1. Home
  2. GDPR

Keeping your information safe

THE WORSHIPFUL COMPANY OF WATER CONSERVATORS

DATA PROTECTION POLICY

DRAFT FOR APPROVAL BY COURT 11 December 2025

  1. Who we are

The Worshipful Company of Water Conservators (“the Company”, “we”, “us”, “our”) is a City of London livery company and registered nonprofit organisation acting as data controller for personal data processed in connection with our website, membership, events, charitable activities, and related administration.

You can contact the Clerk in relation to data protection matters at:

  • Email: clerk@waterconservators.org
  • Postal address: The Worshipful Company of Water Conservators, c/o Watermen’s Hall, 16-18 St Mary at Hill, London EC3R 8EF.

At present, the Company is not required to appoint a Data Protection Officer under UK GDPR; if this changes, updated contact details will be included in this policy.

  1. What data we collect

Depending on your relationship with us, we may collect and process:

  • Identification and contact details: name, title, postal address, email address, telephone number.
  • Membership and governance data: livery status, committee roles, records of subscriptions, Gift Aid declarations, communications history.
  • Event participation data: booking details, dietary/access requirements, payment confirmations, attendance records.
  • Donation and fundraising data: donation amounts and dates, campaign interests, communication preferences (we do not store full payment card details on our systems).
  • Website and communications data: IP address, logs, cookie identifiers, device and browser information, and email engagement data where legally permitted.

Where relevant to bursaries, awards, or pastoral support, we may process limited “special category” data such as health or accessibility information, based on your explicit consent and strict need-to-know access.

  1. How we obtain your data

We collect personal data:

  • Directly from you when you complete membership forms, event bookings, donations, surveys, or contact us by email, post, telephone, or via our website forms.
  • Indirectly from third parties where lawful, for example, event partners, professional bodies, or payment service providers, and publicly available sources such as professional registers or Companies House.

When data is not obtained directly from you, we will inform you of the categories of data and the source, unless an exemption applies under data protection law. ​

  1. Purposes and lawful bases for processing

We process personal data only where a lawful basis under UK GDPR applies, typically:

  • Contract: to administer membership, process event bookings, and manage services you have requested.
  • Legal obligation: to meet statutory requirements, such as tax, Gift Aid, company and charity law, and regulatory reporting.
  • Legitimate interests: to manage our governance, livery activities, charitable work, professional networking, and to maintain appropriate contact with members, donors, and partners in a proportionate way.
  • Consent: for certain email marketing or newsletters, for the use of photos or quotes in publicity where appropriate, and for any special category data not otherwise covered by law.

Where we rely on legitimate interests, these include: efficient administration of a membership-based livery company; promotion of our objects in water and environmental stewardship; safeguarding our finances and assets; and maintaining accurate historical and archival records, balanced against your rights and reasonable expectations.

  1. How we use your data

Typical uses of your personal data include:

  • Managing applications, admissions, membership records, and livery rolls.
  • Organising meetings, formal dinners, events, and associated logistics.
  • Administering charitable giving, awards, bursaries, and professional activities.
  • Communicating with you about Company business, events, news, and opportunities, in line with your preferences and applicable e‑privacy rules.
  • Managing our website, improving user experience, monitoring security, and producing anonymised statistics.
  • Meeting legal, regulatory, audit, and risk management obligations.

We do not carry out solely automated decision‑making, including profiling, that produces legal or similarly significant effects on you.

  1. Sharing your data

We may share personal data, where necessary and lawful, with:

  • Professional advisers (e.g. legal, financial, or IT consultants) bound by confidentiality.
  • Service providers acting as processors, such as website hosts, email and IT providers, event venues, mailing houses, or payment processors, under written contracts that require appropriate data protection and security.
  • HM Revenue & Customs and other public authorities where required by law (including for Gift Aid).
  • Partner organisations or professional bodies where you have agreed to such sharing, for example joint events or collaborative initiatives.

We do not sell personal data to third parties for their own marketing.

  1. International transfers

If any processing involves transfers of personal data outside the UK (for example, through cloud or email providers whose servers are overseas), we will ensure that appropriate safeguards are in place, such as adequacy regulations, standard contractual clauses, or equivalent mechanisms recognised under UK data protection law, and that you can obtain a copy of these safeguards on request.

  1. Data retention

We retain personal data only for as long as necessary for the purposes for which it was collected, taking into account legal, accounting, and reporting requirements, and the Company’s historical and archival functions.

In practice, this means:

  • Membership and governance records: retained for as long as you remain associated with the Company and for a reasonable period thereafter, and certain core records may be kept permanently for historical, archival and governance purposes.
  • Event and donation records: retained in line with tax, Gift Aid, and financial record-keeping requirements (typically at least six years after the end of the financial year of the transaction).
  • Routine correspondence and operational records: retained in accordance with our internal retention schedule and then securely deleted or anonymised.

Details of specific retention periods are available on request.

  1. Your rights

Under UK GDPR you have the following rights, subject to conditions and exemptions in law:

  • Right of access: to obtain a copy of your personal data and information about how it is used.
  • Right to rectification: to have inaccurate or incomplete data corrected.
  • Right to erasure: to request deletion of your data in certain circumstances (the “right to be forgotten”).
  • Right to restriction: to limit how your data is used in specific situations.
  • Right to data portability: to receive certain data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
  • Right to object: to processing based on legitimate interests or for direct marketing; this includes the right to object at any time to receiving marketing communications.
  • Rights in relation to automated decision‑making and profiling: to not be subject to decisions based solely on automated processing where they produce legal or similarly significant effects.

You may exercise these rights by contacting the Clerk using the contact details above. We may need to verify your identity and may not always be able to comply where legal obligations or overriding interests apply; in such cases we will explain our reasons as permitted by law.

  1. Consent and withdrawal

Where we rely on your consent, you are free to withhold it and may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

You can:

  • Unsubscribe from certain communications using links in our emails, or
  • Contact the Clerk to update your preferences or withdraw consent for specific uses (for example, marketing or use of images).
  1. Whether you must provide data

In some cases, provision of personal data is a statutory or contractual requirement, or necessary to enter into or perform a contract with you (for example, to process a membership application, event booking, or Gift Aid claim).

If you choose not to provide such information, we may be unable to process your application, complete your booking, claim Gift Aid, or provide certain services or benefits of membership. Where providing data is optional, this will be made clear at the point of collection.

  1. Data security

We use appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:

  • Access controls and role-based permissions.
  • Secure systems and encrypted channels where appropriate.
  • Staff and office-holder awareness of data protection responsibilities.
  • Policies, procedures, and regular review of our controls.

Where we use third‑party processors, they are required to implement suitable security measures and process personal data only on our documented instructions.

  1. Cookies and website usage

Our website may use cookies and similar technologies to ensure core functionality, improve performance, and, where enabled, understand how visitors use the site.

Where required by law, we will:

  • Provide clear information about the cookies used and their purposes, and
  • Obtain your consent before setting non-essential cookies, which you can withdraw by changing your cookie settings or browser preferences.

Further information is provided in our separate cookies notice, where applicable.

  1. Complaints and supervisory authority

If you have any concerns about how we handle your personal data, please contact the Clerk in the first instance so that matters can be addressed promptly.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection:

  • Website: www.ico.org.uk
  • Telephone: 0303 123 1113
  • Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
  1. Changes to this policy

We may update this data protection policy from time to time to reflect legal, technical, or organisational changes, or developments in the Company’s activities.

Any significant changes will be indicated on our website privacy page with the date of the latest revision, and where appropriate we may notify you through email or other communication channels.