Privacy policy


1.0 The Policy Purpose 

The purpose of this policy is to describe how the processing of personal data is undertaken at Contact Solar. It describes our approach to meeting our obligations in respect of the processing of personal data, and ensuring that in carrying out our work we can comply with the Data Protection Act 2018. It contains information regarding how we collect and use personal data or personal information about employees, partners and any other person or organisation in association with Contact Solar in accordance with the General Data Protection Regulation (GDPR) and all other data protection legislation currently in force.

This policy shall apply to EDF Energy, RESQ and employees of Contact Solar and any other person or organisation required to process personal data on our behalf.

 

2.0 Policy Statement

Contact Solar is a “data controller”. This means that we are responsible for determining the purpose and means of processing personal data relating to you.

During the course of our activities, staff will gather, store and process personal information and must recognise the need to treat it in an appropriate and lawful manner.

The types of information that we may be required to handle include details of current, past and prospective partners, employees, suppliers, business associates, patients and others with whom we communicate. The information, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the Act and other regulations. The Act imposes restrictions on how we may use that information.

This policy sets out our rules on data protection and our approach to meeting the legal conditions that must be satisfied in relation to the obtaining, handling, processing, storage, transportation and destruction of personal information.

Legislation places specific responsibilities on us, as a Data Controller, and our staff, recognising that an act of non-compliance may lead to legal prosecution. It may also damage our reputation. Data protection is a matter of good business and social responsibility. To ensure that an appropriate level of data protection is maintained, this policy must be observed in relation to the collection, holding, use and disclosure of personal information.

Regular monitoring and reviewing of the effectiveness of this policy will take place to ensure that it continues to achieve its stated objectives.

Any breach or suspected breach will be investigated and may lead to disciplinary action where that breach arises as a result of the action of a staff member. In some cases a breach of the terms of this policy may be treated as gross misconduct, leading to the summary dismissal of any employee who is found responsible.

 

3.0 Definition of Data Protection terms 

“Data” is information that is stored electronically, on a computer, or in certain paper-based filing systems.

“Data subjects”, for the purpose of this policy, include all living individuals about whom we hold personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal data.

“Personal data” means data relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal data can be factual (such as a name, address or date of birth) or it can be an opinion (such as a performance appraisal).

“Data controllers” are the people who (or organisations that) determine the purposes for which, and the manner in which, any personal data is processed. They have a responsibility to establish practices and policies in line with the Act. We registered with the UK Information Commissioner’s Office (ICO) as a data controller for all personal data that we use.

“Data users” include staff whose work involves using personal data. Data users have a duty to protect the information they handle by complying with this data protection policy and its protocols at all times.

“Data processors” include any person who processes personal data on behalf of a data controller. The staff of data controllers are excluded from this definition, but it could include suppliers that handle personal data on our behalf.

“Processing” is any activity that involves the use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data, including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.

“Sensitive personal data” includes information about a person’s physical or mental-health condition, racial or ethnic origins, political opinions, religious or similar beliefs, trade union membership, or sexual life. It also includes data about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings, or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions, and will usually require the express consent of the person concerned.

 

4.0 Details of Information we hold on Contact Solar Employees 

The list below identifies the kind of data that we will hold about you:

  • personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
  • date of birth
  • your photograph
  • gender
  • marital status
  • dependents, next of kin and their details
  • National Insurance number
  • bank account details, payroll records and tax codes
  • salary, pension and benefits information
  • leave records including annual leave, family leave, sickness absence etc.
  • start date
  • location of employment or workplace
  • copy of driving license
  • information included on your CV including references, education history and employment history
  • documentation relating to your right to work in the UK
  • information used for equal opportunities monitoring about your sexual orientation, religion or belief and ethnic origin
  • medical or health information including whether or not you have a disability
  • current and previous job titles, job descriptions, pay grades, training records, hours of work, professional membership and other terms and conditions relating to your employment with us 
  • compensation history
  • internal performance information including measurements against targets, formal warnings and related documentation with regard to capability procedures and appraisal forms
  • information and relevant communications regarding disciplinary and grievance issues
  • CCTV footage and other information obtained through electronic means such as building entry card records
  • information about your use of our information and communications systems

The following list identifies the kind of data that we will process and which falls within the scope of “special categories” of more sensitive personal information:

  • information relating to your race or ethnicity, religious beliefs, sexual orientation, sex life and political opinions
  • trade union membership
  • information about your health, including any medical conditions and disabilities
  • information about criminal convictions and offences

 

5.0 Protocols for Data Protection Compliance 

The People Operations Assistant is the assigned person/role within Contact Solar with functional responsibility for co-ordinating and maintaining our data-protection registration process and who will advise on any issue in relation to compliance with this policy.

Partners and line management are responsible for ensuring that employees and suppliers/service providers understand and carry out their responsibilities under the Act and this policy.

All staff are responsible for informing the People Operations Assistant of any new processing activity, or amendments to existing processing activities, of personal data.

Hard-copy and electronic media containing personal information must be securely stored to protect them from unauthorised use, or from activity that threatens the availability, confidentiality and/or integrity of personal data.

Personal data must not be disclosed to unauthorised persons other than in accordance with this policy.

Correspondence received from members of the public and/or employees requesting information under the Data Protection Act, or making any reference to the Act in regard to our work, must immediately be forwarded to the People Operations Assistant.

Every staff member must understand their responsibilities for data protection.

 

6.0 Data Protection Principles 

Any person processing personal data must comply with the eight enforceable principles of good practice and observe any instructions issued in relation to the processing of personal data. These principles provide that personal data must: 

  • Be processed fairly and lawfully;
  • Be processed for limited purposes and in an appropriate way; 
  • Be adequate, relevant and not excessive for the purpose; 
  • Be accurate;
  • Not be kept longer than necessary for the purpose;
  • Be processed in line with data subjects’ rights;
  • Be secure; 
  • Not be transferred to people or organisations situated in other countries without adequate protection. 

Fair and Lawful Processing

The Data Protection Act is not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject. The data subject must be told who the data controller is, who the data controller’s representative is, the purpose for which the data is to be processed by us, and the identities of anyone to whom the data may be disclosed or transferred.

For personal data to be processed lawfully, certain conditions have to be met. These may include, among other things, requirements that the data subject has consented to the processing, or that the processing is necessary for the legitimate interest of the data controller or the party to whom the data is disclosed. When sensitive personal data is being processed, more than one condition must be met. In most cases the data subject’s explicit consent to the processing of such data will be required.

Limited purpose and appropriateness

Personal data may only be processed for the specific purposes notified to the data subject when the data was first collected or for any other purposes specifically permitted by the Act. This means that personal data must not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the data is processed, the data subject must be informed of the new purpose before any processing occurs.

Adequate, relevant and non-excessive processing

Personal data should only be collected to the extent that it is required for the specific purpose notified to the data subject. Any data that is not necessary for that purpose should not be collected in the first place.

Accurate data

Personal data must be accurate and kept up to date. Information that is incorrect or misleading is not accurate and steps should therefore be taken to check the accuracy of personal data at the point of collection and at regular intervals thereafter. Inaccurate or out-of-date data should be destroyed.

Timely Processing

Personal data should not be kept longer than is necessary for the purpose. This means that data should be destroyed or erased from our systems when it is no longer required. Guidance on how long certain data is to be kept before being destroyed will be given by the People Operations Assistant.

Processing in line with the data subject’s rights 

Data must be processed in line with data subjects’ rights. Data subjects have a right to:

  • request access to any data held about them by a data controller;
  • prevent the processing of their data for direct-marketing purposes
  • ask to have inaccurate data amended
  • prevent processing that is likely to cause damage or distress to themselves or anyone else.

Data Security

We must ensure that appropriate security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. Data subjects may apply to the courts for compensation if they have suffered damage from such a loss. Also, our reputation relies on managing data protection effectively to avoid potential adverse publicity and reputation damage from any failure.

The Act requires us to put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data may only be transferred to a third party’s data processor if they give explicit agreement to comply with those procedures and policies, or if they put in place adequate measures themselves.

Maintaining data security means guaranteeing the confidentiality, integrity and availability of the personal data, defined as follows: 

  • Confidentiality means that only people who are authorised to use the data can access it. 
  • Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
  • Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should not normally, therefore, be stored solely on our individual PCs.

 

Security protocols include: 

  • Entry controls: Entry and movement around the premises must be strictly controlled through appropriate authorisation and unauthorised persons seen in entry controlled areas should be reported.
  • Secure, lockable desks and cupboards: Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
  • Methods of disposal: Paper documents should be shredded or securely disposed of through approved means. Digital/optical media should be physically destroyed when they are no longer required.
  • Equipment: Data users should ensure that individual monitors do not show confidential information to passers-by and that they lock/log off from their PC when it is left unattended.

 

7.0 Dealing with data subjects’ access requests 

  • A formal request from a data subject for information that we hold about them must be made in writing. A fee may be payable by the data subject for provision of this information.
  • Any staff member who receives a written request should forward it to the People Operations Assistant immediately.

 

8.0 Providing information over the telephone

  • Any employee dealing with telephone enquiries should be careful about disclosing any personal information held by us.
  • In particular the employee should:
    • Check the caller’s identity to make sure that information is only given to a person who is entitled to it;
    • Suggest that the caller put their request in writing if they are not sure about the caller’s identity (and if their identity cannot be checked); and/or,
    • Refer to their line manager for assistance in difficult situations. No-one should be bullied into disclosing personal information.




9.0 Method of Collection of Personal Information 

Your personal information is obtained through the application and recruitment process; this may be directly from candidates, via an employment agency or a third party who undertakes background checks. Further information will be collected directly from you when you complete forms at the start of your employment, for example, your bank and next of kin details. Other details may be collected directly from you in the form of official documentation such as your driving license, passport or other right to work evidence. Data may be collected during the course of your engagement with us to enable its continued existence or development.

Personal data is kept in personnel files or within our HR and IT systems.

 

10.0 Processing information about Employees 

We will only administer personal information in accordance with the lawful bases for processing. At least one of the following will apply when we process personal data:

  • consent: You have given clear consent for us to process your personal data for a specific purpose.
  • contract: The processing is necessary for a contract we have with you, or because we have asked you to take specific steps before entering into a contract.
  • legal obligation: The processing is necessary for us to comply with the law (not including contractual obligations).
  • vital interests: the processing is necessary to protect someone’s life.
  • public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
  • legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect your personal data which overrides those legitimate interests.

 

11.0 Lawful Basis For Processing “Special Categories” of Sensitive Data

“Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

  • consent: You have given clear consent for us to process your personal data for a specific purpose.
  • contract: The processing is necessary for a contract we have with you, or because we have asked you to take specific steps before entering into a contract.
  • legal obligation: The processing is necessary for us to comply with the law (not including contractual obligations) and meets the obligations under our data protection policy.
  • vital interests: the processing is necessary to protect someone’s life.
  • public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law and meets the obligations under our data protection policy. (For example in the case of equal opportunities monitoring)
  • legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect your personal data which overrides those legitimate interests (For example to assess your capacity to work on the grounds of ill health)

Occasionally, special categories of data may be processed where you are not capable of giving your consent, where you have already made the information public or in the course of legitimate business activities or legal obligations and in line with the appropriate safeguards.

 

Examples of the circumstances in which we will process special categories of your particularly sensitive personal information are listed below (this list is non-exhaustive): 

 

  • in order to protect your health and safety in the workplace
  • to assess your physical or emotional fitness to work
  • to determine if reasonable adjustments are needed or are in place
  • to monitor and manage sickness absence, family leave or other absences from work (including time off for dependents)
  • to administer benefits
  • in order to fulfil equal opportunity monitoring or reporting obligations

 

Where appropriate, we may seek your written authorisation to process special categories of data. Upon such an occasion we will endeavor to provide full and clear reasons at that time in order for you to make an informed decision. In any situation where consent is sought, please be advised that you are under no contractual obligation to comply with a request. Should you decline to consent you will not suffer a detriment.




12.0 Information about Criminal Convictions 

Information regarding criminal convictions may be processed in accordance with our legal obligations. Occasionally we may process such information to protect yours, or someone else’s interests and you are not able to give your consent, or we may process such information in cases where you have already made the information public. Such information may be sought as part of the recruitment process or in the course of your employment with us. Where we process information regarding criminal convictions we will adhere to the guidelines currently in force regarding data security and data retention as determined by the appropriate governing body.

We do not anticipate that we will process information about criminal convictions.

 

13.0 Automated Decision-Making

We do not anticipate that any of our decisions will occur without human involvement. Should we use any form of automated decision making we will advise you of any change in writing.

 

14.0 Sharing Data

Your data will be shared with colleagues within the Company where it is necessary for them to undertake their duties. This includes, for example, the Office Manager for their management of you, the HR department for maintaining personnel records and the payroll department for administering payment under your contract of employment.

It may be necessary for us to share your personal data with a third party or third party service provider (including, but not limited to, contractors, agents or other associated/group companies) within, or outside of, the European Union (EU). Data sharing may arise due to a legal obligation, as part of the performance of a contract or in situations where there is another legitimate interest (including a legitimate interest of a third party) to do so. 

The list below identifies which activities are carried out by third parties on our behalf:

  • payroll
  • pension providers/administrators
  • IT services
  • legal advisors
  • security
  • insurance providers

Data may be shared with 3rd parties in the following circumstances:

  • in the process of regular reporting activities regarding our performance, 
  • with regards to a business or group reorganisation, sale or restructure, 
  • in relation to the maintenance support and/or hosting of data 
  • to adhere with a legal obligation
  • in the process of obtaining advice and help in order to adhere with legal obligations

If data is shared, we expect third parties to adhere and comply with the GDPR and protect any data of yours that they process. We do not permit any third parties to process personal data for their own reasons. Where they process your data it is for a specific purpose according to our instructions.

We do not anticipate that we will transfer data to other countries.

 

15.0 Data Retention

We anticipate that we will retain your data for as long as we need it but for no longer than is necessary for the purpose for which it was collected.

We have given consideration to the following in order to decide the appropriate retention period:

  • quantity
  • nature
  • sensitivity
  • risk of harm
  • purpose for processing
  • legal obligations

At the end of the retention period, upon conclusion of any contract we may have with you, or until we are no longer legally required to retain it, it will be reviewed and deleted, unless there is some special reason for keeping it. Occasionally, we may continue to use data without further notice to you. This will only be the case where any such data is anonymised and you cannot be identified as being associated with that data.

 

16.0 Your Rights in Relation to your Data

We commit to ensure that any data we process is correct and up to date. It is your obligation to make us aware of any changes to your personal information.

In some situations, you may have the:

  • Right to be informed. This means that we must tell you how we use your data, and this is the purpose of this privacy notice.
  • Right to request access. You have the right to access the data that we hold on you. To do so, you should make a subject access request.
  • Right to request correction. If any data that we hold about you is incomplete or inaccurate, you are able to require us to correct it.
  • Right to request erasure. If you would like us to stop processing your data, you have the right to ask us to delete it from our systems where you believe there is no reason for us to continue processing it.
  • Right to object to the inclusion of any information. In situations where we are relying on a legitimate interest (or those of a third party) you have the right to object to the way we use your data where we are using it.
  • Right to request the restriction of processing. You have the right to ask us to stop the processing of data of your personal information. We will stop processing the data (whilst still holding it) until we have ensured that the data is correct.
  • Right to portability. You may transfer the data that we hold on you for your own purposes.
  • Right to request the transfer. You have the right to request the transfer of your personal information to another party.

Where you have provided consent to our use of your data, you also have the unrestricted right to withdraw that consent at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate reason for doing so.

If you wish to exercise any of the rights explained above, please contact the People Operations Assistant.

 

Consequences of your failure to provide personal information

Last Updated 23.04.25
