Third Parties' Privacy Notice

This notice applies to any Third Party who provides information to EDF Energy. This may include visitors to EDF Energy sites and contractors working at or with EDF Energy, including agency supplied workers, managed service workers and embedded contractors. It does not apply to employees.

EDF Energy respects your privacy and values the trust you place in us when you share your personal information with us. This policy sets out how we, as controller, collect and use your personal information; why we use it, with whom we share it, the rights to which you may be entitled and your choices about our use of your personal information.

This notice will be changed from time to time but if we change anything important (for example, the information we collect, how we use it or why) we will highlight those changes to you. 

If you have any questions, please get in touch with our Data Protection Officer at dpo@edfenergy.com or at EDF Energy, 90 Whitfield Street, London, W1T 4EZ.

Summary – What we collect, how we collect and why we collect information about you

We collect certain types of information from and/or about you throughout our interaction with you, from third-party service providers or publicly available sources. This information may include your name, address, contact details, curriculum vitae, and medical information. We use this information for the activities we have listed in the table below, including to provide our services, to comply with legal and regulatory obligations, and for marketing and reporting purposes.

If you are a child or teenager, then please read the first box below which summarises what information we collect, how we collect it and why we collect it.

 

What we collect

This category of information we collect about you may include:

How we use it

We use this information for certain activities, including to:

Why we use it

We use this information because:

Information that we collect from children, teenagers, parents and teachers through our initiatives including Pretty Curious/POD and when visiting our sites 

- Your contact details;
- Your parent’s contact details;
- Your email address;
- The name of your school/college or university;
- The address of your school/college or university;
- Your phone number;
- Your date of birth;

- So that we can send you email communications about attending our programmes, events and initiatives;
- For the purposes of marketing/sending invitations to attend events;
- So that we can invite you to apply for jobs in the future

- We have obtained your consent to use the data in this explicit way and we rely on that consent
- We have a legitimate business interest in being able to promote diversity in STEM industries by engaging with children and young people

Information when you communicate with us whether as a third party, contractor or otherwise, whether in person, when visiting our sites, through our website or via email, over the telephone, through social media or via any other medium

- Identification information such as passports, driving licences etc;
- Your vehicle registration number(s)
- Your contact details;
- The details of your communications with us;
- The details of our messages to you;
- Your marketing preferences;
- Marketing information

- Identify you;
- Answer any issues or concerns;
- Monitor potential stakeholder communications for quality and training purposes;
- Develop new services;
- Improve our services;
- Personalise our service;
- Deal with any complaints;
- For the purposes of marketing/sending invitations to events
- To facilitate work-related travel, including vehicle parking and ensuring only safe and authorised vehicular access to our sites;

- We have a legitimate business interest in:
  - understanding public feedback and in responding to communications in a consistent manner;
  - ensuring that we are better able to personalise our service to the public;
  - ensuring the safety and security at all of our sites;
- In addition to the above, where we have obtained your consent to use the data in this explicit way, then we can rely on that consent
- For security purposes

Information that we collect incidentally from other sources or public sources

 

- Information presented on our social media or wider media platforms such as Yammer, Facebook or Twitter;
- Information collected by security systems;
- Your name and postcode from publicly available sources like the electoral roll or Royal Mail

- Maintain market awareness;
- Build and maintain social media branding, and our branding in general;
- Deal with complaints received;
- Address subject access requests

- We have a legitimate business interest in:
  - providing security over our business;
  - maintaining a public profile within the media;
  - resolving complaints;
  - maintaining the accuracy of the data we hold;
- In addition to the above, where we have obtained your consent to use the data in this explicit way, then we can rely on that consent

Information we collect from third-party partners, including third-party contractor employers and corporate customers

- Potential stakeholder details, like name and email address, from:
  - Publicly available sources such as the electoral roll or Royal Mail

 

- Provide our services;
- Manage and administer our systems;
- Statistical analysis and research into our clients

- We have a legitimate business interest in:
- developing and maintaining relationships with third-party partners and other companies and dealing with individuals who work for them;
- conducting research to improve our services
- In addition to the above, where we have obtained your consent to use the data in this explicit way, then we can rely on that consent

Information that we collect from you or your employer in order to comply with all relevant laws, regulations, industry codes and government instructions, and to deal with complaints

- Your contact details;
- Health and medical data;
- Identification information such as passports, driving licences etc.;
- Curriculum Vitae
- Your gender
- Video and audio recordings

- Report to the Department for Energy Security and Net Zero (DESNZ);
- Respond to requests made by law enforcement or regulatory authorities, bodies or agencies, or in relation to a legal claim
- To ensure personnel are suitably qualified and experienced for the work being carried out
- To ensure specific risks are considered for those women who may be pregnant or breastfeeding

- We need to comply with legal obligations;
- We have a legitimate business interest in:
  - resolving any complaints we may receive;
  - ensuring that we comply with our regulatory and legislative obligations;
  - maintaining appropriate records in relation to potential legal claims;

Information obtained for third party contractors and other visitors to sites, as a result of a criminal records check, the security vetting process and ongoing security surveillance 

- Criminal records information
- Baseline Personnel Security Standard check information;
- National Security Vetting application information;
- Photographs and CCTV footage.

- To complete our security checks
- To comply with our regulatory obligations in relation to Office of Nuclear Regulation
- To assess your suitability to hold a Baseline Personnel Security Standard and/or National Security Vetting Clearance;
- To ensure safety and security of sites and people including e.g. staff, third party contractors and visitors.

- It is necessary for compliance with a legal obligation to which EDF Energy is subject;
- It is necessary for contractors to work on our sites;
- It is necessary for the purposes of the legitimate interests of EDF Energy to:
  - Ensure the safety and security of nuclear power stations and other connected sites;
  - Ensure the suitability of contracted staff in relation to relevant roles;
  - To maintain appropriate records in relation to potential legal claims;
- And in all cases is carried out only under the control of an official authority

Information we need to contact you and provide benefits to you

- Your personal and work contact details including your name, address, email address;
- Your date of birth
- Your benefits’ information

- To contact you;
- To provide you with benefits

- It is necessary to perform our duties under a contract with your employer;
- It is necessary for the purposes of the legitimate interests of EDF Energy to:
  - Ensure appropriate records are kept of third parties on site;
  - To maintain appropriate records in relation to potential legal claims

Information about your third-party contractors’ role, training, workplace performance and progression

- Your National Insurance number;
- Commercial data from your contracting employer;
- Your training records;
- Which member of EDF Energy staff you report to;
- Your role and employment history;
- Your attendance record;
- Your sickness records
- Skills & Experience

- To evidence your qualifications and capability for carrying out work;
- To manage our workforce and ensure you integrate into the team on the particular project on which you are working
- For medical and health purposes e.g. pregnancy

- It is necessary for the purposes of the legitimate interests of EDF Energy to:
  - manage the performance of its contractors;
  - manage contractors’ attendance at work;
  - manage contractors’ health and safety at work;
  - To maintain appropriate records in relation to potential legal claims

Information about third-party contractors’ fitness for work

- your attendance record;
- your sickness records;
- results of drugs and alcohol testing;
- Display Screen Equipment Assessments;
- Personal Evacuation Plans;
- Information provided to us by your employer regarding your health and/or reasonable adjustments which you need in the workplace

- to assess your fitness for work;
- to provide appropriate support to contractors with health and wellbeing issues;
- to comply with our legal obligations, such as the duty to make reasonable adjustments and provide a safe working environment;
- to manage our workforce if you are sick or not well

- it is necessary for compliance with our legal obligations (such as health and safety obligations);
- it is necessary for the purposes of the legitimate interests of EDF Energy to:
  - plan and manage its workforce;
  - to maintain appropriate records in relation to potential legal claims
- it is necessary for the purposes of preventive or occupational medicine, for the assessment of your working capacity, medical diagnosis, or the provision of health or social care or treatment

Information required to allow you to access systems in order to effectively carry out your role

- Your contact details

- Monitoring of our services
- To enable third-party contractors to view active/closed systems and therefore view data held on databases
- To enable third-party contractors to log their work

- We have a legitimate business interest in:
  - Providing access to users to systems required for EDF Energy to properly carry out its business

Information that we collect from you or your employer and/or from our records, during any testing for the Covid-19 virus (“Covid-19”) in which you take part

- Your contact details including your name, email address and mobile phone number

- Your employee number or your national insurance number

- the result of each Covid-19 test

- In the event of a positive test:
  - your postal address;
  - your date of birth;
  - your gender; and
  - the people you have recently been in contact with or close to.
 

- Contact you to inform you of the results of your test; 

- Assess your fitness for work;

- Fulfil our obligation to report to Public Health for England and/or Public Health for Scotland should you test positive for Covid-19;

- Inform people you have been in contact with or close to, should you test positive for Covid-19;

- Provide a safe working environment by minimising the transmission of Covid-19.
 

- It is necessary for EDF to comply with its legal obligations (such as health and safety obligations);

- It is necessary for the purposes of the legitimate interests of EDF Energy to:
  - manage health and safety risks;
  - plan and manage its workforce;
  - continue to operate its nuclear power stations and other connected sites in the manner required.

- It is necessary for reasons of public interest in the area of public health by helping to minimise the spread of Covid-19.
 

 

Information we share and who we share it with

There are certain circumstances where we may transfer your personal data to employees, contractors and to other third parties. Some examples of when your personal information is transferred to other third party organisations are as follows:

  • We may share information about you with other members of our group of companies so that we can provide the best service across our group. They are bound to keep your information in accordance with this Privacy Notice;
  • We may also share your information with certain contractors or service providers and they may process your personal data for us. They are always required to meet our standards on processing information and security. The information we provide them, including your information, will only be provided in connection with the performance of their function;
  • If we're discussing selling or transferring part or all of our business – the information may be transferred to prospective purchasers under suitable terms as to confidentiality – or if sold, to buyers who can continue to provide services to you;
  • If we're required to by law, or under any regulatory code or practice we follow, or if we are asked by any public or regulatory authority – for example, the Police, OFGEM or DESNZ – or to defend any legal claims;
  • Your personal data may be shared if it is made anonymous and aggregated, as in such circumstances the information will cease to be personal data.


Where your information will be held

When we share your information, your information may be transferred outside the European Economic Area. We will only transfer data to jurisdictions outside the scope of the General Data Protection Regulation (GDPR) where the appropriate safeguards required by the GDPR are in place. We store our information on cloud servers located in the USA, or engage vendors which do not always have equivalent data protection laws to those applicable in Europe. The transfer of this information is therefore governed by a contract including standard contractual clauses (SCCs) approved by the European Commission.

We will keep your information for as long as it is reasonably necessary. It will depend on factors such as whether you are working on our site or have attended one of our visitor centres recently. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.


Your rights

You may have certain rights in relation to your information, including a right to access or to correct the information we hold on you. Some of these rights will only apply in certain circumstances, however, such as the right to be forgotten or the right to request that we move your information to another company. They will generally not be available if there are outstanding contracts between us, if you continue to be employed as a contractor on one of our sites, if we are required by law to keep the information or if the information is relevant to a legal dispute. If you would like to exercise or discuss any of these rights, please contact the Data Protection Officer.

You can remove consent, where you have provided it, at any time, as well as update any of your opt-in marketing preferences, by sending the Data Protection Officer an email at dpo@edfenergy.com or a letter at EDF Energy, 90 Whitfield Street, London, W1T 4EZ.

  • You can ask us to confirm if we are processing your information
  • You can ask for access to your information
  • You can ask to correct your information if it's wrong
  • You can ask us to delete your information (the right to be forgotten), but only in certain cases
  • You can ask us to restrict how we use your information, but only in certain cases
  • You can ask us to help you move your information to other companies, but only in certain cases
  • You can object to us processing your information based on legitimate interests, but only in certain cases
  • You can object to processing your information in relation to direct marketing
  • You can ask us to stop using your personal information, but only in certain cases
  • You have the right to complain to the relevant supervisory authority


Security and Accuracy

We are committed to keeping your personal information safe. We've got physical, technical and administrative measures in place to prevent unauthorised access or use of your information. We also require that our suppliers protect such information from unauthorised access, use and disclosure. We will also routinely refresh our information to ensure we keep it up-to-date.


Website terms and conditions and cookies

Our website terms and conditions can be found on this page.