Data Protection and Privacy Policy

Table of Contents

1 Data protection and privacy policy

1.1 Summary – Data Protection Dos and Don’ts.

1.2 Background To Data Protection.

1.3 ZE’s Approach to Data Protection.

1.4 Who This Policy Applies To.

1.5 Common Data Protection Terms.

1.6 Fundamental Principles.

1.7 Applying The Principles.

1.8 Other related policies.

1.9 Key Contacts.

2 Employee and contractor privacy policy

2.1 What information does Zenobe collect?

2.2 Where does Zenobe store data about you?

2.3 Why does Zenobe process personal data?

2.4 Who has access to data?

2.5 How does Zenobe protect data?

2.6 For how long does Zenobe keep data?

2.7 Your Rights.

2.8 What if you do not provide personal data?

2.9 Automated decision-making.

2.10 Security and Monitoring.

2.11 Why we collect this information?

2.12 How we protect this information?

2.13 Who do we share this information with?

3 Candidate privacy policy

3.1 UK Candidate Privacy Policy – Recruitment and offer of employment process

3.2 How does Zenobe Energy protect data?

3.3 What if you do not provide personal data?

3.4 Automated decision-making

4 Data breach policy

4.1 Introduction

4.2 What is a data breach?

4.3 What shouldn’t I do if I discover a data breach?

4.4 What if a 3^rd party tells me about a data breach they have suffered?

5 Data subject’s rights policy

5.1 Introduction

5.2 What are the rights?

5.3 What shouldn’t I do with a request to exercise rights?

5.4 Can ZE charge a fee for dealing with a request to exercise rights?

6 Subject access request policy

6.1 Introduction

6.2 What information is an individual entitled to under the GDPR?

6.3 How can I identify a subject access request?

6.4 What shouldn’t I do with a SAR?

6.5 What should I do with a SAR?

6.6 Can ZE refuse to respond to a SAR?

6.7 Can ZE charge a fee for dealing with a subject access request?

7 References to Regulatory and Industry Standards

8 References to Other Documents

9 External References.

1 Data protection and privacy policy

Reviewed and updated April 2024

1.1 Summary – Data Protection Dos and Don’ts

1.2 Background to Data Protection

It is a well-established principle in the European Union (“EU”) that the protection of individuals in respect of the processing of their personal data is a fundamental right. That principle is protected by law in the EU by the Data Protection Directive (the “Directive”) of 1995 (brought in to law in the UK by the Data Protection Act 1998).

In the last few years, the processing of data has grown exponentially. In recognition of that growth, the European Parliament passed the General Data Protection Regulation (the “GDPR”) to ensure that the law keeps pace with the rapid development of personal data processing. The UK signed up to GDPR and implemented the regulations into UK law in 2018.

Since the UK left the EU in 2020, GDPR has remained part of UK law (albeit it with some small changes).  This means that there is a consistent approach to data protection between the UK and EU and EFTA (EEA) countries and personal data can flow between those countries with relative ease.

Recent EU case law, however, has introduced complications in relation to the transfer of personal data from the UK or EU countries to other countries and so special care should be taken in relation to such transfers.

Privacy and data protection legislation is not limited to the UK and the EU countries.  Most notably, Australia has privacy legislation applying to government, large organisations and those who process a lot of personal data.  Certain US states, particularly California, have data protection regulations as do New Zealand and Canada.

Since the GDPR standards are the most rigorous and most of the personal data ZE processes relates to UK and EU individuals, this policy addresses the requirements for compliance with GDPR and is applicable to all ZE staff.  If you have specific questions concerning privacy laws outside of the UK and EU, please contact the legal team by email to sophie.barr@Zenobe.co.uk.

1.3 Zenobē’s Approach to Data Protection

The GDPR introduces significant penalties for organisations that fail to act in accordance with the rules around processing personal data. A non-compliant organisation could suffer one or all of the following:

• a fine of up to 4% of total worldwide annual turnover.
• compensation payable to individuals affected by non-compliant data processing; and
• significant reputational damage undermining the trust of its clients and business partners.

The GDPR makes it clear that organisations that deal with personal data will be legally accountable for compliance with the GDPR. What that means in practice is that ZE will not only need to comply with the GDPR, it will also need to show how it has complied, and this policy and its requirements form an important part of demonstrating compliance.

The GDPR requires organisations fulfilling certain criteria to appoint a Data Protection Officer (a “DPO”) to oversee all issues relating to data protection. Although ZE does not currently meet those criteria we are taking other steps to ensure that our obligations in respect of personal data are considered and complied with as necessary.

This policy, together with appropriate education within ZE, is intended to provide guidance to all employees to ensure compliance with data protection requirements. In addition, ZE’s legal team is always on hand to help you interpret this policy and the GDPR in more detail.   This policy should also be read and followed in conjunction with ZE’s policies covering IT and organisational security and the Employee Handbook.

You can contact the legal team by email to sophie.barr@zenobe.co.uk

We keep this policy under regular review. This policy does not override any applicable national data privacy laws and regulations in countries where ZE operates.

1.4 Who This Policy Applies To

This policy seeks to address all of the key concepts and restrictions relating to data protection that are set out in the GDPR. However, this policy is not designed to be a detailed ‘how to’ manual and if you have any concerns or queries about how you should be dealing with personal data you should speak to the legal team.

ZE cannot be compliant without the assistance of all employees. For that reason, compliance with this policy is a responsibility shared by all employees and so you should thoroughly read and ensure you understand this policy.

In addition, it is the responsibility of the senior manager of each function, acting with the legal team, to ensure that employees in their group are properly instructed regarding the requirements of the GDPR and this policy. This instruction shall include:

• explanation of this policy; and
• data protection compliance seminars and other related legal and corporate education programs to promote an awareness of the importance and requirements of data protection, and to promote compliance with all data protection laws relevant to ZE’s business operations.

Failure to follow this policy could result in disciplinary action.

1.5 Common Data Protection Terms

1.6 Fundamental Principles

The GDPR is founded upon certain principles on which the detailed obligations and restrictions are built. In summary, personal data must be:

1. processed lawfully, fairly and transparently (“lawfulness, fairness and transparency”);

2. collected for specified, explicit and legitimate purposes (“purpose limitation”);

3. adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed (“data minimization”);

4. accurate and kept up to date (“accuracy”);

5. stored for no longer than is necessary for the purpose for which it is processed (“storage limitation”);

6. appropriately secured to protect against unauthorized or unlawful processing and against accidental loss, destruction, or damage (“integrity and confidentiality”);

7. not transferred to another country without appropriate safeguards in place (“transfer limitation”); and

8. made available to data subjects and allow data subjects to exercise certain rights in relation to their personal data (“data subject’s rights and requests”).

1.7 Applying The Principles

All of the principles set out above are applicable all of the time. However, in practice, certain principles will apply more particularly at certain times in the data processing “lifecycle”.  To help you understand how the principles might apply we have broken down compliance into a number of realistic stages.

 1.7.1 The Planning Stage

Data Protection by Design

The GDPR places an emphasis on the planning stage by incorporating a concept of ‘data protection by design’. Applying that concept in practice means considering all aspects of data protection at the outset of a new project to ensure it proceeds in a way that will be always compatible with the obligations in the GDPR.

At this planning stage, for example, you should consider carefully whether you need to use personal data. For instance, might it be possible to filter data so that it does not relate to identifiable individuals (a process known as anonymization if the change is permanent or ‘pseudonymization’ if the intent is to ‘re-identify’ the individual at a later stage by combining the data with identifiers).

If personal data must be used, then it should be kept to the absolute minimum for what is required. For example, don’t collect telephone numbers from individuals if all you actually need is an address.

Justifications for Processing

If it is absolutely necessary for personal data to be used as part of the relevant project, the next step is to identify the justification for doing so in accordance with the GDPR.  Data processing will be unlawful unless it falls within one of the grounds set out in the GDPR.  The three grounds most likely to be relevant to processing ZE wishes to undertake are:

1. The individual has given their CONSENT to the processing.

At first glance this would appear to be a simple and obvious method for compliant processing. To be compliant though the consent must comply with a number of criteria:

It is important to note that consent can be withdrawn at any time by the individual. This can lead to uncertainty if the processing needs to carry on for a defined period and the consent may need to be refreshed if you intend to process personal data for a different and incompatible purpose which was not disclosed when the data subject first consented.

2. The processing is NECESSARY FOR THE PERFORMANCE OF A CONTRACT with the individual.

For example, personal data provided by an employee needs to be processed in order to pay that employee their salary in accordance with their employment contract. In those circumstances, no further justification is necessary.

3. The processing is necessary for the purposes of the LEGITIMATE INTERESTS OF THE DATA CONTROLLER where such purposes are not overridden because the processing prejudices the interests or fundamental rights and freedoms of the data subjects.

Some examples of what is within the data controller’s legitimate interests are given and may be helpful, such as the sharing data amongst a group of companies. The purposes for which the data controller processes personal data for legitimate interests will need to be set out in the applicable privacy notice.

However, in each case, an assessment must be carried out on a case-by-case basis and recorded (see “Throughout the Processing Period – Record Keeping” below).  This is particularly important as processing activities relying on the “legitimate interests” ground are more open to challenge by individual data subjects.  Amongst other things, you will need to consider whether the relevant processing was within the reasonable expectation of the individual at the time and in the context of the data collection.

The justifications set out above for lawfully processing data are those that are most likely to apply in respect of data processing at ZE. However, there are other justifications available, and the legal team will be able to advise you if you think one of the following justifications may apply:

• processing is necessary for compliance with a legal obligation.
• processing is necessary in order to protect the vital interest of an individual or another person; and
• processing is necessary for the performance of a task carried out in the public interest.

Security

The security of personal data forms a critical part of any data protection compliance strategy.  Data breaches (such as stolen laptops or allowing unauthorized access to data) are the cause of many data protection issues.  Security means not only maintaining the confidentiality of the personal data, but also includes the ability to recover data and having in place processes for regular testing.

When considering what level of security to apply to data processing activities you should take a risk-based approach which has regard to the harm that could be done if there was a security breach in respect of the relevant personal data. For example, could the breach enable fraudulent transactions to be carried out (high risk), or would it cause the individual only minor inconvenience and nothing more (lower risk)? The more serious the harm that could occur, the more effort should be put in to secure the personal data.

Unfortunately there is no ‘one size fits all’ security response. You will need to consider what technology is available to you to assist in data security, the costs of any security measures and the ease with which those measures can be implemented. When carrying out high risk processing an appropriate safeguard may involve a high technology, high-cost security solution which is complex to implement.

The considerations above are likely to be most relevant in respect of “technical” security measures such as encryption solutions for computer systems. So long as personal data is held on ZE’s IT systems, we consider that appropriate technical security measures have been applied in accordance with the GDPR. However, it is also necessary to consider “organisational” security measures.

Organisational security measures may overlap with technical measures. For example, applying restrictive access controls dependant on personnel seniority. Organisational measures also refer to processes, procedures and structures that embed an approach within an organisation whereby security considerations are built in. For example, the Data Protection Committee has overall responsibility for data compliance, this policy sets out ZE’s expectations of employees and employee training is a further way in which we can educate and audit your understanding of ZE’s responsibilities.

Record Keeping & Future Compliance with Data Subjects’ Rights

A significant part of compliance with the GDPR relies on the ability to effectively deal with and manage the personal data that ZE holds.

In some instances this may be a relatively simple paper based exercise. For example, retaining correspondence in respect of a reference for a new employee. For large scale systematic processing it is likely that technical solutions will be required.  As this is not a core element of ZE’s function the legal team and the Data Protection committee should always be consulted prior to any large scale processing.

Similarly, ZE will also need to be able to carry out audits on the records that it keeps as well as comply with the exercise of individual’s rights (see “Throughout the Processing Stage – Rights of Data Subjects” below). The systems and processes via which individual personal data records are processed should therefore be organised in a systematic way that allows for that personal data to be:

• isolated.
• modified; and
• deleted.

Addressing these matters at the outset during planning will allow GDPR compliance activity to be carried out simply and efficiently and in a way that does not disrupt the business.

Privacy Impact Assessments

If you are considering undertaking a project that involves high risk data processing, for example where dealing with large scale processing of personal data or processing of special categories of personal data, then you should seek guidance from the legal team and the Data Protection Committee at the earliest possible opportunity. In those circumstances it is likely that a ‘Privacy Impact Assessment’ will be required and it may also be necessary to liaise with the relevant data protection regulator in your jurisdiction.

A Privacy Impact Assessment is a formal planning tool specified in the GDPR which will force organisations to consider both the risks associated with the relevant processing and also the safeguards that are intended to put in place. In other words, it is a formal procedure for recording all of those matters this section of the policy has considered. You can view a template Privacy Impact Assessment on the Information Commissioner’s website.

 1.7.2 The Collection Stage

Transparency and Information Notices

Transparency is a fundamental principle of the GDPR and certain information must be made available to individuals when their data is collected (or shortly thereafter if it has been obtained from another source).

The information that must be provided to individuals is set out below and will often be included in a statement called an ‘Information Notice’ or a ‘Privacy Notice’:

• Identity and contact details of the controller (or its representative, for a non-EU established controller).
• Purposes of processing and the legal basis for processing, including the “legitimate interest” pursued by the controller (or third party) if this is the legal basis.
• Recipients, or categories of recipients.
• Details of data transfers outside the UK, EEA, including how the data will be protected (e.g. the recipient is in a country recognized as providing an adequate level of protection, Binding Corporate Rules are in place, or the recipient has agreed to EU standard contractual clauses or the UK’s International Data Transfer Agreement.) and how the individual can obtain a copy of the BCRs or other safeguards, or where such safeguards are available for viewing.
• The retention period for the data. If the retention period cannot be specified then the criteria used to determine the retention period should be provided.
• That the individual has a right to access and port data, to rectify, erase and restrict his or her personal data, to object to processing and, if processing is based on consent, to withdraw consent.
• That the individual can complain to a supervisory authority.
• Whether there is a statutory or contractual requirement to provide the data and the consequences of not providing the data.
• If there will be any automated decision taking and, where there is automated decision taking, information about the logic involved and the significance and consequences of the processing for the individual.

The amount of information that needs to be provided once again demonstrates the need for proper consideration of data protection issues from the outset of a project.  The legal team will be able to assist you in putting together a comprehensive Information Notice and you should always seek their advice in doing so.

The notice must be concise, transparent, intelligible, easily accessible and in clear and plain language so that the data subject can easily understand it.

Capturing consent

As has already been noted, getting an individual’s consent may not be as straightforward as it might at first appear. The Section above entitled “The Planning Stage – Justifications for Processing” details the criteria for obtaining valid consent and you should always refer to those criteria when considering how you gather consent.

It is also important to ensure you have systems and processes in place to properly record an individual’s consent.

 1.7.3 Throughout the Processing Stage

Transfers to Third Party Processors

Generally, we are not allowed to share personal data with third parties unless certain safeguards and contractual arrangements have been put in place. Personal data should not be shared with third parties unless: (a) they have a need to know the information for the purposes of providing the contracted services; and (b) sharing the personal data complies with the privacy notice provided to the data subject and, if required, the data subject’s consent has been obtained.

In addition to the above, the obligation to deal with personal data in a particular way does not fall solely on the data controller. If you engage a third party to assist in delivering your project, for example a sub-contractor or delivery partner, and they may be processing personal data on behalf of ZE then they will also have to abide by certain rules.

Although those rules will apply directly to the data processor, if ZE is the data controller then it has to be confident that the data processor can meet the requirements of the GDPR and ensure the protection of the rights of the individual. Ensuring that the data processor can meet these requirements will require three steps:

1. Carrying out due diligence with regard to the delivery partner’s data protection policies, procedures and security measures;

2. Putting in place a binding written contract with the delivery partner (if applicable). That written contract will need to include certain protections specified in the GDPR. For example, the contract needs to explicitly state, amongst other things, that:

a. the processor will only act on the instructions of the data controller in respect of the personal data;

b. the personal data will be deleted or returned to the controller at the end of the processing period; and that

c. the processor will provide any information necessary to demonstrate compliance with the obligations on the processor in the GDPR.

The obligations laid down in the GDPR are detailed and specific and for that reason it is important that you seek the legal team’s assistance in ensuring that all of the necessary protections are included in your contract with the processor.

3. Carrying out periodic audits of compliance with regard to the processor, particularly in the case of large scale processing of personal data.

International Data Transfers

Transfers to organisations within the UK or EU and EFTA countries (the EEA) require no further considerations beyond the general considerations set out in this policy. However, if personal data is going to be transferred outside of those countries[1] to an organisation or their infrastructure in a ‘third country’ then further considerations with regard to the protection of personal data should be made.

It is important to remember that international transfers of personal data will not always be obvious. Services are increasingly being provided via the ‘cloud’ and it is therefore important to always consider the location of any servers that will be hosting data even if only on a transitory basis as it passes through. That consideration will form part of your due diligence process and a supplier should be able to answer any questions in that respect and they may even have a ‘data map’ to assist your due diligence.  It will also be important to consider where the data may be accessed from as remote data access will constitute “processing” of the data in the jurisdiction in which the person accessing the data is based.

There are a number of options that are available to ensure that an international transfer of data to a third country. In general though, international transfers will need to fall in to one of the following three categories in order to be compliant.

1.7.4 Adequacy

Some countries outside of the UK or EEA have been recognized by the UK’s Information Commissioner or by the European Commission as ensuring an adequate level of protection for personal data[2]. If you are transferring personal data to one of those countries then no special steps need to be taken over and above those in relation to transfers to third party processors set out above.

Originally, the US was deemed to provide an adequate level of protection for data transfers provided that the company to which personal data was being transferred was a participant in the Safe Harbor scheme. That scheme was replaced by the Privacy Shield which has been the subject of legal challenge and is no longer effective. The EU now requires that standard contractual clauses (as explained below) are put in place for any transfers of personal data outside of an ‘adequate’ country – including the US – and that the exporting entity also undertake an assessment to ensure the transfer is safe and personal data cannot fall into the wrong hands under the laws of the recipient’s country.

The UK initially followed the same approach but has now introduced the International Data Transfer Agreement (IDTA) that does the same thing as the standard contractual clauses but is a little easier to use. The legal team can assist you with the IDTA or standard contractual clauses.

More recently, both the EU and the UK have established the EU – US Data Privacy Framework and the corresponding UK – US Data Bridge.  The scheme allows US companies to sign up to a set of enforceable data protection principles, allowing them to be listed on the Data Protection Framework List (and corresponding UK Extension).  Once listed, personal data can be transferred to the US company as though the company provided an adequate level of protection.  That is, no further paperwork is required to allow the international transfer.   Controller to processor agreements may still be needed, however.

Standard Contractual Clauses

If you are transferring personal data to a country outside the UK or EEA and that country has not been assessed as ensuring an ‘adequate level of protection’, it will be necessary to gain protection by implementing either the UK’s ‘IDTA’ or the UK’s ‘standard contractual clauses’ which have been approved by the Information Commissioner or the European Commission for such purposes.

The IDTA or standard contractual clauses are sets of contractual clauses that are the contractual basis for transferring personal data outside of the UK or EEA. The use of these clauses provides appropriate protection for the personal data being transferred and ensure recourse for the individuals whose data is being transferred.

It is important that the IDTA or standard contractual clauses are not amended in any way. Therefore, if you believe the IDTA standard contractual clauses would be appropriate for a particular data transfer then you must seek advice from the legal team.

Record Keeping

Whenever you carry out high risk data processing, processing that is not occasional or you process any special categories of personal data you will need to keep relevant records of that processing.

The information that will need to be included in any processing records will differ depending on whether you are acting as a data controller or a data processor.  To ensure you are keeping the correct records you should speak to the legal team.

Changes to Processing

It should be kept in mind at all times throughout the processing period that one of the fundamental principles on which the GDPR is based is that personal data should only be processed for specified purposes.

Provided that this policy has been complied with, the purposes of ZE’s processing should have been clearly determined and it should therefore be clear if that purpose changes. If there is a change, all of the steps outlined above should repeated in light of that change. For example, the grounds on which the personal data is being processed should be reconsidered. Similarly, if consent was obtained for the relevant processing purpose and that purpose has now changed, a new consent will need to be obtained in respect of the new or additional purpose.

As mentioned above, it goes against the fundamental principles of the GDPR to simply hold as much data as you think you might need. Data should only be collected to the extent it is necessary for the required purpose of the processing and it will therefore be important to give careful thought at the outset to the purpose for which you want to process the personal data. Get it wrong and you will need to start all over again.

Rights of Data Subjects

As already mentioned, the purpose of the GDPR is to further protect the rights of individuals in respect of their personal data. The main impact of the GDPR is to place obligations on organisations dealing with personal data to act in a certain way.

However, there are certain specific and critical rights that an individual can exercise directly against organisations to further assist them in protecting their personal data:

If you receive what you believe to be a request from an individual in respect of the rights set out above, you must notify the Data Protection Committee or contact the legal team immediately. The identity of the individual requesting data under any of the rights listed above must be verified before any information is shared. Under no circumstances should you allow a third party to persuade you into disclosing personal data without proper authorisation.

Data breaches

We have all heard stories about how an unfortunate employee has left personal data in public, for example on a train. That’s an obvious data breach. However, the full definition of a data breach is actually much wider than that and means, “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

In whatever capacity ZE handles personal data, it has certain notification obligations in the event of a data breach. When acting as a data processor ZE will usually be required to notify the data controller of any data breach, and when acting as a data controller ZE may be required to notify the relevant data regulator.  In certain circumstances, ZE may be required to notify the individuals affected by the data breach.

Any notifications must happen without undue delay after becoming aware of the relevant data breach (and in the case of notifying the regulator, within 72 hours) and ZE could face very substantial fines if it does not make the necessary notifications.

It is therefore critical that if you know or suspect that there has been a data breach, you notify the legal team without delay in accordance with the Data Breach Policy. No employee should attempt to make any notifications without seeking the advice of the legal team. In addition, the legal team will maintain a data breach register as required by the GDPR and the details of any data breach will need to be recorded in that register.

 1.7.5 When Processing Ceases

Storage limitation

Personal data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.

At the end of a matter which has involved the processing of personal data, the relevant personal data should be dealt with so as to ensure that no further processing – which would most likely be unlawful – can occur.

The personal data could be deleted. In that case care must be taken to ensure that the deletion is done in an organised and systematic way so that the data is completely deleted from all systems and devices.

Alternatively, the personal data could be pseudonymised in such a way that it no longer constitutes ‘personal data’. Such an approach may be helpful if you think that the underlying data of which the personal data formed a part may be useful in the future.

1.8 Other related policies

You may wish to refer to the following policies and sub-policies as necessary:

• Employee Handbook
• Policy on Data Subjects’ Rights;
• Policy on Subject Access Requests;
• Policy on Data Breaches.

1.9 Key Contacts

Legal team – sophie.barr@zenobe.com;

2 Employee and contractor privacy policy

Data Controller:  Zenobe Energy Limited (Zenobe)

Data Protection Manager: Anne Darnell – Head of HR (anne.darnell@zenboe.com)

Introduction

Zenobe collects and processes personal data relating to its employees, workers (including agency workers), consultants, contractors, secondees, directors, and others working for or with us to manage the employment relationship. We are committed to being transparent about how we collect and use that data and to meeting our data protection obligations.

This notice does not form part of any contract of employment or other contract to provide services. Zenobe may update this notice at any time and, if updates are made, Zenobe will provide you with an updated copy of this notice as soon as reasonably practical.

It is important that you read and retain this notice, together with any other privacy notice Zenobe may provide on specific occasions when collecting or processing personal information about you, so that you are aware of how and why Zenobe is using that information and what your rights are under the data protection legislation.

2.1 What information does Zenobe collect?

Zenobe collects and processes a range of information about you. This includes:

• your name, home address, personal and work email addresses and telephone numbers, date of birth and gender;
• the terms and conditions of your employment or engagement including salary or fees (as applicable), bonus (if applicable), job title, notice period, details of your schedule (days of work and working hours), start date and work location;
• details of your qualifications, professional memberships, skills, experience and employment history, including start and end dates, with previous employers and with Zenobe, plus employment references;
• information about your remuneration, including entitlement to benefits such as pension, life insurance, share options, season ticket loan, and Cycles scheme (if applicable);
• details of your bank account and national insurance number (if applicable);
• information about your next of kin and emergency contacts;
• information about your nationality and entitlement to work in the UK through your passport and visa (if applicable);
• where relevant, details of your driving license, business insurance cover, points history, and driver’s medical questionnaire;
• details of periods of leave taken by you, including holiday, sickness absence, compassionate leave, maternity, paternity, shared parental leave, training, medical appointments and other reasons for leave;
• details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
• assessments of your performance, including appraisals, performance reviews, 360 feedback, performance improvement plans and related correspondence;
• Details of any training courses you have attended and your qualifications.
• Any assets you have been assigned, including PPE and details of sizing.
• information about medical or health conditions which first aiders need to be aware of and which may be relevant to enable Zenobe to manage the impact of any organisation-wide illnesses or pandemics, including whether or not you have a disability for which Zenobe needs to make reasonable adjustments; and
• health and safety data including accident report forms, good catch forms and emergency evacuation lists.

Zenobe may collect this information in a variety of ways. For example, data might be collected through CVs; obtained from your passport or other identity documents such as your driving license; from forms completed by you at the start of or during employment (such as new starter forms, disclosure forms, nomination of beneficiary forms, benefits forms, proof of qualifications/professional membership, driving forms); from correspondence with you; or through interviews, meetings or other assessments.

In some cases, Zenobe may collect personal data about you from third parties, such as references supplied by former employers and in some cases information from employment background check providers. In particular, Zenobe may use your personal telephone number and/or emails to send company-wide communications to your personal number or email address in the event of emergency. For example, this may include texts to all employees to instruct employees to work from home in the event of adverse weather conditions, terrorism-related incidents or contagious illnesses affecting a number of employees within the organisation.

2.2 Where does Zenobe store data about you?

Data will be stored:

• internally in: its HR IT systems (including Zenobe’s email system and confidential HR section of SharePoint); and
• externally in: (i) Zenobe’s HR information system (Bamboo HR); and (ii) with third party payroll/benefit providers and specialist visa agencies.

2.3 Why does Zenobe process personal data?

Zenobe needs to process data to enter into an employment contract or a contract for service with you and to meet its obligations under your contract. For example, it needs to process your data to provide you with an employment contract, to pay you in accordance with your employment contract and to administer benefits including pension and life insurance entitlements.

In some cases, Zenobe needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check an employee’s entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled.

In other cases, Zenobe has a legitimate interest in processing personal data before, during and after the end of the employment or contractor relationship. Processing employee data allows Zenobe to:

• run recruitment and promotion processes;
• maintain accurate and up-to-date employment records and contact details (including details of how to contact you and/or your emergency contacts in the event of an emergency (as above) and records of employee contractual and statutory rights;
• operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace;
• determining whether your engagement is deemed employment for the purposes of Chapter 10 of Part 2 of the Income Tax (Earnings and Pensions) Act 2003 (“ITEPA 2003”) and providing you with a status determination statement in accordance with the applicable provisions of ITEPA 2003;
• operate and keep a record of employee performance and related processes, to plan for career development and for succession planning and workforce management purposes;
• operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled;
• obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled;
• operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that Zenobe complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;
• ensure effective general HR and business administration including budgeting and management /board reporting;
• provide references with permission e.g. employment/mortgage/rental on request for current or former employees; and
• respond to and defend against legal claims, undertake business planning and progress corporate activity (such as fundraises, obtaining and maintaining insurance cover, in the context of merger and acquisition activity affecting the business).

Some special categories of personal data, such as information about health or medical conditions, are processed to carry out employment law obligations (such as those in relation to employees with disabilities, duty of care when driving on Company business, management of long-term absence etc.).

2.4 Who has access to data?

Relevant aspects of your information will be shared internally, including with members of the HR and recruitment team, finance (for payroll and budgeting), your line manager, managers in the business area in which you work, the Founder/Directors and external IT support agencies if access to the data is necessary for performance of their roles.  This might include transfers to ZE group companies in different countries.

Zenobe shares your data with third parties in order to obtain pre-employment references from other employers, and in some cases, obtain employment background checks from third-party providers.

Zenobe may also share your data with third parties in the context of a sale of some or all of its business or a fundraise. In those circumstances, the data will be subject to confidentiality arrangements.

Zenobe also shares your data with third parties that process data on its behalf in connection with payroll, the provision of benefits such as pension, life insurance, salary sacrifice schemes and training providers.

Except for transfers between Zenobe group companies, Zenobe will not transfer your data to countries outside the UK or European Economic Area (EEA).

All international transfers are made in accordance with the requirements of GDPR.

2.5 How does Zenobe protect data?

Zenobe takes the security of your data seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed and is not accessed except by its employees in the performance of their duties. Where Zenobe engages third parties to process personal data on its behalf, those third parties are (i) required to do so on the basis of written instructions or legal requirements (such as pension auto enrolment); (ii) under a duty of confidentiality; and (iii) are obliged to implement appropriate technical and organizational measures to ensure the security of data.

2.6 For how long does Zenobe keep data?

Zenobe will hold your personal data for the duration of your employment and for 10 years after to ensure that any legal claims can be dealt with.

2.7 Your Rights

As a data subject, you have a number of rights. These include your right to:

• access and obtain a copy of your data on request;
• require Zenobe to change incorrect or incomplete data;
• request that Zenobe deletes your data where there is no good reason for it continuing to process that data;
• ask us to suspend the processing of your data, for example if you want us to establish its accuracy or the reason for processing it;
• object to the processing of your data where Zenobe is relying on its legitimate interests as the legal ground for processing and there is something about your particular situation which makes you want to object to processing on this ground; and
• request the transfer of your personal data to another party.

In the limited circumstances where you have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. If you have withdrawn your consent in relation to a particular purpose we will no longer process your information for that purpose, unless we have another legitimate basis for doing so in law.

If you would like to exercise any of these rights, please contact a member of the HR team or email  anne.darnell@zenboe.com

We may need to request specific information from you to help confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in these circumstances.

If you believe that Zenobe has not complied with your data protection rights, you can complain to the Information Commissioner https://ico.org.uk/concerns/

2.8 What if you do not provide personal data?

You have some obligations under your employment contract to provide Zenobe with data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. You may also have to provide Zenobe with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.

Certain information, such as contact details, your right to work in the UK and payment details, have to be provided to enable Zenobe to enter a contract of employment with you. If you do not provide other information, this will hinder Zenobe’s ability to administer the rights and obligations arising as a result of the employment relationship efficiently.

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

2.9 Automated decision-making

Employment decisions are not based on automated decision-making.

2.10 Security and Monitoring

During the course of our security and monitoring activities, personal data will be processed and stored in relation to your use of Zenobe premises, information and communication systems. In some cases, this may also include automated decisions in the generation of events that constitute outliers, security incidents and used to generate a severity or risk rating, or indicator of compromise. The following data is processed or stored:

• IP address & location data;
• Name, user-ID, device ID and or software associated with any access to or actions performed on our information and communication systems;
• Website traffic and email communications;
• Access and download of electronic information, or printing of any records; and/or
• Information obtained through your use of electronic door access systems, where Zenobe own’s and operates these systems.

2.11 Why we collect this information?

We process and store this information to:

• Ensure the safety of our employees and reduce the risk of harm or theft;
• Monitor business and personal use of our information and communications systems to ensure compliance with corporate policies, standards and procedures;
• Safeguard Zenobe data and that of its customers;
• Detect and prevent:
  • Network and information system abuse, misuse of distribution of malicious software or code;
  • Fraud; and
  • Data security breaches.

2.12 How we protect this information?

Information related to our security and monitoring activities is classified as ‘Company Confidential’, as such we limit and control access to this information via the adoption of both physical and logical controls to ensure access is only available to those who require it to perform their job roles.

2.13 Who do we share this information with?

Notwithstanding any third parties’ systems used to provide monitoring capabilities, we assure these third parties implement appropriate technical and organizational measures to safeguard the data they process or store on Zenobe’s behalf. Security and monitoring information is only shared on a “need-to-know” basis and only what is required to fulfil a given purpose within Zenobe, or with external parties where required to do so by law.

3 Candidate privacy policy

3.1 UK Candidate Privacy Policy – Recruitment and offer of employment process

Data Controller: Zenobe Energy Limited (Zenobe)

Data Protection Manager: Anne Darnell – Head of HR anne.darnell@zenobe.com

As part of our recruitment and employment offer of employment process, Zenobe collects and processes personal data relating to job applicants. We are committed to being transparent about how we collect and use that data and how we meet our data protection obligations.

What information does Zenobe as a recruiter and potential employer collect?

Zenobe collects a range of information about you during the recruitment and employment offer process. This includes;

• your name, gender, address and contact details, including email address and telephone numbers;
• other information you have stated on your CV including details of your qualifications, skills, experience and employment history;
• information about your current level of remuneration, including benefit entitlement;
• whether or not you have a disability which Zenobe needs to make reasonable adjustments during the recruitment process;
• information about your entitlement to work in the UK ; and
• reports from candidate tests as part of the selection process

We may collect this information in a variety of ways. For example, data might be contained in your CVs, obtained from your passport or other identity documents, collected by recruitment companies or online networking sites, or collected through interviews or other forms of assessment including online tests.

We also collect personal data about you from third parties, such as references supplied by former employers and in some cases information from employment background check providers. We will only seek information from third parties only once a job offer to you has been made and will inform you that we are doing this. Data will be stored in a range of different places, including on your application record, in HR management systems  and on other  internal IT systems (including email , SharePoint and on our applicant tracking system).

Why does the Zenobe process personal data?

We need to process data to enable us to assess your application and, where relevant, to prepare to enter into a contract of employment with you. We need to process data to ensure that we are complying with our legal obligations. For example, we are required to check successful applicant’s eligibility to work in the UK before employment starts. Zenobe has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows us to manage the recruitment process, assess and confirm a candidate’s suitability for employment and decide to whom to offer a job. We may also need to process data from job applicants to respond to and defend against legal claims.

After acceptance of an offer of employment, we also collect information about whether or not applicants are disabled to make reasonable adjustments for candidates who have a disability. We process such information to carry out our obligations and exercise specific rights in relation to employment.

Who has access to data?

Your information may be shared internally for the purposes of the recruitment exercise. This includes members of the HR and recruitment team, interviewers involved in the recruitment process, managers in the business area with a vacancy, the Founder Directors and IT staff if access to the data is necessary for the performance of their roles. Zenobe  will not share your data with third parties, unless your application for employment is successful and it makes you an offer of employment. Zenobe will then share your data with former employers to obtain references for you, and if needed employment background check providers to obtain necessary background checks. We will not transfer your data outside the UK or European Economic Area, except if we need to transfer your data to someone who is in a Zenobe group company outside of the UK or EEA.   All international transfers are done in accordance with the rules of GDPR.

3.2 How does Zenobe Energy protect data?

Zenobe takes the security of your data seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties. For example, our IT systems are password protected and access to confidential data is restricted and monitored.

How long does Zenobe keep data for?

If your application for employment is unsuccessful, Zenobe will hold your data on file for up to 24 months after the end of the relevant recruitment process.  We do this in case other vacancies arise which might be suitable for you, and in case we need to defend any legal claims. After this period, our policy is, in most circumstances, to delete your personal data from our system. This is subject to any legal or regulatory obligation to keep personal data for a longer period of time (for example if it is subject to our obligations as a Skilled Hire Sponsor). We will also hold your personal data for a longer period if it is required in connection with legal proceedings. If we would like to retain your data for longer than this we will ask for your consent which you will be able to withdraw at any time. If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your HR file and retained during your employment. The periods for which your data will be held will be after any employment with Zenobe ending is 10 years and this is documented in the Employee Privacy Policy which is issued as part of the onboarding process.

Your rights

As a data subject, you have a number of rights. You can:

• access and obtain a copy of your data on request;
• require Zenobe to change incorrect or incomplete data;
• request that Zenobe delete your data where there is no good reason for its continuing to process that data;
• ask us to suspend the processing of your data, for example if you want us to establish its accuracy or the reason for processing it;
• object to the processing of your data where Zenobe is relying on its legitimate interests as the legal ground for processing and there is something about your particular situation which makes you want to object to processing on this ground; and
• request the transfer of your personal data to another party.

If you would like to exercise any of these rights, please contact olivia.tonks@zenobe.com

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in these circumstances.

If you believe that Zenobe has not complied with your data protection rights, you can complain to the Information Commissioner.

3.3      What if you do not provide personal data?

You are under no statutory or contractual obligation to provide data to Zenobe Energy during the recruitment process. However, if you do not provide the information, Zenobe Energy may not be able to process your application properly or at all.

3.4      Automated decision-making

Recruitment processes are not based solely on automated decision-making

4 Data breach policy

4.1 Introduction

The protection of individuals in respect of the processing of their personal data is a fundamental right recognised by the EU and has been previously enshrined in European law.  The General Data Protection Regulation (the “GDPR”) is the latest update to those laws and has been implemented by the European Parliament to ensure that the laws in EU member states in respect of data protection keep pace with rapid technological developments in data processing.

To learn more about the GDPR and ZE’s approach to data protection, please refer to ZE’s Data Protection Policy.

The GDPR provides that certain specific actions take place if a data breach occurs.  This policy sets out how ZE intends to deal with data breaches and compliance with it is a responsibility shared by all employees.

4.2 What is a data breach?

Although you might assume that a data breach relates only to an unauthorised disclosure of personal data the GDPR defines it much more widely.

A data breach will occur when there has been a breach of security that leads to the accidental or unlawful:

• destruction;
• loss;
• alteration;
• unauthorised disclosure of; or
• access to;

personal data that is being transmitted, stored or otherwise processed.

4.3 What shouldn’t I do if I discover a data breach?

Do not ignore a data breach as a 72 hour notification deadline usually applies.  Even if you have limited details with regard to the breach, report what you know as soon as possible.

Do not disclose details of the data breach other than in accordance with this policy.

Report details of the breach on to a member of the Data Protection Committee or the legal team, or send an email to Sophie.Barr@Zenobe.co.uk.  Alternatively, if you would prefer to make an anonymous report you can do so by using ZE’s whistleblowing procedures which are available in the Employee Handbook.

Please ensure that you log the Breach with our IT provider who will assist in resolving any issues and ensure that logged and recorded.

You should make the report as soon as possible so that ZE has the maximum time available to take the necessary action.  Such action may include some or all of the following steps, amongst others:

• the legal team will evaluate the data breach including the likelihood and severity of the resulting risk to people’s rights and freedoms;

• the legal team will convene an urgent meeting to consider the data breach, initiate an expedited investigation and plan an urgent response;

• The legal team will:

• • advise upon notification requirements in respect of:

• • • the supervisory authority; and
    • data subjects.

• • if necessary, prepare a draft notification including:

• • • a description of the nature of the personal data breach including, where possible:

• • • • the categories and approximate number of individuals concerned; and
      • the categories and approximate number of personal data records concerned;

• • the name and contact details of the contact point where more information can be obtained;

• • • a description of the likely consequences of the personal data breach; and
    • a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects,
  • in each case for circulation amongst and approval by the Founders. You should not attempt to make any notifications yourself.
• The legal team will update the data breach register.

ALL DISCUSSION AND DECISIONS IN RESPECT OF A DATA BREACH SHOULD BE DOCUMENTED AND FILED ACCORDINGLY FOR FUTURE REFERENCE.

4.4 What if a 3^rd party tells me about a data breach they have suffered?

You should follow the same advice as is set out under “What shouldn’t I do if I discover a data breach?” and “What should I do if I discover a data breach?” above.

5 Data subject’s rights policy

5.1 Introduction

The protection of individuals in respect of the processing of their personal data is a fundamental right recognised by the EU and has been previously enshrined in European law.  The General Data Protection Regulation (the “GDPR”) is the latest update to those laws and has been implemented by the European Parliament to ensure that the laws in EU member states in respect of data protection keep pace with rapid technological developments in data processing.

To learn more about the GDPR and ZE’s approach to data protection, please refer to ZE’s Data Protection Policy.

The GDPR grants certain rights to individuals to strengthen their control over their data.  This policy sets out how ZE intends to deal with requests that it may receive in respect of the exercise of data subjects’ rights and compliance with it is a responsibility shared by all employees.

5.2 What are the rights? 

5.3 What shouldn’t I do with a request to exercise rights?

Do not ignore a request as there is usually a strict one-month time limit for responding.

Do not try to respond to the request.

Pass the request on to the legal team as soon as possible so that they have the maximum time available to take the necessary action.  Such action may include some or all of the following steps, amongst others:

• the legal team to

• • evaluate the validity of the request, including the identity of the requestor;

• • to consider the request, whether a ‘reasonable fee’ should be paid, as well as plan a response;

• • request relevant shared service teams contact relevant third parties in connection with the request;

• • recommend a course of action; and

• • prepare a draft response to the requestor that is in a concise, transparent, intelligible and easily accessible form using clear and plain language,

in each case for circulation amongst and approval by to the Founders.

5.4 Can ZE charge a fee for dealing with a request to exercise rights? 

A response to request to exercise rights must be provided free of charge.  However, ZE can charge a ‘reasonable fee’ based on the administrative cost of providing the information if a request is manifestly unfounded or excessive, particularly if it is repetitive or if further copies of the information previously provided is requested.

6 Subject access request policy

6.1 Introduction

The protection of individuals in respect of the processing of their personal data is a fundamental right recognized by the UK and EU and has been previously enshrined in law.  The General Data Protection Regulation (the “GDPR”) is the latest update to those laws and has been implemented across the EU and the UK to ensure that the laws in the UK and EU member states in respect of data protection keep pace with rapid technological developments in data processing.

To learn more about the GDPR and ZE’s approach to data protection, please refer to ZE’s Data Protection Policy.

The GDPR includes a ‘right of access’ which grants individuals the right to request access to their personal data from data controllers and data processors via what is known as a ‘subject access request’ (a “SAR”).  The purpose of granting individuals such a right is so that they are aware of and can verify the lawfulness of any processing being carried out in respect of their personal data.

This policy sets out how ZE intends to deal with SARs it receives and compliance with this policy is a responsibility shared by all employees.

6.2 What information is an individual entitled to under the GDPR? 

Under the GDPR, individuals have the right to obtain:

• confirmation that their data is being processed;
• access to their personal data; and
• certain other supplementary information regarding the processing carried out in respect of their personal data. For example, the purpose of the processing, the recipients of the personal data and the period for which personal data will be stored.

6.3 How can I identify a subject access request?

In a perfect world, SARs would be clearly labelled as such.  However, that is unlikely to always be the case and therefore ZE’s policy is to treat any request for information about an individual’s personal data as a SAR, whether it strictly satisfies the relevant criteria.  A SAR may not be presented formally and could be received by post or by email or via other means such as social media.

If you have any doubt about whether a request you have received is a SAR, you should contact the legal team as soon as possible.

6.4 What shouldn’t I do with a SAR?

Do not ignore a SAR as there is usually a strict one-month time limit for responding.

Do not try to respond to a SAR yourself.

6.5 What should I do with a SAR?

Pass the request on to the legal team as soon as possible so that they have the maximum time available to collate a response.  In order to provide a compliant response to the requestor it may be necessary for the following stakeholders to take some or all of the following steps:

• the legal team to evaluate the validity of the SAR, including the identity of the requestor.
• the legal team to convene a meeting to consider the SAR, whether a ‘reasonable fee’ should be paid, as well as plan a response.
• The legal team to prepare a draft response to the SAR and circulate to the Founders for approval.

Any response prepared by the legal team will be provided, where appropriate, via the same means as it was received.

6.6 Can ZE refuse to respond to a SAR?

Yes, but only if the SAR is manifestly unfounded or excessive because it is repetitive.

The legal team will consider whether a SAR is manifestly unfounded or excessive when they first receive it.  If the legal team do consider a SAR to be manifestly unfounded or excessive then they will respond to the individual without undue delay, and in any event within one month, explaining why they have reached that decision and informing the individual of their right to complain to the supervisory authority and to a judicial remedy.

6.7 Can ZE charge a fee for dealing with a subject access request?

A response to the SAR must be provided free of charge.  However, ZE can charge a ‘reasonable fee’ based on the administrative cost of providing the information if a SAR is manifestly unfounded or excessive, particularly if it is repetitive or if further copies of the information previously provided is requested.

7 References to Regulatory and Industry Standards

References to Regulatory and Industry Standards are listed in the table below.

8 References to Other Documents

References to other Policies, Standards, Procedures, Forms, or other Document Types in this document are listed in the table below.

9 External References

References used or cited in the creation of this document are listed in the table below.

Other comments

[1] Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, UK, Lichtenstein, Iceland and Norway – http://ec.europa.eu/justice/data-protection/international-transfers/index_en.htm

[2] Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, Uruguay, UK, https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en