1. Our company values regarding user privacy and data protection
- User privacy and data protection are human rights.
- We have a duty of care our customers, staff and stakeholders with their data.
- Data is a liability and should only be collected and processed when absolutely necessary
- We dislike spam as much as you do.
- We will never sell, rent or otherwise distribute or make public your personal information.
2. Relevant legislation
Along with our business and internal computer systems, this website is designed to be used by UK residents only. It complies with the following national and EU legislation with regards to the data protection of our customers, partners and user privacy.
- Data Protection Act 1998 (DPA)
- Data Protection Bill 2018
- EU General Data Protection Regulations 2018 (GDPR)
3. Personal data that this website collects and why we collect it
This website collects and uses personal information for the following reasons:
- Website Visitor Tracking
- Contact Forms
We use a number of different contact forms on this website. Should you choose to contact us by using our contact forms in any area of our website, none of the data that you supply will be stored by this website. The data submitted through our contact forms with regards to any grant funding enquiries will be processed by our contractor MintBlu Limited in partnership with an appropriate installation company and grant funding provider. MintBlu provide us with extra support to ensure we follow up with you quickly and process your information without delay. See section 7 on more information about MintBlu. Data collected with these forms are the basic building blocks required to provide you with our products and services. Not providing this information or asking us to stop using it, will prevent us from offering our products and services to you. Information submitted through our contact forms is emailed to our in-house team directly or our data processor MintBlu (see section 7) using Simple Mail Transfer Protocol (SMTP). The email content is then decrypted by our local computers and electronic devices.
- Email Links
We provide a number of different email links for your convenience on our website. Should you choose to contact us by using our email links, none of the data that you supply will be stored by this website. You will essentially transfer off of our website and into your own email system.
- Other Websites
Our website contains links to enable you to visit other sites of interest easily. Once you have used these links to leave our site you should note that we do not have any control of the other website. We cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question. Data collected about your interaction with this website is not transferred to or otherwise shared with the website you are transferring to.
- Other People’s data
5. How we store your personal information
As detailed under section 3 above, if you contact us by using our contact forms, the information you provide will not be stored on the website’s database.
We endeavour to take all reasonable steps to protect your personal information. However, we cannot guarantee the security of any data that you disclose online and we will not be responsible for any breach of security unless this is due to our negligence or wilful default.
Once we receive your information into our in-house systems, your data will be stored securely on our own servers and within our own systems in line with legal requirements.
6. About this website’s server
This website is hosted by UK-2 Limited on a London, UK based server.
Some of the data centre’s more notable security features are as follows:
- Optical, ionisation and heat detection sensors
- VESDA Fire Detection
- 24/7 On-site security teams
- CCTV with PIR motion detectors, beam detectors and alarms
- Dual-factor entry system
- Surplus generators to support ongoing operation
Full detail of the UK-2 Limited data centre can be found on www.uk2.net
All traffic (transfer of files) between this website and your browser is encrypted and delivered over Hyper Text Transfer Protocol Secure (HTTPS).
7. Our Third Party Data Controllers and Data Processors
We use a number of third parties to process personal data on our behalf. These third parties have been carefully selected and all of them comply with the legislation set out in section 2.
The Company set out above shares your personal information with the following organisations. In some cases these organisations may be an additional Data Controller and/or Data Processors, depending on the source of grant funding in your personal circumstances. Due to the breadth of products and services offered by the Company, please contact the Company for any clarification you may require with regards to your personal data journey.
In any event, your information will only be used to deliver your chosen products or services.
- MintBlu Limited is based in the UK, details can be found on Companies House
- The Department for Work and Pensions, based in the UK, overlooking applications of DWP recipients for grant funding. Their Information Charter can be found here.
- The Department of Business, Energy and Industrial Strategy is based in the UK and oversees the meeting of energy efficiency legislation.
- ECO Grant funding suppliers differ for each property and are dependent on postcode, type of measure and funding required. All obligated suppliers are listed here.
We will specifically ask you if you would like to hear from us in the future. Many of our offers are dependent on government policy, especially the availability of grant funding, where those who may not be eligible today, may be in the future. Enabling us to contact you in the future with offers of products and services does not prevent you from removing yourself from our distribution lists in the future. Contact us via email@example.com with the subject line ‘remove’ and we will do so.
9. Data Breaches
We will report any unlawful data breach relevant to this website, our in-house database or the database of any of our third party data processors to any and all relevant persons and authorities within 72 hours of the breach, if it is apparent that personal data stored in an identifiable manner has been lost, stolen or accidentally destroyed.
Our first point of contact in such cases is the Information Commissioners Office (ICO) as our regulatory authority in all aspects of privacy and data protection. The ICO can be contacted via www.ico.org.uk and our registration with them can be found on the public register.
The data controller of this website is City Energy Network Limited. Our registration with the ICO can be found on the public register under our registered address Coptic House, 4-5 Mount Stuart Square, Cardiff, CF10 5EE with registration number Z3489541.
11. Data Protection Officer
Ms Mireia Lopez Garcia
Data Protection Officer
02920 499 183
12.Your Rights under the GDPR from May 2018
- The right to be informed.
We meet your rights by providing you with this Privacy Statement.
- The right of access.
You have the right to obtain confirmation that your data is being processed and access to your personal information, also known as Subject Access Rights.
- The right of rectification.
You have the right to update us with any changes to your personal information if it is inaccurate or incomplete.
- The right of erasure.
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable you to request the deletion or removal of personal data whether there is no compelling reason for its continued processing.
- The right to restrict processing.
When processing is restricted, you permit us to store your personal data, but do not allow us to further process it. We can retain just enough information about you to ensure that the restriction is respected in future.
- The right to data portability.
It allows you to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
- The right to object.
You have the right to object to processing on legitimate interests or the performance of a task in the public interest, direct marketing and processing for purposes of scientific or historical research and statistics.
- The right to lodge a complaint with a supervisory authority.
The supervisory authority with regards to data protection and privacy is the Information Commissioners Office (ICO). Contact them on www.ico.org.uk or telephone 0303 123 1113.
13. Subject Access Request
You have the right to see your personal data as defined under the legislation that we keep about you upon receipt of a written request. Any request should be sent to:
DPO Ms Mireia Lopez Garcia
City Energy Network Ltd
4-5 Mount Stuart Square
We will ask you to verify your identity and will not provide such information until such time as we are satisfied that you have a right to this information.
Information will be provided to you within 30 days unless in exceptionally challenging situations where we may advise you of an extension of up to 60 days.
14. Data Retention
Once you have provided your information, the Company will retain your information as relevant to your product, service, grant funding and installation arrangements as outlined below.
|Record Type||Record Period|
|Company accounts, Finance & VAT records||6 years and current|
|Money Laundering||5 years|
|Internal audit records||6 years|
|Communication records (including enquiries)
|12 months from transaction|
|Warranty Records for Cavity Wall Insulation,
External Wall Insulation & Internal Wall Insulation
|25 years from transaction|
|ECO Customer Records including installation||6 years from transaction|
|Consumer Credit Records||6 years from last transaction|
|Health and Safety Accident and Incident Records||40 years|
|Waste||3 years from transaction|
|Electronic Waste (WEEE)||4 years from transaction|
|Data record destruction records||6 years after activity|
15. Changes to our privacy statement
This privacy statement may change from time to time in line with legislation, industry changes and internal company developments. We will not explicitly inform our customers, partners or website users of these changes.
Instead we recommend that you check this page occasionally for any changes to this statement. Specific statement changes and updates are mentioned in the change log below.
|Version||Date||Version Update Detail|
|2||01.08.2017||Statement updated with requirements under the GDPR|
|3||06.09.2017||Company name change|
|3.1||07.11.2017||DPO details updated|
|4||21.05.2018||Data Retention Information & Data Controllers added|