Who we are
Ely Cathedral (we, our, us) welcomes many individuals, from our faithful congregation to our many visitors from around the world who come to learn about the history of the Cathedral or marvel at our architecture. You can learn more about the Cathedral here.
Because we engage with people in a variety of ways through the services, events and other activities the Cathedral has to offer, we process the personal data of our congregation, visitors, choristers and those attending events or conferences.
Ely Cathedral is not just one entity but consists of a number of companies and charitable organisations. This privacy notice relates to all of the companies and charities outlined below, as well as our website www.elycathedral.org.
- Ely Cathedral
- Ely Cathedral Trust
- Ely Cathedral Enterprise Limited
We are supported by the Friends of Ely Cathedral, a registered charitable organisation that supports the Cathedral by raising funds via subscriptions or other means to assist the Cathedral in the advancement of its religious, pastoral, musical and educational work, including the preservation of its fabric and the ornaments and furnishings thereof.
We at Ely Cathedral are committed to protecting and respecting your privacy, and the purpose of this notice is to provide you with information on who we are and how and why we collect and process your personal data.
It is important that you read this privacy notice carefully together with any other privacy notice we may provide to you on specific occasions when we are collecting or processing personal data about you to ensure you are fully aware of how and why we are using your data. This privacy notice supplements other notices and privacy policies and is not intended to override them.
How to contact us and our data protection officer
If you wish to know more about us, if you have any questions about this privacy notice, data processing practices or data protection matters generally, or if you wish to exercise your legal rights, you can contact us by writing to us at:
Ely Cathedral, Chapter House, The College, Ely, Cambs, CB7 4DL
We have appointed GRCI Law Limited as our Data Protection Officer (DPO) and you can contact them via email at email@example.com, by telephone on 0333 800 7000 or by writing to them at GRCI Law, Unit 3 Clive Court, Bartholomew’s Walk, Cambridgeshire Business Park, Ely, CB7 4EA.
What is Personal Data?
What we mean by personal data is any information relating to an individual from which an individual can be identified, directly or indirectly, either by itself or when combined with other information.
Special category data is sensitive personal information. This type of data is particular to you as it reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership as well as genetic data, biometric data used to identify an individual, data concerning health or data concerning an individual’s sex life or sexual orientation.
This type of data requires higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information.
Further information regarding the reasons why we might process such data can be found below.
Data we collect about you
In order to provide our wide range of worship, services and events, we collect and process personal data about different categories of individuals, including our employees, volunteers, congregation, supporters, donors and visitors.
We may collect, use, store and/or transfer different kinds of personal data about you which will differ depending on your interaction with us.
We will limit the collection and processing of personal data to what is necessary to achieve one or more purpose(s) as identified in this notice.
As a minimum we will collect basic information about you which will include:
- Basic personal data to identify you such as your first name, maiden name, last name, username or similar identifier, title, occupation, job title, date of birth;
- Your contact information including your email address, address, geographical region and telephone numbers.
Description of Data Types
|Data type||Descriptions of data|
|Identification data||First name, last name, username, image, other identifier, marital status, title, job title, date of birth|
|Contact data||Name, postal address, email address, telephone number|
|Financial transaction and Donation Data||Bank account details and card payment details. Information regarding payments made and details regarding services purchased, events attended, donations made to us, the method of donation and the frequency of such donations.|
|Technical data||Internet protocol (IP) address, or other unique device identifiers. Login data, browser type, version and settings, browser plug-in types. Your operating system and platform. Time and dates of access and time zone settings and location. Information provided via a web form. Searches conducted, site visits and versions. Attempts to log onto closed sites. Data collected by cookies.|
It is important that the personal data we hold about you is accurate and current.
Please keep us informed if your personal data changes during your relationship with us.
Please click the link below to find out more about the different types of personal data we will process depending on your interaction with us.
Table of Data Collected
|Relationship with Us||Data Collected||Categories of Data Subjects|
|A website user||Technical Data||Users of the website including members of the public|
|Security & Monitoring||Identification Data||Staff, visitors and individuals who may interact with the security systems.|
|Online transactions, attending events, conferences and tours||Contact Data; Financial Data; details of events organisers and guests including details of organisations represented, and the event purpose; billing information re facilities and services; meal information, special adaptions due to medical condition or disability notified to us; photos, audio, video recording of the event; guest login information – IP address, devices connected and traffic monitoring data||Attendees, visitors, organisers and those involved in events and/or conferences; members of the public; members of the Congregation|
|Financial transactions and Donation Data||Identification Data; legacy information and details including copies of Wills or sections of Wills; requests for anonymity; letters and correspondence relating to gifts you made and notes of meetings; plans outlining future activities and interactions; membership of societies or groups; information regarding relationships to friends, patron groups, relevant trusts and/or foundations; donation due-diligence research|
|IT Systems||Identification Data||Staff, and users of IT systems, email, mobile devices and telephones|
|Archives||Family members information; details of disciplinary complaints or decisions about you; health data – age – gender – religion – Equality Act; special category data and criminal convictions||Individuals who have donated items to our archives; researchers who access our archives; other third parties referred to in records held in the archive|
What are the consequences of not providing data requested?
In the majority of circumstances, the provision of data is a contractual requirement.
If you do not provide us with information that you are contractually obliged to provide, the consequences will depend on the particular circumstances. In some cases, we may not be able to provide you with certain services; in other cases, this could result in disciplinary action or the termination of your contract.
Certain information will be required to use the relevant IT system. For example, you will require a password to access the Cathedral's IT systems. If you do not provide such data, you will not be able to use our system and, depending on the circumstances, this may become a disciplinary matter that could lead to the termination of your contract with us if you are an employee.
Failure to provide financial information will mean we are unable to process any payment from you and may not be able to enter into the relevant contract with you.
Failure to provide accurate organisation and purpose details for events may mean that we choose not to enter into the relevant contract with you or an event in progress may not be permitted to continue.
Failure to provide information regarding visa status or right to work or related information may mean we are unable to enter into a contract with you and/or may result in the termination of a contract.
We may collect personal information from children under the age of 16 but we will not do so or knowingly allow such persons to provide us with their personal information without verifiable parent or guardian consent.
In the event we learn that we collected personal information from anyone under the age of 16, and do not have a parent or guardian's consent, we will delete that information as quickly as possible.
How we collect personal data
We collect personal data directly from you but may also collect and generate it from different sources.
|Source of Data||How data is collected|
|Directly from you||When you contact us: via telephone, letters or email; to join the Congregational Roll; to make payments; to request information electronically or otherwise; to request marketing material to be sent to you including donation envelopes; and/or to provide feedback.|
|Information we learn about you through our relationship and the way you interact with us||In our communications with you; when you attend a conference or an event|
|Information received from third parties||The Friends of Ely Cathedral: as the Friends of Ely Cathedral is a separate organisation, they have a separate privacy notice. However, they share Identity and Contact Data of all subscribers. We operate a number of IT systems, including but not limited to systems such as Microsoft Office, your email account obtained from our third-party suppliers. For example, via the generation of telephone records or guests who may attend our conferences or events. Through voluntary or statutory services.|
|Information we gather using technology, and how you use technology (for example recognising behavioural patterns)||When you access our website (an IP address for example); statistical information we receive from applications such as Google Analytics (for more information about Google Analytics see www.google.com/analytics); when you access our IT systems; generating a log of your attendance at events and/or conferences|
|Other sources||Staff, donors to our archives, family members, friends and visitors to the and other such third parties|
Why we use your personal data
We will collect and process personal information about you to enable us to enter into a contract with you, for example to attend an event with us, to inform you of conferences and events tailored to your interests, to provide you with information about the Cathedral and our activities, to facilitate financial transactions, operational reporting and for the production of management information, to provide support and assistance where required and to manage our ongoing relationship with you.
Under data protection law, we can only use your personal information if we have a proper reason or legal basis for doing so. We have provided further information regarding our reasons for processing your data below.
Our reasons for processing personal data
Our Legitimate interests. We process your personal data for our legitimate business purposes, which include but are not limited to the following:
- Communicate with you about the Cathedral and/or Cathedral activities
- For our administration functions such as managing generous donations made to us and other Cathedral activities such as paying certain expenses incurred by our registered volunteers;
- Monitoring of IT and telecommunications systems to maintain the integrity of the systems and prevent misuse;
- Provide technical support;
- Notify you about updates to our processes and services;
- Using CCTV monitoring at the Cathedral to help provide safety and security
Wherever we process your personal data for these purposes, we ensure that your interests, rights and freedoms are carefully considered.
Contractual necessity. We use your personal data for the following purposes on the basis that it is necessary for us to provide our services to you:
- to identify you
- to respond to your enquiry if you contact us
- to provide pre-contractual information about the
- to take part in or hold a conference or an event
Compliance with a legal obligation. We may use your personal data in order to comply with certain laws and legal obligations.
Public Interest. Where the processing is in the public interest, for example archiving activities.
Consent. Usually, we do not use consent as the legal basis for processing your personal data, but sometimes we may have to get your consent to use your personal data, such as when we collect and use sensitive information about you or when we want to send you third party direct marketing communications via email, letters or phone calls. Where we process your personal data on this basis you have the right to withdraw consent at any time.
Emergency situations. We may also use your personal information, typically in an emergency, where this is necessary to protect your vital interests, or someone else’s vital interests.
Why we use special category data
We may process special categories of personal information in the following circumstances:
- Where we have your explicit written consent to do so;
- Where it is necessary for reasons of employment, social security and/or social protection law
- Where it is necessary for your protection or that of another individual for example in an emergency situation
- Where it is necessary in the substantial public interest, for example for the purposes of promoting and maintaining equal opportunity or treatment
- Where processing is necessary for archiving purposes in the public interest, or for scientific or historical research purposes, or statistical purposes, subject to further safeguards for your fundamental rights and interests specified in law
- Where it is necessary for the establishment, exercise or defence of a legal claim.
We have in place appropriate policy documents and/or other safeguards which we are required by law to maintain when processing such data.
Criminal convictions and allegations of criminal activity
Further legal controls apply to data relating to criminal convictions and allegations of criminal activity. We may process such data on the same grounds as those identified for “special categories” referred to above.
Marketing and Communications
You may choose to restrict the collection or use of your personal information for direct marketing purposes.
If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by emailing us at firstname.lastname@example.org
If you are an existing contact, we will only contact you by electronic means with information about services which you have previously purchased from us or enquired about.
Where we have permitted selected third parties to use your data, we (or they) will contact you by post or electronic means only if you have consented to this. As mentioned above, you can choose not to receive these types of communications by contacting us.
We have put in place appropriate security measures including layered security software to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered or disclosed. Our security system is subject to regular audit and testing.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
You have several rights under data protection laws which are set out below. You can access any of these rights at any time and if you wish to do so or require further information about your rights please contact us using the details above.
- Access - the right to request a copy of the personal data we hold on you. When you request this data, this is known as making a Subject Access Request (SAR). In most cases, this will be free of charge, however in some limited circumstances, for example, repeated requests for further copies, we may apply an administration fee;
- Rectification of personal data - the right to have any inaccuracies corrected;
- Erasure of personal data - the right to have any data erased in certain circumstances;
- Restriction of processing personal data - the right to restrict processing, in limited circumstances, where we do not have legitimate grounds for processing your personal data;
- Objection to processing of personal data - the right to object to processing of personal data in certain circumstances. For example, you can object to your personal data being used to send you marketing material.
- Automated decision making - the right to ask for a decision to be made manually, where a decision is made using automated means and this adversely impacts you. Please note that we do not envisage that any decisions will be taken about you based solely on automated means, however we will notify you in writing if this position changes; and
- Portability - the right to have a copy of the personal data we hold about you transferred to another data controller in electronic form.
- Withdraw consent – where we rely on consent as a legal basis for processing personal data you may withdraw consent at any time. This will not affect the validity of any lawful processing of your data up until the time when you withdrew your consent. You may withdraw your consent by contacting us at email@example.com
If you wish to exercise any of your rights in relation to your data as processed by Ely Cathedral, please contact our Data Protection Officer at firstname.lastname@example.org. Some of your rights are not automatic, and we reserve the right to discuss with you why we might not comply with a request from you to exercise them.
Further guidance on your rights is available from the Information Commissioner’s Office (https://ico.org.uk/).
How to complain
We would appreciate the chance to address any concern you may have before you approach the ICO and ask that you contact us first.
If you are unhappy with the way we have handled your personal data and want to complain about how your personal data is being processed, you can do so at any point in time. Please contact us using the details above (email@example.com).
If you are not satisfied with our response, you can raise a complaint with your Supervisory Authority (https://www.eudpr.com/supervisory-authorities). The Information Commissioner's Office (ICO) is the UK’s supervisory authority, whose role is to enforce data protection laws. You have the right to complain to the ICO (https://ico.org.uk/concerns/) if you believe that your data has been processed unlawfully.
How and why we share your personal data
We do not sell your personal data; however, we may share your personal data with certain third parties if we are allowed to do so or are required to do so by law.
In circumstances where your personal data is shared with third parties, we will seek to share the minimum amount of information necessary to fulfil the purpose.
All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies and are only permitted to process your personal data for specific purposes in accordance with our instructions. We do not allow our third-party providers to use your personal data for their own purposes.
Examples of the types of third parties with whom we may share your personal data include, but are not limited to, the following:
|Categories of Data Subjects|
|Third party service providers, including event providers or third parties who may assist us with fund raising activities.|
Other third parties such as our professional advisors such as our accountants
|Invoicing information to the extent required to fulfil Ely Cathedral’s tax obligations.|
Book events online or directly from the Cathedral
Attendees at our events and/or our conferences.
|Third party service providers such as our IT service providers.||To facilitate the activities of Ely Cathedral. Sharing of personal data will be subject to formal agreement between the Cathedral and the Processor.||Website Users; attendees, organisers and those involved in our conferences and events.|
|Legal advisors and auditors||To advise upon legal or regulatory matters and assist in pursuing or defending legal claims.||Website Users; attendees, organisers and those involved in our conferences and events.|
|Agencies with responsibilities for the prevention and detection of crime, apprehension and prosecution of offenders, safeguarding or national security.||For the prevention, detection or investigation of crime, for the location and/or apprehension of offenders, and/or for the protection of the public (in cases where there is a duty on us to report).||Website Users; attendees, organisers and those involved in our conferences and events.|
Transferring personal data outside the UK and European Economic Area (EEA)
It may be necessary for your information to be transferred to and stored in locations outside the United Kingdom (UK) and European Economic Area (EEA), including countries that may not have the same level of protection for personal information.
We may need to transfer your information in this way to carry out our contract with you, to fulfil a legal obligation, to protect the public interest and/or for our legitimate interests.
When we do this, we’ll ensure it has an appropriate level of protection and that the transfer is in accordance with data protection laws. We will transfer data to an organisation based in a country with an adequacy decision issued by the European Commission or, alternatively, put in place an appropriate safeguard such as standard model clauses. If you require further information regarding data transfers, please contact us using the contact details above.
How long do we hold personal data?
We keep your personal data for no longer than is necessary to fulfil the purpose for which it was collected.
How long we keep your personal data depends on several factors including but not limited to the nature and type of record, the nature of the activity, the product or service and any applicable legal or regulatory requirements and changes thereof. Any such changes will be reflected in our Record of Processing Activities.
Where legal proceedings or regulatory, disciplinary or criminal investigations are in progress, or relevant requests are made under data protection laws or freedom of information legislation, it may be necessary to suspend deletion of data until such proceedings, investigations or requests have been fully concluded.
Links to other websites
Within our website we may have links to third party websites, plug-ins and applications. Clicking those links may enable third parties to share or collect your personal data.
Please be aware that we do not control such third-party websites and are not responsible for their privacy statements or the contents of those websites. We would encourage you to read the privacy notice of every website you visit.
Changes to the privacy notice
We keep our privacy notice under regular review. We may need to update this notice from time to time, for example if the law or regulatory requirements change, if technology changes, or if we change our procedures to make operations and procedures more efficient.
We encourage you to review this page regularly to identify any updates or changes to our privacy notice.
Please contact us if you wish to receive past versions of any of our privacy notices.