular surveys are conducted to ensure that the personal data is accurate and kept up to date
  • any recipient of our eMarketing information is issued with a Privacy Notice (also called a  ‘Fair Processing Notice’) explaining what the City of London does with the information.

As the City Corporation's eMarketing is directed at both individuals and corporate subscribers, and their employees, a policy decision has been taken to apply the same principles to both sorts of subscribers on the basis of simplicity, consistency and efficiency, even though the law does not require prior consent from corporate subscribers with regard to marketing by email.

​Your rights

Under the General Data Protection Regulation (GDPR) and Data Protection Act 2018, data subjects have various rights in relation to the processing of their personal data.

What these rights are, and how they apply to the City Corporation are detailed in the Data Subject Rights Policy.

Making a Request

A data subject wishing to exercise any of the rights detailed in this policy should make their request in writing.

You can email the Information Officer or send a letter to:

Information Compliance Team
Comptroller and City Solicitor’s Department
Guildhall, PO Box 270
London EC2P 2EJ

Although requests do not have a standard format, data subjects should be as precise as possible and specify (if known) which service area(s) within City Corporation their request relates to. This will enable the City Corporation to liaise with the relevant Department responsible for coordinating a response. Requests must be made either by the data subjects themselves, or by someone properly authorised to act on their behalf.

Proofs of identity

In some circumstances, the City Corporation may require data subjects to provide proof of their identity, such as a passport, a driving licence or a recent utility bill. These can be provided in person, by post, or by sending scanned, certified copies by email. Certification should confirm that the copy is ‘a true copy’, and give the certifying person’s name, address and telephone number.

Where a request is being made by a third party, on a data subjects behalf, the City Corporation will also require proof of authority that they are acting on another's behalf.

Where this is necessary, the City Corporation will inform the data subject and request the additional information without undue delay.

Response time

The City Corporation shall process all requests without undue delay, and in any event within one month of receipt of the request, ending on the corresponding day of the following month, or the next working day.

This period may, where considered necessary, be extended by a further two months, taking into account the complexity and number of requests. Where this occurs, the data subject will be informed without undue delay, and within one month.


In some cases, where a restriction, exemption or other constraint within the GDPR or DPA 2018 applies, the City Corporation may be unable to comply with a request by a data subject. When that happens, the City Corporation will inform the data subject or their representative.

The Data Protection Act 2018 came into force in May 2018 and replaced the Data Protection Act 1998. It gives individuals (‘data subjects’) a general right of access to ‘personal data’ (personal information) about themselves held by ‘data controllers’ within the United Kingdom. It also lays down principles for the way personal data must be managed.

A ‘Data Controller’ is a person who determines the purposes and the means of the processing of personal data, and the manner of the processing. The City Corporation is a data controller.

Data Controllers have to notify the Information Commissioner's Office of the purposes for which they process personal data by electronic means, unless an exemption applies. Each ‘Notification’ is stored as a public register entry and can be viewed on the Information Commissioner’s Public Register of Data Controllers.

The City Corporation’s entry can be accessed on the Register by typing in the City Corporation’s Registration Number Z5996206.

Please note that the Electoral Registration Officer, the Town Clerk, is subject to a separate notification. The Registration Number is Z9239467.

The following bodies, normally associated with the City of London, are legally data controllers in their own right and so are responsible for their own notifications

For more details about the GDPR and DPA 2018 (including the restrictions), see the published guidance on the Information Commissioner's office. The Information Commissioner is appointed by the Crown and is the supervisory authority responsible for ensuring data protection compliance.

Alternatively for more details in regards to GDPR and DPA 2018 practices at the City Corporation please contact us on the following details:

Information Compliance Team
Comptroller and City Solicitor’s Department
City of London
PO Box 270 Guildhall
London EC2P 2EJ
020 7332 1243
Email: Information Officer

Making a complaint

​If you wish to make a complaint about how the City Corporation processes personal data, please write to the Information Compliance Team on the above contact details, or alternatively please write to;

Information Compliance Team
Comptroller and City Solicitor’s Department
City of London,
PO Box 270
London EC2P 2EJ
Email: Information Officer

If you are still dissatisfied, or you would prefer not to use our complaints procedure, you also may complain to:

Information Commissioner’s Office
Wycliffe House
Water Lane
Cheshire SK9 5AF
01625 545700
Information Commissioner's Office