Privacy and cookies policy

Privacy notice for Fulham Palace

This is the privacy policy for Fulham Palace. A large print version of this policy is available on request from

Fulham Palace is the former home of the Bishops of London situated in Fulham, southwest London. It is open to the public as a historic house and garden with exhibitions and educational activities. There is a café and shop on site.

Fulham Palace Trust is a registered charity (charity number 1140088) and company (company number 07464167). Fulham Palace Enterprises Community Interest Company (company number 07574413) is an associated company handling the commercial income on the site. Under this notice, ‘we’ and ‘Fulham Palace’ refer to both Fulham Palace Trust and Fulham Palace Enterprises Community Interest Company.

1. Introduction

This policy is set out as a privacy notice. It explains how we meet our commitment to protect your privacy and ensure the confidentiality of the personal information we collect and use. Information is also provided on your data protection rights and on the use of cookies on our website.

The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”). We are registered with the Information Commissioners Office and our registration number is ZA239185.

Any updates to this policy will be published on our website.

2. How we collect personal data

Data is classed as personal if it:

  • identifies an individual, by itself or with other information
  • is about a living person and affects a person’s privacy (personal, family, business or professional)

We collect information you provide to us in person, online (though the use of the Fulham Palace website and any other electronic communication networks), via email, phone, in writing or other correspondence.

For example:

  • when you join as a Friend, Patron or Corporate Patron;
  • when you book a ticket for an event, tour or museum visit (either online or in person);
  • when you donate (either online, in person, or by filling out a form);
  • when you sign up to Fulham Palace email updates, either via the website or by filling in a form on site;
  • when you apply for a job or a volunteer role;
  • when you provide visitor feedback.

We also use a CCTV system for the prevention of crime.

3. The personal data we collect

The personal data we collect and process will clearly vary in line with the nature of your contact with us. The main types of information are as follows (this is not intended to be a fully comprehensive list):

All contacts

  • personal identification information normally includes name, title, address, email address and phone number

Friends and Patrons

  • direct debit details, when applicable
  • UK tax status confirmation if the membership donation is gift-aided
  • contact preference for receipt of biannual newsletters
  • option on receiving general communications on events and activities

Other donors

  • UK tax status confirmation if the donation is gift-aided
  • option on receiving general communications on events and activities

Attendees at events

  • information on access needs or special dietary requirements, when relevant to the event

Job applicants

  • details on qualifications, skills, experience and employment history
  • information on entitlement to work in the UK
  • information on any disabilities and need for special facilities
  • reference information, before any appointment
  • for relevant posts, a DBS check before any appointment. (Access to this information is normally limited to the chief executive and the nominated safeguarding officer.)

Information on age and ethnic origin is only collected anonymously, for equal opportunities monitoring purposes.

Members of staff (in addition to the job application information)

  • terms and conditions of employment, including salary details
  • bank account details and national insurance number
  • periods of sickness absence and the reasons for the absence
  • records of any disciplinary or grievance procedure issues
  • records of PDR reviews and assessments
  • emergency contact details


  • information on interests, skills, qualifications and previous volunteer experience
  • information on any disabilities and need for special facilities
  • reference and DBS check information, as above for job applicants
  • availability times to carry out a volunteer role
4. How we use your personal data

4.1 General principles

We only ever use your personal data with your consent, or where it is necessary in order to:

  • enter into, or perform, a contract with you
  • comply with a legal duty
  • protect your vital interests
  • carry out a task in the public interest
  • for our own (or for a third party’s) legitimate interests, provided your rights do not override these interests

We will only use your personal data for the purpose or purposes for which it was obtained.

When consent is requested, we will ask for a positive opt in choice. It will also be made clear how consent can be withdrawn.

4.2 Marketing and fundraising communications

Unless you have already given us your email address or telephone number so that we can tell you about making donations to us or about the supply of goods and services including Friends and Patrons memberships, we must ask you to ‘opt-in’ to receive fundraising and marketing emails from us. You have the choice as to whether you want to receive or continue to receive these messages. You are also able to change your preferences at any time.

When you receive a communication from us, we may collect information about your response and this may affect how we communicate with you in future.

4.3 Specific uses

Specific ways we use your personal data may include:

  • receiving donations (for example, direct debits or gift-aid instructions)
  • maintaining databases of our Friends, Patrons and other supporters
  • processing Friends and Patrons subscriptions
  • performing our obligations under Friends and Patrons contracts and other supporters’ agreements
  • managing custody of our collection including our intellectual property rights
  • carrying out due diligence to meet our compliance duties (for example, before making any acquisition into our collections, accepting financial support, or making agreements for the supply of goods and services)
  • processing enquiries and requests for information
  • managing feedback, comments, and complaints we receive
  • fulfilling orders for tickets, goods, or services (whether placed online, over the phone or in person)
  • helping us respect your choices and preferences
  • recruitment and staff management including pay, tax, and pensions administration
  • management of suppliers of goods and services
  • managing your visit to Fulham Palace (for example, health and safety, security, lost property, and incident management)

4.4 Internal research and profiling

We carry out research and analysis on our visitors, Friends, Patrons and other supporters to determine the success of our public offer and programmes and other activities in the public interest and to help us provide you with a better experience (for example so that you only receive communications about areas of our activities or research you are mostly likely to be interested in).

We may evaluate, categorise and profile your personal data in order to tailor materials, services and communications (including targeted advertising) to your needs and your preferences and to help us to understand our audiences. For example, we may keep track of the amount, frequency and value of your support including your philanthropic involvement elsewhere. This information helps us to ensure communications are relevant, timely and in the best interest of our charitable purposes.


Fulham Palace use CCTV to help provide a safe and secure environment for visitors, for our staff and for the collection and to prevent or detect crime.

The system is managed in accordance with our standard operating procedures and with good practice guidance issued by the Information Commissioner’s Office. CCTV images will only be accessed by authorised security staff and are stored for up to 36 days, unless flagged for review.

6. Data security

We have in place physical, electronic and managerial procedures to safeguard and secure the personal information we collect. These procedures apply to personal data which is collected, stored and transmitted electronically, on paper, or by any other means.

New members of staff are made aware of these procedures as part of the induction process, as appropriate to their role.

We do use external ‘data processors’ to manage the payroll, ticket purchases and online donations; and to hold membership and donation information and email mailing lists. Our data processors have provided statements on how they keep your personal data safe and secure in compliance with the General Data Protection Regulation (GDPR).

All our employees and data processors, who have access to, and are associated with the processing of personal data, are legally obliged to respect the confidentiality of the personal data.

7. Sharing personal information

Within Fulham Palace, personal data is only shared between colleagues who legitimately require the information to carry out their duties.

Personal data is shared with Government and Regulatory Bodies when required to meet legal, regulatory and professional obligations.

We do not share personal information with any third parties for marketing purposes.

As stated under 6. above, external data processors are required to provide statements on how they keep personal data safe and secure in compliance with legislation.

8. Storing your personal data

8.1 Where we store data

The majority of the personal data that we collect is processed in the UK and is therefore protected by the UK data privacy laws.

Some of our third party data processors do store information on remote servers across the world, and we have agreements with them to ensure that your information is safe and secure and not shared with other organisations.

8.2 Retention of your personal data

We will hold your personal information for as long as it is necessary for the relevant activity.

If you ask us to stop contacting you with marketing or fundraising materials, we will keep a record of your contact details and limited information needed to ensure we comply with your request.

Paper records such as visitor feedback, membership forms*, and email sign up forms will be destroyed after two years.

If you are a donor, we will only retain limited personal data if we have not had any contact with you within the last two years.

*Gift Aid records are kept on file for a minimum of six years in order to comply with HMRC regulations.

To request a copy of our full data retention guidelines please contact

9. Children and young people

We recognise the importance of fully applying all data protection requirements whenever children and young people aged under 18 are involved.

Personal information for children and young people attending clubs or courses can only be accessed by the member(s) of staff responsible for running these events. (Examples of these events include Palace explorers, Young Archaeologists’ Club, and Arts Award courses.)

If for a child under 13 years of age we rely on consent as the lawful basis for processing the personal data, we will get consent from whoever holds parental responsibility.

10. Your data protection rights

You have the following data protection rights:

  • to be informed about the collection and use of your personal data
  • to receive a copy of the personal data we hold about you
  • to have your personal data corrected
  • to request erasure of your personal data – this will not be possible if it is necessary for us to retain your personal data for a lawful reason
  • to request a restriction in how your personal data is being used
  • to object to how your personal data is being used
  • to data portability – you may request a copy of your personal data in a format that is accessible, machine-readable, and transferable to another organisation provided this is technically feasible

To find out more about the conditions and exemptions applying to these rights, or to exercise any of them, please contact us as shown at the end of this policy. We will normally respond to a request within one month.

11. Complaints

We take great care to comply with the laws governing the protection of personal data. If, however, you do want to complain about our use of personal data, please write to the chief executive (contact details below) with the details of your complaint and your concerns will be investigated.

If the issue is not resolved after receiving our response, you have the right to raise your concerns with the Information Commissioner’s Office (

12. Cookies

A cookie is a small file downloaded on to the hard drive of a computer or mobile device when the user logs on to a website.

One cookie we use is to remember your font size preference.

We also set Google Analytics cookies to collect general statistical information to help us understand how our website is used and to improve the service we provide. We learn whether visitors have used the website before, which pages are the most popular and how users move around the site. This information does not allow users to be identified individually.

It is important for us to be able to include your visit in our statistics. By continuing to use the website without changing settings, you are agreeing to our use of these cookies.

To find out more general information on cookies and how to control or delete them please go to or

These are the cookies set commonly on our website:

  • _ga: Google Analytics. This helps us count how many people visit the website by tracking if you’ve visited before. Expires: 2 years.
  • _gat_UA-4986127-50: Google Analytics. Used to throttle request rate. Expires: 1 min.
  • _gid: Google Analytics. Used to distinguish users. Expires: 24 hours.
  • _gcl_au: Used by Google AdSense for experimenting with advertisement efficiency across websites using their services. Expires: 3 months.
  • _hjSessionUser{site_id}: Hotjar. Used to persist the Hotjar User ID, unique to that site on the browser. Expires: 1 year.
  • _hjSession{site_id}: Hotjar. Holds the current session data. Expires: 30 minutes.
  • _hjIncludedInPageviewSample: Hotjar. This cookie is set to let Hotjar know whether that user is included in the data sampling defined by your site’s pageview limit. Expires: 30 minutes.
  • _hjAbsoluteSessionInProgress: Hotjar. This cookie is used to detect the first pageview session of a user. Expires: 30 minutes.
  • _hjFirstSeen: Hotjar. This is set to identify a new user’s first session. Expires: when the current session ends.
  • YSC: Youtube. Registers a unique ID to keep statistics of what videos from YouTube the user has seen. Expires: when the current session ends.
  • VISITOR_INFO1_LIVE: Youtube. Tries to estimate the users’ bandwidth on pages with integrated YouTube videos. Expires: 180 days.
  • CONSENT: Youtube. Used to detect if the visitor has accepted the marketing category in the cookie banner. Expires: 2 years.
13. Links to other sites

On our website we occasionally provide links to other websites for your convenience and information. Please be aware that these sites may have different security and privacy policies and we have no control over and take no responsibility for any information submitted to these sites.

14. Changes to this policy

This privacy policy will be amended in the light of any relevant changes in legislation or related good practice. The current version will always be posted on our website.

This privacy policy was last updated in April 2022.

15. How to contact us

Please contact us if you have any questions about our privacy policy. Our contact details are as follows: