About this policy
At any one time we have between 60 and 80 different and separately-funded projects underway. All of these are helping people and communities to meet real needs for both environmentally sound and affordable energy services. These projects operate in different ways but nearly all process some sort of personal data.
We’re committed to processing this data lawfully, safely and securely and have stringent data security and data protection practices in place.
This policy gives a broad overview of how the organisation as a whole processes personal data but if you would like to find out how the project you are involved in is processing your personal data, please contact firstname.lastname@example.org and someone will be in touch (within 30 days) to answer your questions.
If you have received support from our Home Energy Team through our advice line, please head to this page for more specific information about how we will use your data.
References to 'we' or 'us' are to the Centre for Sustainable Energy, registered charity number 298740, registered company number, 2219673. Our registered offices are at St James Court, St James Parade, Bristol BS1 3LH.
Why we process data
There are many reasons why we process personal data, including but not limited to:
- Giving advice on keeping warm at home and energy efficiency improvements.
- Administering grants, funds and loans.
- Providing mentoring or advice to groups or individuals on topics like community energy, low carbon planning and community development.
- Organising and holding events, workshops and consultations.
- Carrying out energy audits, technical assessments or measuring energy usage.
- Carrying out research such as surveys and interviews.
- Contacting others working in the energy sector and those who we work with collaboratively to influence policy.
- Updating people about the work we are doing through our e-news, 'Energise' newsletter and annual report.
- Evaluating and improving the services we offer and the work that we do.
- Supporting human resources and administrative functions – like processing payments and recruiting staff.
The lawful basis for processing
The lawful basis for processing your data will depend on how you are interacting with us and what your relationship is with us. Below is a short overview of the different lawful basis we are using to process personal data:
- Consent: In some situations we will ask for your consent to process your data. This applies to our e-newsletters. It may also apply in some of our other projects or activities.
- Contractual obligation: Because we have a contractual obligation, for example to provide you with something you have purchased from us or contracted us to provide.
- Statutory obligation: we are obliged by law to process certain types of personal data, for example, processing salary information for taxation.
- In some extremely limited circumstances we may rely on vital interests. This would only be in situations where we needed to process data in order to protect someone’s life.
- Our legitimate interests: as detailed below.
Our legitimate interests include:
Providing comprehensive advice through the Home Energy Team advice line and in-person advice services
In order to provide comprehensive advice on energy it is necessary for us to collect certain personal information so that we are able to give accurate information and relevant support. There’s more detailed information available on how this data is used available here.
Maintaining relationships with relevant business contacts
This includes people working within our sector or with whom we have a professional relationship. We may process personal information in order to inform people of our work, events and activities, coordinate collaborative work, or to invite people to participate in research or policy work. It also includes processing personal data for the purposes of highlighting the need for and benefits of policy change e.g. to MPs, relevant local authority personnel or other policy makers. It further includes occasionally sending materials about our work by post (e.g. our Energise newsletter and Annual Report).
It’s necessary for us to process certain types of personal data in order to manage our relationships with our employees, volunteers and trustees. We also consider it in our legitimate interests to process personal data for the purposes of recruitment.
General operation and administration
This includes responding to solicited requests and enquiries, complying with internal and external governance procedures, financial reporting and communicating for purposes such as facilities management.
Carrying out research to support our charitable objectives
We consider it to be within our legitimate interests to invite people to participate in research projects that work towards achieving our charitable mission.
Contacting people to inform them about services of benefit to them
This includes contacting people to let them know about services, specific activities, projects or events which may be of direct benefit to them or where they are likely to have a professional interest e.g. contacting neighbourhood planning groups to inform them about financial support for their activities.
We have balanced our legitimate interests against the rights and freedoms data subjects have enshrined in law through the General Data Protection Regulations and consider that they have a minimal privacy impact. However, you have the right to opt out or object to our processing of your data on the basis of legitimate interests. You can do so by emailing email@example.com and we’ll respond within 30 days.
Sharing and storing data
In some situations for some projects we will share your information with other organisations. This may include the funder or other project partners (e.g. to obtain a grant or help from them). We will make it clear whether we intend to share your data when we obtain it from you.
We take data security very seriously and are certified on the Cyber Essentials scheme, the Government-backed and industry supported scheme to guide businesses in protecting themselves against cyber threats. We store and process most of the personal data we hold on our secure, internal system which is hosted on servers located in the UK. When we keep paper records, they are stored in locked cupboards accessible only to limited members of staff.
When we use third parties to process your data (e.g. for e-mail news distribution) we only do so if they are based in the EU, registered in the EU-US Privacy Shield Framework, or in a country described as having adequate data protection by the European Commission.
How long we keep your data for will depend on the purposes for which we are using it, which will vary from project to project. Our internal policy and governance procedures describe the maximum amount of time we will keep your data; these are available on request.
When we destroy or delete your data we will do so securely.
Contact us with any questions
We’re happy to answer any questions you have about how we are using your data. You can ask us to:
- Tell you what data we have about you.
- Stop using your data in a certain way.
- Withdraw your consent for us to use your data (if consent is the lawful basis for processing).
- Object to our definition of our legitimate interests or opt out of us processing your data on this basis.
- Delete your data.
- Correct your data.
You can do any of the above by contacting us at firstname.lastname@example.org or ringing our main switchboard on 0117 934 1400. We won’t charge you for this service.
If you aren’t happy about how we have used your data, you can make a complaint via these contact details. You can also contact the Information Commissioner’s Office if you aren’t satisfied with our response.