Skip to content
Date created: 6/09/2020

Data Protection Policy PDF (145KB)

Date submitted: 1/08/20

The City of London Corporation Data Protection Policy details its obligations under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018). The Data Protection Officer for the City Corporation is the Comptroller and City Solicitor.

Internal Policies

Employee Data Protection Policy PDF (220KB)

Date submitted: 5/20/18

The Policy details the City Corporations' obligations under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018).

Employee Privacy Notice PDF (92KB)

Date submitted: 1/08/20

This notice describes how the City Corporation collects and uses personal information about its current and former employees.

Occupational Health Service Privacy Notice PDF (109KB)

Date submitted: 1/10/20

The  Notice is for current and former members of staff and provides information in regards to how their personal data is processed. 

Data Subject Rights Policy PDF (232KB)

Date submitted: 5/24/18

The Policy details its obligations under GDPR and the Data Protection Act 2018, in relation to the individual rights that the data subject hold in regards to their personal data. 

Privacy Notice

Our Privacy Notice includes all required information on how and why the City Corporation processes personal data.

Marketing

The Privacy and Electronic Communications (EC Directive) Regulations 2003 have an impact on the work of the City Corporation because of the wide definition of ‘Direct Marketing’ decided by the Information Commissioner's Office, and also because the City Corporation operates websites and contacts people by email.

In complying with the legal requirements we will ensure that:

  • the proposed recipients of our eMarketing information have given their prior consent to receive the information
  • even after prior consent has been given, that the recipients of our eMarketing information are provided with the option to opt-out of further receipt of marketing information at any time
  • the personal data which we collect relating to the recipients of our eMarketing information is processed in accordance with the Data Protection Act, and in particular that: no more personal data is collected than is required, and that regular surveys are conducted to ensure that the personal data is accurate and kept up to date
  • any recipient of our eMarketing information is issued with a Privacy Notice (also called a  ‘Fair Processing Notice’) explaining what the City of London does with the information.

As the City Corporation's eMarketing is directed at both individuals and corporate subscribers, and their employees, a policy decision has been taken to apply the same principles to both sorts of subscribers on the basis of simplicity, consistency and efficiency, even though the law does not require prior consent from corporate subscribers with regard to marketing by email.

Contact us

Information Compliance Team
Comptroller and City Solicitor’s Department
City of London
Guildhall, PO Box 270 
London EC2P 2EJ
020 7332 1243
Email Information Officer

​Your rights

Under the General Data Protection Regulation (GDPR) and Data Protection Act 2018, data subjects have various rights in relation to the processing of their personal data.

What these rights are, and how they apply to the City Corporation are detailed in the Data Subject Rights Policy.

Making a Request

A data subject wishing to exercise any of the rights detailed in this policy should make their request in writing.

You can email the Information Officer or send a letter to:

Information Compliance Team
Comptroller and City Solicitor’s Department
Guildhall, PO Box 270
London EC2P 2EJ

Although requests do not have a standard format, data subjects should be as precise as possible and specify (if known) which service area(s) within City Corporation their request relates to. This will enable the City Corporation to liaise with the relevant Department responsible for coordinating a response. Requests must be made either by the data subjects themselves, or by someone properly authorised to act on their behalf.

Proofs of identity

In some circumstances, the City Corporation may require data subjects to provide proof of their identity, such as a passport, a driving licence or a recent utility bill. These can be provided in person, by post, or by sending scanned, certified copies by email. Certification should confirm that the copy is ‘a true copy’, and give the certifying person’s name, address and telephone number.

Where a request is being made by a third party, on a data subjects behalf, the City Corporation will also require proof of authority that they are acting on another's behalf.

Where this is necessary, the City Corporation will inform the data subject and request the additional information without undue delay.

Response time

The City Corporation shall process all requests without undue delay, and in any event within one month of receipt of the request, ending on the corresponding day of the following month, or the next working day.

This period may, where considered necessary, be extended by a further two months, taking into account the complexity and number of requests. Where this occurs, the data subject will be informed without undue delay, and within one month.

Exemptions

In some cases, where a restriction, exemption or other constraint within the GDPR or DPA 2018 applies, the City Corporation may be unable to comply with a request by a data subject. When that happens, the City Corporation will inform the data subject or their representative.

The Data Protection Act 2018 came into force in May 2018 and replaced the Data Protection Act 1998. It gives individuals (‘data subjects’) a general right of access to ‘personal data’ (personal information) about themselves held by ‘data controllers’ within the United Kingdom. It also lays down principles for the way personal data must be managed.

A ‘Data Controller’ is a person who determines the purposes and the means of the processing of personal data, and the manner of the processing. The City Corporation is a data controller.

Data Controllers have to notify the Information Commissioner's Office of the purposes for which they process personal data by electronic means, unless an exemption applies. Each ‘Notification’ is stored as a public register entry and can be viewed on the Information Commissioner’s Public Register of Data Controllers.

The City Corporation’s entry can be accessed on the Register by typing in the City Corporation’s Registration Number Z5996206.

Please note that the Electoral Registration Officer, the Town Clerk, is subject to a separate notification. The Registration Number is Z9239467.

The following bodies, normally associated with the City of London, are legally data controllers in their own right and so are responsible for their own notifications

For more details about the GDPR and DPA 2018 (including the restrictions), see the published guidance on the Information Commissioner's office. The Information Commissioner is appointed by the Crown and is the supervisory authority responsible for ensuring data protection compliance. 

Alternatively for more details in regards to GDPR and DPA 2018 practices at the City Corporation please contact us on the following details:

Information Compliance Team
Comptroller and City Solicitor’s Department
City of London
PO Box 270 Guildhall
London EC2P 2EJ
020 7332 1243
Email: Information Officer

Making a complaint

​If you wish to make a complaint about how the City Corporation processes personal data, please write to the Information Compliance Team on the above contact details, or alternatively please write to; 

Complaints Officer
Town Clerk’s Department
City of London, PO Box 270
Guildhall
London EC2P 2EJ
Email the Complaints Team

If you are still dissatisfied, or you would prefer not to use our complaints procedure, you also may complain to:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
01625 545700
Information Commissioner's Office