In this notice, you’ll find important information about how and why we collect and use your personal information, and how we protect it. It also provides information about your privacy rights. This notice applies to (i) anyone who interacts with us about our products, services and/or events, (ii) job applicants and potential job applicants and (iii) friends and supporters/donors (“you”, “your”).
1. About the Carbon Trust
This privacy notice is issued on behalf of the Carbon Trust (registered company 04190230), so when we mention the Carbon Trust, “we”, “us” or “our” in this privacy notice, we are referring to the relevant company in our group responsible for processing your personal information. We will let you know which entity in our group will be the controller of your personal information when you provide us with it. Unless we inform you otherwise in writing, the Carbon Trust will be the controller.
2. How we process your personal information
We may collect information from you directly when you:
- contact us, whether through our websites, by the contact form, phone or email, to enquire about our products or services
- contact us to request information or products (such as our publications)
- receive funding from the Green Business Fund or the Energy Efficiency Loan Fund
- enquire about, register for and/or attend events (including online events such as webinars and briefings)
- subscribe for our newsletter
- provide information by completing surveys
- engage us to provide products and services
- work with us as a partner, sub-contractor or supplier providing services to the Carbon Trust
- otherwise through providing our products and services or operating our business
- download or use one of our apps or other software
- enquire about job opportunities with us and/or apply for jobs with us
We may also collect information about you indirectly from other organisations, including from:
- companies that we provide products and services to
- organisations that fund, or donate to, our work and services
- any sub-contractors and service providers who work with us or on our behalf in relation to our products, services and events - for example, we sometimes offer products, publications and events using service providers such as Microsoft Teams, GoToWebinar, Glisser, Eventbrite and PayPal. We also use Mailchimp to administer some of our newsletters. Please note that in these instances the relevant third party service provider’s privacy notice will apply in addition to this policy notice
- other third parties we work with, such as credit reference agencies and research firms
- in the case of job applicants and prospective job application, recruitment agencies or consultants or from employment agencies or background check agencies
- in the case of supporters or prospective supporters, if we believe you may be interested in becoming more involved with the work we do, we may gather additional data from external sources such as company resources and publications, news media, and social media sites (depending on your privacy settings and interaction with us)
We may collect information about you when you use our website in particular, when you browse our websites, we automatically collect data about your internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website. This is collected by using cookies and other similar technologies.
And we may also collect information about you in the course of providing a service to a third party.
This includes the Industrial Energy Efficiency Accelerator (IEEA) which we manage on behalf of the Department for Energy Security and Net Zero. These third parties will be a controller of your personal information. We may act as a controller, joint controller or a processor in this capacity and if we’re a controller, we’ll tell you this at the time. Please refer to the third parties’ respective privacy notices for details on how they will use your personal information.
3. What personal information do we collect?
Depending on your interaction with us, we may collect, store and use the following categories of personal information about you:
- your name and contact details including your address, telephone number(s) and email address
- financial information including details about payments made to and from you and other details of products and services you have received from us and/or events you have attended or signed up to attend with us
- information about your use of our services including aggregated data on your location, device and demographic information (Google Analytics provides aggregated data on age range, gender and interests based on your browsing activities)
- information about your preferences in receiving marketing from us
- your video and/or audio stream, where you attend a recorded event with us and opt to enable your video and/or audio device during the event
- in the case of job applicants or prospective job applicants, biographical, educational and social information such as details of your education and work history, references from previous employer(s), and any other information relevant to your employment or other engagement to work for us (such as information required to confirm your ‘right to work’ for us in the relevant jurisdiction)
- in the case of supporters/donors, your donation history, our assessment of your ability and willingness to make donations
- information about our interactions with you such as records of meetings, conversations and correspondence with you
We also collect, use and share aggregated data such as statistical or demographic data for any purpose. This could come from your personal data but is not considered personal data in law as it will not directly or indirectly reveal your identity.
If we change the way in which we use aggregated data (for example, if we combined this data with your personal data so we can directly or indirectly identify you) we will treat the combined data as personal data and will only use it in accordance with this policy.
Our use of special category data
Data protection law recognises that certain categories of data are far more personal to you and therefore require enhanced protection. These categories of data are called ‘special category data’ and this includes data relating to your health (including disabilities), political opinions and religious beliefs.
We may very occasionally collect and use your special category data (including when you apply for a job with us). We will only ever do this if we are lawfully allowed to do so and if it is for one of the reasons set out in ‘How we process your personal data’.
4. How do we use your personal information?
Under data protection law, we need to have one or more lawful grounds to process your personal data. We explain below the lawful grounds we think are most relevant to the use of your personal data by us:
- if it is necessary for us to use your personal data to perform the contract we are about to enter into or have entered into with you
- if it is necessary for us to use your personal data to comply with a legal or regulatory obligation
- if we have a legitimate interest in using your personal data
- if you have given us your consent for us to use your personal information for a particular purpose
We think it’s important that you have a little more information about how we use your personal data so we’ve set out below a summary of the ways in which we use your personal data and the lawful grounds we rely on to do so.
|We use your personal data:
|Our lawful ground for processing is:
|To provide you with further information about our work, services or products where you request this
|Legitimate interest – it is in our legitimate interest to promote our business, and to publicise our mission to accelerate the move to a decarbonised future
|To provide you with the services and products that you’ve asked for
|Performance of contract
|To keep in contact with you about future opportunities that may be of interest
|Legitimate interest – it is in our legitimate interest to let you know about future opportunities in order to develop and manage our business
To administer job applications and, where relevant, to offer you a role with us
To carry out due diligence checks on you during the application process
To make a decision about your recruitment or appointment, and (if applicable) to determine the terms on which you work for us
To monitor in relation to equal opportunities
Performance of contract as well as taking steps at your request prior to potentially entering into a contract
Legal obligations – we may need to process some of your personal data for compliance with our legal obligations for example, relating to equality and diversity, health and safety and immigration laws and rules
|To process your loan or grant application when you apply for our grant or our interest free-loans scheme or funding from the Green Business Fund (including for credit checking purposes)
Legal obligation (e.g. to comply with our money laundering obligations and to prevent financial crime)
Performance of contract
|To assess our activities (e.g. quality assurance and market research) and to provide you with information about similar services and events that may be of interest to you
Consent – marketing (see below on Direct Marketing)
Legitimate interest – it is in our legitimate interest to assess and maintain the quality of our services, to grow our business and to inform our marketing strategy
|To provide digital marketing that is intentionally sent or displayed to you on third-party online platforms or websites (such as advertisements you may see on LinkedIn and other social media) which we believe would be relevant to you based on your interests
Consent – marketing
Legitimate interest – it is in our legitimate interest to develop our business and to promote our mission to accelerate the move to a decarbonised future
|To reserve a place for you at the event(s) for which you have registered and to provide you with information about the event(s) (e.g. event updates, cancellation etc.)
Performance of contract
Legitimate interest – it is in our legitimate interest to develop our business and to promote our mission to accelerate the move to a decarbonised future
|To record an online event such as a webinar, meeting or training session
|To provide you with newsletter(s) where requested
Legitimate interest – it is in our legitimate interest to develop our products and services, and to promote our mission to accelerate the move to a decarbonised future
Consent - marketing
|To analyse survey results where you have completed surveys or provided information to us via an app.
|Legitimate interest – it is in our legitimate interest to develop our business and to promote our mission to accelerate the move to a decarbonised future
|To contact you for an expert opinion in relation to a project we may be working on
|Legitimate interest - it is in our legitimate interest to develop our products and services, and to promote our mission
|To engage in fundraising in support of our mission including to administer donations, acknowledge donors and provide updates on the use and impact of donations we have received
|Legitimate interest – it is in our legitimate interest to build, and engage with, a wide community to support our mission and the activities that further our mission including, by way of philanthropic activity
|To use data analytics to measure usage on our websites in order to improve our websites, services and client experiences
|Legitimate interest – it is in our legitimate interest to assess and maintain the quality of our services and products, and to improve the clients’ experience
|To establish, exercise and defend our legal rights
Legitimate interest – it is in our legitimate interest to exercise and defend our legal rights
|To facilitate access to our events, meet your special dietary requirements
|Consent - we will only process this special category data with your explicit consent
Where we rely on the lawful ground of ‘legitimate interests’ to use your personal data, we explain above what we consider our legitimate interest to be. In deciding to use legitimate interests, we have carefully considered the need to balance our legitimate interests with yours and to ensure that our interests are not overridden by yours.
If you are part of a business we work with or have worked with, we may use your personal information to contact you about similar opportunities. If, at any time, you prefer not to receive direct marketing from us, you will have the ability to unsubscribe from all such communications by:
- contacting us; or
- using the unsubscribe link in every email that is sent to you by us.
If you decide not to receive information from us, we will only keep a record of your contact details to ensure we do not contact you in the future. If you are an individual interacting with us in private capacity (as opposed to as part of a business we work with or have worked with) we will only engage in direct marketing with you where you have consented, and you may also unsubscribe as described above.
If we intend to record an event, you will at a minimum be informed on the day of recording the session, normally verbally, prior to any recording taking place. You will be told of the purpose of the recording and what we intend to do with the recording.
5. What happens if you do not provide personal information
Where we need to collect your personal information for the performance of a contract with you, or to comply with a legal obligation, and you do not provide that information, we may not be able to perform the contract or provide you with the requested services. In such case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.
6. Who we share your personal information with
We may share your personal information with our subsidiaries to process it for the purposes of inter-group administration and to deliver products, services or events.
We may also share your personal information with the organisations below for the purposes set out in the table at paragraph 4 above:
- our partners, sub-contractors and suppliers who work with us or provide services on our behalf
- our recruitment partners and Hireful which provides the software for our job application system
- our professional advisors, including auditors, lawyers, bankers and insurers who provide consultancy, banking, legal, insurance and accounting services
- social media platforms and marketing and advertising agencies
- our clients (where you are or act on behalf of a partner, sub-contractor or supplier and have been contracted to provide services to us for that client)
- funders, being certain Government bodies (where you receive or have received a loan under our interest-free loan scheme)
- law enforcement or other regulatory bodies including HM Revenue & Customs where required by applicable law
- a prospective purchaser in the event that our business or any part of it is sold or merged with another business
Our sub-contractors and service providers are subject to security and confidentiality obligations and are only permitted to process your personal information for specified purposes and in accordance with our instructions.
7. How long do we keep your personal information?
We will only retain your personal data for as long as necessary to fulfil the purposes we collect it for. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data (such as contractual, legal, accounting or reporting requirements) and whether we can achieve those purposes through other means, and the applicable legal requirements.
For the avoidance of doubt, we retain unsuccessful job applications for one year, after this we may contact you to consent to us holding your job application for a further one year for the purpose of considering you for future roles.
8. Security and storage of personal data
Security of your personal data
We are committed to ensuring that we keep your personal information safe and secure. We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. Those processing your information (including any third parties) will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where required to do so.
Storage of your personal data
Your personal information may be transferred to, stored in, or accessed from a location outside of the European Economic Area (EEA). Some of our service providers and subcontractors are based outside the EEA, and so when we share information with them and they provide us with services, this may involve processing outside of the EEA.
Whenever we transfer personal information outside of the EEA, we take steps to ensure similar protection as in the EEA by ensuring at least one of the following safeguards is implemented:
- we transfer personal information to countries that have been deemed to provide adequate protection for personal information by the European Commission;
- we use model contractual clauses approved by the European Commission obliging recipients to protect your personal information; and/or
- we may transfer data to the United States, where the recipient is a certified member of the EU-US Data Privacy Framework.
In other circumstances, the law may permit us to otherwise transfer your personal information outside the EEA. In all cases, however, we will ensure that any transfer of your personal information is compliant with data protection law.
You can obtain more details of the protection given to your personal information when it is transferred outside the EEA (including a copy of the model contractual clauses, which we have entered into with recipients of your personal information) by contacting us using the details set out above.
9. Your privacy rights
Under data protection laws, you have a number of important rights:
- Right of access: you have the right to access your personal information and to receive a copy of the personal information we hold about you to check that we are lawfully processing it
- Right to rectification: you have the right to have inaccurate or incomplete information about you corrected
- Right to erasure: you have the right to request the erasure of your personal information where there is no good reason for us to continue to process it or where you have exercised your right to object to processing
- Right to restriction: you have the right to request the restriction or suppression of your personal information in certain circumstances
- Right to object: you have the right to:
- object to us processing (including profiling) your personal information in cases where our processing is based on our legitimate interest
- object to us using your information for direct marketing and profiling purposes in relation to direct marketing
- Right to data portability: you have the right to receive your personal information in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations
- Right in relation to automated decision-making: in certain circumstances, you have the right not to be subject to a decision, which is based solely on automated processing where this produces legal effects concerning you or otherwise significantly affects you
- Right to withdraw consent: you have the right to withdraw any consent you have given us to handle your personal information at any time. This will not affect the lawfulness of how we used your personal information before you withdrew consent
These rights may not always apply and we may be entitled to refuse requests where exceptions apply.
If you would like to exercise any of those rights, please:
- email, call or write to us (using the details set out above),
- let us have enough information to identify you (we may require evidence of your identity and if we reasonably need more information to confirm your identity, we’ll let you know), and
- if possible, let us know the information to which your request relates.
10. Third-party links
This website may include links to other sites. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We don’t control these third-party websites and so are not responsible for their privacy notices.
We always recommend reading the privacy notice of every website you visit.
11. If you have questions or comments, or want to complain about our processing of your personal data
If you have any queries or complaints relating to this notice, or any other concerns about the way in which we process your personal information, please contact us using the contact details set out above.
You also have a right to make a complaint to the Information Commissioner’s Office:
Information Commissioner's Office
Cheshire, United Kingdom
Phone: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
12. How to contact us
You can contact us in the following ways:
By email: email@example.com
By post: General Counsel & Company Secretary, The Carbon Trust, Level 5, Arbor, 255 Blackfriars Road, London SE1 9AX, UK.
By phone: +44 (0)20 7170 7000
If you need to see this notice in another format (for example, audio, large print, braille), please contact us.
13. Changes to this privacy notice
We may update this notice from time to time so please check back every now and again. This notice was last updated on 16 January 2024. If we make any significant changes, we’ll tell you by putting a notice on our website.