Privacy Notice
Durham Cathedral is a Christian church of the Anglian Communion and the Seat of the Bishop of Durham. We are a place of welcome, worship and hospitality.
We are dedicated to working in ways that are motivated by wisdom, responsibility, ethics and above all, the Christian faith. We recognise the image of God in all human beings, honour their dignity and treat them with courtesy. This is reflected in the way in which we work with everyone with whom we engage as a cathedral – our employees, volunteers, visitors, supporters and those who worship here – and in how we respect their privacy and protect their personal information.
Purpose of this Privacy Notice
The purpose of this Privacy Notice is to set out in detail how and where we collect your personal information through your use of this website and otherwise, how we use it and why. It states your rights to access your data and to control how it is used. It also refers to the relevant UK data protection legislation, currently the General Data Protection Regulation ((EU) 2016/679) (GDPR), and describes the steps that we are taking to ensure that we comply with it regarding your personal data. We have used the capitalized term Personal Data throughout this Notice – see below for what we mean by this term.
Our Privacy Notice is founded on three main principles:
Transparency: We are committed to giving you clear and detailed information on when and why we collect your personal information and how we use and store it. Information about this is set out in this Privacy Notice and in other written communications which we may make available to you such as Privacy Notices specific to the interaction between you and us or Consent Forms. Further details are available from us at the contact addresses set out below.
Lawfulness: We are committed to protecting data by collecting, using and storing personal information in a way that complies with the law.
Fairness: We are committed to fairness in all our dealings with personal information. Your trust is very important to us and we will do our best to keep your data safe and secure. We promise never to sell your personal details to anyone or to share them without your knowledge or consent.
Our approach to data privacy can help you to make informed decisions about whether and how you wish to engage with us and to be in control of how your data is held here.
Our Organisation
Durham Cathedral is made up of several connected organisations, trading companies and charities and this enables us to deliver our work in the most efficient manner. This Privacy Notice applies to all the following and for the purposes of this Privacy Notice, “Durham Cathedral”, “we”, “us” refers to all of them:
- Durham Cathedral
- Durham Cathedral Open Treasure Limited (now trading as Durham Cathedral Museum)
- Durham Cathedral Trading Limited
For the avoidance of doubt, the Chorister School is no longer a department of Durham Cathedral. It is now part of Durham Cathedral Schools Foundation.
The Chapter of Durham Cathedral is the data controller for the purposes of GDPR and responsible for our website hosted at www.durhamcathedral.co.uk (“this website” or “our website”). This means it decides, as data controller, how your personal information is processed and for what purposes
What is Personal Data and what data do we collect?
Personal Data is information about living, identifiable individuals relating to their private, professional or public life, that can be used directly, or when combined with other information, indirectly to identify the person. In providing a wide range of worship, services and activities, Durham Cathedral processes Personal Data for many reasons (see below). We collect information about the people who visit us, book and attend services and events, about our supporters and members of the Cathedral Community, participants in our public programmes, our suppliers, volunteers and employees so that we can contact them when appropriate and so that we can deliver our services and run our businesses. The data we hold about them may include:
- Identifying Data which includes first and last name, username or similar identifier, marital status, title, date of birth (and may include in some circumstances a maiden or previous name).
- Contact Data which includes an individual’s name and/or the organisation for which they work or at which they study (if they identify themselves as a student), postal address, email address and telephone numbers.
- Financial Data which includes bank account details and payment card details.
- Transaction and Donation Data which includes details about payments to and from them and other details about the products and services they have purchased from us and donations they made to us.
- Technical Data which includes their internet protocol (IP) address (the location of the computer on the internet), browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology relating to the devices you use to access this website including login data and data collected by cookies.
- Profile Data which includes purchases or orders made by them, their particular interests, feedback and survey responses and other information about how they use our website, the services we provide and our events and products.
- Method of Communications Data which includes their preferences as to how we communicate with them.
- Any Track and Trace Data collected during Covid-19 will be stored for 21 days as per Government guidelines and then destroyed. If requested as part of a formal track and trace process it will be used for that purpose.
You do not have to disclose any of the above information to view our website. However, please be aware that we may not be able to provide you with certain services where you do choose to withhold requested information. We use cookies to help make the experience of using our websites better and to personalise the service you receive from us.
A cookie is a small file of letters and numbers that we put on your computer if you agree. These cookies allow us to distinguish you from other users of our websites, which helps us to provide you with a good experience when you browse our website and allows us to improve our site.
For example, we may use Technical and Profiling Data obtained through cookies to remember your previous visits and monitor the pages on our websites that you visit. For more information please see our Cookie Policy, or contact us directly.
We may hold additional details on our employees, volunteers and others who work here for purposes other than in this Privacy Notice e.g. in order to keep them safe, (such as emergency contact details and information about their medical conditions) and in order to recruit them (such as data about applicants’ past roles and qualifications where they have sent us their CV or an application for a position). Separate Data Notices will be sent to these groups of individuals.
How do we collect your Personal Data?
We collect Personal Data in three main ways:
1. Data provided by you: You give us your information in several circumstances including the following: -
- when you become an employee, volunteer or supplier of ours
- when you buy or reserve a ticket or join an event or workshop over the counter, by phone or online via our website
- when you hire any cathedral spaces or any of our facilities for an event, ceremony or service
- when you otherwise buy or sell goods and/or services to or from us
- when you donate to us or any of our groups and/or complete a Gift Aid envelope
- when you become parents or pupils at the Chorister School or take part in one of our young person’s groups
- where you consent to receiving marketing information and material from us during a visit to or via our website or contact us to request further information about anything
- by completing a consent form or other written communication
- in the case of Technical and Profiling Data, by using our website. This information does not tell us anything about who you are or where you live.
2. Data Collected from Third Parties: In some cases, we may receive Personal Data from a third party. Please note that we do not buy data from third parties. If we do acquire Personal Data from a third party, we will only use it if we have a legal basis for doing so (see below). The ways in which we sometimes collect Personal Data from third parties include data from the Friends of Durham Cathedral (the Friends) and Durham Cathedral Choir Association (DCCA). The Friends and DCCA are separate organisations and comply with their own privacy policies. To the extent the names and contact details of all subscribers to the Friends and DCCA are shared with Durham Cathedral to invite them to events for example, such sharing will be subject to receiving the individual’s consent.
3. Data Collected from publicly available sources: We may collect data from publicly available sources including data from, for example, reputable newspapers, Companies House, or social media platforms such as LinkedIn / Twitter. We do this to manage our fundraising and outreach effectively and to give you the best experience by tailoring our approaches to you according to your interests as well as ways in which we hope you might potentially support us.
How do we use your information?
We use your Personal Data collected as above in the following ways:
- to give you information about Durham Cathedral’s worship, its other services and groups, events and ticketing
- administer your requests, such as applications for membership, donations, participation in campaigns, events and activities and the provision of information
- to tell you about our restaurant and goods available in our shop
- to fundraise for our vital work
- process sales transactions, donations or other payments to us and verify financial transactions and bank card details
- administer your orders and deliver products to you
- arrange activities and services and ensure your safety and that of your children during these activities
- keep a record of your relationship with us
- to manage and administer all our work
- to review and improve our goods and services and to undertake research projects
- where appropriate, to safeguard children and vulnerable adults
- to provide you with information that we think may be of interest to you and offer you marketing information in accordance with your marketing preferences. (see Marketing Information below).
Personal Data about your use of our website is used in the following ways:
- to administer our website and enable our IT professional support to carry out technical, logistical or other functions on our behalf
- for internal purposes such as data analysis, testing, and site research, surveys and statistics
- to enable us to improve our website
- to allow you to participate in interactive features of our service, when you choose to do so
- as part of our efforts to keep our site safe and secure and to prevent or detect fraud or abuses of our websites
- to carry out research on the demographics, interests and behaviour of our website users and supporters to help us gain a better understanding of them and to enable us to improve our service and to provide a personalised service to you when you visit our websites. (This research may be carried out internally by our employees or we may ask another company to do this work for us).
Marketing Communications
We will add your details to our marketing database if:
- you make an enquiry about our goods or services or opt-in or otherwise consent to receiving marketing communications from us either on this website and in email or postal communications with you.
- you buy our goods or services.
- you have told one of the third parties with whom we work that you would like them to pass us your contact details so that we can send you information about our goods and services.
We may send you marketing communications by email, telephone, post. You can contact us to ask us to only send you marketing communications by particular methods e.g. you may be happy to receive emails from us but not telephone calls or only receive communications from us about specific subjects e.g. music events or children’s activities or you may ask us not to send you any marketing communications at all.
You can opt out of receiving messages from us in the future if you change your mind at any time by using the link in our email messages or by calling, emailing or writing to us using the details set out in the contact section below. Where contact details have been provided for a specific purpose (such as inviting you to an event), we will ask if you would like to continue to receive information from us. If we do not hear from you, or if you tell us that you would not like to receive any further information, we will remove you from our mailing list (see Retention of Personal Data below).
Legal Basis of Holding Personal Data
We respect your right to Privacy and are committed to ensuring that our holding of all Personal Data has a lawful basis. We will hold your Personal Data only on one of the following legal bases:
- you have given us your consent to do so (and by visiting our websites you are giving us consent to use your Personal Data for the purposes set out above and in accordance with the terms of this Privacy Notice)
- the data is for the performance of a contract with you
- to meet our legal compliance obligations
- to protect your vital interests (for example in taking emergency contact details during a trip or as an employee or volunteer working on site)
- to pursue our legitimate interests for purposes of running the Cathedral and where these interests are not overridden because processing your Personal Data prejudices your interests or fundamental rights and freedoms under data protection law
Sharing your information
We will only share your personal information if:
- we are legally required to do so, for example, by a law enforcement agency legitimately exercising a power or if compelled by an order of the Court
- we believe it is necessary to protect or defend our rights, property or the personal safety of our people or visitors to our premises or websites
- where we are working with our service providers in order for them to perform services on our behalf – such as payment handling services, mailing houses, marketing agencies, IT specialists, professional advisers and research firms. The kind of work we may ask them to do includes processing, packaging and postal mailing, sending emails and text messages, answering questions about products or services, carrying out research or analysis and processing card payments.
- We only choose partners we can trust and are committed to ensuring that they:
- abide by the requirements of GDPR
- only use the data they receive for the purposes it was supplied (and not for their own purposes or the purposes of any other organisation)
- allow us to carry out checks to ensure they are doing all these things.
Storing and processing your information
We place a great importance on the security of all Personal Data of our employees, volunteers, visitors, supporters and those who worship here, visit our websites and use our apps.
Your Personal Data is held by us electronically subject to appropriate security procedures. We may also store information in paper files. Our staff who may handle this Personal Data are subject to a duty of confidentiality.
We have appropriate technical and organisational policies and/or procedures in place to mitigate against unauthorised or unlawful processing of your Personal Data and against accidental loss, destruction or damage.
We may transfer the information to reputable third-party organisations within the European Economic Area (EEA) as mentioned in Sharing Your Data above. Some third parties with whom we deal are based outside the EEA, so their processing of your Personal Data will involve a transfer of that data outside the EEA. These transfers will be subject to GDPR compliant ‘appropriate safe-guards’. Please contact us if you want further information on the specific mechanism used by us when transferring your Personal Data out of the EEA. You can also see European Commission: Adequacy of the protection of Personal Data in non-EU countries.
We have put in place procedures to deal with a suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally obliged to do so and within prescribed time frames.
Retaining your Personal Data
We will only retain your Personal Data for as long as necessary to fulfil the purposes for which we have collected it and meet our legal, financial or governance obligations or other professional best practice requirements. We will not keep more information than we need. We periodically review the data we hold and delete as appropriate.
Our internal Privacy Policy set outs procedures for determining the appropriate retention period for each type of Personal Data we hold, considering the amount, and nature of the Personal Data that we propose to hold, whether it is sensitive data and if there is any potential risk of harm to you from unauthorised use or disclosure of this Personal Data. It will consider applicable legal requirements and our internal departmental retention policies or procedures. We keep these policies and procedures under review.
We will take all reasonable steps to destroy or erase from our systems all your Personal Data that we no longer require in accordance with this Privacy Notice and will require third parties to delete such Personal Data where applicable. If you ask us to stop sending direct marketing communications to you, we will keep the minimum amount of information (e.g. your name, address or email address) to ensure we adhere with such requests e.g. to make sure that you are not added to our mailing lists again should another department or someone known to us recommend we contact again you at a later date.
In some circumstances we may anonymise your Personal Data (so that it can no longer be associated with you) for research or statistical purposes or for archiving material that we believe to be of historical significance or which we require to comply with the Church of England’s “Chapter and Verse” document and will store this information indefinitely without further notice to you.
Your rights under GDPR
GDPR gives you several rights in respect of your Personal Data. These rights include:
- the right to transparency i.e. the right to be informed as to how we use your data
- the right of access i.e. the right to request a copy of the information we hold about you
- the right to rectification i.e. to require us to update or amend the data we hold about you
- the right to erasure i.e. the right to request that we delete or remove the data we hold about you (sometimes referred to as 'the right to be forgotten')
- the right to restrict processing i.e. the right to request information on the length of time for which we are holding your data or to request that we cease processing your data
- the right to data portability i.e. the right to transfer the data we hold for your own purposes
- the right to object; i.e. the right to object to us processing your data for certain purposes. Where you have provided consent for us to process your data, you have the right to withdraw this consent at any time.
If you wish to exercise any of your rights set out above, please contact us at the address below.
There is no fee payable for you to access your Personal Data or to exercise any of your rights (although we do reserve the right to charge a reasonable fee if your request is clearly unfounded or if you make several requests which become repetitive or excessive or if you require multiple copies of the data). We can also refuse to comply with your request in those limited circumstances.
We may need to request specific information from you for security purposes to help us confirm your identity and ensure your right to access your Personal Data or to exercise any of your other rights. We will act on your request without undue delay and at the latest within one month of receipt of request although we may extend this period if it is a particularly complex request. We will keep you updated about the progress of any request or exercise of your rights.
You can find out more about your rights by visiting the Information Commissioner's Office website - www.ico.org.uk.
We have decided not to appoint a dedicated data protection officer but if you would like any further details about our organisations or if you have any questions regarding your personal information or its use, including any requests to exercise your legal rights, please contact the Governance and Compliance Manager, Chapter Clerk’s Office at the following address:
- Durham Cathedral
The Cathedral Office
The College
Durham
DH1 3EH - Telephone: 0191 386 4266
- Email address: leslie.webster@durhamcathedral.co.uk
If you wish to complain about the way we are processing or controlling your data, please contact the Chapter Clerk’s Office in the first instance so we can investigate and do our best to address your concerns. However, if you are not satisfied with our response you can make a complaint to the Information Commissioner's Office - www.ico.org.uk/concerns
Other Important Information
Freedom of Information Act
Please note that Durham Cathedral is not a ‘public authority’ as defined under the Freedom of Information Act 2000 (as amended) and we will not therefore respond to requests for information made under it.
Children’s data
Some of the services we offer are aimed specifically at children (for example Young Curators) and to deliver these services safely it is necessary for us to collect data and store it on our database. Before we collect personal information from anyone under 18 we will always ask them to:
- Obtain the permission of a parent or guardian before providing it to us
- Let an adult know before they use our websites to obtain information about fundraising, campaigning or supporting our work.
We won’t send marketing emails and letters or make marketing calls to people under 13. We won’t send any marketing communications requesting donations to young people aged between 13 and 17, but we will send them information on how to fundraise on our behalf or participate in other activities aimed at them if they specifically request this. In such circumstances we can provide a Privacy Notice that is drafted in language particularly suitable for young people and this can be obtained from the contact address below.
Links to third party websites
Our websites contain links to third party websites or applications that we believe may be of interest to visitors to our websites. Clicking on any link or enabling any connection may result in your personal information being shared with these third parties. Please be aware that this Privacy Notice only governs our websites and we cannot accept any responsibility for third party websites or apps to which we provide links. If you wish to use any link on our websites, we recommend you read their privacy policy.
Social media sites
We operate on several social media platforms (including Facebook, Twitter, LinkedIn, YouTube and Instagram) and believe that this is an important way of reaching people and keeping people informed about our work. This Privacy Notice covers how we will use any Personal Data collected from you from those pages, but it does NOT cover how the providers of those social media websites use your information. Please ensure you read the privacy policy of the social media platform before sharing personal information and please make use of the privacy settings and reporting mechanisms to control how your personal information is used.
Sending Data over the internet
Although we will take all the precautions set out in this Privacy Notice, the transmission of data across the internet is not completely secure and we cannot therefore ensure or guarantee that loss, misuse or alteration of data will not occur whilst data is being transferred or while it is under our control so wish to draw your attention to the fact that you do so at your own risk.
Changes to this Privacy Notice
We may make changes to this Notice from time to time. If we do so, we will post the changes on this page so please check back regularly to obtain the latest copy of this Privacy Notice. Changes will apply from the time we post them.
This Privacy Notice was last changed on 27 September 2022.
This Privacy Notice applies to your use of our websites, social media pages, and/or your provision of information through using them. If you do not agree to the terms of this Privacy Notice, please do not use our sites, social media pages.