Data Protection Policy

Policy Objective

Data Protection Law, namely the General Data Protection Regulations, puts strict requirements on the way that organisations manage personal data.

Policy Owners

The policy ownership belongs to the Senior Management Team. The day-to-day management of the policy and its provision will rest with the Business Unit Managers.

Primary Audience

This policy applies to every employee and every subcontractor under Effective Energy’s control. Suppliers that are working on our behalf or in our name, through outsourcing of services, processes or any business activity, will be required to act consistently with this policy. Effective Energy expects its partners to adopt a similar policy and adequate procedures.

Scope

The scope of this policy is business wide and applies to all Effective Energy operations, including businesses and legal entities.

Policy statement

In order to undertake its obligations effectively, deliver services and meet customer requirements, Effective Energy needs to collect, use and retain information, much of which is personally identifiable information about:

  • Our employees or their families
  • Members of the public
  • Local authorities or other public bodies
  • Other organisations and their employees.

We regard the lawful and correct treatment of personal data by Effective Energy as very important for successful operations, and to maintain the confidence of our clients. To this end, Effective Energy will ensure compliance in all its functions with relevant data protection law, including but not limited to the General Data Protection Regulations.

Compliance with the Principles

The principles of the GDPR state that personal data shall be:

  • Processed lawfully, fairly and in a transparent manner in relation to individuals;
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Lawful basis for processing

In order to comply with these principles, Effective Energy will ensure that the use of personal data is reviewed in the business and the lawful basis for the processing is documented for all purposes.

Individual rights

Effective Energy will ensure that the individual rights provided for by GDPR are maintained, including:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights related to automated decision making including profiling

Accountability and governance

Accountability is a large part of GDPR and Effective Energy will ensure compliance by:

  • Implementing this Data Protection Policy
  • Reviewing personal data in the business and, where possible, designing out the potential for non-compliance
  • Putting written contracts in place with organisations that process personal data on our behalf
  • Documenting processing activities
  • Implementing appropriate security measures
  • Recording and where necessary reporting personal data breaches

Security

A key principle of Data Protection law is to maintain adequate security measures on all personal data held by the organisation. Effective Energy Solutions will:

  • Review data in the business and assess the current security in place and assess the risk of data being accessed, altered, disclosed or deleted by unauthorised users.
  • Put in place measures to protect data using both technical and physical measures.
  • Implement measures to improve security where proportionate to the risk and use, where appropriate, pseudonymisation and encryption.
  • Put appropriate measures in place to ensure we can restore access and availability of our systems and services to ensure our data remains accessible and useable.
  • Test the effectiveness of the measures implemented and undertake any required improvements.