ENSEK's Public Privacy Notice
Last updated: 9th June 2022
A - WHO IS THIS PRIVACY NOTICE FOR?
This privacy notice is addressed to the types of individuals listed below (the data subjects), and it sets out whether we process your data as a controller (we are ultimately responsible) or processor (we handle your data for someone else).
Individuals who are contacts for our clients, contractors, or other third parties we may deal with. Contractors include development companies, professional services companies, and software and system suppliers.
Energy Supply Customers
Individuals who are supply customers of our clients, whose data is processed in our SaaS systems.
Your energy supplier is the controller, and we are their data processor.
Individuals who make a sales or other inquiry with us, including by submitting a contact or request form through our website.
Individuals who we include on our marketing database.
Individuals who are given a log-in or account to any system of ours, such as individuals given access to our product help system or SaaS systems.
This is mainly the staff of our clients who are using our systems on behalf of our clients.
This does not include our staff or contractors, as they are covered by separate privacy notices.
Individuals who visit and browse our website.
Individuals who visit our offices or attend meetings we arrange.
Individuals who join any video or audio conference call that we may set up.
This notice explains what personal data we hold about you, how we collect it, how we use it, who we may share your data with, and your rights.
We are required to notify you of this information, under data protection legislation.
PLEASE ENSURE THAT YOU READ THIS NOTICE.
We have separate privacy notices for staff, job applicants, and contractors.
B - WHAT IS THIS PRIVACY NOTICE ABOUT?
This privacy notice explains what personal data we hold about you, how we collect it, how we use it, who we share it with, and what your rights are. Set out below are some general points to note before reading further.
What is the applicable law?
What is our commitment as a controller?
The controller of your data is the person ultimately responsible for the processing of your data.
As the controller of your data, we are committed to complying with our legal obligations as controller of your personal data, and to transparency about what we use your data for.
As controllers, we comply with the DATA PROTECTION PRINCIPLES when gathering and using personal information. We seek to ensure that our information collection and processing are always proportionate.
We will inform you of any material changes to the information we collect or to the purposes for which we collect and process it.
What is our commitment as processors?
The processor of your data is the person who is processing data on behalf of the controller (such as a sub-contractor).
If we are the processor of your data, we are committed to complying with our legal obligations as the processor of your personal data, and to transparency about what we use your data for.
As a processor, our main obligations are to keep your data secure, and only to process it in accordance with the instructions of the controller.
Energy Supply Customers
If you are a customer of an energy supplier, and any personal data relating to you (and your energy supply) is processed by us in our cloud service for your supplier, then please read the following.
We are only the data processor. Your supplier is the controller of the personal data we hold. You should ask your supplier for their privacy notice. Your rights in this document should be exercised against your supplier, who will contact us if we need to be involved.
The majority of this document does not apply to you, but please note that we do owe our security obligations to you and the controller, and you still have the right to complain about us to the Information Commissioner directly.
For information, we process a large range of data relating to your energy supply contract. for the supplier. This includes your supply contract details, your contact, meter and address details, meter readings, prices, bills, payments, debt, and complaints. We only process these according to the instructions of your supplier.
Must you provide data?
There is no obligation to provide the data referred to in this privacy notice.
However, if you are a customer of an energy supplier, then they will need data relating to your supply in order to make the supply of energy to you.
When we refer to a contract in this privacy notice, we mean any contract for the supply of services between you and us and any non-disclosure agreement or heads of terms between you and us.
If you have any questions, please contact our individual staff representative you have been dealing with, but if that is not satisfactory, then please feel free to contact our data protection officer through the email addresses below.
C - WHO IS THE CONTROLLER OR PROCESSOR OF YOUR DATA?
The controller (or where applicable, processor) of your data is ENSEK LTD, and our contact details are set out below.
Our Company Name
Our Company Number
Our Country of Registration
England and Wales
Our Registered Office
Hounds Gate, 30-34 Hounds Gate, Nottingham, England, NG1 7AB.
This is also our postal address and head office.
Data Protection Email
Our Data Protection Officer
Our Head of Information Security
D - WHAT DATA DO WE HOLD ABOUT YOU?
You may be captured on CCTV if you visit our premises. There is CCTV located in the main building reception and the car park. It is operated by the landlords of the building. We may review a copy if there has been an incident relevant to us.
Web Download in Email - image download email.
Direct Messages from linked in or other social meter, phone calls.
Any queries and other inquiries that you raise with us, and responses that we give to you.
Your first name, middle names, and last names.
Any emails and messages, and notes of any calls, between you and us.
The name of any company or other organsation you are representing or working for.
This will be the email address that is supplied to us, so it could be a work or private email address depending on what is supplied.
Your job title or role at the company or other organisation you represent or work for.
Log-in and account details where you are given access by us to any system (e.g. SaaS system) or resource (e.g. user guides).
Data concerning your logging in to and use of our systems, to track and monitor correct usage, and to support our clients in dealing with wrongful usage.
Your telephone number supplied to us, and/or any public telephone number published by any company or organisation you represent.
If you are given user rights to access any of our systems, then we may record and store information about your use of those systems, including APIs called and tasks undertaken in the systems.
Your relationship with us, such as whether you are a client, potential sales opportunity, supplier, visitor, or other.
Video Call Recordings
Your image and voice may be captured if you allow your video feed or audio to feature in any video call or conference we arrange and record. For instance a business update, or training, or conference to which you are invited.
Website Usage Information
We capture and record information about visits to our website, and our cookies notice gives further information on this.
This may include when you visited, the IP address you visited from, browser information, your location in the globe, the pages you visited, the parts of the pages you viewed, and server session information concerning any processes you are undertaking through our website.
This is not recorded against you personally and is stored and used in an anonymous form, except that if you are added to our marketing database HubSpot, the information may be linked to you at that point.
E - HOW DO WE OBTAIN YOUR DATA?
This section sets out how we obtain your data.
From Forms You Complete
We obtain it from forms you complete, including any general inquiries, sales, media contacts, demo requests forms on our website, and any newsletter sign-up.
From Your Documents
From files and documents you provide to us, emails and messages you send, and from your public LinkedIn account.
From Conversation With You
We obtain it from conversations with you, which may include phone calls and video calls, emails, and instant messaging.
From Your Web Browser and Email Client
From data automatically supplied by your web browser when you visit our website.
From tracking images downloaded in our marketing emails, that capture when the email was opened and whether you clicked on links in it.
F - WHAT PURPOSES DO WE USE YOUR DATA FOR?
To be able to process your data we need to have a lawful basis for doing so under the law.
This part sets out the types of lawful basis we can use, and then sets out the purposes for which we process your data and the main lawful basis for doing so.
For most of your data the LAWFUL BASIS will be one of the following:
To enter into or perform a contract.
To comply with a legal obligation or exercise a legal right.
In Your Interest
To protect your vital interests.
Our Legitimate Interest
For our "legitimate interests".
This is flexible ground which we must prove. It requires a judgment on our part but is typically doing something you would normally expect, or there is a compelling justification.
You have a right to object if you don't agree with our judgment (see later in this notice), and we must stop if it is clear you have overriding reasons for asking us to stop.
If the above does not apply, we would need to get your consent.
We do not process any data concerning your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics, biometrics, health, sex life, or sexual orientation.
However, we may process health data if you are a job applicant or employee, or contractor - and you should see our separate privacy notices for those roles.
We do not process any data concerning your criminal convictions.
However, we may do so if you are a job applicant or employee, or contractor - and you should see our separate privacy notices for those roles.
In our case, these are the specific purposes we use your data for:
For the purposes of following up on an inquiry or request you made, including any follow-up sales processes.
Telephoning or emailing you following an inquiry by you.
Arranging meetings and video conferences with you.
Providing a demonstration to you.
Pursuing a sales process with you.
Preparing and signing an NDA or heads of terms for a sale discussion or proposed contracts.
Providing the information you have requested.
Legitimate Interest: We are responding to an inquiry you made, as you would expect, and you have implicitly requested our response by submitting your form.
For the purposes of marketing our products to you or the business or organisation you represent or work for.
Email marketing messages.
Consent: We will have asked for your consent, including in any website forms. You have the right to ask for this to stop.
Where you have signed up, we will use your data to send to our regular newsletter until you ask us to stop.
Consent: You requested this by submitting your email. You have the right to ask for this to stop.
To manage our business or other relationship with you or the company or organisation you work for.
Client account management, contract management, support, and delivery purposes, to deal with matters arising in relation to a service contract with us, and to deliver on the service contract with us.
Contract: To perform and manage a contract between you and us, or between the company or organisation you work for and us.
Legitimate Interest: We would not be able to manage our contracts properly without being able to contract our client or other parties to the contract.
We use CCTV to monitor access to our offices for security monitoring purposes.
To check if any unauthorised persons are accessing our premises.
Legitimate Interest: The protection of the security of our property and assets.
To be able to manage access to and use of the systems you are given access to.
To be able to give you the access intended.
To authenticate and authorise your access, and revoke your access.
To communicate with you about your access.
To maintain access logs and audit trails for the purposes of recording what you do in our systems.
Contract: To perform a contract with a client whom you work for.
Legitimate Interest: To protect the rights interests of our clients' in relation to their data you may have access to. To protect our rights and interests in relation to our data and information in the system. To maintain the security of our systems and be able to detect and evidence wrong-doing.
Training and Information Sharing
We may use your video and voice call recordings for the purposes of keeping evidence of the call, and incidentally in connection with the sharing of that video or call in our business.
We would not record a video or voice call without making you aware at the time.
Recording a meeting for the purposes of capturing the details of that meeting so that its information can be communicated to others not able to be present, can be actioned correctly, and evidence is maintained.
Recording of a training, event, or other type of meeting for the purposes of training or providing business information and updates internally.
Legitimate Interest: To be able to share training and business updates in our business to those not able to attend. To be able to keep a proper record for the effective performance of our business.
To manage your visits with us.
Arranging and administering face-to-face meetings and visits, and virtual meetings through videos.
Legitimate Interest: To be able to manage the day to day operation of our business effectively, and know who we are dealing with.
We use website usage information to be able assess the use of our website and improve it so that it is visited and used more, and has better rankings in search engines.
Capturing how many unique visitors there are and how often they are visiting and which parts of the site are used most.
Legitimate Interest: To be able to promote and grow our business through an effective and relevant website.
G - WHO DO WE SHARE YOUR DATA WITH?
We do not share the data in this privacy notice with any third party.
H - WHERE DO WE KEEP YOUR DATA?
Your data is kept in the systems referred to below. We no longer keep any paper records and all of your data is created, stored and retained electronically.
We have a marketing database and we use the following features of Hubspot where you contact us through a form on our website,
Details of their security can be found here: https://legal.hubspot.com/security
Microsoft 365 and SharePoint
ENSEK uses Microsoft 365, Exchange, and SharePoint for its general email, messaging, document creation, document storage, and document sharing.
Your personal data may appear there in an ad-hoc form where there is follow-up activity following an inquiry.
I - HOW LONG DO WE KEEP YOUR DATA FOR?
We will only use your data for as long as it is required for the purposes for which it is processed.
CCTV recordings are held for 30 days unless a recording is needed for evidence in relation to an incident that has happened, in which case the following will apply.
If you are (or you are staff of) a client or contractor of ENSEK, then your personal data will be retained for the duration of our relationship and contract with the client or contractor, and for 7 years thereafter.
In any other case, your data will be retained for 36 months.
J - HOW DO WE KEEP YOUR DATA SECURE?
We have appropriate security measures in place to prevent personal information from being accidentally lost, used, or accessed in an unauthorised way. In particular, we have the following measures to keep your data secure.
We are certified to and aim to keep certified to ISO 27001, which requires us to have a security management system and to maintain a wide range of security controls. See LINK: ISO 27001
We are also certified to and aim to keep certified to ISO 277001, which is an extension to ISO 27701 for privacy information management. See LINK: ISO 27701
We have our security controls audited independently by an auditor under the ISAE 3402 audit standard. See LINK: ISAE 3402
We have procedures in place to deal with any suspected data security breach affecting your data.
We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Other Measures and Controls
The above standards and audits require and examine all our security and privacy measures and controls, which we have in place to protect against unauthorised use, access to, change to, or disclosure of your data, against viruses and other malicious software, and against unauthorised access to our equipment, offices, networks, cloud systems, and databases.
These measures and controls cover areas such as office access controls, equipment log-in, cloud system log-in, and associated roles and permissions, network and access monitoring, staff training, management, staff background checks, usage monitoring, anti-virus, and other protective software and devices, and data segregation and encryption.
Individual system providers listed in this document have their own separate security and controls with respect to your data in their systems, and we consider these prior to using those systems.
We operate on a "cloud-first" basis, which means that your data is stored in secure and reputable cloud systems, rather than at any offices of ours.
We limit access to your personal information to those who have a genuine business need to know it.
Proportionate and Confidentially
Those processing your information will do so only in an authorised and proportionate manner and are subject to a duty of confidentiality.
K - WHAT ARE YOUR RIGHTS?
You have the following rights in relation to our processing of your personal data, but please note that these rights may be subject to conditions and exceptions set out in the law.
You can find out more here: LINK: ICO: Your Data Matters.
If you would like to exercise these rights, please contact our data protection officer or our head of information security.
If you ask for the following, we are obliged to pass this request down to the providers of the systems we use and anyone else we use to process your data, as needed. See LINK: Article 19 of the UK GDPR.
Right to be informed
You have the right to be informed if your data is being used.
This document is how we are informing you.
Right to withdraw consent
If any processing is based on your consent, you have the right to withdraw it at any time. Just email using our contact details in this document.
Right to stop direct marketing
You have the right to stop direct marketing at any time.
Right to a copy
You have a right to an update of the information in this document.
You also have a right to a copy of the personal data we hold about you.
See LINK: Article 15 - Paragraph 3 of the UK GDPR.
You have the right to ask for your data in a computer-readable form so that you can use it elsewhere.
See LINK: Article 20 of the UK GDPR.
Right to a correction
You have the right to request correction of your data (a right to rectification).
See LINK: Article 16 of the UK GDPR.
Right to erasure
You have the right to request the erasure of your data (also known as the right to be forgotten).
However, there are a range of exceptions to this, which mean that we do not have to erase your data if there are good reasons for retaining a copy of it.
See LINK: Article 17 of the UK GDPR.
Right to restriction
You have the right to request that we stop using your data for some purposes.
There are conditions that apply.
This means that we might still hold your data, but we would be stopped from using it for certain purposes.
See LINK: Article 18 of the UK GDPR.
Right to object to legitimate interests
If the legal basis for our using your personal data is a "legitimate interest", or we are using your data to market to you, then you can object to the processing.
See LINK: Article 21 of the UK GDPR.
We must stop the processing unless we can show that our interests should take precedence over yours.
Automated Decision Making
If we are making important decisions about using a computer, without any human involvement, then you can ask us to stop, subject to conditions.
See LINK: Article 22 of the UK GDPR.
Right to complain
We hope that our head of human resources and data protection officer can resolve any queries or concerns you have about our use of your personal data or your rights.
In any case, you have the right to complain to the Information Commissioner at any time.
Their details are:
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113
ICO website: ICO Complaints Page (Link).