Privacy Policy
Introduction
- Welsh Power Group Limited is a private limited company registered in England and Wales with its registered address at: Fourth Floor, 2 Kingsway, Cardiff, CF10 3FD with registered number: 05766467 (collectively referred to as “the Company”, "we", "us" or "our" in this privacy policy (“Privacy Policy”)).
- The Company is the Data Controller responsible for your Personal Data.
- We respect your privacy and are committed to protecting your Personal Data lawfully, in compliance with UK GDPR.
- The purpose of this Privacy Policy is to set out how we collect, use and protect your Personal Data, including when you visit our website, provide any Personal Data when you use our contact form or otherwise communicate with us e.g. by phone, in writing, or e-mail.
- Our use of any information we collect about you when you visit our website or otherwise will be governed by this Privacy Policy together with any internal Data Protection Policy and any other Privacy Notices that we may provide to you on specific occasions when we are collecting or Processing Personal Data about you e.g. for job applications, during employment or when contracting with us so that you are fully aware of how and why we are using your data.
- This Privacy Policy supplements other Privacy Notices and is not intended to override them. This Privacy Policy should also be read in conjunction with the Privacy Notices as applicable and the Terms and Conditions of Use of this website, and forms part of the Terms and Conditions of Use.
What Personal Data do we collect about you & How?
- We may collect and use Personal Data about you if:
  - you contact us via the website
  - make enquiries or send other communications
  - apply for jobs
  - visit our offices or sites
  - work for us as an employee, consultant, agent or contractor.
- Most of the information we collect about you is provided directly by you when you send it to us for example via the website contact form, by e-mail or if you call or write to us or if you visit our office. The type of Personal Data we have about you will depend on your relationship with us.
- We have listed below examples of some of the Personal Data we may collect about you:
a) Your contact details (including, name, date of birth, title, postal addresses, telephone numbers and email addresses) to keep in touch with you and/or contract with you
b) Your age, gender, employment history, role, position and/or job title, work experience and other information that you provide us when applying for a job - if applying for a role with the Company please read the privacy policy for candidates or, if this has not been provided, you can request it by contacting us
c) Financial information from an individual and/or supplier in order to fulfil any contractual obligations we have with your business or with a view to enter into a contract with you. This can include your payment details including your bank details
d) Any personal information you choose to give us when contacting us
e) Other operational Personal Data created, obtained, or otherwise processed in the course of carrying out our business activities, including but not limited to, details of your visits to our office or premises, logs of visitors, and logs of accidents, injuries
f) We may also collect information about you from public sources, for example from the Land Registry, Companies House etc.
Personal Data protection principles
- We adhere to the principles relating to Processing of Personal Data set out in the UK GDPR which require Personal Data to be:
  - Processed lawfully, fairly and in a transparent manner
  - Collected only for specified, explicit and legitimate purposes
  - Adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed
  - Accurate and where necessary kept up to date
  - Not kept for longer than is necessary for the purposes for which the data is Processed
  - Processed in a manner that ensures its security to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage
  - Not transferred to another country without appropriate safeguards being in place
  - Allow you to exercise your rights in relation to your Personal Data.
Processing
- Personal Data must be processed lawfully, fairly and in a transparent manner. We will only process your Personal Data for specified and legitimate purposes, where:
a) you have given your Consent to such Processing (which you may withdraw at any time, as detailed below)
b) Processing is necessary for the performance of a contract with you or your employer
c) Processing is necessary to meet our legal compliance obligations or to protect your vital interests
d) Processing is necessary to pursue our legitimate interests
e) Respond to and deal with your query if you contact us
f) Process your application if you have applied for a role with us
g) Investigate, respond to and/or process any complaints
h) Fulfil our obligations under any contract we may have with you or your employer
i) Contact you about the services we offer (where we have received your Consent to do so)
j) Comply with our legal and regulatory obligations
k) Comply with court orders
l) Exercise and/or defend our legal rights
m) Record and monitor health and safety incidents on our premises.
Consent
- Where we need your specific Consent to hold your Personal Data we will ask you to confirm your Consent in writing and we will inform you why we are collecting the Personal Data, how we will use it, how long we keep it for, who else will have access to it and what your rights are as a data subject.
- Where we do rely on Consent you have the right to change your mind and withdraw that Consent at any time by writing to us. If you withdraw your Consent we will immediately cease using any Personal Data obtained and processed under that Consent unless we have some other legal obligation to continue to use it.
Storage limitation
We will only retain your Personal Data for as long as necessary for the period it is required. When deciding how long we keep your information we take into account the purpose for which the data was collected, our legal obligations and/or our Data Retention Policy. Depending on the purpose for which we hold your Personal Data, retention periods may vary but if you so request, we are happy to provide you with the relevant retention period for the Personal Data we hold in relation to you.
Access to your Personal Data
- There may be occasions where we also share your details with third parties (if necessary), including:
  - our group companies
  - advisors, including insurers, legal advisors or third-party suppliers/service providers who perform functions on our behalf under contract, support our systems, operations and/or processes
  - tax, audit, or other authorities, when we believe the law or other regulation requires us to share this information
  - any government, regulatory agency, enforcement or exchange body or court where we are required to do so by applicable law or regulation or at their request.
- The Personal Data we collect from you may be transferred to (including accessed in or stored in) a country or territory outside the European Economic Area (“EEA”), including to countries whose laws may not offer the same level of protection of Personal Data as are enjoyed within the EEA.
- We will ensure that any such international transfers are made subject to appropriate or suitable safeguards as required by the UK GDPR.
Your rights and requests
- You have certain rights when it comes to how we handle your Personal Data. Some of these are briefly summarized below and include rights to:
a) Access: The right to request access to the Personal Data we hold about you, understand why we have that information and be aware of who has access to the information and where we obtained the information from. You also have the right to request a copy of an agreement under which Personal Data is transferred outside of the EEA
b) Consent: the right to withdraw Consent to Processing at any time where we are relying on Consent to process your Personal Data
c) Erasure: the right to ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed. Upon receiving a request for erasure we will confirm whether it has been deleted or give a reason why it cannot be deleted (for example because we have a legal obligation to keep the information or we need it for a legitimate business interest)
d) Accuracy: The right to correct and update the information we hold about you. If the Personal Data we hold about you is out of date, incomplete or incorrect you can inform us and your Personal Data will be updated
e) Challenge: the right to challenge Processing which has been justified on the basis of our legitimate interests or in the public interest
f) Object: The right to object to Processing of your Personal Data. You may request that we stop Processing information about you. Upon receiving your request we will contact you and let you know if we are able to comply or if we have legitimate grounds to continue to process your Personal Data
g) Restrict: prevent Processing that is likely to cause damage or distress to you or anyone else
h) Notification: the right to be notified of a Personal Data Breach which is likely to result in high risk to your rights and freedoms
i) Complain: you have the right to make a complaint to the supervisory authority
j) Transfer: in limited circumstances you have the right to receive or ask for your Personal Data to be transferred to a third party.
- We will verify the identity of an individual requesting Personal Data under any of the rights listed above before responding to the request.
Queries or Requests
- If you have any queries in relation to this Privacy Policy, or need more information please do not hesitate to contact us and mark as for the attention of the Data Protection Manager.
- To exercise your rights, some of which are outlined above, please send your request in writing. We may be required to verify your identity for security purposes as noted above. We will comply with your request where it is feasible to do so, within 30 days of verifying your identity. There are no fees or charges for the first request. However additional requests for the same data may be subject to an administrative fee. To exercise your rights please do so by writing to:
The Data Protection Team
Welsh Power Group Limited
Fourth Floor
2 Kingsway
Cardiff
CF10 3FD
Complaints
- We aim to ensure all Personal Data collected about you is done so fairly and lawfully, whilst implementing robust measures to keep your information secure. If you are not satisfied with the information provided in this Privacy Policy, we would be grateful if you would contact us in the first instance so we can resolve your queries or provide you with any additional information required. To contact us in relation to any complaint, please use the contact form and mark as for the attention of the Data Protection Manager or write to us at:
The Data Protection Team
Welsh Power Group Limited
Fourth Floor
2 Kingsway
Cardiff
CF10 3FD
- Alternatively, it is your right to contact your local Data Protection Authority and lodge a complaint. In the UK the lead Data Protection Authority is the Information Commissioner. For more information please visit the Information Commissioner’s Office at www.ico.org.uk/concerns or contact the Information Commissioner’s Office at:
E-mail: Wales@ico.org.uk
Tel: 01625 545 298
Glossary
The following terms are used in this Privacy Policy:
Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject's wishes by which they, by a statement or by a clear positive action, signify their agreement to the Processing of Personal Data relating to them.
Data Controller: the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the UK GDPR. The Company is the Data Controller of all Personal Data relating to you and Personal Data used in our business for our own commercial purposes.
Data Retention Policy: The Company’s Policy setting out the periods for which data is retained based on relevant legal and commercial requirements. This is not generally available on the website; however, we are happy to provide details of the periods for which your Personal Data will be held by us.
Data Subject: You i.e. a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.
Data Protection Policy: the Company’s internal Data Protection Policy.
Data Protection Manager (DPM): the person(s) appointed to the Company Data Protection Team with responsibility for data protection compliance.
Personal Data: any information identifying You (i.e. a Data Subject) or information relating to You (a Data Subject) that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Sensitive Personal Data and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal Data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person's actions or behaviour.
Personal Data Breach: any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.
Privacy Notices: separate notices setting out information that may be provided to Data Subjects when the Company collects information about them. These notices may take the form of general privacy statements applicable to a specific group of individuals (for example, the Contractors Data Privacy Notice, the Employee Data Privacy Notice) or they may be stand-alone, one-time privacy statements covering Processing related to a specific purpose. These are all available on request by contacting us.
Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.
Sensitive Personal Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and Personal Data relating to criminal offences and convictions.
UK GDPR: the UK General Data Protection Regulation (retained from EU Regulation 2016/679 EU).
Updates to this Privacy Policy
- We may change or update parts of this Privacy Policy in order to maintain our compliance with applicable law and regulation or following an update to our internal practices.
- We will do this by updating this Privacy Policy on this website but it is your responsibility to regularly check this Privacy Policy so you are fully aware of any changes or updates.
- This Privacy Policy was last updated on 20th September 2021.