Privacy Policy
Canterbury Cathedral External Privacy Notice
Last Updated: May 2026
1. Who we are and what we do
Who we are
We are Canterbury Cathedral (“Canterbury Cathedral”, “us”, “we”, “our”), a charity registered in England under number 1206913, whose registered office is at Cathedral House, 11 The Precincts, Canterbury, Kent, CT1 2EH. We are registered with the UK supervisory authority, Information Commissioner’s Office (“ICO”), in relation to our processing of Personal Data under registration reference Z7522224.
What we do
Canterbury Cathedral consists of a number of internal departments and charities based largely within the Cathedral Precincts (the Canterbury Cathedral Group). These include The Chapter of Canterbury, Canterbury Cathedral Trust, Friends of Canterbury Cathedral, Canterbury Cathedral Lodge and Cathedral Enterprises Ltd (the Cathedral shop).
The Cathedral works with a large number of people on a daily basis, for example worshippers, visitors, volunteers, students and businesses. Nearly every area of the Cathedral has a requirement to collect certain personal information in order to maintain our relationships with individuals and to carry out our work.
Canterbury Cathedral is committed to safeguarding and protecting the privacy of the individuals and organisations we deal with in line with legislation.
Controller
Unless we notify you otherwise, we are the controller of the Personal Data we process about you. This means that we decide what Personal Data to collect and how to process it.
2. Purpose of this privacy notice
The purpose of this privacy notice is to explain what Personal Data we collect about you and how we process it. This privacy notice also explains your rights, so please read it carefully. If you have any questions or you wish to make a complaint, you can contact us using the information provided below under the ‘How to contact us and our Data Protection Officer’ section.
3. Who this privacy notice applies to
This privacy notice applies to you if:
- You visit our website
- You purchase goods or services from us
- You purchase tickets to visit us, or attend an event
- You book accommodation at The Lodge
- You enquire about our products and/or services
- You sign up to receive newsletters and/or other promotional communications from us, including if you enter a competition, promotion or survey
- You donate money to us
- You worship at the cathedral and are included in our Community Roll
- You form part of one of our choirs or groups
- You provide us with feedback
4. What Personal Data is
‘Personal Data’ means any information from which someone can be identified either directly or indirectly. For example, you can be identified by your name or an online identifier.
‘Special Category Personal Data’ is more sensitive Personal Data and includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purposes of uniquely identifying someone, data concerning physical or mental health or data concerning someone’s sex life or sexual orientation.
5. Personal Data we collect
The type of Personal Data we collect about you will depend on our relationship with you. For the type of Personal Data, we collect see the table below in the section entitled ‘Purposes and lawful bases‘.
6. How we collect your Personal Data
We collect most of the Personal Data directly from you in person, by telephone, text, email and/or via our website.
However, we may also collect your Personal Data from third parties such as:
- Booking affiliates
- Others to whom you have provided consent
- Publicly available sources such as social media platforms
- Technical data from analytics providers such as Google and Facebook based outside the United Kingdom
- Contact, financial and transaction data from providers of technical, payment and delivery services
7. Purposes and lawful bases
We will only use your Personal Data when the law allows. Most commonly, we will use your Personal Data in the following circumstances:
|
Purpose / Activity |
Type of data this could include |
|
Lawful basis for processing including basis of legitimate interest |
|
To register you as a new volunteer, supporter, customer, contractor, or worshipper, or member of a choir or group |
(a) Identity including full name, title, date of birth and gender. (b) Contact details including one or more of the following: email, phone, address (c) Health information, appropriate to your role with us, including any medical issues or allergies we need to be aware of whilst you are with us.
|
|
(a) Performance of a contract with you (b) Necessary for a legitimate interest (to raise funds to maintain and run Canterbury Cathedral) (c) Necessary for a legitimate interest (to protect the health of our worshippers) |
|
To allow pre-arranged admission to the cathedral for: · Sightseeing · Educational visits · Public events · Hiring of spaces for private events |
(a) Identity including full name, title, date of birth and gender. (b) Contact details including one or more of the following: email, phone, address |
|
(a) Performance of a contract with you (b) Consent
|
|
To notify you about Cathedral services, activities and events that may be of interest to you, and to provide with news, including newsletters, on Cathedral events and news from the wider Church of England. |
(c) Identity including full name, title, date of birth and gender (d) Contact details including one or more of the following: email, phone, address (e) Marketing and communications preferences |
|
(a) Consent |
|
To process and respond to enquiries about your booking order, including for bookings to visit the cathedral and stay at The Lodge, or donation, including: (a) to manage payments, fees and charges, and take bookings (b) to collect and recover money owed to us for services (c) to maintain and our own accounts and records (including the processing of Gift Aid) |
(a) Identity including full name, title, date of birth and gender. (b) Contact details including one or more of the following: email, phone, address (c) Marketing and Communications preferences (d) Financial information including bank account and payment card details (e) Transaction information including payments to and from you, and other details of products/ services you have purchased. (f) Marketing and communications preferences |
|
(c) Performance of a contract with you (d) Necessary for a legitimate interest (to raise funds to maintain and run Canterbury Cathedral) (e) Necessary for a legitimate interest (to protect the health of our worshippers) (f) Necessary for our legitimate interests (to recover debts due to us) |
|
To manage our relationship with you which will include: (a) notifying you about changes to our terms or privacy notice (b) asking you to leave a review or take a survey |
(a) Identity including full name, title. (b) Contact details including one or more of the following: email, phone, address (c) Marketing and Communications preferences (d) Profile information including your username and password, purchases or orders made, your interests, preferences, feedback and survey responses |
|
(a) Performance of a contract with you. (b) Necessary to comply with a legal obligation. (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services). |
|
To enable you to apply for a job |
(a) Identity including full name, title, date of birth and gender. (b) Contact details including one or more of the following: email, phone, address (c) CV |
|
(a) Taking steps at your request with a view to entering a contract with you. |
|
To administer and protect our business and our website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data). |
(a) Identity including full name, title. (b) Contact details including one or more of the following: email, phone, address (c) Technical data including your internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website. |
|
(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation |
|
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you |
(a) Identity including full name, title. (b) Contact details including one or more of the following: email, phone, address (c) Technical data including your internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website. (d) Marketing and Communications preferences (e) Profile information including your username and password, purchases or orders made, your interests, preferences, feedback and survey responses (f) Usage information including how you use our website, product and services. |
|
(a) Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy) |
|
To use data analytics to improve our website, products/services, marketing, customer relationships and experiences |
(a) Identity including full name, title. (b) Contact details including one or more of the following: email, phone, address (c) Technical data including your internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website. (d) Usage information including how you use our website, product and services. |
|
Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
|
To make suggestions and recommendations to you about goods or services that may be of interest to you |
(a) Identity including full name, title, date of birth and gender. (b) Contact details including one or more of the following: email, phone, address (c) Technical data including your internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website. (d) Usage information including how you use our website, product and services. (e) Profile information including your username and password, purchases or orders made, your interests, preferences, feedback and survey responses |
|
Necessary for our legitimate interests (to develop our products/services and grow our business) |
|
To undertake background checks in relation to applicants for jobs or volunteer positions |
(a) Identity including full name, title, date of birth and gender. (b) Contact details including one or more of the following: email, phone, address |
|
(a) Necessary for a legal obligation (safeguarding) |
|
To deal with issues, complaints, incidents or disputes arising out of our relationship with you/your business, and to prevent or detect crime, including fraud
|
(a) Identity including full name, title, date of birth and gender. (b) Contact details including one or more of the following: email, phone, address (c) Technical data including your internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website. (d) Marketing and Communications preferences (e) Profile information including your username and password, purchases or orders made, your interests, preferences, feedback and survey responses (f) Usage information including how you use our website, product and services. |
|
(a) Performance of a contract with you (b) To establish, exercise or defend legal claims |
Where Personal Data is processed because it is necessary for the performance of a contract to which you are a party, we will be unable to provide our services without the required information.
8. Data retention (How long we will keep your personal data for)
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
We will only keep your data for as long as is required, and in line with the Church of England’s retention guidelines, which can be found here: https://www.churchofengland.org/about/libraries-and-archives/records-and-information-management
9. Sharing your Personal Data
The Cathedral works with a number of external service providers and contractors, for example a mailing house to send out printed newsletters. The Cathedral only shares with these providers information that is necessary for them to carry out the functions we employ them for and does not sell or trade personal data. Third party agreements are in place to ensure your data is handled respectfully.
We may share your Personal Data with our carefully selected third parties, including:
- Other people in the Canterbury Cathedral group, as referenced in Section 1, acting as joint controllers or processors.
- Service providers actings as processors who provide services to us, for example IT and system administration services, event and accommodation booking services, tour services, financial services, background checks or other similar services.
- Professional advisors actings as joint controllers or processors, including lawyers, bankers, auditors and insurers.
- HM Revenue and Customs, regulators, and other authorities acting as joint controllers or processors who require reporting in certain circumstances.
- Business partners involved in the contract we have entered into with them for one of the activities listed above.
- Market research organisations acting as processors who conduct research on our behalf.
10. International Transfers
Your Personal Data will not be processed outside the UK.
11. Marketing Communications
From time to time, with your consent, or as part of our legitimate interests, we may use your information to contact you with details about our products and services which we feel may be of interest to you.
You have the right at any time to stop us from contacting you for marketing purposes. If you wish to exercise these rights, you can do so by following the ‘unsubscribe’ link on any emails received or contacting us at [email protected]
12. Automated Decision-making
We do not make any decisions about you based solely on automated decisions.
13. Your rights
You have certain rights in relation to the processing of your Personal Data, including to:
- Right to be informed
You have the right to know what personal data we collect about you, how we use it, for what purpose and in accordance with which lawful basis, who we share it with and how long we keep it. We use our privacy notice to explain this. - Right of access (commonly known as a “Subject Access Request”)
You have the right to receive a copy of the Personal Data we hold about you. - Right to rectification
You have the right to have any incomplete or inaccurate information we hold about you corrected. - Right to erasure (commonly known as the right to be forgotten)
You have the right to ask us to delete your Personal Data. - Right to object to processing
You have the right to object to us processing your Personal Data. If you object to us using your Personal Data for marketing purposes, we will stop sending you marketing material. - Right to restrict processing
You have the right to restrict our use of your Personal Data. This means that you can ask us to suspend the processing of your Personal Data, in certain circumstances, such as where you contest the accuracy of your Personal Data. - Right to portability
You have the right to ask us to transfer your Personal Data to another party. - Automated decision-making. You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. We do not use automated decision-making.
- Right to withdraw consent
If you have provided your consent for us to process your Personal Data for a specific purpose, you have the right to withdraw your consent at any time. If you do withdraw your consent, we will no longer process your information for the purpose(s) you originally agreed to, unless we are permitted by law to do so.
How to exercise your rights
You will not usually need to pay a fee to exercise any of the above rights. However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
If you wish to exercise your rights, you may contact us using the details set out below within the section called ‘How to contact us and our Data Protection Officer’. We may need to request specific information from you to confirm your identity before we can process your request. Once in receipt of this, we will process your request without undue delay and within one month. In some cases, such as with complex requests, it may take us longer than this and, if so, we will keep you updated.
14. Complaints
You have the right to complain if you consider that we have not complied with the data protection law when handling your Personal Data. We will acknowledge receipt of your complaint within 30 days, investigate the matter without undue delay, and keep you informed of the progress and outcome. If you wish to complain please use the contact details given below under “How to contact us and our Data Protection Officer”. We will do our best to resolve the matter to your satisfaction.
If you are not satisfied with the outcome of your complaint, you can complain with the relevant supervisory authority.
The supervisory authority in the UK is the Information Commission who can be contacted online at: Contact us | ICO
Or by telephone on 0303 123 1113
For supervisory authorities in other countries within the EU see the link below:
https://edpb.europa.eu/about-edpb/about-edpb/members_en
15. Children’s Privacy
At the Cathedral, we do offer services to children, for example, our Children’s Choir, which means we do collect Personal Data of children with parental/guardian consent, as permitted by law. If you are a child, you must have your parent’s permission to use our services.
If you learn that a child has provided us with their Personal Data without parental consent, you may contact us, as described below, and if appropriate, we will securely and permanently delete it, in accordance with applicable law.
16. How to contact us and our Data Protection Officer
If you wish to contact us in relation to this privacy notice or if you wish to exercise any of your rights outlined above, please contact us as follows:
11 The Precincts, Canterbury, Kent, CT1 2EH
[email protected]
+44 (0) 1227 762862 (office hours, Monday–Friday)
We have also appointed a Data protection Officer (“DPO”). Our DPO is Evalian Limited and can be contacted as follows:
West Lodge, Leylands Business Park, Colden Common, Hampshire, SO21 1TH, United Kingdom.
[email protected]
Please mark your communications FAO the ‘Data Protection Officer’.
17. Changes to this privacy notice
We may update this notice (and any supplemental privacy notice), from time to time as shown below. We will notify of the changes where required by applicable law to do so.
Last modified May 2026