Skip to main content
Menu

NNB third party privacy notice

Who we are

NNB Generation Company (HPC) Limited ("we”) are a nuclear site licence company which will develop, construct, own, operate, maintain and decommission the nuclear new build power plant at the Hinkley Point C site in Somerset. We also own and operate Trimdon Grange Wind Farm, which involves the generation and sale of electricity.  We are a registered private limited company (no. 06937084) and our registered address is at 90 Whitfield Street, London, England, W1T 4EZ.

This notice applies to any third party who provides information to us. This may include visitors to our sites and contractors working with us, including agency supplied workers, managed service workers and embedded contractors.  It does not apply to employees.

We respect your privacy and value the trust you place in us when you share your personal information with us. This notice sets out how we collect and use your personal information, why we use it, with whom we share it, the rights to which you may be entitled and your choices about our use of your personal information, that may arise from your interactions with us.

If you have any questions please get in touch with our Data Protection Officer: at dpo@edfenergy.com or 90 Whitfield Street, London, W1T 4EZ.

 

Changes to our privacy notice

We keep our notice under review and this notice will be updated from time to time but if we change anything important about this notice (the information we collect, how we use it or why) we will highlight those changes to you.

 

Summary – What we collect, how we collect and why we collect information about you

We collect certain types of information from and / or about you throughout our interaction with you, your employing organisation, third party service providers or publicly available sources. This information may include your name, address, contact details, curriculum vitae, and medical information. We use this information for the activities we have listed in the table below, including in order for us to manage the services that you or your employing organisation provide to us; to comply with legal and regulatory obligations; for marketing and reporting purposes; for the prevention of fraud and investigation of complaints.

When you provide us with information you are consenting that we may collect and use it in the way we have set out.

We will keep your information for as long as it is reasonably necessary or as long as is set out in any relevant contract you hold with us. It will depend on factors such as whether you are working on our sites, have attended one of our visitor centres recently or you or your employer have an ongoing relationship with us or have recently interacted with us regarding future relationships. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Types of information we collect

The categories of information we may collect include:

What we collect

The information we may collect about you includes:

How we use it

We may use this information for certain activities, including to:

Why we use it

We may use this information because:

Information when you communicate with us whether in person, through our website or via email, over the telephone, through social media or via any other medium

  • Your contact details: your name, address, email address, telephone number(s).
  • The details of your communications with us.
  • The details of our messages to you.
  • Your marketing preferences.
  • Answer any issues or concerns.
  • Public consultation and stakeholder engagement.
  • Monitor stakeholder communications.
  • Improve our engagement with you.
  • Personalise our engagement with you.
  • Deal with any complaints.
  • For the purposes of marketing / sending invitations to events.
  • We have a legitimate business interest in:
    • understanding public feedback and in responding to communications in a consistent manner;
    • ensuring that we are better able to personalise our engagement with the public.
  • In addition to the above, where we have obtained your consent to use the data in this explicit way, then we can rely on that consent.

Information you give us when working at or visiting our offices or sites

  • Your contact details including: your name, address, email address, telephone number(s).
  • Personal identification details including your nationality, passport, national identity card, or drivers’ licence number.
  • Your date of birth.
  • Your job title and employing organisation.
  • The date, time and length of your visits.
  • We use this information to regulate and restrict access to our offices and sites.
  • Organise and monitor attendance of our offices and sites.
  • Manage and administer our systems.
  • We have a legitimate business interest in:
    • ensuring that we comply with our regulatory and legal obligations, including our nuclear site licence;
    • ensuring the safety and security of nuclear sites;
    • investigating possible/actual incidences of fraud or non-compliance with laws.
  • In addition to the above, where we have obtained your consent to use the data in this explicit way, then we can rely on that consent.

Information you provide to us during a contract tendering process, contract negotiation or operation of a contract

  • Your contact details, including: your name, your address, your email address, your telephone number.
  • Your job title and employing organisation.
  • We use this information to conduct any discussions, negotiations, consultations or other interactions. 
  • We store contact details of people outside our organisation with whom we interact.
  • It’s necessary to perform the contract and tender exercise.
  • We have a legitimate business interest in:
    • ensuring that we comply with our regulatory and legal obligations;
    • developing and maintaining relationships with vendors, partners and other companies and dealing with individuals who work for them.

Information obtained as a result of a criminal records check

  • Criminal records information.
  • To complete our security checks.
  • To comply with our regulatory obligations in relation to Office of Nuclear Regulation (and in all cases checks are carried out only under the control of an official authority).
  • It is necessary for contractors to work on our sites.
  • We have a legitimate business interest in:
    • ensuring that we comply with our regulatory and legal obligations, including nuclear site requirements;
    • ensuring the safety and security of nuclear sites;
    • ensuring the suitability of contracted staff in relation to relevant roles;
    • maintaining appropriate records in relation to potential legal claims.

Information about your role, workplace performance and progression

  • Which member of our staff you report to.
  • Your role and employment history.
  • Your skills and experience (including CV).
  • Your attendance record.
  • Your training records.
  • To manage our workforce and ensure you integrate into the team on the particular project on which you are working.
  • We have a legitimate business interest in:
    • ensuring that we comply with our regulatory and legal obligations, including nuclear site requirements;
    • managing the performance of our contractors;
    • managing contractors’ attendance at work;
    • maintaining appropriate records in relation to potential legal claims.

Information about your fitness for work

  • Your attendance record.
  • Your sickness records.
  • Results of drugs and alcohol testing.
  • Display Screen Equipment Assessments.
  • Personal Evacuation Plans.
  • Information provided to us by your employer regarding your health and/or reasonable adjustments which you need in the workplace.
  • To assess your fitness for work.
  • To provide appropriate support to contractors with health and wellbeing issues.
  • To comply with our legal obligations, such as the duty to make reasonable adjustments and provide a safe working environment.
  • To manage our workforce if you are sick or not well.
  • We have a legitimate business interest in:
    • ensuring that we comply with our regulatory and legal obligations (such as health and safety obligations);
    • planning and managing our workforce;
    • maintaining appropriate records in relation to potential legal claims.
  • It is necessary for the purposes of preventive or occupational medicine, for the assessment of your working capacity, medical diagnosis, or the provision of health or social care or treatment.

Information we need to contact you 

  • Your personal and work contact details including your name, address, email address, telephone number(s).
  • Your date of birth.
  • To contact you.
  • It is necessary to perform our duties under a contract with your employer.
  • We have a legitimate business interest in:
    • ensuring appropriate records are kept of third parties on site;
    • maintaining appropriate records in relation to potential legal claims.

Information required to allow you to access systems in order to effectively carry out your role

  • Your contact details.
  • Monitoring of our systems.
  • To enable contractors to view data held on our systems.
  • To enable contractors to log their work.
  • We have a legitimate business interest in:
    • providing access to users to systems required for us to properly carry out our business.

Information about the way you use information provided by us to you or your employing organisation

  • Your name and email address.
  • The date, time and length of your accessing information from our electronic databases.
  • Which information you consult and how frequently.
  • Whether you have clicked on links in electronic communications from us or visited pages on our website.
  • Your IP address and location data.
  • We analyse access and monitor frequency, date and time of accessing our information.
  • Statistical analysis, research, and reporting.
  • Help to train our staff.
  • Test computer systems.
  • Keep a record of the information which you have been provided. 
  • We have a legitimate business interest in:
    • ensuring that we comply with our regulatory and legal obligations;
    • improve our information communication and better understand how you use information;
    • ensure that we are better able to personalise information to you;
    • protect our business interests by ensuring that vendors, partners and other companies and individuals who work for them are genuine.

Information you provide to us in your capacity as employee of, or agent for, a public authority with whom we interact 

  • Your contact details including: your name, address, email address, telephone number(s).
  • Your date of birth.
  • Personal identification details including your nationality, passport, national identity card, or drivers’ licence number.
  • Your job title and employing organisation.
  • The date, time and length of your visits to our sites.
  • We use this information to conduct any discussions, negotiations, consultations or other interactions.  
  • We have a legitimate business interest in:
    • ensuring that we comply with our regulatory and legal obligations;
    • developing and maintaining relationships with vendors, partners and other companies and dealing with individuals who work for them.
  • In addition to the above, where we have obtained your consent to use the data in this explicit way, then we can rely on that consent.

Information we collect from third party partners 

  • Credit rating information from credit reference agencies.
  • Details of work or services you have provided.
  • Manage and administer our systems.
  • Evaluate your capacity to act on behalf of our organisation.
  • Help us to ensure that our vendors, partners and other companies and individuals who work for them are genuine and to prevent fraud.
  • Statistical analysis and research into vendors, partners and other companies and individuals who work for them.
  • We have a legitimate business interest in:
    • developing and maintaining relationships with vendors, partners and other companies and dealing with individuals who work for them;
    • ensuring our partner contacts are duly authorised to engage with us on behalf of our contractors and other service providers.
  • In addition to the above, where we have obtained your consent to use the data in this explicit way, then we can rely on that consent.

Information that we collect from you in order to comply with all relevant laws, regulations, industry codes and government instructions, and to deal with complaints

  • Your contact details including: your name, address, email address, telephone number(s).
  • Your date of birth.
  • Personal identification details including your passport, national identity card, or drivers’ licence number
  • Your job title and employing organisation.
  • Health and medical data.
  • Your skills and experience (including CV).
  • Report to relevant governmental and supervisory bodies such as the Department for Energy Security and Net Zero (DESNZ) .
  • Monitor services provided to us.
  • To ensure personnel are suitably qualified and experienced for the work being carried out.
  • Investigate incidences of potential, or actual, fraud or non-compliance with laws.
  • Respond to requests made by law enforcement or regulatory authorities, bodies or agencies, or in the defence of a legal claim.
  • Deal with complaints received.
  • We need to comply with legal obligations.
  • We have a legitimate business interest in:
    • ensuring that we comply with our regulatory and legal obligations;
    • ensuring capacity to work;
    • investigating possible/actual incidences of fraud or non-compliance with laws;
    • resolving any complaints we may receive;
    • maintaining appropriate records in relation to potential legal claims.
  • In addition to the above, where we have obtained your consent to use the data in this explicit way, then we can rely on that consent.

Information that we collect incidentally from other sources or public sources

  • Information presented on our social media or wider media platforms such as Facebook, Instagram or Twitter.
  • Information collected by security systems.
  • Your name and postcode from publicly available sources like the electoral roll or Royal Mail.
  • Potential stakeholder details, such as individuals who may be interested in our sites or other aspects of our business, like name and email address.
  • Maintain close working relationships with our business partners and relevant third parties and improving our employees’ professional networks.
  • Maintain market awareness.
  • Build and maintain social media branding, and our branding in general.
  • Address subject access requests.
  • Check and confirm validity and maintain accuracy of data we hold in our systems about you.
  • We have a legitimate business interest in:
    • providing security over our business;
    • maintaining a public profile within the media;
    • resolving complaints;
    • maintaining the accuracy of data we hold.
  • In addition to the above, where we have obtained your consent to use the data in this explicit way, then we can rely on that consent.

 

Information we share

  • There are certain circumstances where we may transfer your personal data to employees, contractors, governmental bodies and to other third parties. Some examples of when your personal information is transferred to other third party organisations are as follows:
  • We may share information about you with other members of our group of companies and shareholders so that we can best manage the services your organisation is providing to us across our group. They are bound to keep your information in accordance with this notice.
  • We may also share your information with certain contractors or service providers and they may process your personal data for us. They are always required to meet our standards on processing information and security. The information we provide them, including your information, will only be provided in connection with the performance of their function.
  • If we're discussing selling or transferring part or all of our business, the information may be transferred to our professional advisers, the prospective purchasers and their professional advisers under suitable terms as to confidentiality – or if sold, to buyers who can continue our business.
  • If we are required to by law, or under any regulatory code or practice we follow, or if we are asked by any public or regulatory authority – for example the Police, the Office of Gas and Electricity Markets (Ofgem), the Office of Nuclear Regulation (ONR), the Low Carbon Contracts Company (LCCC) or the Department for Energy Security and Net Zero (DESNZ)  – or to defend any legal claims.
  • Your personal data may be shared if it is made anonymous and aggregated, as in such circumstances the information will cease to be personal data.

 

Where your information will be held

When we share your information, your information may be transferred outside the European Union. We will only transfer data to jurisdictions outside the scope of the General Data Protection Regulation (GDPR) where the appropriate safeguards required by the GDPR are in place.

We may store our information on cloud servers located in the USA, or engage vendors which do not always have equivalent data protection laws to those applicable in Europe. The transfer of this information is therefore governed by a contract including standard contractual clauses (SCCs) approved by the European Commission.

 

Your rights

You may have certain rights in relation to your information including a right to access or to correct the information we hold about you. Some of these rights will only apply in certain circumstances however, such as the right to be forgotten or the right to request that we move your information to another company. They will generally not be available if there are outstanding contracts between us, if you continue to be employed as a contractor on one of our sites, if we are required by law to keep the information or if the information is relevant to a legal dispute. If you would like to exercise, or discuss, any of these rights, please contact our Data Protection Officer at dpo@edfenergy.com or 90 Whitfield Street, London, W1T 4EZ.

  • You can remove consent, where you have provided it, at any time, as well as update any of your opt-in marketing preferences by sending an email to hinkley-enquiries@edf-energy.com or a letter to 90 Whitfield Street, London, W1T 4EZ.
  • You can ask us to confirm if we are processing your information.
  • You can ask for access to your information.
  • You can ask to correct your information if it is wrong.
  • You can ask us to delete your information (the right to be forgotten), but only in certain cases.
  • You can ask us to restrict how we use your information, but only in certain cases.
  • You can ask us to help you move your information to other companies, but only in certain cases.
  • You can object to us processing your information based on legitimate interests, but only in certain cases.
  • You can object to processing your information in relation to direct marketing.
  • You can ask us to stop using your personal information, but only in certain cases.
  • You have the right to complain to the relevant supervisory authority.

 

Security and Accuracy

We are committed to keeping your personal information safe. We have physical, technical and administrative measures in place to prevent unauthorised access or use of your information. We also require that our suppliers protect such information from unauthorised access use and disclosure. We will also routinely refresh our information to ensure we keep it up-to-date.

 

Website Privacy and Cookie Policy

Our website Privacy and Cookie Policy can be found at www.edfenergy.com/yourprivacy