EDF Energy respects your privacy and values the trust you place in us when you share your personal information with us. This notice sets out how we, as controller, collect and use your personal information during and after your working relationship with us, why we use it, with whom we share it, and the rights to which you may be entitled.

This notice will be changed from time to time but if we change anything important about it (e.g. the information we collect, how we use it or why) we will highlight those changes to you. If you have any questions please get in touch with our Data Protection Officer at dpo@edfenergy.com or EDF Energy, 90 Whitfield Street, London, W1T 4EZ.

Summary – what we collect; how we collect and why we collect information about you

We collect certain types of information from, or about, you throughout our interaction with you, from third party service providers or from publicly available sources. This information may include items such as your name, address, contact details, curriculum vitae, appraisal and other management information, information about your employment and information regarding your fitness for work. We use this information to recruit, comply with our obligations under your employment contract; provide you with a safe working environment; manage your employment and comply with other legal and regulatory obligations.

For full details, please see the schedule.

Information we share and who we share it with

There are certain circumstances where we may share your personal data with other employees and third parties. Some examples of when your personal information may be shared with third party organisations are as follows:

  • we may share information about you with other members of our group of companies so that we can provide the best service across our group (such as if your employing entity is EDF Energy (Nuclear Generation) Limited and payroll services are provided to the EDF Energy group by EDF Energy plc). They are bound to keep your information in accordance with this Privacy Notice;
  • we may also share your information with certain suppliers and service providers (and their staff) such as payroll administrators, IT service providers, pension administrators, benefits providers, occupational health service providers, recruitment and other consultants, managed service workers and agency supplied workers that EDF Energy engages from time to time and they may process your personal data for us. They are always required to meet our standards on processing information and on security. The information we provide them, including your information, will only be provided in connection with the performance of their function;
  • if we're discussing selling or transferring part or all of our business, information about relevant employees may be transferred to prospective purchasers under suitable terms as to confidentiality or, if sold, to buyers;
  • if we're required to do so by law, or under any regulatory code or practice we follow, or if we are asked to do so by any public or regulatory authority – for example the Police, HMRC or Office for Nuclear Regulation (“ONR”) or to defend any legal claims; and/or
  • your personal data may be shared if it is made anonymous and aggregated, as in such circumstances the information will cease to be personal data.

Circumstances where we will ask for your consent

We do not need your consent if we use personal data, even sensitive personal data (also known as “special categories of personal data”), in accordance with our written practice and guidance to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. It is not a condition of your contract with us that you agree to any request for consent from us.

Where your information will be held

When we share your information, your information may be transferred outside the European Economic Area.

We store information on cloud servers located in the USA, and may engage suppliers or service providers based in countries which may not have equivalent data protection laws to those applicable in Europe. The transfer of this information is therefore governed by a contract between EDF Energy and the external organisation including standard contractual clauses (SCCs) approved by the European Commission. For example, certain support services are carried out for us in India which does not have equivalent data protection laws to those applicable in Europe. The transfer of information to the service provider is according to company rules that set out how information is to be treated and protected.

We will keep your information for as long as is set out in our data retention practice and guidance (which will be available on pulse or in your candidate portal).

We will only transfer data to jurisdictions outside the scope of the General Data Protection Regulation (“GDPR”) where the appropriate safeguards required by GDPR are in place.

Monitoring 

We monitor your usage of our IT systems, such as email, internet, printing, chat and Yammer forums. This is to protect confidential business information and intellectual property and to monitor for inappropriate behaviour or use of systems. In relation to Yammer we also use it as a way of measuring employee engagement and responding to concerns which arise. We also use CCTV and entry and exit gates on EDF Energy sites. Some EDF Energy vehicles have been installed with telematics devices which monitor driver behaviour.

Your rights and how to exercise them

You may have certain rights in relation to your information including a right to access or to correct the information we hold on you. However, some of these rights will only apply in certain circumstances, such as the right to be forgotten or the right to request that we move your information to another company. They will generally not be available if you remain employed, if we still require the data for the purposes for which we collected it, if we are required by law to keep the information, or if the information is relevant to a legal dispute. If you would like to exercise, or discuss, any of these rights you can do so by logging into your account on MyHR and raising a query through AskHR. 

  • You can remove consent, where you have provided it, at any time, as well as update any of your opt-in marketing preferences
  • You can ask us to confirm if we are processing your information
  • You can ask for access to your information
  • You can ask to correct your information if it's wrong
  • You can ask us to delete your information (the right to be forgotten), but only in certain cases
  • You can ask us to restrict how we use your information, but only in certain cases
  • You can ask us to help you move your information to other companies, but only in certain cases
  • You can object to us processing your information based on legitimate interests, but only in certain cases
  • You can object to us processing your information in relation to direct marketing
  • If you are not satisfied with the way that we have handled your data, please contact the Data Protection Officer by email at dpo@edfenergy.com. You also have the right to complain to the relevant supervisory authority, the Information Commissioner’s Office (“ICO”)

Your obligations to safeguard personal data of others

You will have access to the personal data of other individuals during the course of your employment. You must undertake any mandatory EDF Energy data protection training, and ensure that you do not inappropriately obtain, retain, amend, use, delete, transmit or compromise the security of the personal data of others. You must:

  • only seek to access the personal data that you are authorised to access and only use that data for the specified, explicit and legitimate purposes for which it was obtained by EDF Energy;
  • not make any amendments to personal data or share it with others either within or without EDF Energy without being authorised to do so;
  • not inappropriately store other people’s personal data outside of EDF Energy systems;
  • take appropriate steps to safeguard the security of personal data.  These include, but may not be limited to, ensuring equipment is made secure if unattended for any time; keeping passwords secure and not sharing them; ensuring that paper records are stored securely when not in use; ensuring appropriate security measures are in place before personal data and devices containing personal data or devices that can be used to access personal data are removed from EDF Energy’s premises; and
  • report any data security concerns or incidents immediately in accordance with the Incident Management Procedure which will be available on pulse or by phoning the EDF Energy Service Desk 777 or 01392 353955. Concerns or incidents may include, but may not be limited to, you believing or suspecting that one of the following has taken place (or is likely to take place): there has been any data breach; there has been unauthorised access to or removal from the premises of personal data; personal data is not secure; or you are aware of any other breach of data protection legislation.

Failure to comply with your data protection obligations puts at risk the individuals whose personal information is being processed, carries the risk of significant civil and criminal sanctions for you and EDF Energy; and may, in some circumstances, amount to a criminal offence for which you are personally liable. Because of the importance of data protection obligations, it may lead to disciplinary action under our procedures, up to and including dismissal for gross misconduct.

Security and Accuracy

We are committed to keeping your personal information safe. We've got physical, technical and administrative measures in place to prevent unauthorised access or use of your information. We also require that our suppliers protect such information from unauthorised access, use and disclosure. Please see our Security Practice & Guidance, which is available on Pulse or on request.

We will also routinely refresh our information or ask you to refresh your details to ensure we keep it up-to-date.

Website terms and conditions and cookies

Our website terms and conditions can be found here.

How we protect your personal information

What we collect

This category of information we collect about you includes:

How we use it

We use this information for certain activities, including to:

Why we use it

We use this information because:

Information collected during the recruitment process: 

  • your personal contact details;
  • your CV
  • interview information, including opinions;
  • references, pre-employment checks;
  • health information;
  • beneficiary information in relation to benefits;

How we use it:

  • contact you;
  • decide whether you are suitable for a role you have applied for;
  • contact you in relation to future roles which you have indicated that you might be interested in;
  • prepare for the provision of benefits to you;
  • consider and make reasonable adjustments if required

Why we use it:

  • it is necessary to meet future requirements under your employment contract;
  • it is necessary for compliance with a legal obligation to which EDF Energy is subject (such as Equality Act 2010 obligations);
  • it is necessary for the purposes of the legitimate interests of EDF Energy to:
    - ensure the suitability of job applicants;
    - communicate with job applicants;
    - recruit employees and ensure that we can onboard you as an employee;
    - consider and make appropriate reasonable adjustments;
    - maintain appropriate records for the purposes of defending legal claims

Information obtained as a result of a criminal records check

  • criminal records information

How we use it:

  • to complete our security checks;
  • comply with our regulatory obligations in relation to ONR

Why we use it:

  • it is necessary under your employment contract;
  • it is necessary for compliance with a legal obligation to which EDF Energy is subject;
  • it is necessary for the purposes of the legitimate interests of EDF Energy to:
    - ensure the safety and security of nuclear power stations and other connected sites;
    - ensure the suitability of staff in relation to relevant roles;
    - maintain appropriate records for the purposes of defending legal claims
  • and in all cases is carried out only under the control of an official authority

Information we need to contact you, pay you and provide benefits to you:

  • your personal and work contact details;
  • financial information such as bank details;
  • your salary and benefits information;
  • your employee ID number
  • your gender and marital status;
  • your date of birth;
  • details in relation to nominated beneficiaries or dependents;

How we use it:

  • contact you;
  • pay you;
  • provide you and your dependents with benefits;
  • calculate gender pay gap information

Why we use it:

  • it is necessary for compliance with our legal obligations (gender pay gap reporting obligations)
  • it’s necessary to perform our duties under your employment contract (for example in relation to our obligation to pay your salary);
  • it is necessary for the purposes of the legitimate interests of EDF Energy to:
    - provide suitable benefits to employees and their dependents;
    - incentivise its employees;
    - maintain appropriate records for the purposes of defending legal claims

Information about your role, workplace performance, conduct, training, progression, feedback you have given and received and information held on HR systems such as ImageNow, myHR, myCampus etc:

  • your home and personal contact details;
  • emergency contact information;
  • your date of birth;
  • your immigration status and/or nationality;
  • who your line manager is;
  • your salary and benefits choices;
  • your role and employment history;
  • your appraisal content, feedback and scores;
  • your attendance record;
  • information about your conduct;
  • information about complaints you have raised;
  • information about your work performance;
  • your sickness records and health information;
  • the results of drug and alcohol tests;
  • telematics information;
  • user inputted information (including data you provide for equality monitoring purposes such as sexual orientation and ethnic origin and your feedback and opinions on employment matters);

How we use it:

  • to manage your attendance, performance and conduct;
  • to manage HR processes;
  • to answer your questions about HR matters and deal with any complaints you have raised;
  • to review your salary and assess your eligibility for bonus and other benefits;
  • to conduct risk assessments;
  • to facilitate, book and provide training
  • for equal opportunities monitoring
  • to understand the views of our employees

Why we use it:

  • it is necessary for compliance with our legal obligations (such as health and safety obligations, reporting requirements);
  • it is necessary for the purposes of the legitimate interests of EDF Energy to:
    - provide HR advice to its managers;
    - administer HR records and processes;
    - manage queries and complaints raised by employees;
    - manage employees’ performance, conduct and training;
    - manage employees’ attendance at work;
    - review and determine remuneration of employees;
    - manage health and safety risks;
    - manage site security;
    - report employee matters to other group companies and appropriate external bodies (such as HMRC, HSE);
    - maintain appropriate records for the purposes of defending legal claims;
  • considering feedback and information about our employees to ensure effective employment practices

Information about your fitness for work:

  • your attendance record;
  • your sickness records;
  • details of Occupational Health referrals, reports and recommendations;
  • the results of drug and alcohol tests;
  • information regarding your physical attributes such as height, weight etc;

How we use it:

  • to assess your fitness for work;
  • to manage your sick pay entitlements;
  • to provide appropriate support to staff with health and wellbeing issues;
  • to comply with our legal obligations, such as the duty to make reasonable adjustments and provide a safe working environment;
  • to manage you if you are sick or not well;
  • to assess and make reasonable adjustments if required;
  • to provide PPE and other equipment to ensure that the workplace is a safe environment;

Why we use it:

  • it is necessary for us in order to comply with your employment contract;
  • it is necessary for compliance with our legal obligations (such as health and safety obligations);
  • it is necessary for the purposes of the legitimate interests of EDF Energy to:
    - plan and manage its workforce;
    - manage employees’ attendance at work;
    - to determine remuneration of employees;
    - to assess employees’ fitness for work;
    - to manage health and safety risks;
    - to consider and make reasonable adjustments;
    - to manage site security;
    - maintain appropriate records for the purposes of defending legal claims
  • processing is necessary for the purposes of preventive or occupational medicine, for the assessment of your working capacity, medical diagnosis, or the provision of health or social care or treatment

Information we collect in relation to our work-related systems such as email, sharepoint, Skype, VEOL, Yammer, etc:

  • work contact details,
  • job title, department, work location;
  • work IP address, work device ID;
  • device location;
  • LAN ID;
  • user inputted information (including conversation histories and opinions);

How we use it:

  • to allow you to access systems which allow you to contact and communicate with people internally and externally and collaborate on work products and documents;
  • to identify the user or author;
  • to allow help desk services to be provided to users;
  • to audit IT applications;
  • to analyse IT costs per user/location;
  • to monitor employee engagement;
  • to monitor inappropriate use;

Why we use it:

  • it is necessary for the purposes of the legitimate interests of EDF Energy to:
    - enable its employees access to systems for the purposes of contact, communication and collaborative working;
    - provide IT contact systems for external parties to make contact with its employees;
    - provide an audit trail of work-related discussions or iterative collaboration to create a work product; 
    - allow IT and helpdesk teams to resolve user problems;
    - allow EDF Energy to assess usage and efficiency of systems and providers;
    - to monitor employee engagement;
    - to monitor inappropriate use of work systems;
    - maintain appropriate records for the purposes of defending legal claims;

Information contained within work products such as documents, presentations etc, and within internal directories such as on Pulse

  • role, job title;
  • work contact details;
  • work location;
  • line manager;
  • business unit;
  • user added information (such as photos and opinions)

How we use it:

  • to monitor the progress and achievement of outcomes in projects and work tasks including identifying the author
  • to allow colleagues to look up your contact details and work information;
  • to track time spent on particular projects

Why we use it:

  • it is necessary for the purposes of the legitimate interests of EDF Energy to:
    - enable its employees and third parties to contact EDF Energy employees;
    - to send targeted information to employees (for example if only relevant to employees within one business unit);
    - to keep a record of who has authored or contributed to a work product;
    - to keep track of employee time spent on projects;
    - maintain appropriate records for the purposes of defending legal claims;

Information we collect in our travel, facilities and expenses systems including Concur, Carlson Wagonlit, Europcar, Matrix booking etc

  • name, employee ID, home and work contact details;
  • IP address;
  • work Amex card details;
  • passport details;
  • vehicle registration;
  • loyalty cards, travel preferences;

How we use it:

  • to facilitate work related travel, accommodation and expense submissions;
  • to manage facilities including meeting room and car park bookings;
  • to facilitate, evaluate and process expense claims;
  • to monitor usage for commercial negotiation purposes;

Why we use it:

  • it is necessary for the purposes of the legitimate interests of EDF Energy to:
    - enable its employees to book travel and accommodation;
    - to manage workplace facilities like meeting rooms and parking spaces;
    - to manage and audit expenses;
    - to assess the tax status of expenses claimed;
    - locate employees if necessary for work or health and safety purposes;
    - maintain travel insurance arrangements;
    - maintain appropriate records for the purposes of defending legal claims;
  • it is necessary for compliance with our legal obligations (such as providing remittances to HMRC)

Information that we collect from you in order to comply with all relevant laws, regulations, industry codes and regulatory obligations:

  • your date of birth;
  • your pay and benefits information;
  • your national insurance number;
  • copies of identity documents;
  • your nationality and immigration status

How we use it:

  • report to HMRC;
  • administer PAYE and National Insurance deductions;
  • confirm your right to work in the UK

Why we use it:

  • it is necessary under your employment contract;
  • it is necessary for compliance with a legal obligation to which EDF Energy is subject;
  • it is necessary for the purposes of the legitimate interests of EDF Energy to:
    - ensure its business is compliant with industry codes and regulatory obligations;
    - maintain appropriate records for the purposes of defending legal claims

Information we use to monitor behaviour and track data transfer activities:

  • email content (potentially including all categories of personal data and special categories of personal data)

How we use it:

  • to monitor behaviour and data usage and track data transfer activities;
  • to investigate results showing inappropriate transfer of data and take appropriate action;

Why we use it:

  • it is necessary for compliance with a legal obligation to which EDF Energy is subject;
  • it is necessary for the purposes of the legitimate interests of EDF Energy to:
    - safeguard data;
    - protect its confidential information and intellectual property; and
    - ensure appropriate technical measures are in place to protect data;
    - identify inappropriate transfers of information

Information provided to us in relation to business related driving

  • vehicle information;
  • insurance documentation;
  • results of licence checks;
  • (in relation to some users) telematics data regarding driving behaviours

How we use it:

  • to make sure that employees are legally permitted to drive;
  • to ensure that adequate insurance is in place;
  • to ensure the health and safety of their employees;
  • to appropriately manage driving risks;
  • to ensure that fleet vehicles are appropriately maintained;
  • to locate an employee or a vehicle in exceptional circumstances;

Why we use it:

  • it is necessary for compliance with a legal obligation to which EDF Energy is subject;
  • it is necessary for the purposes of the legitimate interests of EDF Energy to:
    - ensure the safety and security of employees driving on company business;
    - conduct appropriate risk assessments;
    - ensure that drivers are legally permitted to drive and have appropriate insurance in place;
    - to locate an employee or a vehicle in exceptional circumstances;
    - maintain appropriate records for the purposes of defending legal claims
  • driver licence checking is carried out only under the control of an official authority

Information you have provided to us in order to access your personal devices (BYOD)

  • Log-in details and personal mobile information

How we use it:

  • allow you to access emails on a personal electronic device

Why we use it:

  • you have elected to bring your own device to work and consented to us using your information in this way. You can withdraw your consent by notifying us that you are doing so and removing the app