Privacy policy

Personal data refers to any information that can be directly or indirectly attributed to you.

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal data. We rely on one or more of the following bases:

Consent

You have given your consent for us to process your personal data for specific purposes. You can withdraw your consent at any time. For example, we may rely on consent as the basis for sending newsletters and updates.

Contractual obligations

We need to process your personal data for the performance of a contract. For example, when you purchase an item from our shop, buy tickets, or become a member, We must fulfil our obligations under the contract we have with you.

Legal compliance

We are required to process your personal data because we have legal obligations which we must fulfil.

Legitimate interests

In some cases, we have a legitimate interest in collecting your personal data because it benefits you or us and does so without materially affecting your personal rights or freedoms.

Performance of a task carried out in the public interest

Some of our processing, such as the use of CCTV for security and crime prevention, is necessary because as a world heritage site we have a responsibility to care for and preserve our buildings and collections.

Vital interests

We process some personal data (e.g. safeguarding information related to children or vulnerable adults) because it is necessary to protect an individual’s vital interests.

We collect personal information when you: 

• visit our websites or online shop
• buy a ticket
• make an online purchase with us using your own account or using a guest account
• make a donation
• create an account with us or sign up to become an Association member
• sign up to or attend an event
• arrange a group tour for your school
• subscribe to one of our mailing lists
• contact any of our departments directly by email, phone, or letter
• make a complaint or provide feedback
• engage with us on social media
• fill in any forms (visitor surveys, accident forms, ethnicity monitoring forms)
• visit the Abbey, we may take photos, videos, or capture CCTV footage of you
• sign in to our free Wi-Fi service
• sign in at reception on our smart visitor management kiosks
• apply for a job with us

When we ask you for personal data it may be used for any of the following purposes:

• To provide and deliver goods and services to you
• To manage your membership with us
• To administer donations and process payment claims
• To issue invoices and handle payment transactions
• To promote our public offering and charitable aims
• To send you requested information and details of events
• To send you regular updates on issues you have indicated will be of interest to you
• For administrative purposes (e.g. to maintain databases, create accounts, and manage records)
• For research and analysis so that we can better understand our audiences and enhance visitor experience
• To improve your experience on our websites
• To write event programmes (if you are a guest speaker, we might include a brief biography or a photo)
• To gather feedback and respond to suggestions and complaints
• To deter and prevent crime or fraud
• To comply with any legal and regulatory obligations we may have
• For safeguarding purposes

We may collect or use the following personal information when you visit the Abbey, buy tickets, join the Abbey Association, make a donation, make an online purchase, sign up to or attend one of our events, or interact with us online.

• Names
• Contact details
• Addresses
• Website user information (including your IP address, browsing preferences and cookies, user journeys and cookie tracking). Find out more about how we use cookies and similar technologies on our List of cookies on this website page.
• Profile data (usernames and passwords for any accounts with us)
• Information about your personal devices through your use of our Wi-Fi
• Details of your visits to our websites
• Marketing preferences
• Payment related data
• Service use history
• Purchase or browsing history
• Details of your interactions with us
• Donation history
• Taxpayer information (for Gift Aid purposes)
• Gifts in wills
• Photographs if you attend any of our events
• Video footage if you attend a service which is streamed or recorded
• Dietary information including allergies, where applicable
• Accessibility information, where applicable
• Demographic information, where applicable
• Records of consent, where appropriate
• Car registration if you are parking onsite

We may collect or use the following personal information for dealing with queries, complaints or claims and investigating incidents:

• Names and contact details
• Purchase or service history
• CCTV footage
• Witness statements and contact details
• Customer accounts and records
• Financial transaction information
• Information relating to health and safety (incident investigation details, accident reports, photos of the injury where appropriate)
• Photos or videos you have shared with us as evidence
• Correspondence with any of our departments
• Safeguarding information

We collect or use the following information to organise weddings and baptisms:

• Names
• Contact details
• Home addresses
• Occupation
• Marital status
• Parents’ names and occupations
• Parents’ employment status
• Baby’s date of birth
• Names of witnesses
• Names of godparents
• Records of consent (where appropriate)

We may collect or use the following information to organise funerals, memorial services, or special services:

• Names
• Contact details
• Addresses (to post invitations)
• Accessibility needs 

Depending on security requirements for the services, attendee names and contact details may be disclosed to the appropriate security agencies.

We may collect or use the following information to process job applications: 

• Names
• Contact details
• Addresses
• CV and application form
• Details of your skills, experience, and previous employers
• Information about your current salary level
• Interview notes
• Right to work documentation
• Identity checks
• Copies of qualifications and certificates 

If your application is unsuccessful, your personal data will be securely deleted within 12 months.

Some personal data are more sensitive (referred to as “Special Category Data”). This includes personal data revealing racial or ethnic origin, gender, political opinions, religious or philosophical beliefs, trade union membership, biometric data, genetic data, and data concerning health or an individual’s sex life or sexual orientation.

There are some instances when we may collect sensitive personal data:

• If you have given us your dietary requirements (including allergies), we will then hold some of your health data. This will be deleted when we no longer need this information.
• If you have given us information about your accessibility requirements, we may then hold information about a disability you have. This will be deleted when we no longer need this information.
• If you have an accident at the Abbey, we will need to fill in an accident form. This will contain details of your injury. Depending on the circumstances, we may need to share this with the Health and Safety Executive or our insurance company.
• With your consent, we may ask you to complete an Ethnicity, Diversity and Monitoring survey. We will collect information about your gender, ethnicity, race, and religious and philosophical beliefs. Usually, these forms are anonymous, so we will not know who submitted them and won’t be collecting personal data. We will make it very clear if the form is not anonymous.
• We may hold information which could be used to infer your religious, political, or philosophical beliefs. For example, if you sign up to our worship newsletters or attend certain events. We do not process this data further.
• If you are a member of the Institute, we may hold information relating to your political opinions, religious and philosophical beliefs. This is because the Institute works with civil servants and parliamentarians.
• With your consent, we may take photos and videos of you. This means we may capture images which could be used to infer your racial or ethnic origin, sexual orientation, political, religious, or philosophical beliefs, or health. For example, if you are wearing a religious garment. We also operate CCTV cameras which might capture this information. This data is not processed further.

To process special category personal data, we must identify a lawful basis from Article 6 of the UK GDPR as well as an additional condition for processing from Article 9 (2) of the UK GDPR. The additional conditions relevant to our processing of this personal data are as follows:

• The data subject has given explicit consent to the processing of personal data for one or more specified purposes;
• Processing is necessary to protect someone’s vital interests;
• Processing is carried out in the course of legitimate activities by a not-for-profit organisation with a political, philosophical, religious, or trade union aim;
• Processing relates to personal data which is manifestly made public by the data subject; or
• Processing is necessary for the establishment, exercise or defence of legal claims.

We may collect personal information about children in the following circumstances:

• If a child is baptised at the Abbey or St Margaret’s, we collect their name and date of birth, with consent from their parent(s) or guardian(s).
• If children attend events, services, workshops, or any other activity held by the Abbey, we may ask for the consent of their parent(s) or guardian(s) to take photos or videos. With consent, these may be shared on our website or social media accounts to promote our work.
• If a child has an accident or incident onsite which needs to be reported for health and safety purposes, we may collect information about their injury or health.
• If a child has accessibility or dietary requirements, we may collect this information in order to support their needs when they visit the Abbey.

Usually, we collect children’s personal information with the consent from their parent(s) or guardian(s). There are two exceptions: images captured by CCTV or streaming cameras or information contained in confidential safeguarding disclosures. Further information about the Abbey’s Safeguarding policies can be found on our Safeguarding webpage.

Personal information processed by Westminster Abbey Choir School or by the Abbey on behalf of the Choir School is outlined in the school’s Privacy Notice. This can be found on the Westminster Abbey Choir School Policies webpage.

We operate overt closed-circuit television (CCTV) systems. This may be used to detect and prevent crime as well to enable compliance with Abbey policies. The cameras are installed in a number of locations in the Abbey and surrounding precincts. This system is in operation 24/7 all year round and is managed by our security team.

Clear and prominent signage is displayed to show that we have CCTV cameras and to identify us as the data controller.

Footage captured by our CCTV system is retained for 30 days before it is automatically overwritten, except where retention is lawfully required for investigative or evidentiary purposes.

Sometimes, we obtain your personal information indirectly. For example, we use the data processor Eventbrite to manage event registrations. They collect information on our behalf which is then shared with us. This usually includes your name, email address, marketing preferences, and ticket details.

We may also obtain personal information when you buy your tickets from a third-party travel agency or if your organisation provides us with your details on your behalf to organise your attendance at an event. Occasionally, someone you know might give us your details with your consent so we can contact you.

In some cases, we may obtain your personal information from publicly available sources. For example, if you are a civil servant, member of the clergy, or very well-known individual. We use trusted information sources like Companies House, Crockford’s, or Dods to collect this information.

We may use your personal data for direct marketing purposes. We will only do this with your consent or if you fulfil the criteria for a ‘soft opt in’. You have the right to opt out of direct marketing at any time.

You can do this by changing your marketing preferences, clicking unsubscribe on the footer of any of our emails, or by contacting [email protected]. If you unsubscribe, we will add your email address to our ‘do not contact’ list to make sure we don’t contact you again.

If you have not clicked on any of the emails from us within a 12-month period, you will be removed from the mailing list.

Soft opt-in

Sometimes, we use the ‘soft opt-in' as the basis for sending out direct marketing emails. This only applies if you are an existing visitor or customer who has previously engaged with us, gave us your details, and did not opt out of marketing messages from us.

We will only send emails related to your previous engagement with us. We always ensure that you have the option to opt out of further communications from us by clicking the ‘Unsubscribe’ at the footer of any email we send you.

Your personal data is only shared with those who need access to it in order to fulfil the purpose of the processing. We will never sell your data.

We use a number of third-party service providers to assist in the provision of our services and to facilitate our day-to-day operations. For example, when you make a payment, you may choose to use one of our independent payment service providers (such as PayPal, Google Pay, or Apple Pay). When you go to book tickets for an event on our website, you may be redirected through Eventbrite. They will process your registration details on our behalf and will share this information with us.

We only share personal data with third parties when it is necessary for them to carry out the tasks we have asked them to do on our behalf. Before disclosing personal data to a third party or engaging a processor, we contractually require the third party to take adequate precautions to protect that personal data and to comply with data protection law.

In some instances, we may share your personal data with the following bodies:

• Statutory services
• Professional and legal advisors
• Legal bodies or authorities
• Local authorities or councils
• Relevant regulatory authorities
• External auditors or inspectors
• Organisations we’re legally obliged to share personal information with
• Organisations we need to share information with for safeguarding reasons

With your consent, we may share your data (photos or videos featuring you) publicly on our website or social media channels. If you would like to withdraw your consent to be filmed or photographed, you can do so at any time by contacting [email protected].

This applies to photos or videos featuring you for which we explicitly asked for your consent before sharing on our website, social media pages or using for any other promotional purpose. If we are streaming a service, we try to make all worshippers and visitors aware that it is being streamed. Please note that we do not ask for consent to stream our services.

If we were to restructure or transfer our organisation, we reserve the right to transfer your personal data to our successor.

We will only keep personal data for as long as necessary to fulfil its purpose. Usually, we delete your personal data soon after you cease to engage with us. Sometimes, we have to keep some of your personal data for longer to provide evidence of compliance or to comply with applicable legal obligations.

For more information on how long we store your personal information or the criteria we use to determine this, please contact us at [email protected].

We collect anonymous information about the use of our website. For example, our web server automatically records which pages of our website our visitors view, their IP addresses, and which web browsers they use. This technology enables us to compile statistics about all of visitors and their use of our website, so that we can improve user experience.

Our website contains hyperlinks to other pages on our website. We may use technology to track how often these links are used and which pages on our website our visitors choose to view. Again, this technology does not identify you personally – it simply enables us to compile statistics about the use of these hyperlinks.

A cookie is a small file created by a website and then stored by your browser. Most web browsers automatically accept cookies, but you can control if and when you allow cookies to be stored on your device and can view or delete any cookies stored. When you visit our website, a pop-up message will appear asking for your consent to place performance and statistical cookies on your device.

To provide or refuse consent, click the appropriate button. Once your consent has been provided, this message will not appear again when you revisit. It may appear again when you visit areas of the Website which are the responsibility of our associated Choir School and Westminster Abbey Trust.

If you, or another user of your device, wish to withdraw or alter your consent at any time, you can do so by going to your browser Settings or Preferences, find the Privacy and security section, and then select Cookies and other site data.

We may, subject to your preferences, use four types of cookies on our website:

1. Strictly necessary cookies

These cookies are essential in order to enable you to move around the website and use its features. Without these cookies, you would not be able to navigate the website and use its functionality.

2. Performance and statistical cookies

These cookies collect information anonymously about how visitors use our website.

They allow us to recognise and count the number of visitors and to see how visitors move around the site when they are using it.

We may also use your IP address to help diagnose problems with our server, to administer our website and to improve the service we offer to you. An IP address is a numeric code

that identifies your computer on a network, or in this case, the internet. Your IP address might also be used to gather broad demographic information.

We may perform IP lookups to determine the source you are coming from (e.g. google.com) to more accurately gauge our users' demographics.

Information from these types of cookies and technologies or about website usage is not combined with information about you from any other source.

None of the cookies or technologies that we use will personally identify you.

3. Marketing cookies

These cookies, if selected, will be used to target and improve our advertising to you. We use cookies to - for example, improve reporting on advertising campaign performance, to avoid showing ads you have already seen, or to enable us to display advertising that is more relevant to you.

These cookies contain no personally identifiable information. If you have chosen not to accept these cookies, you will not receive personalised advertisements.

4. Preference cookies

These cookies are used to recognise you and remember your preferences or settings when you return to our site, so that we can provide you with a more personalised experience - for example, if you have chosen a language for the site other than English, we will remember this and ensure that you receive information in that language when you visit our site again.

A full list of cookies that Westminster Abbey uses can be found on our Cookies webpage.

Our websites may contain hyperlinks to websites that are not operated by us. These hyperlinks are provided for your reference and convenience only and do not imply any endorsement of the activities of such third-party websites or any association with their operators.

We do not control these websites and are not responsible for their personal data practices. We urge you to review any privacy policy posted on any site you visit before using the site or providing any personal data about yourself.

Subject access right

You have the right to ask us for copies of your personal information or to request other information such as details about where we get personal information from and with whom we share your personal information. There are some exemptions which mean we may not be able to provide all the information that you have requested.

If you submit a subject access request (SAR), you will receive a response within 30 days of submitting your request, unless an exemption applies. The Abbey reserves the right to charge a reasonable fee to cover the administrative costs of complying with a SAR that is repetitive or manifestly unfounded or excessive.

Your other rights

• Your right to be informed – You have the right to know how we process your data. This is why we have written this Privacy Notice.
• Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete.
• Your right to erasure (or the right to be forgotten) - You have the right to ask us to delete your personal information in some circumstances.
• Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information in some circumstances.
• Your right to object to processing - You have the right to object to the processing of your personal data in some circumstances.
• Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation or to you.
• Your right to withdraw consent – When we use consent as our lawful basis, you have the right to withdraw your consent at any time.
• Your right to review automated decision making – While we do not process personal data for automated decision making, we confirm that you have the right to request that a human reviews any decisions made solely by automated means.

You can find out more about these rights and when they apply by visiting the website of the Information Commissioner's Office.

If you wish to make a request, please email [email protected]. We might ask you to verify your identity or to clarify your request before proceeding.

If you have any concerns about our use of your personal data or how we have responded to a request you have made, you should reach out to us directly at [email protected].

If you are still unhappy after having complained to us, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). You can contact them by visiting Advice services for members of the public or by calling their helpline 0303 123 1113.

You can also write to them:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

If you are based outside the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence.