ENSEK's Public Privacy Notice

ENSEK LTD | PRIVACY NOTICE | GENERAL

(V2.2 2023-04-28)

1. WHO IS THIS PRIVACY NOTICE FOR?

2. WHAT THIS THIS PRIVACY NOTICE ABOUT?

3. WHO IS THE CONTROLLER OR PROCESSOR OF YOUR DATA?

4. WHAT DATA DO WE HOLD ABOUT YOU?

5. HOW DO WE OBTAIN YOUR DATA?

6. WHAT IS OUR LAWFUL BASIS FOR PROCESSING YOUR DATA??

7. WHAT PURPOSES DO WE PROCESS YOUR DATA FOR?

8. WHO DO WE SHARE YOUR DATA WITH?

9. WHERE DO WE KEEP YOUR DATA?

10. HOW LONG DO WE KEEP YOUR DATA FOR?

11. HOW DO WE KEEP YOUR DATA SECURE?

12. WHAT ARE YOUR RIGHTS?

13. USEFUL LINKS

1. WHO IS THIS PRIVACY NOTICE FOR?

This privacy notice is addressed to the types of individuals listed below (the data subjects). PLEASE ENSURE THAT YOU READ THIS NOTICE.

Contacts

(1) Individuals who are contacts for our clients, contractors or other third parties we may deal with.

(2) Contractors include development companies, professional services companies, and software and system suppliers.

(3) We hold this data as controller.

Energy Supply Customers

(1) Individuals who are supply customers of our clients, whose data is processed in our SaaS systems.

(2) Your energy supplier is the controller, and we are their data processor.

(3) We hold this data as processor.

Enquirers

(1) Individuals who make a sales or other enquiry with us, including by submitting a contact or request form through our website.

(2) Individuals who we include on our marketing database.

(3) We hold this data as controller.

Users

(1) Individuals who are given a log-in or account to any system of ours, such as individuals given access to our product help system or SaaS systems.

(2) This is mainly staff of our clients who are using our systems on behalf of our clients.

(3) This does not include our staff or contractors, as they are covered by separate privacy notices.

(4) We hold this data as processor (for our clients) and controller (with respect to usage data).

Visitors

(1) Individuals who visit and browse our website.

(2) Individuals who visit our offices or attend meetings we arrange.

(3) Individuals who join any video or audio conference call that we may set up.

(4) We hold this data as controller.

Not Listed?

(1) We have separate privacy notices for staff, job applicants, and contractors.

(2) These are available on request.

Any Questions?

If you have any questions, please contact our HR team in the first instance, and then our data protection officer if your question has not been resolved.

2. WHAT THIS THIS PRIVACY NOTICE ABOUT?

This privacy notice explains what personal data we hold about you, how we collect it, how we use it, who we share it with, and what your rights are. We are required to notify you of this information, under data protection legislation. Set out below are some general points to note before reading further.

What is the applicable law?

(1) This document is a privacy notice is published to comply with Article 13 and Article 14 of the UK GDPR.

(2) You can find our more information here: (a) Information Commissioner's Office; (b) UK GDPR; (c) Data Protection Act 2018.

What is our commitment as controller?

(1) The controller of your data is the person ultimately responsible for the processing of your data.

(2) As the controller of your data, we are committed to complying with our legal obligations as controller of your personal data, and to transparency about what we use your data for.

(3) Our legal obligations are set out in: the UK GDPR and DATA PROTECTION ACT 2018 (supplements the UK GDPR).

(4) As controller, we comply with the DATA PROTECTION PRINCIPLES when gathering and using personal information. We seek to ensure that our information collection and processing is always proportionate.

(5) We will inform you of any material changes to information we collect or to the purposes for which we collect and process it.

What is our commitment as processor?

(1) The processor of your data is the person who is processing data on behalf of the controller (such as a sub-contractor).

(2) If we are the processor of your data, we are committed to complying with our legal obligations as processor of your personal data, and to transparency about what we use your data for.

(3) Our legal obligations are set out in: the UK GDPR and DATA PROTECTION ACT 2018 (supplements the UK GDPR).

(4) As a processor, our main obligations are to keep your data secure, and only to process it in accordance with the instructions of the controller.

Energy Supply Customers

(1) If you are a customer of an energy supplier, and any personal data relating to you (and your energy supply) is processed by us in our cloud service for your supplier, then please read the following.

(2) We are only the data processor. Your supplier is the controller of the personal data we hold. You should ask your supplier for their privacy notice. Your rights in this document should be exercised against your supplier, who will contact us if we need to be involved.

(3) The majority of this document does not apply to you, but please note that we do owe our security obligations to you and the controller, and you still have the right to complain about us to the Information Commissioner directly.

(4) For information, we process a large range of data relating to your energy supply contract. for the supplier. This includes your supply contract details, your contact, meter and address details, meter readings, prices, bills, payments, debt, and complaints. We only process these according to the instructions of your supplier.

Must you provide data?

(1) There is no obligation to provide the data referred to in this privacy notice.

(2) However, if you are a customer of an energy supplier, then they will need data relating to your supply in order to make the supply of energy to you.

Contracts

When we refer to a contract in this privacy notice, we mean any contract for supply of services between you and us, and any non-disclosure agreement or heads of terms between you and us.

Processor and Controller

This privacy notice sets out whether we, or any person we transfer your data to, are: (a) controller (ultimately responsible); (b) processor (handle data for someone else).

3. WHO IS THE CONTROLLER OR PROCESSOR OF YOUR DATA?

The controller (or where applicable, processor) of your data is ENSEK LTD, and our contact details are set out blow.

Our Company Name

ENSEK Ltd

Our Company Number

UK Companies House: 07167027

Our Country of Registration

England and Wales

Our Registered Office

(1) Hounds Gate, 30-34 Hounds Gate, Nottingham, England, NG1 7AB.

(2) This is also our postal address and head office.

Our Website

https://ensek.com/

Data Protection Email

dataprotection@ensek.co.uk

Our Data Protection Officer

Our Data Protection Officer can be contacted through the email address provided above

4. WHAT DATA DO WE HOLD ABOUT YOU?

This section lists what data we hold about you in connection with your dealings with ENSEK Ltd.

CCTV

You may be captured on CCTV if you visit our premises. There is CCTV located in the main building reception and the car park. It is operated by the landlords of the building. We may review a copy if there has been an incident relevant to us.

Communications

Any emails and messages, and notes of any calls, between you and us.

Company Name

The name of any company or other organisation you are representing or work for.

Email

(1) Web Download in Email - image download email.

(2) Direct Messages from linked in or other social meter, phone calls.

Email Address

This will be the email address that is supplied to us, so it could be a work or private email address depending on what is supplied.

Enquiries

Any queries and other enquiries that you raise with us, and responses that we give to you.

Job Title

Your job title or role at the company or other organisation you represent or work for.

Log-Ins

(1) Log-in and account details where you are given access by us to any system (e.g. SaaS system) or resource (e.g. user guides).

(2) Data concerning your logging in to and use of our systems, to tack and monitor correct usage, and to support our clients in dealing with wrongful usage.

Name

Your first name, middle names, and last names.

Phone Number

Your telephone number supplied to us, and/or any public telephone number published by any company or organisation you represent.

Product Usage Information

(1) We capture information about visits to the web based user interfaces for our SaaS products. This will be visits by client staff who have accounts in our SaaS products, or by our own staff.

(2) This comprises: (a) page views; (b) browser name; (c) browser version; (d) server name; (e) first visit; (f) last visit; (g) sample group; (h) client you work for; (i) language; (j) your user roles; (k) number of days active; (l) average usage per day; (m) total usage time; (n) usage trend; (o) quantity of events; (p) page usage time; (q) feature clicks.

Relationship

Your relationship with us, such as whether you are a client, potential sales opportunity, supplier, visitor or other.

Usage Information

If you are given user rights to access any of our systems, then we may record and store information about your use of those systems, including APIs called and tasks undertaken in the systems.

Video Call Recordings

Your image and voice may be captured if you allow your video feed or audio to feature in any video call or conference we arrange and record. For instance a business update, or training, conference to which you are invited.

Website Usage Information

(1) We capture and record information about visits to our website, and our cookies notice gives further information on this.

(2) This may include when you visited, the IP address you visited from, browser information, your location in the globe, the pages you visited, the parts of the pages you viewed, and server session information concerning any processes you are undertaking through our website.

(3) This information may be captured by means of JavaScript, and by cookies or other local browser storage technologies, which are detailed further in our cookies notice.

(4) This is not recorded against you personally, and is stored and used in an anonymous form, except that if you are added to our marketing database HubSpot, the information may be linked to you at that point.

5. HOW DO WE OBTAIN YOUR DATA?

This section sets out how we obtain your data, including from you and other sources.

From Forms You Complete

We obtain it from forms you complete, including any general enquiries, sales, media contacts, demo requests forms on our website, and any newsletter sign-up.

From Your Documents

From files and documents you provide to us, and emails and messages you send, and from your public LinkedIn account.

From Conversation With You

We obtain it from conversation with you, which may include phone calls and video calls, emails, and instant messaging.

From Your Web Browser and Email Client

(1) From data automatically supplied by your web browser when you visit our website.

(2) From data we collect through your browser by means of cookies, JavaScripts and other technologies on our website.

(3) From tracking images downloaded in our marketing emails, that capture when the email was opened and whether you clicked on links in it.

From Our SaaS Systems

Where we are collecting analytics concerning usage of our SaaS systems by staff of our client or our own staff, we will again collect data from your web browser and we may also collect data from events in our SaaS system that are associated with your user account.

6. WHAT IS OUR LAWFUL BASIS FOR PROCESSING YOUR DATA??

To be able to process your data we need to have a lawful basis for doing so under the law.

Contract

To enter into or perform a contract with you or your employer or company.

Criminal Records

(1) We do not process any data concerning your criminal convictions.

(2) However, we may do so if you are a job applicant or employee or contractor - and you should see our separate privacy notices for those roles.

Legal Obligation

We need to do so to comply with a legal obligation or exercise a legal right. This could be a statute.

Our Legitimate Interests

(1) We do so for our "legitimate interests".

(2) This is flexible ground which we must prove.

(3) It requires a judgement on our part, but is typically doing something you would normally expect, or there is a compelling justification.

(4) You have a right to object if you don't agree with our judgement (see later in this notice), and we must stop if it is clear you have overriding reasons for asking us to stop.

(5) Most of our processing would fall within legitimate interests or contract performance, such as: (a) operating a proper and secure procurement process; (b) verification of identity; (c) assessment of suitability; (d) security checks; (e) making informed decisions; (f) negotiating contracts; (g) managing the supply of services to us and monitoring that it is in accordance with the contract; (h) monitoring use of our networks, systems, and offices; (i) performing our contractual commitments with our clients; (j) securing work and services outputs; (k) financing and insuring our business; and (l) improving our products and services.

Sensitive Data

(1) We do not process any data concerning your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics, biometrics, health, or sex life or sexual orientation.

(2) However, we may process health data if you are a job applicant or employee or contractor - and you should see our separate privacy notices for those roles.

Your Consent

(1) If the above do not apply, we would need to get your consent to the specific use.

(2) This could be an explicit documented consent, or it could be implicit because you have requested some action to be taken involving your data.

Your Interests

We need to do so, to protect you vital interests. This could include care for your health and safety.

7. WHAT PURPOSES DO WE PROCESS YOUR DATA FOR?

This part sets out the key purposes we use your data for.

Enquiry Follow-Up

(1) PURPOSE | For the purposes of following up on an enquiry or request you made, including any follow-up sales processes.

(2) EXAMPLES | (a) Telephoning or emailing you following an enquiry by you. (b) Arranging meetings and video conferences with you. (c) Providing a demonstration to you. (d) Pursuing a sales process with you. (e) Preparing and signing an NDA or heads of terms for a sale discussion or proposed contracts. (f) Providing information you have requested.

(3) LAWFUL BASIS | Legitimate Interest- We are responding to an enquiry you made, as you would expect, and you have implicitly requested our response by submitting your form.

Marketing

(1) PURPOSE | For the purposes of marketing our products to you or the business or organisation you represent or work for.

(2) EXAMPLES | (a) Email marketing messages. (b) Linked-in campaigns.

(3) LAWFUL BASIS | (a) Consent- We will have asked for your consent, including in any website forms. (b) You have the right to ask for this to stop.

(1) PURPOSE | Where you have signed-up, we will use your data to send to our regular newsletter until you ask us to stop.

(2) LAWFUL BASIS | (a) Consent- You requested by submitting your email. (b) You have the right to ask for this to stop.

Product Improvement

(1) PURPOSE | (a) Our main products are SaaS products, which are accessed by our clients using a web user interface. (b) The quality of that user interface determines how well and efficiently our clients and their staff are able to use our products. (c) We therefore, as with a web site, we seek to capture information about how our SaaS products and their interfaces are used by our staff, which we then use to consider and improve the design of our products and the user guidance we provide.

(2) LAWFUL BASIS | (a) Legitimate interest - To be able to improve our products. (b) Contract - To be able to deliver SaaS products that meet the standards expected by our clients in their contracts with us.

Relationship Management

(1) PURPOSE | To manage our business or other relationship with you or the company or organisation you work for.

(2) EXAMPLES | Client account management, contract management, support, and delivery purposes, to deal with matters arising in relation to a service contract with us, and to deliver on the service contract with us.

(3) LAWFUL BASIS | (a) Contract- To perform and manage a contract between you and us, or between the company or organisation you work for and us. (b) Legitimate Interest- We would not be able to manage our contracts properly without being able to contract our client or other party to the contract.

Security

(1) PURPOSE | We use CCTV to monitor access to our offices for security monitoring purposes.

(2) EXAMPLES | To check if any unauthorised persons are accessing our premises.

(3) LAWFUL BASIS | Legitimate Interest- The protection of the security of our property and assets.

System Management

(1) PURPOSE | To be able to manage access to and use of the systems you are given access to.

(2) EXAMPLES | (a) To be able to give you the access intended. (b) To authenticate and authorise your access, and revoke your access. (c) To communicate with you about your access. (d) To maintain access logs and audit trails for the purposes of recording what you do in our systems.

(3) LAWFUL BASIS | (a) Contract- To perform a contract with a client whom you work for. (b) Legitimate Interest- To protect the rights interests of our clients' in relation to their data you may have access to. (c) To protect our rights and interests in relation to our data and information in the system. (d) To maintain the security of our systems and be able to detect and evidence wrong-doing.

Training and Information Sharing

(1) PURPOSE | (a) We may use your video and voice call recordings for the purposes of keeping evidence of the call, and incidentally in connection with the sharing of that video or call in our business. (b) We would not record a video or voice call without making you aware at the time.

(2) EXAMPLES | (a) Recording a meeting for the purposes of capturing the details of that meeting so that its information can be communicated to others not able to be present, can be actioned correctly, and evidence is maintained. (b) Recording of a training, event, or other type of meeting for the purposes of training or providing business information and updates internally.

(3) LAWFUL BASIS | (a) Legitimate Interest- To be able to share training and business updates in our business to those not able to attend. (b) To be able to keep a proper record for the effective performance of our business.

Visit Management

(1) PURPOSE | To manage your visits with us.

(2) EXAMPLES | Arranging and administering face-to-face meetings and visits, and virtual meetings through videos.

(3) LAWFUL BASIS | Legitimate Interest- To be able to manage the day to day operation of our business effectively, and know who we are dealing with.

Website Improvement

(1) PURPOSE | We use website usage information to be able assess the use of our website and improve it so that it is visited and used more, and has better rankings in search engines.

(2) EXAMPLES | Capturing how many unique visitors there are and how often they are visiting and which parts of the site are used most.

(3) LAWFUL BASIS | Legitimate Interest- To be able to promote and grow our business through an effective and relevant website.

8. WHO DO WE SHARE YOUR DATA WITH?

This section details who we may share your information with. We will normally share in confidence unless the law requires otherwise

Auditors

(1) PURPOSE | (a) We may share your personal data with any third party that is auditing our business and controls, including our security measures and operational controls, for the purposes of evidence, but only to the extent reasonably required for such evidence. (b) It will be shared securely, and under a non-disclosure agreement; and is shared normally to the auditors secure evidence repository.

(2) RECEIVED AS | They use it as our sub-processor, to provide audit services to us.

Other Staff

(1) PURPOSE | We may share your information where relevant with other staff who are to be involved in engaging you.

(2) RECEIVED AS | They will receive it in their capacity as our staff.

9. WHERE DO WE KEEP YOUR DATA?

Your data is kept in the systems referred to below. We no longer keep any paper records and all of your data is created, stored, and retained electronically.

HubSpot

(1) We have a marketing database and we use the following features of HubSpot where you contact us through a form on our website,

(2) Details of their security can be found here: https://legal.hubspot.com/secu...

Microsoft 365 and SharePoint

(1) ENSEK uses Microsoft 365, Exchange, and SharePoint for its general email, messaging, document creation, document storage and document sharing.

(2) Your personal data may appear there in an ad-hoc form where there is follow-up activity following an enquiry.

Pendo

(1) SaaS product usage information for our SaaS product users, is stored in the Pendo solution (see useful links) in a pseudo anonymised form.

(2) We hash the user's email address and only store the hash in Pendo, along with the analytics information associated with that user.

(3) It is not possible for Pendo to link the data back to a person, only ENSEK Ltd can do that by using the original email address stored in ENSEK Ltd.'s SaaS systems.

10. HOW LONG DO WE KEEP YOUR DATA FOR?

This section covers our retention policy.

General Principle

We will only use your data for as long as it is required for the purposes for which it is processed.

Archiving Period | CCTV

CCTV recordings are held for 30 days, unless a recording is needed for evidence in relation to an incident that has happened, in which case the following will apply.

Archiving Period | Clients and Contractors

If you are (or you are staff of) a client or contractor of ENSEK, then your personal data will be retained for the duration of our relationship and contract with the client or contractor, and for 7 years thereafter.

Archiving Period | Other

In any other case, your data will be retained for 36 months.

11. HOW DO WE KEEP YOUR DATA SECURE?

This section covers our security measures.

General Principle

(1) We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way.

(2) In particular we have the following measures to keep your data secure.

ISO 27001

We are certified to and aim to keep certified to ISO 27001, which requires us to have a security management system, and to maintain a wide range of security controls. See ISO 27001

ISO 27701

We are also certified to and aim to keep certified to ISO 277001, which is an extension to ISO 27701 for privacy information management. See ISO 27701

SOC

We have our security controls audited independently by an auditor under the ISAE 3402 audit standard. See ISAE 3402

Data Breach

(1) We have procedures in place to deal with any suspected data security breach affecting your data.

(2) We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Other Measures and Controls

(1) The above standards and audits require and examine all our security and privacy measures and controls, which we have in place to protect against unauthorised use, access to, change to, or disclosure of your data, against viruses and other malicious software, and against unauthorised access to our equipment, offices, networks, cloud systems, and databases.

(2) These measures and controls cover areas such as office access controls, equipment log-in, cloud system log-in and associated roles and permissions, network and access monitoring, staff training, management, staff background checks, usage monitoring, anti-virus and other protective software and devices, and data segregation and encryption.

System Providers

Individual system providers listed in this document have their own separate security and controls with respect to your data in their systems, and we consider these prior to using those systems.

Cloud First

We operate on a "cloud first" basis, which means that your data is stored in secure and reputable cloud systems, rather than at any offices of ours.

Access Controls

We limit access to your personal information to those who have a genuine business need to know it.

Proportionate and Confidentially

Those processing your information will do so only in an authorised and proportionate manner and are subject to a duty of confidentiality.

12. WHAT ARE YOUR RIGHTS?

This section covers your rights in relation to our processing of your data.

Introduction

(1) You have the following rights in relation to our processing of your personal data, but please note that these rights may be subject to conditions and exceptions set out in the law.

(2) If you would like to exercise these rights, please contact the head of human resources or our data protection officer.

Our Service Providers

If you ask for the following, we are obliged to pass this request down to the providers of the systems we use and anyone else we use to process your data, as needed. See Article 19 of the UK GDPR.

Right to be informed

(1) You have the right to be informed if your data is being used.

(2) This document is how we are informing you.

(3) See Article 13 and Article 14 of the UK GDPR.

Right to withdraw consent

If any processing is based on your consent, you have the right to withdraw it at any time. Just email using our contact details in this document.

Right to stop direct marketing

You have the right to stop direct marketing at any time.

Right to a copy

(1) You have a right to an update of the information in this document.

(2) You also have a right to a copy of the personal data we hold about you.

(3) See Article 15 - Paragraph 3 of the UK GDPR.

(4) You have the right to ask for your data in a computer readable for, so that you can use it elsewhere.

(5) See Article 20 of the UK GDPR.

Right to a correction

(1) You have the right to request correction of your data (a right to rectification).

(2) See Article 16 of the UK GDPR.

Right to erasure

(1) You have the right to request erasure of your data (also known as the right to be forgotten).

(2) However, there are a range of exceptions to this, which mean that we do not have to erase your data if there are good reasons for retaining a copy of it.

(3) See Article 17 of the UK GDPR.

Right to restriction

(1) You have the right to request that we stop using your data for some purposes.

(2) There are conditions that apply.

(3) This means that we might still hold your data, but we would be stopped from using it for certain purposes.

(4) See Article 18 of the UK GDPR.

Right to object to legitimate interests

(1) If the legal basis for our using your personal data is a "legitimate interest", or we are using your data to market to you, then you can object to the processing.

(2) See Article 21 of the UK GDPR.

(3) We must stop the processing, unless we can show that our interests should take precedence over yours.

Automated Decision Making

(1) If we are making important decisions about using a compute, without any human involvement, then you can ask us to stop, subject to conditions.

(2) See Article 22 of the UK GDPR.

Right to complain

(1) We hope that our head of human resources and data protection officer can resolve any quey or concern you have about our use of your personal data or your rights.

(2) In any case, you have the right to complain to the Information Commissioner at any time.

(3) Their details are: (a) Address - Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; (b) Helpline number - 0303 123 1113; (c) ICO website - https://ico.org.uk/make-a-complaint/