ENSEK CONTRACTORS PRIVACY NOTICE
Version 3.0 Effective Date 9th June 2026
This document is our privacy notice for the purposes of Articles 13 and 14 of the UK GDPR, with respect to our contractors (freelance workers, personal services companies, agency workers, independent contractors, and staff of contractors).
1. WHO IS THIS PRIVACY NOTICE FOR?
2. WHAT IS THIS PRIVACY NOTICE ABOUT?
3. WHO IS THE CONTROLLER OF YOUR DATA?
4. WHAT DATA DO WE HOLD ABOUT YOU?
5. HOW DO WE OBTAIN YOUR DATA?
6. WHAT IS OUR LAWFUL BASIS FOR PROCESSING YOUR DATA?
7. WHAT PURPOSES DO WE PROCESS YOUR DATA FOR?
8. WHO DO WE SHARE YOUR DATA WITH?
9. WHERE DO WE KEEP YOUR DATA?
10. HOW LONG DO WE KEEP YOUR DATA FOR?
1. WHO IS THIS PRIVACY NOTICE FOR?
Introduction
This privacy notice is addressed to the types of individuals listed below (the data subjects). PLEASE ENSURE THAT YOU READ THIS NOTICE.
Temp Workers
(1) Individuals who are supplied as temporary workers under a contract for services between ENSEK and an employment business.
(2) You may be employed by that employment business, or by an umbrella company set up by them.
(3) We are a controller with respect to your data that we hold.
Contractor Staff
(1) Individuals who are provided by contractors to carry out services for ENSEK or work within a team at ENSEK.
(2) The individuals could be acting as consultants, developers, team members, or in other roles.
(3) The individuals could be officers, employees, or owners of the contractor or of its sub-contractors.
(4) Contractors may include consultancy businesses, software development businesses, professional services businesses, legal businesses, personal services companies, or other companies providing man-power or people based services.
(5) We are a controller with respect to your data that we hold.
Freelance Workers
(1) Individuals who are freelance workers, working for us directly under a contract for services, or through a company they own (personal services companies), or through an umbrella company set up to provide their services.
(2) We are a controller with respect to your data.
Other Notices
(1) We have a privacy notice for employees, which is published internally only.
(2) We have a privacy notice for job candidates and applicants, published internally and on our website.
(3) We also have a general privacy notice, for any data processing not covered by this notice or the above notices, which is published on our website.
Any Questions?
(1) If you have any questions, please contact our People Team in the first instance, and then our data protection officer if your question has not been resolved.
(2) Contact details can be found later in this notice.
2. WHAT IS THIS PRIVACY NOTICE ABOUT?
Introduction
(1) This privacy notice explains what personal data we hold about you, how we collect it, how we use it, who we share it with, and what your rights are.
(2) We are required to notify you of this information, under data protection legislation.
(3) Set out below are some general points to note before reading further.
What is the applicable law?
(1) This document is a privacy notice published to comply with Article 13 and Article 14 of the UK GDPR, as updated by the Data (Use And Access) Act 2025.
(2) You can find out more information through the useful links section of this document.
What is our commitment as controller?
(1) The controller of your data is the person ultimately responsible for the processing of your data.
(2) As the controller of your data, we are committed to complying with our legal obligations as controller of your personal data, and to transparency about what we use your data for.
(3) Our legal obligations are set out in: (a) the UK GDPR; (b) the Data Protection Act 2018 (supplements the UK GDPR); and (c) the Data (Use And Access) Act 2025.
(4) As controller, we comply with the data protection principles in the UK GDPR when gathering and using personal data.
(5) We seek to ensure that our information collection and processing is always proportionate.
(6) We will inform you of any material changes to information we collect or to the purposes for which we collect and process it, through updates to this policy.
Must you provide data?
We need you to provide the personal data, in order to set up and perform any contract and non-disclosure agreement with you or the business supplying you, for the proper functioning and administration of our relationship with you and/or the business supplying you, to deliver any of our equipment to you to use, and for security/privacy compliance and protection purposes.
No automated decision-making
We do not use automated decision-making tools or processes with respect to your data.
Contracts
(1) When we refer to a contract in this privacy notice, we include the following.
(2) If you are a freelance worker, our contract with you and/or the business supplying you, including any collateral agreements (such as side letters).
(3) If you are a temporary worker, our contract with the employment business supplying you.
(4) If you are a consultant or other contractor, our contract with the consultancy or other contractor business under which you are supplied.
(5) Any non-disclosure agreement with you or any person supplying your services to us.
Work Data
(1) Please note that your work output and communications are not your personal data, and belong to and are confidential to ENSEK.
(2) This includes all work related files, messages, data, and actions you store, send, receive, create, add-to, or modify in ENSEK's systems and on ENSEK's equipment.
3. WHO IS THE CONTROLLER OF YOUR DATA?
The controller of your data is ENSEK LTD, and our contact details are set out below.
Company Name
ENSEK Ltd
Company Number
UK Companies House: 07167027
Country of Registration
England and Wales
Registered Office
(1) Hounds Gate, 30-34 Hounds Gate, Nottingham, England, NG1 7AB.
(2) This is also our postal address and head office.
Website
People Team Email
Data Protection Email
Data Protection Officer
Our Data Protection Officer can be contacted through the email address provided above.
4. WHAT DATA DO WE HOLD ABOUT YOU?
This section lists what data we hold about you in connection with the contract and supply relationship with us. Some of this data will only be used after you have been engaged by us.
# Core Data
We hold some core data about you as follows:
Identity
Your name and the company you are supplied by.
Address
Your home address, if we are supplying a laptop to you or collecting a laptop from you.
Email Addresses
Work or home email addresses for you, such as if we are communicating with you relating to access to ENSEK systems.
CV
We may hold your CV, if you or your employer supplies a CV, and store this in our recruitment system.
Complaints
We may hold information about complaints you make to us or your employer about us or our handling of your data / compliance with data protection laws; or complaints others make to us or your employer about you; including records of investigations and responses.
# Background Screening Data
If we have conducted a background screening check then we may hold some or all of the following information, or alternatively we may hold simply a confirmation from the business supplying you of the results of a background screening check they carried out:
Identity Verification Data
Proofs of your identity, such as passport details, driver's licence, national identity card or other similar proofs.
Address Verification Data
Proofs of your current residential address and previous residential address history, such as utilities bills or bank statements, and electoral register search results.
Right To Work Verification Data
Proofs of your right to work, including share codes, and results of online checks.
Proofs of Qualifications
Proofs of any qualifications you hold, such as certificates, qualification or licence numbers, and results of checks.
Employment History Check Results
Details of employment and educational history and results of checks, such as: (a) employer references; (b) payslips and contracts; (c) tax or benefit records checks; and (d) educational certificates.
Criminal Records Check Results
Results of checks on your history of cautions and convictions, including any resulting check certificate issued by a government agency.
Financial Position Check Results
Results of checks on your financial position, and any adverse conditions, such as results of: (a) court judgement checks; (b) bankruptcy checks; and (c) identity fraud checks.
Sanctions Check Results
Results of checks as to whether you are affected by global sanctions, are on a sanctions list, or are a politically exposed person.
# Business Information
We may hold in connection with you, details in relation to the business supplying you, such as the following. This is relevant particularly if you are the owner or director of the business supplying you.
Business Details
(1) Company name.
(2) Trading name.
(3) Registered address and office address.
(4) Legal status and form.
(5) Country of registration.
(6) Registration number.
(7) VAT number.
(8) Date of incorporation.
(9) Website, telephone, email, social media and other business contact details and public facing pages.
(10) Business activities.
(11) Directors and shareholders.
(12) Information about financial position.
(13) Policies, procedures, and practices.
(14) Regulatory authorisations and licences.
(15) Information concerning security and privacy measures.
Procurement Information
(1) Details relating to our procurement of services from the business supplying you.
(2) Tenders, bids, and proposals.
(3) Due diligence information, including information and accounts filed with Companies House, validity of VAT number, review of contractor website, and financial information.
(4) Negotiation and contract preparation information and communications.
(5) Any recruitment agency that referred you or your business to us, restrictions applicable to you, and introduction fees or commission payable in respect of you.
Business Contracts
(1) Information relating to agreements between us and you or the business supplying you.
(2) Non-disclosure agreements which you or the business supplying you enter into with us.
(3) Services contracts with you or the business supplying you.
(4) The terms of any services contract, including scope and timescales for the services, charges payable, and duration of services, and workers provided.
(5) Information concerning you that may appear in the contract.
(6) Side letters and collateral agreements signed in connection with the contract, including with you or other workers.
(7) Notices, variations, and other contract related documents, including termination letters and notices.
Signatory Information
(1) Name of contract signatory of any agreement above.
(2) Title and position of contract signatory.
(3) Date of signature.
(4) Signature.
(5) Signature evidence captured by Docusign or other online signing-service including history of views and opening of documents, IP address, and signing device.
Business Role
(1) Whether you are a director of the business supplying you, and your role as director.
(2) Whether you are a shareholder of the business supplying you, and your shareholding.
Fees & Timesheets
(1) Fees payable to you or the business supplying you for the services.
(2) Timesheets completed in relation to the provision of services for ENSEK.
(3) Bank details for payment of these fees (including account name, number, and sort code).
(4) Invoices and payment information, including payment and credit terms, and payments made by us.
# Office Information
We may hold information connected with your visits to and working at our offices.
CCTV
(1) You may be captured on CCTV at our offices.
(2) There may be CCTV located in the main building reception and any car park.
(3) There may be CCTV located in specific secure areas of our offices.
Card Access
(1) Details of any card issued to you for access to ENSEK's offices.
(2) Logs of any entry or exit from our offices.
# Working At ENSEK
We may hold information arising from your provision of services to ENSEK.
Role
Your position or role in relation to the work you are doing for ENSEK.
Competence
Evidence of competence and capability of staff the business is to supply to us.
Equipment
Company equipment (including laptops) loaned to you or the business supplying you, which is allocated to and/or delivered to you.
System Access
(1) Information relating to any email address given to you by ENSEK and accounts created for you in any ENSEK systems.
(2) Access rights and credentials to our networks and systems.
Communications
Images, video, and voice, including where you participate in recorded conferences and meetings for ENSEK.
Training
(1) Training information, including training you have undertaken with the business supplying you, and training you have undertaken with ENSEK.
(2) Includes training completion, timeliness and questionnaire results.
(3) Phishing and other security awareness tests we carry out on our contractors who are given ENSEK email addresses or access to ENSEK systems, as well as: (a) the results of these tests; (b) your history of performance against these tests including history of reporting phishing attacks; and (c) records of any associated follow-up advice and training.
Policy Acknowledgement
We may hold details concerning your reading of and acknowledgement of our policies and processes, such as relating to security and privacy.
Performance and Incidents
(1) Information, assessments and reviews of your performance of the services.
(2) Information concerning conduct, claims and disputes relating to you or the business supplying you.
(3) Information relating to security or privacy incidents and breaches relating to you or the business supplying you.
Data Subject Rights
Details of any exercise by you of data subject rights, such as subject access requests you make, comprising communications with you, and responses we give.
Surveys
Your responses to surveys, including eNPS surveys and feedback, if you make a non-anonymous response.
Working Hours
Your days of work and working hours.
Management Records
If you are responsible for managing other personnel within ENSEK as part of your role, we will capture information about your management of those personnel, including any reviews, assessments, comments, performance management, and feedback.
Travel Expenses
Travel, hotel and other similar information and associated expense information relating to working with ENSEK.
# System Information
We may hold information about what you do in our systems, including for security and privacy management purposes.
Access Rights
Access rights and log-in information to our equipment and systems, and to any third party systems we use.
System Use
(1) Usage logs of our offices, networks, systems, and software, including access logs, what was viewed or done, use of email and other messaging software, files stored, accessed, and downloaded, software installed, and websites visited.
(2) This includes audit trails relating to tasks and other actions carried out by you in our systems.
User Interface Analysis Data
(1) We capture usage information concerning your visits to any live or test websites and user interfaces of our software products, including: (a) where you use our Ignition user interfaces; and (b) where you are selected to take part in surveys using third party user interface testing software.
(2) This may include: (a) mouse movements; (b) clicks; (c) features and pages visited and used, surveys.
(3) This may also include audio and video recording only where users have selected to respond using one of these methods.
5. HOW DO WE OBTAIN YOUR DATA?
This section sets out how we obtain your data.
From You
(1) We may obtain information directly from you.
(2) From conversations and meetings with you.
(3) From emails and other messages sent by you.
(4) From any files and documents provided to us by you.
(5) From forms you complete.
(6) From surveys, eNPS and other questionnaires we issue, if you choose to identify yourself.
From The Business Supplying You
(1) We may obtain information from the business supplying you.
(2) From conversations and meetings with representatives of the business.
(3) From emails and other messages sent by the business supplying you.
(4) From any files and documents provided to us by the business supplying you.
(5) From forms completed by you or the business supplying you, including any contractor information forms or security or privacy questionnaires we request are completed.
(6) From any published information on any websites or trust centres of the business supplying you.
From Contracts
From information in any contracts signed with you or the business supplying you.
From Our Own Staff
We may obtain information about you or the business supplying you where our own staff: (a) provide us with introductions or other details; (b) are making assessments and decisions relating to the engagement of you or the business supplying you; (c) are managing your performance or that of the business supplying you.
From Our Systems
(1) We may obtain data about you from our systems, including data inputted by you into our systems or data captured or generated by our systems; including systems we develop and systems we procure from third parties.
(2) From your ENSEK issued computer and phone.
(3) From your personal computer and phone, if it is used to access any of our systems or is used under our bring your own device policy.
(4) From our door entry systems and CCTV systems.
(5) From our business and cloud networks and systems that you or the business supplying you accesses and uses.
(6) From all files and information you send, receive, create, edit, upload or access, and all APIs that you call or use, in our networks and systems.
(7) From all logs created by our systems.
(8) From any analytics systems we use to generate analytics about use of our systems or products.
From Third Parties
(1) We may obtain information about you or the business supplying you from third parties.
(2) From a recruitment professional that was involved in introducing you or the business supplying you to us.
(3) From background checks providers, and the third party databases they use (including the Disclosure and Barring Service).
(4) From right to work checking services.
(5) From the Home Office, HMRC or other government agencies.
(6) From VAT checking services and other business registries.
(7) From website and public register searches.
From Us
Some information will also be created by ENSEK itself.
6. WHAT IS OUR LAWFUL BASIS FOR PROCESSING YOUR DATA?
To be able to process your data we need to have a lawful basis for doing so under the law. This section sets out the types of lawful basis we can use, and then the next section sets out the purposes for which we process your data and the main lawful basis for doing so.
Contract
To enter into or perform a contract with you or the business supplying you.
Legal Obligation
We need to do so to comply with a legal obligation or exercise a legal right.
Our Legitimate Interest
(1) We do so for our "legitimate interests".
(2) This is a flexible ground, and is a balance between ENSEK's interests and your own.
(3) It requires a judgement on our part, but is typically doing something you would normally expect, or there is a compelling justification.
(4) You have a right to object if you don't agree with our judgement (see later in this notice), and we must stop if it is clear you have overriding reasons for asking us to stop.
(5) Most of our processing would fall within legitimate interests.
(6) Examples of legitimate interests include: (a) to administer, operate and grow our business; (b) to operate a proper and secure procurement process; (c) verification of identity and address; (d) assessment of suitability; (e) security checks; (f) making informed decisions; (g) negotiating and enforcing contracts; (h) managing the supply of services to us and monitoring that it is in accordance with the contract; (i) monitoring use of our networks, systems, and offices; (j) performing our contractual commitments with our clients; (k) securing work and services outputs; (l) financing and insuring our business; (m) developing and improving our software and services; (n) training individuals working for or with us; (o) operating to public and contractual standards; (p) having sufficient competent personnel, and supporting personnel; (q) complying with legislation, regulations, or mandatory industry codes; (r) bringing or defending legal claims; (s) maintaining reasonable records and evidence; and (t) operating ENSEK's reasonable business policies.
Special Category Data
We do not process any data concerning your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics, biometrics, health, or sex life or sexual orientation.
Security
(1) We may process your data for the purposes of ensuring the security of our network and information systems; for example for network monitoring, access monitoring, data loss prevention, and enforcement of security and privacy policies and standards.
(2) This is expressly recognised now as a lawful basis of processing under the Data (Use And Access) Act 2025.
Intragroup data
We may process your data for the purposes of intra-group data transfers for group administration purposes.
Your Interests
(1) We need to do so, to protect your vital interests.
(2) This could include care for your health and safety.
Your Consent
(1) If the above do not apply, we would need to get your consent to the specific use.
(2) This could be an explicit documented consent, or it could be implicit because you have requested some action to be taken involving your data.
7. WHAT PURPOSES DO WE PROCESS YOUR DATA FOR?
This part sets out the key purposes we use your data for.
Audits
PURPOSE | To carry out audits of ENSEK's business and to enable third parties to audit ENSEK's business and controls, including audits under ISO 27001 & ISO 27701, audits under the Smart Energy Code and other industry codes, and SOC (Service Organisation Controls) audits.
EXAMPLE | Providing evidence (which may include your personal data) to demonstrate the operation of ENSEK's policies and controls in the business (such as performance reviews, access logs).
LAWFUL BASIS | Legitimate Interests - To operate ENSEK's business to a good standard.
Background Checks
PURPOSE | (1) Carrying out ENSEK's background checks with third parties to assess your reliability and security risk status. (2) ENSEK's business handles a lot of security and privacy sensitive data, and can access smart meters, and accordingly ENSEK carries out background checks on staff of ENSEK and contractors, to protect security and privacy.
EXAMPLES | (1) Digital identity verification and passport validation. (2) Right to work checks. (3) Address confirmation and electoral roll checks. (4) Financial status search including county court judgements, insolvencies, and bankruptcy orders. (5) Checks with global and other sanctions lists, enforcement agency checks, and checks for PEP status (politically exposed persons). (6) Employment history verification, over 5 years, with an explanation of and evidence for gaps. (7) Criminal convictions and disclosure checks.
LAWFUL BASIS | (1) Legitimate Interests - ENSEK's business handles security sensitive data, including connections with smart meters, and needs to be able to meet regulatory and client security standards. (2) Legitimate Interests - To protect ENSEK's networks and information security, and to protect personal data processed by ENSEK. (3) Legal obligation - If governments introduce an obligation on businesses using contractors to carry out direct right to work checks on the contractor personnel.
Business Management
PURPOSE | To manage our business.
EXAMPLES | (1) Insuring our business. (2) Looking after all our workers. (3) Complying with our legal and contractual obligations, including under any client contracts sub-contracted to the business supplying you. (4) Managing our business systems, granting, and revoking access, and monitoring proper access and use. (5) Maintaining the security of our business, data, and finances, and implementing and monitoring security controls and measures. (6) Carrying out audits of our business and enabling third party audit companies to audit our business. (7) Providing evidence (which may include your personal data) to demonstrate the operation of our policies and controls in the business (such as performance reviews, access logs). (8) Operating our business and its processes. (9) Checking the quality of work output and activities of all our staff and workers.
LAWFUL BASIS | (1) Contract - Performing any contract with the business providing you. (2) Legitimate Interest - To operate our business to a high standard and comply with our contractual and legal obligations. (3) Legal Compliance - Complying with tax, legal, regulatory, and corporate governance obligations. (4) Legitimate Interest - Managing risk in the business.
Claims
PURPOSE | To bring or defend legal claims relating to the contract under which you are supplied.
LAWFUL BASIS | (1) Legitimate Interests - Natural justice indicates that any person should be able to enforce or defend claims. (2) Contract - To comply with and enforce any contract for services under which you are supplied.
Complaints Handling
PURPOSE | To investigate, respond to and handle complaints you may make or others may make about you.
EXAMPLES | (1) You make a complaint about your data subject rights. (2) Someone makes a complaint about your conduct when providing services to ENSEK.
LAWFUL BASIS | (1) Legal obligation - To comply with any legal obligations we may have (including under data protection laws) to handle complaints you make. (2) Legitimate interest - To ensure that we properly address complaints that may affect you and the services you are providing.
Contacting You Or The Business Supplying You
PURPOSES | Contacting you and your next of kin.
EXAMPLES | (1) Contacting you to supply or recover any ENSEK laptop or other equipment. (2) Contacting you to set up your access to any ENSEK systems. (3) ENSEK may contact you by letter, email, or phone where appropriate. (4) ENSEK may need to let your next of kin or emergency contact know, or the business supplying you, if there has been an emergency, e.g., accident or illness.
LAWFUL BASIS | (1) Legitimate Interests - To operate ENSEK's business and policies. (2) Contract - To comply with the contract for services under which you are supplied. (3) Your Interests - To communicate with you and your next of kin, or the business supplying you, in connection with your work for us, and any health related matters we become aware of.
Contract Management
PURPOSE | To manage our contract for services with you or the business supplying you.
EXAMPLES | (1) Maintaining a record of the procurement process. (2) Maintaining a record of the contract and all changes to it. (3) Maintaining a record of our due diligence and verification activities. (4) Managing variation and termination of the contract. (5) Communicating the agreed terms to necessary people in the business (e.g., charges communicated to finance team). (6) Maintaining a record of termination dates. (7) Maintaining a record for audit purposes.
LAWFUL BASIS | (1) Legitimate Interest - Maintaining evidence of the contract. (2) Contract Compliance - Performing the contract. (3) Legal Compliance - Having audit information available. (4) Contract - Performing any contract with the business providing you.
CV
PURPOSE | We may use your CV to assess your suitability to provide the services your employer is providing to us; or if you are interested in applying for a permanent role.
LAWFUL BASIS | (1) Legitimate interest - Ensuring that contractors have provided competent personnel to provide their service. (2) Legitimate interest - Assessing potential job applicants.
Incident Management
PURPOSE | To deal with incidents affecting the contract under which you are supplied, including breach, competence, progress, and security matters.
EXAMPLES | (1) Gathering and storing facts and evidence. (2) Making claims and exchanging position statements and offers. (3) Following our security breach procedures. (4) Reporting information to government bodies.
LAWFUL BASIS | (1) Legitimate Interests - Having our suppliers perform their contracts, and defending claims. (2) Contract - Enforcing and performing the contract. (3) Legitimate Interests - Managing claims, issues and incidents appropriately and to the standards required by ISO and data protection laws.
Intellectual Property
PURPOSE | To identify, prove, capture, maintain and protect the intellectual property, trade secrets, confidential information and know-how of ENSEK and its clients.
EXAMPLES | Capturing and storing code, files and documents you create and evidence of who created or made changes to code, files or documents.
LAWFUL BASIS | (1) Contract - To enforce legal and contract rules on IPR ownership and confidentiality. (2) Legitimate Interest - To protect and secure our business, software and services, and intellectual property rights and trade secrets.
Joiner, Mover, Leaver Processes
PURPOSES | (1) To operate ENSEK's joiner, mover (change of role) and leaver processes, where individuals commence working with ENSEK, or change what they are working on and their role with ENSEK, or cease working with ENSEK. (2) This includes equipment provision and retrieval, and system and office access grant, change and removal.
EXAMPLES | (1) Couriering ENSEK laptops and retrieving them. (2) Granting, changing or removing access to ENSEK systems.
LAWFUL BASIS | Legitimate Interests - To control and protect ENSEK's assets, systems, and data, and comply with ENSEK's security and privacy obligations at law and in contract.
Payment Management
PURPOSE | To manage payment to you or the business supplying you for services provided.
EXAMPLES | (1) Storing and approving timesheets. (2) Receiving and checking invoices for work done. (3) Making bank transfers.
LAWFUL BASIS | Contract - Performing the contract with the business supplying you.
Performance Management
PURPOSE | To manage and monitor the provision of the services and performance of the contract with the business supplying you, and your performance of the services for that business.
EXAMPLES | (1) Giving instructions and managing the receipt and use of the services. (2) Monitoring progress and compliance. (3) Monitoring and capturing outputs, including deliverables such as code, advice, reports, analysis, and plans. (4) Assessing the quality of outputs.
LAWFUL BASIS | (1) Legitimate Interest - That our suppliers comply with their contracted obligations. (2) Contract Compliance - Performing the contract. (3) Legal Compliance - Complying with security standards and information and data protection laws.
Procurement Management
PURPOSE | To operate a reasonable procurement process for procuring your services or those of the business supplying you.
EXAMPLES | (1) Entering into non-disclosure agreements. (2) Verifying identity, authenticity, and financial standing. (3) Assessing bids and tenders. (4) Carrying out due diligence and security checks, and taking up references. (5) Validating that you are not being engaged as an employee by us. (6) Making decisions on procurement. (7) Preparing, negotiating, and entering into contracts. (8) Setting up you or the business supplying you in our systems for payment; applying our joiner-mover-leaver process.
LAWFUL BASIS | (1) Legitimate Interest - To operate a professional procurement of services, and to know who we are dealing with, their trustworthiness, and competence. (2) Contract - To enter into a contract. (3) Legal Compliance - To comply with regulations that govern procurement of services (including anti-bribery and financial conduct).
Record Keeping
PURPOSE | To maintain appropriate, accurate, complete, and up-to-date records relating to your work with us and our contract with the business supplying you.
LAWFUL BASIS | (1) Legitimate Interests - ENSEK's legitimate interest in managing ENSEK's business staffing. (2) Legal Obligation - Complying with ENSEK's contract with you or the business supplying you. (3) Contract - Paying you or the business supplying you. (4) Legal Obligation - Complying with ENSEK's tax obligations. (5) Legitimate Interest - Operating and demonstrating security, privacy, operational and other controls in the business. (6) Legitimate Interest - Managing risk in the business.
Role Management
PURPOSE | (1) To manage your role in the business and your work output, and for any management you carry out on our behalf of other ENSEK personnel. (2) To book travel and accommodation and manage expenses we are responsible for in relation to your role.
EXAMPLES | (1) Contacting and managing you in the day-to-day performance of your role. (2) Maintaining and reviewing records of your role in ENSEK's business. (3) Monitoring your work output. (4) Capturing your records of performance management of other ENSEK personnel. (5) Record
LAWFUL BASIS | (1) Legitimate Interests - Ensuring that ENSEK's staff (own and contractors) know what they are engaged to do, and are delivering according to their role. (2) Legitimate Interests - Supporting ENSEK's business needs and good management and operation of ENSEK's business. (3) Legitimate Interests - Supporting ENSEK's personnel and ensuring they are looked after and successful in their roles. (4) Legitimate interests - meeting our responsibilities to pay expenses and associated financial accounting.
System Access & Use
PURPOSE | (1) To manage, document, monitor, and review access to and use of our systems. (2) Systems include networks, laptops, file storage, messaging, SaaS products, and third party back office cloud services we use.
EXAMPLES | (1) Granting you access and documenting the systems you have access to and the scope of permission you have for those systems. (2) Maintaining logs of your access to those systems, and any activities you carry out in those systems.
LAWFUL BASIS | (1) Legitimate Interest - To maintain a good security and privacy management system, including to be able to restrict access to what is necessary, to identify threats and data loss, to know what access you have been granted. (2) Legitimate Interest - Operational auditing and incident management, to be able to identify and investigate if any security or privacy breach has occurred or to investigate whether a business process, activity or processing step or task has been completed correctly, and to identify who carried out that process, activity or step for the purpose of training and preventing recurrence of errors.
System Improvement
PURPOSE | To improve our software and services.
EXAMPLES | (1) Capturing data about your use of our software user interfaces and their features to assess the effectiveness of our designs and features. (2) Capturing testing data where you are invited to participate in a test of a new user interface feature or a user interface survey. (3) Capturing user feedback.
LAWFUL BASIS | Legitimate Interest - Developing and improving our products and services, and compliance with our contracts to supply our SaaS services.
Training & Policies
PURPOSE | (1) Ensuring that you have appropriate security and privacy training, and that you have appropriate equality and diversity training, for your role in ENSEK's business; and ensuring that you have appropriate competencies and skills for your role in ENSEK's business. (2) Ensuring that you acknowledge and agree to ENSEK's policies applicable to your work within ENSEK, and access to systems, equipment, offices and data.
EXAMPLES | (1) Providing training courses. (2) Maintaining training records. (3) Recording acknowledgement of policies.
LAWFUL BASIS | (1) Legitimate Interests - Maintaining security, privacy and quality in ENSEK's business. (2) Legitimate Interests - To avoid causing breach of security or data protection rules through lack of staff knowledge and training. (3) Legitimate Interests - Maintaining controls for ISO 27001 and ISO 27701.
Worker Management
PURPOSE | To manage the interactions and interface points between us and you or other workers provided by the business supplying you, and manage the skills, training, and knowledge of workers.
EXAMPLES | (1) Carrying out background checks with third parties to assess your reliability and security risk status. (2) Issuing equipment. (3) Issuing access cards. (4) Issuing access accounts and credentials to our systems and setting up roles and permissions. (5) Providing training on our policies and procedures, security and data protection, and other requirements for working with us. (6) Monitoring your access to and use of our equipment, networks, and systems. (7) Recovering and terminating any of the above.
LAWFUL BASIS | (1) Legitimate Interest - Maintaining control and security over our equipment, networks, systems and data. (2) Legitimate Interest - Ensuring that all workers are interfacing correctly with our business. (3) Contract Compliance - Performing the contract with the business supplying you. (4) Legal Compliance - Complying with security standards and information and data protection laws.
8. WHO DO WE SHARE YOUR DATA WITH?
This section details who we may share your information with. We will normally share in confidence unless the law requires otherwise.
Auditors
DESCRIPTION | (1) ENSEK may share your personal data with any third party that is auditing ENSEK's business and controls, including ENSEK's security measures and operational controls, for the purposes of evidence, but only to the extent reasonably required for such evidence. (2) It will be shared securely, and under a non-disclosure agreement; and is normally shared to the auditor's secure evidence repository.
RECIPIENT ROLE | They use it as ENSEK's sub-processor, to provide audit services to ENSEK.
RETENTION | They may retain this in archive for up to 7 years, as evidence of the audit services provided.
Background Check Providers
DESCRIPTION | ENSEK will share your information with background check providers (currently Experian) to the extent necessary for them to carry out background checks such as: (a) criminal records; (b) credit; (c) electoral roll, world watch list, and address and employment history.
RECIPIENT ROLE | (1) They use it as ENSEK's sub-processor, or provide the background check information to ourselves. (2) A credit search may also go on your credit record.
RETENTION | They will retain this for 12 months in their systems.
Corporate
DESCRIPTION | If ENSEK is selling or transferring ENSEK's business, or there is to be a change of control or new investment, or a re-structuring of ENSEK's business, ENSEK may share your information as appropriate with potential purchasers and new owners and shareholders, and their advisors, to support such process and for their due diligence purposes.
RECIPIENT ROLE | They will use it as data controller, to assess in relation to such business acquisition, and will provide you with a privacy notice if legally required.
RETENTION | They will retain this according to their own retention policies.
Contacts
DESCRIPTION | (1) ENSEK may share your work contact data to the extent appropriate or relevant to your role, with your potential internal and external business contacts, such as contacts at ENSEK clients. (2) This will normally be sharing of contact details and place of work with colleagues, staff, customers, and suppliers. (3) Limited to name, role, email address.
RECIPIENT ROLE | (1) Internal staff will receive it only in their capacity as ENSEK's staff. (2) External contacts will receive it as data controller, and will let you have a privacy notice if legally required.
RETENTION | They will retain this according to their own retention policies.
Home Office
DESCRIPTION | ENSEK may share your personal data with the Home Office for background check and right to work check purposes.
RECIPIENT ROLE | They will receive it as data controller, and will let you have a privacy notice if legally required.
RETENTION | They will retain this according to their own retention policies.
Emergency and Health Services
DESCRIPTION | ENSEK may share your personal data with emergency services and health professionals if required, such as if you are unwell at an ENSEK office or become unwell on a call and need assistance.
RECIPIENT ROLE | They will receive it as data controller, and will let you have a privacy notice if legally required.
RETENTION | They will retain this according to their own retention policies.
Invoice Support
DESCRIPTION | To an invoice scanning service, to scan and analyse your invoices or the invoices of the business supplying you to make input into our finance systems and payment more efficient.
RECIPIENT ROLE | They will receive your invoices as our processor.
RETENTION | They will retain this according to ENSEK's retention policies.
Government Agencies
DESCRIPTION | We may be legally required to share information relating to you to government agencies generally. For example, for right to work checking and reporting.
RECIPIENT ROLE | They will receive it as data controller, and will let you have a privacy notice if legally required.
RETENTION | They will retain this according to their own retention policies.
Other Staff
DESCRIPTION | We may share your information where relevant with other staff who are to be involved in procurement of your services with the business supplying you.
RECIPIENT ROLE | They will receive it in their capacity as our staff.
RETENTION | They will retain this according to ENSEK's retention policies.
Professional Advisors
DESCRIPTION | We may share your information where relevant with our lawyers, accountants, consultants, and other professional advisors, for the purpose of their advising ENSEK and providing services to ENSEK involving your personal data.
RECIPIENT ROLE | They will receive it as ENSEK's sub-processor.
RETENTION | They may retain this in archive for up to 7 years, as evidence of the services provided, if appropriate.
Recruitment Agents
DESCRIPTION | We may share your information with recruitment agents who introduced you or the business supplying you, to let them know the outcome and pay them any commission due.
RECIPIENT ROLE | They will receive it as data controller.
RETENTION | They will retain this according to their own retention policies.
Systems Providers
DESCRIPTION | We may share your data with our systems providers, through putting your data into any systems that we procure, as part of their hosting of those systems; but they are not expected to access or use it, except for technical support purposes; and your data otherwise just resides on the systems as part of their cloud service, and is encrypted at rest.
RECIPIENT ROLE | They will receive it as ENSEK's sub-processor.
RETENTION | They will retain this according to ENSEK's retention policy.
Training Providers
DESCRIPTION | (1) We share your data with our training providers to record and manage training, such as the mandatory on-line cyber security, discrimination, equality, and data protection training that you are required to undertake. (2) This will normally include what training, and deadlines you need to observe.
RECIPIENT ROLE | They will receive it as ENSEK's sub-processor.
RETENTION | They will retain this according to ENSEK's retention policy.
9. WHERE DO WE KEEP YOUR DATA?
Introduction
Your data is kept in the systems referred to below. We no longer keep any paper records and all of your data is created, stored, and retained electronically.
General Location
(1) ENSEK has a supplier on-boarding process that assesses where your data is held, and the security and privacy compliance measures of that supplier.
(2) ENSEK aims to use cloud service providers who store your data in data centres in the UK or European Economic Area, but occasionally also the USA, following EU and UK rules for data transfers.
(3) ENSEK accesses these systems from its networks and staff located in the UK.
Access Rights Tables
(1) ENSEK use a cloud data table system to host ENSEK's access control records for its systems, including details of what systems you have access to from time to time.
(2) Your name, work contact details, and access rights may appear in that system.
(3) We may also create access review tables with your details in, when reviewing access to specific ENSEK systems and databases.
Business Systems
(1) Elements of your personal data may appear in ENSEK business systems, such as our SaaS systems, ENTRA Id, Azure DevOps, Outlook, Teams, ServiceNow etc.
(2) This will be incidental according to your use of those systems, and amount to an association between you and your use of those systems, and messages, chats, documents involving you.
People Systems
(1) ENSEK use third party cloud services to store and process staff information, including core information like name and contact details, timesheets, training, survey, and performance records.
(2) We may identify you as a contractor in those systems, and store a range of your information, including timesheets and background screening information.
(3) You may also be requested to give feedback and performance reviews relating to other personnel of ENSEK in those systems, which will be recorded by those systems.
(4) They are hosted in the UK, European Economic Area or USA.
Expenses Management
(1) ENSEK use an expense management cloud service and phone app to manage your expenses claims, and to enable you to book travel.
(2) It may send you notifications.
(3) It captures images of receipts for your expenses, and dates, times, and other details of those expenses, and travel information.
(4) It supports ENSEK approval of those expenses and travel bookings, and records this.
(5) You may also be asked to include your bank details in the system, to support reimbursement of your expenses to your bank account.
(6) It is hosted in part in the UK, European Economic Area and USA.
Finance System
(1) ENSEK's main finance and invoice management system may contain details of invoices from the business supplying you, and payment made, along with associated tax information.
(2) It is hosted in part in the UK, European Economic Area and USA.
Training Systems
Some training related records relating to you or the business supplying you will be stored in our training system.
Productivity Systems
(1) ENSEK uses Microsoft, Google and other apps for its general email, messaging, document creation, document storage and document sharing and its social and collaborative features.
(2) Your personal data may appear there in various forms for a specific use connected with ENSEK's business and systems.
(3) We specify the UK for hosting where possible.
10. HOW LONG DO WE KEEP YOUR DATA FOR?
This section covers our retention policy.
General Principle
ENSEK will only use your data for as long as it is required for the purposes for which it is processed.
Archiving Period
EVIDENCE ARCHIVE | (1) ENSEK will retain a copy of your data for evidential purposes during the term of the contract with the business supplying you and for 7 years after the end of that contract. (2) This is to enable evidence to be provided for tax and legal claims purposes within the general legal claims limit of 6 years: see the Limitation Act 1980.
LOGS | (1) Logging data relating to your use of ENSEK's systems (such as SharePoint logs) may be deleted sooner than this, depending on the logging configuration, typically after 12 months. (2) However, logs relating to activities carried out in ENSEK's SaaS systems may be retained for 7 years after the end of the contract under which you were supplied.
WORK OUTPUT | Data consisting of or relating to your work output and work tasks, messages, and activities may be retained indefinitely, such as code or documents created, or tasks and other activities in ENSEK's systems and databases.
Archiving Period | CCTV
LANDLORD | Landlord CCTV recordings are held for 30 days.
INTERNAL | We hold CCTV recordings from internal secure areas for 3 months.
INCIDENTS | If a recording is needed for evidence in relation to an incident that has happened, ENSEK may hold the data for as long as may be reasonably required for that incident.
11. HOW DO WE KEEP YOUR DATA SECURE?
This section covers our security measures.
General Principle
(1) We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way.
(2) In particular we have the following measures to keep your data secure.
ISO 27001
We are certified to and aim to keep certified to ISO 27001:2022, which requires us to have a security management system, and to maintain a wide range of security controls.
ISO 27701
We are also certified to and aim to keep certified to ISO 27701:2019, which is an extension to ISO 27001 for privacy information management.
Other Audits
We have our security controls audited independently by an auditor under the SOC (service organisation controls) audit standards; as well as under the smart energy code, the retail energy code, and other industry codes.
Data Breach
(1) We have procedures in place to deal with any suspected data security breach affecting your data.
(2) We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Other Measures and Controls
(1) The above standards and audits require and examine all our security and privacy measures and controls, which we have in place to protect against unauthorised use, access to, change to, or disclosure of your data, against viruses and other malicious software, and against unauthorised access to our equipment, offices, networks, cloud systems, and databases.
(2) These measures and controls cover areas such as office access controls, equipment log-in, cloud system log-in and associated roles and permissions, network and access monitoring, staff training, management, staff background checks, usage monitoring, anti-virus and other protective software and devices, and data segregation and encryption.
System Providers
Individual system providers listed in this document have their own separate security and controls with respect to your data in their systems, and we consider these prior to using those systems.
Cloud First
We operate on a "cloud first" basis, which means that your data is stored in secure and reputable cloud systems, rather than at any offices of ours.
Access Controls
We limit access to your personal information to those who have a genuine business need to know it.
Proportionate and Confidential
Those processing your information will do so only in an authorised and proportionate manner and are subject to a duty of confidentiality.
12. WHAT ARE YOUR RIGHTS?
This section covers your rights in relation to our processing of your data.
Introduction
(1) You have the following rights in relation to our processing of your personal data, but please note that these rights may be subject to conditions and exceptions set out in the law.
(2) If you would like to exercise these rights, please contact the head of human resources or our data protection officer.
(3) If you are not sure, just email us using our contact details in this document.
Our Service Providers
If you ask for the following, we are obliged to pass this request down to the providers of the systems we use and anyone else we use to process your data, as needed. See Article 19 of the UK GDPR.
Right to be informed
(1) You have the right to be informed if your data is being used.
(2) This document is how we are informing you.
(3) See Article 13 and Article 14 of the UK GDPR.
Right to withdraw consent
If any processing is based on your consent, you have the right to withdraw it at any time. Just email using our contact details in this document.
Right to stop direct marketing
You have the right to stop direct marketing at any time.
Right to a copy
(1) You have a right to an update of the information in this document.
(2) You also have a right to a copy of the personal data we hold about you.
(3) See Article 15 - Paragraph 3 of the UK GDPR.
(4) You have the right to ask for your data in a computer readable form, so that you can use it elsewhere.
(5) See Article 20 of the UK GDPR.
Right to a correction
(1) You have the right to request correction of your data (a right to rectification).
(2) See Article 16 of the UK GDPR.
Right to erasure
(1) You have the right to request erasure of your data (also known as the right to be forgotten).
(2) However, there are a range of exceptions to this, which mean that we do not have to erase your data if there are good reasons for retaining a copy of it.
(3) See Article 17 of the UK GDPR.
Right to restriction
(1) You have the right to request that we stop using your data for some purposes.
(2) There are conditions that apply.
(3) This means that we might still hold your data, but we would be stopped from using it for certain purposes.
(4) See Article 18 of the UK GDPR.
Right to object to legitimate interests
(1) If the legal basis for our using your personal data is a "legitimate interest", or we are using your data to market to you, then you can object to the processing.
(2) See Article 21 of the UK GDPR.
(3) We must stop the processing, unless we can show that our interests should take precedence over yours.
Automated Decision Making
(1) If we are making important decisions about you using a computer, without any human involvement, then you can ask us to stop, subject to conditions.
(2) See Article 22 of the UK GDPR.
Right to complain
(1) We hope that our Head of People and data protection officer can resolve any query or concern you have about our use of your personal data or your rights.
(2) In any case, you have the right to complain to the Information Commissioner at any time.
(3) Their details are: (a) Address - Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; (b) Helpline number - 0303 123 1113; (c) ICO website - https://ico.org.uk/make-a-complaint/.
13. USEFUL LINKS
Data Protection Act 2018
Contains additional rules to support the UK GDPR.
https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted
GDPR (UK)
The UK's copy of the GDPR following BREXIT.
https://www.legislation.gov.uk/eur/2016/679/contents
Data (Use and Access) Act 2025
Contains updates to Data Protection laws in the UK.
https://www.legislation.gov.uk/ukpga/2025/18
ISO 27001
International security controls standard.
https://www.iso.org/isoiec-27001-information-security.html
ISO 27701
International personal data management controls standard.
https://www.iso.org/isoiec-27001-information-security.html
Limitation Act 1980
Legal limitation periods for bringing a claim in court.
https://www.legislation.gov.uk/ukpga/1980/58/contents
SOC - Service Organisation Controls
Auditing standard for auditing of security and operational controls.
https://en.wikipedia.org/wiki/ISAE_3402
ICO - Complaints Page
Page for making a complaint to the ICO.
https://ico.org.uk/make-a-complaint/
ICO - Your Rights
ICO page on your rights.
https://ico.org.uk/your-data-matters/
Air Table
An online database system ENSEK use to manage staff system access rights records.
https://www.airtable.com/product
Cezanne HR
ENSEK's current employee management system and payroll provider.
Expensify
ENSEK's current staff expenses management system.
Full Story
A system used to generate user interface usage analytics, used by ENSEK to improve ENSEK's software user interfaces.
Google Workspace
ENSEK's back office business tools for email, messaging, calling, and file creation, storage and editing.
Illuminate
ENSEK's current training system, provided by Thrive.
https://illuminate.learn.link/
Leapsome
ENSEK's current performance management system.
Microsoft 365
ENSEK's back office business tools for email, messaging, calling, and file creation, storage and editing.
https://docs.microsoft.com/en-us/microsoft-365/enterprise/o365-data-locations?view=o365-worldwide
Sage
ENSEK's current finance system, from March 2023.
Teamtailor
ENSEK's current job application system.
https://www.teamtailor.com/en/
Thrive Learning
Providers of ENSEK's current employee training system from 1st January 2023.
https://www.thrivelearning.com/
Useberry
A third party system used to test user interface designs with users and to obtain user surveys and feedback, used by ENSEK to improve and develop ENSEK's user interface designs.
Vanta
ENSEK's current compliance management and policy acknowledgement system.
XERO
ENSEK's old finance system, replaced in March 2023.