Privacy Policy
1.0 Introduction
1.1 About Cenex
1.1.1 This privacy notice is for The Centre of Excellence for Low Carbon & Fuel Cell Technologies (Cenex, referred to as “we”, “us” or “our” in this Policy).
1.1.2 The data controller, Cenex, is a UK private company limited by guarantee (number 05371158), based at Holywell Building, Holywell Park, Ashby Road, Loughborough, Leicestershire, England, LE11 3UZ.
1.1.3 We can be contacted at info@cenex.co.uk or by enquiring through our website.
1.2 About this privacy notice
1.2.1 Cenex is committed to treating your private information with respect, and operating legally and compliantly wherever we work.
1.2.2 As a non-profit, independent consultancy based in the EU, we have chosen to apply the EU’s data privacy laws, known as the General Data Protection Regulations (GDPR) to all information we process, regardless of origin.
1.2.3 In-line with these regulations, we want to let you know:
- 1.2.3.1 What information we may collect about you
- 1.2.3.2 What we use your personal information for
- 1.2.3.3 How we store your personal information
- 1.2.3.4 Who (if anyone) we pass your information on to and for what purpose
- 1.2.3.5 How you can raise any concerns about the accuracy, processing or use of your personal information
1.2.4 This privacy notice was drafted with brevity and clarity in mind. Due to our diverse portfolio of consultancy work, it cannot provide exhaustive detail of all aspects of Cenex’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the addresses above.
1.3 Contact details
1.3.1 We have appointed a Data Protection Officer (DPO) who is in charge of privacy- related matters for us. If you have any questions about this Privacy Policy, our procedures or practices, please contact the DPO using the details below:
1.3.2 Data Protection Officer, Cenex, info@cenex.co.uk
1.3.3. It is very important that the information we hold about you is accurate and up-to-date. Please let us know if at any time your personal information changes.
2.0 Information collection and storage
2.1.1 This section lays out when information is collected, why it is collected, where it is stored and how it is protected, along with relevant notes or other important statements.
2.2 Visitors to our websites
2.2.1 When – When someone visits www.cenex.co.uk, we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns.
2.2.2 Why – We process this data to analyse your use of our website and other online services, to administer and protect our business, to deliver relevant website content to you, and to understand the effectiveness of our content.
2.2.3 Where – This information is stored on the Google Analytics servers in the US and may be downloaded onto our staff’s devices as part of their work.
2.2.4 How – Google’s servers are encrypted and access is via a strong password through a password-protected device for a limited set of Cenex staff members and our marketing contractors. Read the Google Analytics Privacy Policy.
2.2.5 Note – We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. This information is processed in such a way that does not identify anyone.
2.2.6 Note – You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our website may become inaccessible or not function properly.
2.3 E-newsletter
2.3.1 When – When someone signs-up to our e-newsletter, we use a third-party service, MailChimp, to handle your contact information and preferences. MailChimp also gathers statistics around email-opening and clicks by using industry-standard technologies.
2.3.2 Why – We do this to keep in touch with you and so that we can monitor and improve our e-newsletter.
2.3.3 Where – The information is stored on MailChimp’s servers in the USA and may be downloaded onto our staff’s devices as part of their work.
2.3.4 How – MailChimp’s servers operate within the EU Privacy Shield, are encrypted and access is via a strong password through a password-protected device for a limited set of Cenex staff members and marketing contractors. Read the MailChimp Privacy Policy
2.3.5 Note – When someone enters an email address to subscribe (whether directly on our website or through our web forms), we will send a confirmation to verify their identity before accepting a subscription. All emails contain an explanation of why the recipient is on the list as well as a simple option to unsubscribe at the bottom the message. Recipients may also unsubscribe by emailing info@cenex.co.uk or visiting http://eepurl.com/duieZP and checking/unchecking the relevant boxes to adjust your marketing preferences.
2.4 General web forms
2.4.1 When – When someone submits a form on our website, it collects and handles the information before it is emailed across to a general Cenex email address.
2.4.2 Why – We do this to handle your enquiry.
2.4.3 Where – The information is stored on the our WordPress servers before being shared via email to our staff. Read Wordpress’ Privacy Policy .
2.4.4 How – The WordPress servers are encrypted and access is via a strong password through a password-protected device for Cenex staff members and our marketing contractors.
2.4.5 Note – If we do want to collect personally identifiable information through our web forms, we will be up-front about this. We will always make it clear when we collect personal information and will explain what we intend to do with it – this will be in a statement above the ‘submit’ button on all forms.
2.5 Social media
2.5.1 When – When someone engages with us on social media or other messaging platforms, we use HootSuite and our Social Media platforms to engage with you directly or through broadcast means. The platforms gather statistics around engagement and clicks by using industry-standard technologies.
2.5.2 Why – We do this to keep the general public aware of important, interesting and helpful news from Cenex.
2.5.3 Where – The information is stored on HootSuite’s servers in Canada and the US, LinkedIn’s servers in the US, Twitter’s servers in the US or Ireland and may be downloaded onto our staff’s devices as part of their work.
2.5.4 How – All these systems’ servers are encrypted and access is via a strong password through a password-protected device for a limited set of Cenex staff members and marketing contractors. Read the Privacy Policies for the platforms here: Twitter; LinkedIn; Hootsuite.
2.5.5 Note – If you send us a private or direct message via social media, the message will be stored by the Social Media platform on their standard terms. It will not be shared with any other organisations.
2.5.6 Note – Cenex is not responsible for any other information collected on you by Social Media companies.
2.6 Email
2.6.1 When – when someone emails us, we use a third-party service, Office 365 by Microsoft, to handle and respond to your enquiry or contact.
2.6.2 Why – We do this to deal with your email and ensure we serve you in accordance with our mission statement.
2.6.3 Where – This information is stored on the Microsoft servers in European Union and may be downloaded onto our staff’s devices as part of their work.
2.6.4 How – Microsoft servers are encrypted and access is via a strong password through a password-protected device by any of our staff. Read Microsoft’s Privacy Policy.
2.6.5 Note – Any email sent to us, including any attachments, may be monitored and used by us for reasons of security and for monitoring compliance with our office policy. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.
2.7 LCV Event (in-person)
2.7.1 When – when someone registers to attend our LCV Event, we and our co-organisers Millbrook use Event Reference by RefTech to process your information.
2.7.2 Why – We do this to enable you to attend, participate in and make the most of the event.
2.7.3 Where – This information is stored on RefTech’s servers in Germany and may be downloaded onto our staff’s devices as part of their work.
2.7.4 How – RefTech’s servers are accessed via strong password through a password- protected device by any of our staff. Read RefTech’s Privacy Policy.
2.7.5 Note – Individuals who register for LCV will only be contacted by us about Cenex’s physical or online events
2.8 Clear Capture
2.8.1 When – when someone uses our ClearCapture service, we use Mythic Beasts to process your information.
2.8.2 Why – We do this to provide a fleet review, fleet tracking or driving behaviour diagnostic service.
2.8.3 Where – This information is sent back securely to Mythic Beasts in the UK and GoSafe in the US using the GSM network, where it is stored on their secure servers. Information may be accessed or downloaded onto our staff’s devices as part of their work. We will only share this information with our partners and affiliates as our contract with the user allows.
2.8.4 How – Access to Mythic Beast is via a strong password through a password-protected device by any of our staff.
2.9 Vehicle CANbus telemetry
2.9.1 When – when someone uses our CANbus telemetry service, we use our own systems to process your information.
2.9.2 Why – We do this to provide a driving behaviour, detailed fleet tracking or vehicle diagnostic service.
2.9.3 Where – This information is sent back securely to Cenex using the GSM network, where it is stored on our secure in-house servers. Information may be accessed or downloaded onto our staff’s devices as part of their work. We will only share this information with our partners and affiliates as our contract with the user allows.
2.9.3 How – Cenex’s servers are encrypted and access is via a strong password through a password-protected device by our staff.
2.10 Personal Data required for provision of contractual services
2.10.1 When – When we are engaged to complete Research & Development, innovation or consultancy work, we may be required to process personal information.
3.10.2 Why – We do this to provide an R&D, innovation or consultation service to our contracted client
2.10.3 Where – This information will be transmitted, processed and stored according to the nature of the work. We will therefore complete a GDPR check and (if required) Data Protection Impact Assessment in the initiation stage of projects, allowing us to store such information in systems protected by appropriate organisational and technical measures.
2.10.4 How – Appropriate organisational and technical measures (to be determined project- by-project) will be taken to ensure the security and safety of the personal information in question.
2.11 LCV Event (online)
2.11.1 When – when someone registers to attend our online LCV Event, we use The Virtual Event Company (TVEC) to process your information.
2.11.2 Why – We do this to enable you to attend, participate in and make the most of the event.
2.11.3 Where – This information is stored on TVEC’s servers in the EEA and may be downloaded onto our staff’s devices as part of their work.
2.11.4 How – TVEC’s servers are accessed via strong password through a password-protected device by any of our staff. Read TVEC’s Privacy Policy.
2.11.5 Note – Individuals who register for LCV will only be contacted by us about Cenex’s physical or online events.
2.12 National EV Insight and Strategy (NEVIS)
2.12.1 When – when someone uses our NEVIS service, we use our subcontractor PDC to process your information. If your information relates to an English Local Authority, we may also share your personal data with our partners Energy Saving Trust and PA consulting.
2.12.2 Why – We do this to provide a service of quantitative modelling, qualitative advice, networking, events and LEVI Fund application advice.
2.12.3 Where – This information is sent securely to PDC, where it is stored on their secure servers. Information may be accessed or downloaded onto our staff’s devices as part of this work and PDC’s staff devices.
2.12.4 How – Access to the web servers is via a strong password through a password-protected device by any of our staff or PDC’s staff.
3.0 Information processing
3.1.1This section lays out the basis for processing your information, what information is processed, who processes it and how long it is held for.
3.2 Answering enquiries
3.2.1 Basis – Cenex has a legitimate interest to process personal data received from individuals to enable us to respond to your enquiry. Submitting an enquiry in whatever form means you are happy for us to use your personal information as described in this policy.
3.2.2 What – Some or all of the following information may be collected: full name, email address, postal address, phone number and the nature of your enquiry, which may include any personal information you choose to share with us.
3.2.3 Who – Cenex operations or marketing staff will receive the initial enquiry and may pass some or all of the information described above to relevant staff members in order for us to respond effectively.
3.2.4 How long – Information from enquiries is held for up to 1 year in case you submit further enquiries in that time.
3.3 Assessing job applications
3.3.1 Basis – Cenex has a legitimate interest to process personal data received from individuals when they apply to work at Cenex. Submitting a job application means you are happy for us to use your personal information as described in this policy.
3.3.2 What – Some or all of the following information may be collected for: full name, email address, postal address, phone number, birthday, gender, ethnicity, marital status, educational background, work history, hobbies, skills, and any other information you choose to share about yourself as part of your application.
3.3.3 Who – Cenex administrative and operations staff will receive the initial enquiry and may pass some or all of the information described above to relevant staff members in order for us to respond effectively.
3.3.4 Note – Where we want to disclose information to a third-party, for example where we want to take up a reference or obtain a ‘disclosure’ from the UK Criminal Records Bureau or similar European agencies, we will not do so without informing you beforehand, unless the disclosure is required by law.
3.3.5 Note – Printed information is disposed of securely following any interview.
3.3.6 Note – Information from job applications held for 1 year in case you submit further enquiries in that time.
3.4 Employment of staff
3.4.1 Basis – Cenex has a contractual obligation to process personal data received from individuals who we employ. Signing your employment paperwork means you enter a contract with Cenex for us to use your personal information as described in this policy.
3.4.2 What – Some or all of the following information may be collected: full name, email address, postal address, date of birth, national insurance number, qualifications, emergency contact details, banking information, pension preferences, performance data, line-management notes and absence/sickness information.
3.4.3 Who – Cenex administrative, operations and line-management staff may receive some or all of the information described above in order to fulfil our contractual obligations to the employee.
3.4.4 Note – Information about employees will be held for 2 years after the termination of their employment contract in case of employment tribunal or other legal requirements.
3.4.5 Note – Information about employees may be held for longer to comply with our statutory requirements as an employer.
3.4.6 Note – Personal data is considered sensitive if it includes racial, ethnic, political, religious, trade union, health, sexual or criminal data. This type of data will only be collected and processed where it is absolutely necessary to carry out our obligations as an employer.
3.4.7 Note – The Company will review personal data regularly to ensure that it is accurate, relevant and up to date. What data is reviewed and how often is detailed in the Company Handbook.
3.5 Electronic Marketing
3.5.1 Basis – Cenex has obtained consent from individuals to market to them electronically. Signing up to our e-newsletter and confirming your agreement with our privacy policy is taken as consent.
3.5.2 What – Some or all of the following information may be collected: full name, email address, job title, company name, topics of interest and industry-standard email performance data.
3.5.3 Who – Cenex administrative, marketing and operations staff may use and process some or all of the information described above in order to market Cenex’s activities, events and news to you.
3.5.4 Note – Information will be held until the contact unsubscribes. The marketing contact lists will be scrubbed every six months to remove information about contacts which is over a year old.
3.5.5 Note – Cenex’s marketing activities comply with the Privacy and Electronic Communications Regulations.
3.6 Contractual and consultation services
3.6.1 Basis – Cenex has a legitimate interest to process information relating to individuals when completing its R&D, innovation or consultancy work. Appropriate checks are completed at the inception of the project to ensure that legitimate interests is an appropriate basis on which to process such information.
3.6.2 What – A wide range of information may be collected, depending on the nature of the brief. This will be described in project-specific documentation completed in our on- boarding process, maintained throughout the project and confirmed at the project closure.
3.6.3 Where – This information will be transmitted, processed and stored in different ways, according to the nature of the work. We will therefore complete a GDPR check and (if appropriate) a Data Protection Impact Assessment in the initiation stage of projects, allowing us to store such information in systems protected by appropriate organisational and technical measures.
3.6.4 How – Appropriate organisational and technical measures (to be determined project- by-project) will be taken to ensure the security and safety of the personal information in question.
3.7 Historical, Scientific and Research activities
3.7.1 Basis – Under Article 6(4) and in accordance with Article 89(2) of the GDPR, Cenex may complete further processing on data for scientific/historical research or statistical purposes.
3.7.2 What – A wide range of information may be processed, depending on the nature of the research in-question. This will be restricted to the research purposes and described in project-specific documentation completed in our on-boarding process, maintained throughout the project and confirmed at the project closure. Where possible, anonymisation or pseudonymisation of the data will be completed to add additional suitable safeguards to the individuals impacted.
3.7.3 Where – This information will only be processed in our internal systems and stored on our secure server in our office. A GDPR check will be completed before taking on such projects, allowing us to ensure that suitable safeguards are maintained.
3.7.4 How – Appropriate organisational and technical measures (to be determined project- by-project) will be taken to ensure the security and safety of the personal information in question.
3.8 Internal Uses
3.8.1 To help us fulfil our mission, we share information and data with some external processors and third-party applications. We have assessed all these processors to ensure our continued compliance with our obligations to users, clients and legislation such as the GDPR.
3.8.2 We list those processors here, since data may be shared with them, and outline the agreements in-place.
3.8.3
Service: | Company: | Purpose: | Data Storage: | Terms / Conditions: |
---|---|---|---|---|
Low-carbon transport consultancy and R&D | Stichting Cenex Nederland | Sub- contracting for consultancy and R&D | Cenex NL has mirrored Cenex’s privacy policy
and procedures, and signed a Data Protection Addendum to ensure all data passed from Cenex to Cenex NL is handled appropriately |
https://cenexgroup.nl/privacypolicy/ |
Tax and Business advice including yearend and project
audits |
Charnwood Accountants and Business Advisors | Preparing Accounts, tax returns and audit reports to comply
with legal, statutory or contractual requirements |
All data is stored securely and
kept in line with Charnwood Accountant’s retention policy. Data is stored in the UK. |
Engagement letter which outlines how all date including personal data is collected, used and stored. The letter also includes a copy of Charnwood Accountant’s privacy notice. |
IT service provider, including support helpdesk and
management of back office systems. |
IITL Limited (trading as Infinity IT) Solutions | IT Support | All personal data is processed and stored securely, for no longer
than is necessary in light of the reason(s) for which it was first collected. Data is stored in the UK. |
A contract which contract states that both parties will comply with the Data Protection legislation, and both parties must have appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data.
https://www.infinityit- solutions.com/privacy-policy-infinity/ |
Web developers and host our websites | Project Development Consultants (PDC) | Web developers | All personal data is stored on Cenex’s servers with secure access | Cenex and PDC have signed a Data Protection Addendum to ensure appropriate organisational and technical measures are in place to protect data subjects. |
LCV event management | LMG Events
(Ashby) Ltd |
Supporting
the LCV event setup and management |
Personal data relating to attendees registering for Cenex’s LCV Event | Cenex and LMG Events have signed a Data Protection Addendum to ensure appropriate organisational and technical measures are in place to protect data subjects. |
Cloud file storage provider | Egnyte Inc | Remote access to files | Egnyte, Inc. participates in and has certified its compliance with the EU–U.S. Privacy Shield Framework. Egnyte, Inc. is committed to subjecting all personal data received from European Union (EU) member countries or the United Kingdom, in reliance on the Privacy Shield Framework.
Data is stored within the EEA. |
Egnyte terms of service which we agreed to when purchasing.
The terms of services state that Egnyte will comply with the data protection and information security procedures described in Egnyte’s Data Protection Addendum.
https://www.egnyte.com/terms-of- service
https://www.egnyte.com/enterprise- tos/data-protection-addendum |
Online LCV Event | The Virtual Event Company (TVEC) | Software platform and hosting of virtual events | Personal data relating to attendees registering for Cenex’s online LCV Event. | Cenex and TVEC have signed a Data Protection Addendum to ensure appropriate organisational and technical measures are in place to protect data subjects. |
4.0 Your rights and notes
4.1 As a data subject, you may:
- 4.1.1.1 Access and obtain a copy of your data on request
- 4.1.1.2 Require Cenex to change incorrect or incomplete data
- 4.1.1.3 Require Cenex to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing (unless retention is required for legal reasons)
- 4.1.1.4 Object to the processing of your data where Cenex is relying on its legitimate interests as the legal ground for processing; and/or object to the processing of your data for historical/scientific research and statistical purposes, so long as you can demonstrate this relates to your particular situation and the processing is not being carried out for reasons of public interest.
4.2 Complaints or queries
4.2.1 Cenex strives to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
4.2.2 Please send any complaints to the details below.
4.2.3 You also have the right to lodge a complaint with the data protection supervisory authority, The UK Information Commissioner’s Office (ICO) who can be contacted at https://ico.org.uk/concerns/handling
4.3 Access to personal information
4.3.1 Cenex tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the GDPR. If we do hold information about you, within 30 days we will:
- 4.3.1.1 Give you a description of it
- 4.3.1.2 Tell you why we are holding it
- 4.3.1.2 Tell you who it could be disclosed to
- 4.3.1.3 Let you have a copy of the information in an intelligible form.
4.3.2 To make a request to Cenex for any personal information we may hold, you need to put the request in writing addressing it to our DPO, including your full name, postal address, daytime telephone number, whether you seek general information or specific information and proof of your identity.
4.3.3 Having proved your identity, with your permission, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone. Where this is not possible, we will make available all applicable personal data in a format that is reasonable and manageable
4.3.4 If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting our DPO.
4.4 Disclosure of personal information
4.4.1 We do not and will never disclose personal data without prior consent, except where required by law.
4.5 Data retention
4.5.1 We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. This is laid out in detail in Section 4.
4.5.2 When deciding what the correct time is to keep the data for we look at its amount, nature and sensitivity, potential risk of harm from unauthorised use or disclosure, the processing purposes, if these can be achieved by other means and legal requirements.
4.5.3 For tax purposes the law requires us to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they stop being customers.
4.6 International Transfers
4.6.1 We are subject to the provisions of the GDPR that protect your personal data. Where we transfer your data to third parties outside of the EEA, we will ensure that certain safeguards are in place to ensure a similar degree of security for your personal data such as:
- 4.6.2 Transferring your personal data to countries that the European Commission have approved as providing an adequate level of protection for personal data by;
- 4.6.3 Using US-based providers that are part of EU-US Privacy Shield or have equivalent safeguards in place; or using certain service providers who are established outside of the EEA with specific contracts, codes of conduct or certification mechanisms approved by the European Commission which give personal data the same protection it has in Europe.
4.6.4 If none of the above safeguards is available, we may request your explicit consent to the specific transfer. You will have the right to withdraw this consent at any time.
4.7 Links to other websites
4.7.1 This privacy notice does not cover the links within our websites linking to other websites, plug-ins or applications.
4.7.2 Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements.
4.7.3 We encourage you to read the privacy statements on the other websites you visit.
4.8 Changes to this privacy notice
4.8.1 We review our privacy notice at least once per year. This privacy notice was last updated on 21st November 2022.
4.9 How to contact us
4.9.1 If you want to request information about our privacy policy you can contact us directly through our website, email info@cenex.co.uk or write to:
4.9.2 DPO, Cenex, Holywell Building, Holywell Park, Loughborough, Leicestershire, England, LE11 3UZ