In this notice, you’ll find important information about how and why we collect and use your personal information, and how we protect it. It also provides information about your privacy rights. This notice applies to anyone who interacts with us about our products and services (“you”, “your”) whether through our websites, by email or otherwise.
1. About the Carbon Trust
This privacy notice is issued on behalf of the Carbon Trust (registered company 04190230), so when we mention the Carbon Trust, “we”, “us” or “our” in this privacy notice, we are referring to the relevant company in our group responsible for processing your personal information. We will let you know which entity in our group will be the controller of your personal information when you provide us with it. Unless we inform you otherwise in writing, the Carbon Trust will be the controller.
2. How we process your personal information
We may collect information from you directly when you:
- contact us, whether through our websites, by live chat, phone, or email, to enquire about our products and services
- contact us to request information or products (such as our publications)
- receive funding from the Green Business Fund or the Energy Efficiency Loan Fund
- register for events
- subscribe for our newsletter
- provide information by completing surveys
- engage us to provide products and services
- work with us as a partner, sub-contractor or supplier providing services to the Carbon Trust
- otherwise through providing our products and services or operating our business
- download or use one of our apps or other software, including our digital platform at footprinting.carbontrust.com.
We may also collect information about you indirectly from other organisations, including from:
- companies that we provide products and services to
- any sub-contractors and service providers who work with us or on our behalf in relation to our products and services
- other third parties we work with, such as credit reference agencies and research firms
For example, we sometimes offer products, publications and events via our websites using service providers such as GoToWebinar, Glisser, Eventbrite, PayPal to collect fees and Mailchimp to administer our newsletters. Please note that all GoToWebinar and PayPal transactions are subject to GoToWebinar’s or PayPal’s privacy notice and all event bookings on Eventbrite are subject to Eventbrite’s privacy notice. We may also use Survey Monkey to conduct online surveys and research.
We may collect information about you when you use our website:
- when you browse our websites, we automatically collect data about your internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website. This is collected by using cookies and other similar technologies
And we may also collect information about you in the course of providing a service to a third party.
This includes the BEIS Industrial Energy Efficiency Accelerator (IEEA) which we manage on behalf of the Department for Business, Energy and Industrial Strategy. These third parties will be a controller of your personal information. We may act as a controller, joint controller or a processor in this capacity and if we’re a controller, we’ll tell you this at the time. Please refer to their respective privacy notices for details on how such third parties will use your personal information.
3. What personal information do we collect?
We collect, store and use the following categories of personal information about you:
- your name and contact details including your address, telephone numbers, and email address
- financial information including details about payments made to and from you and other details of products and services you have
- information about your use of our services including aggregated data on your location, device and demographic information (Google Analytics provides aggregated data on age range, gender and interests based on your browsing activities)
- information about your preferences in receiving marketing from us
We also collect, use and share aggregated data such as statistical or demographic data for any purpose. This could come from your personal data but is not considered personal data in law as it will not directly or indirectly reveal your identity.
If we change the way in which we use aggregated data (for example, if we combined this data with your personal data so we can directly or indirectly identify you) we will treat the combined data as personal data and will only use it in accordance with this policy.
Our use of special category data
Data protection law recognises that certain categories of data are far more personal to you and therefore require enhanced protection. These categories of data are called ‘special category data’ and this includes data relating to your health (including disabilities), political opinions and religious beliefs.
We may very occasionally collect and use your special category data. We will only ever do this if we are lawfully allowed to do so and if it is for one of the reasons set out in ‘How we process your personal data’.
4. How do we use your personal information?
Under data protection law, we have to have one or more lawful grounds to process your personal data. We explain below the lawful grounds we think are most relevant to the use of your personal data by us:
- if it is necessary for us to use your personal data to perform the contract we are about to enter into or have entered into with you
- if it is necessary for us to use your personal data to comply with a legal or regulatory obligation
- if we have a legitimate interest in using your personal data
- if you have given us your consent for us to use your personal information for a particular purpose
We think it’s important that you have a little more information about how we use your personal data so we’ve set out below a summary of the ways in which we use your personal data and the lawful grounds we rely on to do so.
|We use your personal data to:||Our lawful ground for processing is:|
|To provide you with further information about our work, services or products where you request this||Legitimate interest – it is in our legitimate interest to promote our business, and to publicise our mission to accelerate the move to a decarbonised future|
|To provide you with the services and products that you’ve asked for||Performance of contract|
|To keep in contact with you about future opportunities that may be of interest||Legitimate interest – it is in our legitimate interest to let you know about future opportunities in order to develop and manage our business|
|To assess our activities (e.g. quality assurance and market research) and to provide you with information about similar services and events that may be of interest to you||Consent – marketing (see below on Direct Marketing); Legitimate interest – it is in our legitimate interest to assess and maintain the quality of our services, to grow our business and to inform our marketing strategy|
|To provide digital marketing that is intentionally sent or displayed to you on third-party online platforms or websites (such as advertisements you may see on LinkedIn and other social media) which we believe would be relevant to you based on your interests.||Consent – marketing; Legitimate interest – it is in our legitimate interest to develop our business and to promote our mission to accelerate the move to a decarbonised future|
|To reserve a place for you at the event(s) for which you have registered and to provide you with information about the event(s) (e.g. event updates, cancellation etc.)||Performance of contract; Legitimate interest – it is in our legitimate interest to develop our business and to promote our mission to accelerate the move to a decarbonised future|
|To provide you with newsletter(s) where requested||Legitimate interest – it is in our legitimate interest to develop our products and services, and to promote our mission to accelerate the move to a decarbonised future; Consent - marketing|
|To analyse survey results where you have completed surveys or provided information to us via an app.||Legitimate interest – it is in our legitimate interest to develop our business and to promote our mission to accelerate the move to a decarbonised future|
|To contact you for an expert opinion in relation to a project we may be working on||Legitimate interest - it is in our legitimate interest to develop our products and services, and to promote our mission to accelerate the move to a decarbonised future|
|To use data analytics to measure usage on our websites in order to improve our websites, services and client experiences||Legitimate interest – it is in our legitimate interest to assess and maintain the quality of our services and products, and to improve the clients’ experience|
|To establish, exercise and defend our legal rights||Legitimate interest – it is in our legitimate interest to exercise and defend our legal rights|
|To facilitate access to our events, meet your special dietary requirements||Consent - we will only process this special category data with your explicit consent|
Where we rely on the lawful ground of ‘legitimate interests’ to use your personal data, we explain above what we consider our legitimate interest to be. In deciding to use legitimate interests, we have carefully considered the need to balance our legitimate interests with yours and to ensure that our interests are not overridden by yours.
If you are an individual or part of a business we work with or have worked with, we may use your personal information to contact you about similar opportunities. If, at any time, you prefer not to receive direct marketing from us, you will have the ability to unsubscribe from all such communications by:
- contacting us; or
- using the unsubscribe link in every email that is sent to you by us.
If you decide not to receive information from us, we will only keep a record of your contact details to ensure we do not contact you in the future.
5. What happens if you do not provide personal information
Where we need to collect your personal information for the performance of a contract with you, or to comply with a legal obligation, and you do not provide that information, we may not be able to perform the contract or provide you with the requested services. In such a case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.
6. Who we share your personal information with
We may share your personal information with our subsidiaries to process it for the purposes of inter-group administration and to deliver products or services.
We may also share your personal information with the organisations below for the purposes set out in the table at paragraph 5 above:
- our partners, sub-contractors and suppliers who work with us or provide services on our behalf
- our professional advisors, including auditors, lawyers, bankers and insurers who provide consultancy, banking, legal, insurance and accounting services
- social media platforms and marketing and advertising agencies
- our clients (where you are or act on behalf of a partner, sub-contractor or supplier and have been contracted to provide services to us for that client)
- funders, being certain Government bodies (where you receive or have received a loan under our interest-free loan scheme)
- law enforcement or other regulatory bodies including HM Revenue & Customs where required by applicable law
- a prospective purchaser in the event that our business or any part of it is sold or merged with another business
Our sub-contractors and service providers are subject to security and confidentiality obligations and are only permitted to process your personal information for specified purposes and in accordance with our instructions.
7. How long do we keep your personal information?
We will retain your personal information for as long as you continue to engage us to provide the services and products requested. We may be required to retain certain information for longer where required by law, for example, to satisfy any legal, accounting or reporting requirements.
8. Security and storage of personal data
Security of your personal data
We are committed to ensuring that we keep your personal information safe and secure. We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. Those processing your information (including any third parties) will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where required to do so.
Storage of your personal data
Your personal information may be transferred to, stored in, or accessed from a location outside of the European Economic Area (EEA). Some of our service providers and subcontractors are based outside the EEA, and so when we share information with them and they provide us with services, this may involve processing outside of the EEA.
Whenever we transfer personal information outside of the EEA, we take steps to ensure similar protection as in the EEA by ensuring at least one of the following safeguards is implemented:
- we transfer personal information to countries that have been deemed to provide adequate protection for personal information by the European Commission;
- we use model contractual clauses approved by the European Commission obliging recipients to protect your personal information; and/or
- we may transfer data to the United States, where the recipient is a certified member of the EU-US Privacy Shield.
In other circumstances, the law may permit us to otherwise transfer your personal information outside the EEA. In all cases, however, we will ensure that any transfer of your personal information is compliant with data protection law.
You can obtain more details of the protection given to your personal information when it is transferred outside the EEA (including a copy of the model contractual clauses, which we have entered into with recipients of your personal information) by contacting us using the details set out above.
9. Your privacy rights
Under data protection laws, you have a number of important rights:
- Right of access: you have the right to access your personal information and to receive a copy of the personal information we hold about you to check that we are lawfully processing it
- Right to rectification: you have the right to have inaccurate or incomplete information about you corrected
- Right to erasure: you have the right to request the erasure of your personal information where there is no good reason for us to continue to process it or where you have exercised your right to object to processing
- Right to restriction: you have the right to request the restriction or suppression of your personal information in certain circumstances
- Right to object: you have the right to:
  - object to us processing (including profiling) your personal information in cases where our processing is based on our legitimate interest
  - object to us using your information for direct marketing and profiling purposes in relation to direct marketing
- Right to data portability: you have the right to receive your personal information in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations
- Right in relation to automated decision-making: in certain circumstances, you have the right not to be subject to a decision, which is based solely on automated processing where this produces legal effects concerning you or otherwise significantly affects you
- Right to withdraw consent: you have the right to withdraw any consent you have given us to handle your personal information at any time. This will not affect the lawfulness of how we used your personal information before you withdrew consent
These rights may not always apply and we may be entitled to refuse requests where exceptions apply.
If you would like to exercise any of those rights, please:
- email, call or write to us (using the details set out above),
- let us have enough information to identify you (we may require evidence of your identity and if we reasonably need more information to confirm your identity, we’ll let you know), and
- if possible, let us know the information to which your request relates.
10. Third-party links
This website may include links to other sites. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We don’t control these third-party websites and so are not responsible for their privacy notices.
We always recommend reading the privacy notice of every website you visit.
11. If you have questions or comments, or want to complain about our processing of your personal data
If you have any queries or complaints relating to this notice, or any other concerns about the way in which we process your personal information, please contact us using the contact details set out above.
You also have a right to make a complaint to the Information Commissioner’s Office:
Information Commissioner's Office
Cheshire, United Kingdom
Phone: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
12. How to contact us
You can contact us in the following ways:
By email: email@example.com
By post: General Counsel & Company Secretary, The Carbon Trust, 4th Floor, Dorset House, 27-45 Stamford Street, London, SE1 9NT
By phone: +44 (0)20 7170 7000
If you need to see this notice in another format (for example, audio, large print, braille), please contact us.
13. Changes to this privacy notice
We may update this notice from time to time so please check back every now and again. If we make any significant changes, we’ll tell you by putting a notice on our website.