Data protection privacy policy

The primary purpose of current data protection legislation is to protect individuals against possible misuse of information about them held by others. It is the policy of The Friends of The City Churches to ensure that all members of The Friends of The City Churches and its volunteers are aware of the requirements of data protection legislation under their individual responsibilities in this connection.

The Act covers personal data, whether held on computer or in certain manual files. The Friends of The City Churches are obliged to abide by the data protection principles embodied in the Act.

About us

The Friends of the City Churches (FCC) is a Charitable Incorporated Organisation (CIO), Nº 1155049. The charity is run by a Committee of volunteers who are elected by the members at the Annual General Meeting. We employ one part-time administrator, who is occasionally assisted by volunteers drawn from the membership. Our office comprises a secure room within St Mary Abchurch, and we have exclusive access to a safe in the adjacent vestry. The church, office and neighbouring lanes are covered by CCTV.

Your personal data

‘Personal data’ is any information about a living individual which allows them to be identified from that data (for example, names, photographs, videos, addresses or e-mail addresses). Identification can be by the information alone or in conjunction with any other information. The processing of personal data is governed by [the Data Protection Bill/Act 2017 the General Data Protection Regulation 2016/679 (the “GDPR” and other legislation relating to personal data and rights such as the Human Rights Act 1998].

These principles require that personal data shall:

1. be processed fairly and lawfully;
2. be held only for specified purposes and not used or disclosed in any way incompatible with those purposes;
3. be adequate, relevant and not excessive;
4. be accurate and kept up-to-date;
5. not be kept for longer than necessary for the particular purpose;
6. be processed in accordance with data subject’s rights;
7. be kept secure;
8. not be transferred outside the European Economic Area unless the recipient country ensures an adequate level of protection. Our website is also accessible from overseas so on occasion some personal data (for example in a newsletter) may be accessed from overseas.

The Act provides individuals with rights in connection with personal data held about them. It provides individuals with the right to access data concerning themselves (subject to the rights of third parties). It also includes the right to seek compensation through the courts for damages and distress suffered by reason of inaccuracy or the unauthorised destruction or wrongful disclosure of data.

Under the terms of the Act, processing of data includes any activity to do with the data involved. All members or other individuals who have access to, or who use, personal data, have a responsibility to exercise care in the treatment of that data and to ensure that such information is not disclosed to any unauthorised person.

Examples of data include address lists and contact details as well as individual files. Any processing of such information must be done in accordance with the principles outlined above. In order to comply with the first principle (fair and lawful processing), at least one of the following conditions must be met:

• the individual has given his or her consent to the processing;
• the processing is necessary for the performance of a contract with the individual;
• processing is required under a legal obligation;
• processing is necessary to protect the vital interests of the individual;
• processing is necessary to carry out public functions;
• processing is necessary in order to pursue the legitimate interests of the controller or third parties (unless it could prejudice the interests of the individual);

In the case of sensitive personal data (which includes information about racial or ethnic origins, political beliefs, religious or other beliefs, trade union membership, health, sex life, and criminal allegations, proceedings or convictions), there are additional restrictions and explicit consent will normally be required.

Your rights and your personal data

You have the following rights with respect to your personal data. When exercising any of the rights listed below, in order to process your request, we may need to verify your identity for your security. In such cases we will need you to respond with proof of your identity before you can exercise these rights.

The right to access information we hold on you. At any point you can contact us to request the information we hold on you as well as why we have that information, who has access to the information and where we obtained the information from. Once we have received your request we will respond within one month. There are no fees or charges for the first request but additional requests for the same data may be subject to an administrative fee.

The right to correct and update the information we hold on you. If the data we hold on you is out of date, incomplete or incorrect, you can inform us and your data will be updated.

The right to have your information erased. If you feel that we should no longer be using your data or that we are illegally using your data, you can request that we erase the data we hold. When we receive your request, we will confirm whether the data has been deleted or the reason why it cannot be deleted (for example because we need it for our legitimate interests or regulatory purpose(s)).

The right to object to processing of your data. You have the right to request that we stop processing your data. Upon receiving the request we will contact you and let you know if we are able to comply or if we have legitimate grounds to continue to process your data. Even after you exercise your right to object, we may continue to hold your data to comply with your other rights or to bring or defend legal claims.

The right to data portability. You have the right to request that we transfer some of your data to another controller. We will comply with your request, where it is feasible to do so, within one month of receiving your request.

The right to withdraw your consent to the processing at any time for any processing of data to which consent was sought. You can withdraw your consent easily by telephone, e-mail, or by post (see Contact Details below).

The right to object to the processing of personal data where applicable.

The right to lodge a complaint with the Information Commissioner’s Office.

In relation to security (Principle 7), The Friends of The City Churches as Data Controller must take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data and sets out specific considerations for ensuring security. Members and other individuals should be aware that guidelines and regulations relating to the security of manual filing systems and the preservation of secure passwords for access to relevant data held on computer should be strictly observed.

Members should also note that personal data should not normally be provided to parties external to The Friends of The City Churches. Special arrangements apply to the exchange of data between The Friends of The City Churches and third parties.

Under Principle 8, which restricts the transfer of material outside the European Area, personal data about an individual placed on the World Wide Web is likely to breach the provisions of the Act unless the individual whose data is used has given his or her express consent. It is important that all those preparing web pages, address lists and the like, are aware of these provisions, and seek advice from the Data Protection Officer if in doubt.

The Act specifies arrangements for the notification of processing undertaken by the Friends of The City Churches. Any member who is uncertain as to whether their activities or proposed activities are included in The Friends of The City Churches notification should contact the Data Protection Officer in the first instance.

A failure to comply with the provisions of the Act may render The Friends of The City Churches, or in certain circumstances the individuals involved, liable to prosecution as well as giving rise to civil liabilities. Individuals are encouraged to familiarise themselves with the general aspects of Data Protection contained in the Friends of The City Churches’ guidelines to the Act, referred to above and with any specific measurements recommended by The Friends of The City Churches relevant to the particular nature of their work.

Further processing

If we wish to use your personal data for a new purpose, not covered by this Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.

Changes to this notice

We shall keep this Privacy Notice under regular review and we will place any updates on our website This Notice was last updated in March 2019.

Contact details

Please contact us if you have any questions about this Privacy Notice, or the information we hold about you, or to exercise all relevant rights, queries or complaints at:

The Data Controller
The Friends of The City Churches St Mary Abchurch
Abchurch Lane
London EC4N 7BA
Tel. 020 7626 1555

Download our Privacy Policy here

Download our Privacy Notice here


St Dunstan's ceiling detail