Last updated May 2026

Introduction

The City and Guilds of London Institute (“CGLI”), which operates under the working name City & Guilds Foundation, is committed to data security and the fair and transparent processing of personal data.

This privacy notice (“Notice”) sets out how we will treat the personal data which you provide to us, in compliance with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”). Where we process personal data of individuals located in the European Economic Area, the EU General Data Protection Regulation (EU GDPR) may also apply.

Please read this Notice carefully. It explains who we are, what personal data we collect, how and why we use it, with whom we share it, how long we keep it, and your rights.

Who We Are

The City and Guilds of London Institute is a charity incorporated by Royal Charter, with registered charity number 312832 (England and Wales) and SC039576 (Scotland). Our registered address is Giltspur House, 5–6 Giltspur Street, London EC1A 9DE. City & Guilds Foundation is the working name of The City and Guilds of London Institute.

We operate the website cityandguildsfoundation.org and are the data controller for the personal data processed through it and through our programmes and activities.

We are separate from, but work closely with, City & Guilds Limited, the Awarding Organisation for City & Guilds qualifications. If you are interacting with City & Guilds Limited, please refer to their separate privacy notice at cityandguilds.com/en/help/privacy-statement.

Contact us: If you have any queries about this Notice or wish to exercise your rights, please contact us at info@cityandguildsfoundation.org or write to: Data Protection, The City and Guilds of London Institute, Giltspur House, 5–6 Giltspur Street, London EC1A 9DE.

Personal Data We Collect

Data you provide to us

When you interact with us — for example by completing a form on our website, registering for a webinar or event, applying for a bursary or award, signing up to our newsletter, or corresponding with us — we may collect:

• Name, job role, and organisation name
• Email address, telephone number, and postal address
• Information about your organisation and training programme (if applying for an award)
• Details of any third party you nominate for an award (including their name, position, contact details)
• Date of birth (for Fellows of the Institute)

Data we collect about you

In connection with membership of The City and Guilds of London Institute, we may also hold:

• Professional and livery company memberships
• Corporate and national connections, and professional networks
• Biographical notes and areas of interest or expertise
• Where relevant, dates and departments at Imperial College (for Imperial Fellows)
• Head and gown measurements (for Fellowship ceremonies)

Data collected automatically when you visit our website

When you visit our website we may automatically collect:

• Technical data: IP address, browser type and version, operating system, time zone, and browser plug-in information
• Usage data: pages visited, search terms used, page response times, length of visit, and navigation methods

We use cookies and similar technologies on our website. Please see our Cookie Policy for details of what cookies we use and how to manage your preferences: cityandguildsfoundation.org/cookie-policy

Data we receive from third parties

We may receive personal data about you from third parties, such as individuals who nominate you for an award, medal, or other role, or from other websites we operate.

How and Why We Use Your Personal Data

We only process your personal data where we have a lawful basis for doing so. The table below sets out our main processing activities and the lawful basis for each.

Purpose	Lawful Basis	Notes
Communicating with you about governance, compliance, or your membership	Legitimate interests	Necessary for the Institute to operate as a Royal Charter body
Processing award and bursary applications	Legitimate interests / Contract	Necessary to administer our programmes
Issuing certificates, credentials, or records of achievement	Contract / Legitimate interests
Sending newsletters, event information, and updates	Consent	You may withdraw consent at any time
Registering you for and delivering webinars and events	Contract / Legitimate interests	Includes recording and sharing webinar recordings where notified in advance
Responding to queries, complaints, or disputes	Legitimate interests / Legal obligation
Improving our website and services	Legitimate interests	Analytics and performance monitoring
Complying with legal or regulatory obligations	Legal obligation	e.g. responding to law enforcement requests
Processing data of Institute Members (Trustees, Councillors, Fellows etc.)	Legitimate interests / Contract	In connection with membership of The City and Guilds of London Institute

 

You have the right to object to processing based on legitimate interests. See section 8 for details.

Recordings of Meetings and Webinars

External webinars and events (Zoom)

We host publicly-accessible webinars and events via Zoom. These sessions are recorded and the recordings are shared after the event for those who could not attend. We will always notify you in advance — in our pre-event communications and registration confirmation — that a session will be recorded and that the recording will be shared publicly. Zoom’s in-platform recording notification will also appear at the start of the recording; by remaining in the session you are confirming your awareness of the recording.

Zoom’s privacy notice governs Zoom’s own processing of data within the platform. The City and Guilds of London Institute is a separate data controller for any recording once it is downloaded, stored, or shared by us.

Internal meetings (Microsoft Teams)

Internal meetings held on Microsoft Teams may be recorded for specific purposes such as training or sharing with colleagues who could not attend. All participants are informed before recording begins and consent is obtained. Recordings are stored within our Microsoft 365 environment and are not shared externally without the consent of all participants.

Trustee Board and Committee meetings

Trustee Board and Committee meetings are not routinely recorded. A temporary recording may exceptionally be made to support minute-taking, subject to consent from all attendees and deletion within seven days of the minutes being approved.

Who We Share Your Personal Data With

We take all reasonable steps to ensure that personal data is protected and that access is limited to those with a genuine need. We may share your personal data with:

• Legal, professional, and other advisers and consultants
• IT service providers, CRM platform providers, and event management suppliers contracted to us
• Our digital credential partner platform
• Analytics and search engine providers (in connection with website improvement)
• Other Members of The City and Guilds of London Institute, where relevant to their membership
• City & Guilds Limited, in connection with shared initiatives
• Law enforcement or regulatory authorities, where required by law

We require all third parties with whom we share personal data to have a contract in place which includes obligations on confidentiality, security, and lawful processing.

Where a third party is located outside the UK or European Economic Area, we will ensure that the transfer is protected by appropriate safeguards, such as UK International Data Transfer Agreements or Standard Contractual Clauses approved by the European Commission.

AI tools: We use approved AI tools (Microsoft Copilot and Claude) to support our work. These tools are used in accordance with our AI Governance Policy. Personal data is not entered into AI prompts.

How Long We Keep Your Personal Data

We retain personal data only for as long as necessary for the purpose for which it was collected, and in accordance with our legal and regulatory obligations. The table below sets out our key retention periods.

Category of data	Lawful basis / purpose	Retention period
Website enquiry and contact form data	Legitimate interests	2 years from last contact
Award and bursary applications	Legitimate interests / Contract	6 years from decision date
Event and webinar registrations	Contract / Legitimate interests	2 years from event date
Zoom webinar recordings (shared publicly)	Consent / Legitimate interests	2 years from event date, then review
Teams meeting recordings (training/onboarding)	Legitimate interests	1 year from recording date
Teams meeting recordings (other purposes)	Legitimate interests	Delete once purpose fulfilled; max 6 months
Board/Committee recordings (minute-taking support)	Legitimate interests	Delete within 7 days of minutes approved
Newsletter and marketing preferences	Consent	Until consent withdrawn, then promptly deleted
Member data (Trustees, Fellows, Councillors etc.)	Legitimate interests / Contract	Duration of membership plus 6 years
Legal and compliance correspondence	Legal obligation	6 years from resolution

 

Where you have consented to marketing communications, you may update your preferences or unsubscribe at any time by clicking the unsubscribe link in any of our emails.

Your Rights

Under UK GDPR, you have the following rights in relation to your personal data. To exercise any of these rights, please contact us at info@cityandguildsfoundation.org.

 

Right of access

You have the right to request a copy of the personal data we hold about you. We will respond within one month of receiving your request. We may need to verify your identity before responding. Please note that exceptions may apply in certain circumstances.

Right to rectification

You have the right to ask us to correct inaccurate or incomplete personal data we hold about you.

Right to erasure

You have the right to ask us to delete your personal data where, for example, it is no longer necessary for the purpose for which it was collected, you have withdrawn consent, or it has been unlawfully processed.

Right to object

You have the right to object to processing based on legitimate interests, or to processing for direct marketing purposes. If you object to processing based on legitimate interests, we will cease unless we can demonstrate compelling legitimate grounds that override your interests.

Right to restrict processing

You have the right to ask us to restrict further processing of your personal data in certain circumstances, for example where you have queried its accuracy or objected to its processing.

Right to data portability

Where processing is based on consent or a contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to have it transferred to another controller where technically feasible.

Please note that data protection law provides for exceptions to these rights. Where we are unable to comply with a request, we will explain why in our response.

How We Protect Your Personal Data

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction. We have procedures in place to detect and respond to suspected personal data breaches, and we will notify you and the Information Commissioner’s Office (ICO) where we are legally required to do so.

Where you have a username or password to access parts of our website, you are responsible for keeping that information confidential and must not share it with others.

Please note that the transmission of data over the internet cannot be guaranteed to be completely secure. While we take all reasonable precautions, any transmission is at your own risk.

Cookies

Our website uses cookies and similar technologies to improve your experience and to help us understand how the site is used. This includes the collection of IP addresses, browser information, and usage data as described in section 3.3 above.

Please see our Cookie Policy (available on our website) for full details of the cookies we use and how to manage your preferences.

International Data Transfers

Some of our service providers and technology platforms are based outside the UK or European Economic Area. Where we transfer personal data internationally, we ensure that appropriate safeguards are in place, such as UK International Data Transfer Agreements or Standard Contractual Clauses. If you would like further information about the safeguards we use, please contact us.

Complaints

If you believe your data protection rights have been breached and we have been unable to resolve your concern, you have the right to lodge a complaint with a supervisory authority.

• UK residents: Information Commissioner’s Office (ICO) — ico.org.uk/concerns
• EEA residents: your local data protection supervisory authority

We would always encourage you to contact us first so that we can try to resolve your concern directly.

Changes to This Notice

We may update this Notice from time to time. The current version and its effective date are shown at the top of this document and on our website. Where changes are material, we will notify you by email where we hold your contact details.

Contact: info@cityandguildsfoundation.org  |  Data Protection, The City and Guilds of London Institute, Giltspur House, 5–6 Giltspur Street, London EC1A 9DE  |  Registered Charity 312832