The EMA is committed to respecting the privacy of individuals and is compliant with the requirements of the UK General Data Protection Regulation (GDPR), which is designed to ensure personal data is processed lawfully, fairly, transparently and for specific, explicit and legitimate purposes. The EMA is registered with the Office of the Information Commissioner, registration number ZA384449.
1. Collection of data
1.1. During the course of its work, the EMA collects personal data which identifies individuals or that can be used to identify individuals when combined with other information in the possession of the EMA or likely to come into its possession.
1.2. Personal data is collected by a variety of means, face-to-face, mail, phone, internet and e-mail, at events, conferences, exhibitions and training courses. This personal data may include information such as name, age, home address, telephone number, fax number, e-mail address, organisation name, job title, business address, IP address, membership number and grade, examination records, bank and payment details, education and training details, CPD records, application details, CVs and assessment records.
2. Use of data
2.1. Personal data held by the EMA may be accessed and used by the EMA and trusted associates as necessary in order to fulfil the EMA’s role and to complete its activities.
2.2. All personal data is processed and stored securely, for no longer than is necessary in light of the reason(s) for which it was first collected and consented for. We will comply with our obligations and safeguard your rights under the GDPR at all times.
2.3. Our use of your personal data will always have a lawful basis, either because it is necessary for our performance of a contract with you, because you have consented, or we have a legitimate interest for the use of your personal data for the fulfilment of our role and/or activities.
2.4. We believe that it is reasonable to expect that if you applied for one of our services you are content for us to collect and otherwise use your personal data to offer or provide the services that you have signed up to.
2.4.1. If you are part of the EMA membership, we use your personal data to administer and manage your membership, for the purposes of assessing membership applications, allocating a membership level, providing member benefits, internal administration of your membership, and for statistical and analytical purposes.
2.4.2. If you are part of the EMA ESOS Lead Assessor Register, we use your personal data to administer and manage your ESOS Lead Assessor process and registration, for the purposes of assessing the process applications, CVs, qualifications, assessment grades, for awarding a Lead Assessor status and allocating a registration number, providing industry updates, for continuous administration of your ESOS Lead Assessor registration, statistical and analytical purposes, and for auditing purposes by the Environment Agency.
2.4.3 If you have registered for any EMA products or services including events, training and publications, you will receive essential communications relating to the fulfilment of those products and services.
2.4.4. We may also use your personal data to send e-mail notifications alerting you to EMA information which may be of interest and to promote and develop our activities, products and services.
2.5. The data you provide to us will be held on our servers in the UK and our databases and cloud storage are protected by industry standard security technology, such as industry standard firewalls and password protection. Furthermore, the employees who have access to Personal Data shall handle such data properly and in accordance with our security protocols and strict standards of confidentiality.
2.6. You have the right to withdraw your consent to using your personal data at any time, and to request that it is deleted (please contact us using the details in section 7).
3. Data sharing
3.1. As data controller, the EMA takes all reasonable steps to ensure that personal data remains in a secure environment and we will never sell personal data to third parties, but we may share it with trusted associates, suppliers and contractors for the purposes of administering and managing our services and activities.
3.2. The EMA may also share personal data with government authorities, if legally required to do so, or if the EMA believes it necessary in connection with an investigation of any activity that is illegal.
4. Data processing
Personal data held by the EMA may be managed by trusted third party data processors.
4.1. The EMA holds personal data relating to members and contacts on a database provided by a third party provider, Zoho Office Suite. Zoho Office Suite demonstrated their commitment to data privacy and protection by meeting the industry standards for ISO 27001 and SOC 2 Type 2, is certified by the EU-US ‘Privacy Shield’, and provides a secure service that is compliant with the requirements of data protection law. Further information can be found at: https://www.zoho.eu/gdpr.html
4.2. Some personal data is stored using Dropbox, file sharing and storage solution. Dropbox complies with the EU-U.S. and Swiss–U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the European Economic Area, and Switzerland to the United States. You can find Dropbox’s Privacy Shield certification here. You can also learn more about Privacy Shield at https://www.privacyshield.gov
4.3. We also use a third party provider, MailChimp, to manage the delivery of our emails. MailChimp is certified by the EU-US ‘Privacy Shield’ and obligated to comply with the European General Data Protection Regulation. If you do not wish to receive these materials, simply click the Unsubscribe link in any email. Further information can be found at http://mailchimp.com/legal/privacy
4.4. To host digital events and training, we use Zoom and Microsoft Teams, both organisations operate globally, which means that personal data may be transferred, stored (for example, in a data center), and processed outside of the country or region where it was initially collected.
Zoom protects personal data in accordance with their Privacy Statement wherever it is processed and takes appropriate contractual or other steps to protect it under applicable laws. Where personal data of users in the UK are being transferred to another country outside the UK which has not been recognised as having an adequate level of data protection, they ensure that the transfer is governed by the European Commission’s standard contractual clauses.
Microsoft adheres to the principles of the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, although Microsoft does not rely on the EU-U.S. Privacy Shield Framework as a legal basis for transfers of personal data in light of the judgment of the Court of Justice of the EU in Case C-311/18. To learn more, visit the U.S. Department of Commerce’s Privacy Shield website. Further information can be found at https://privacy.microsoft.com/en-gb/privacystatement.
4.5. To enable online payments, we use Stripe Services, Stripe Payments Europe transfers personal data to Stripe, Inc., in the U.S. To ensure the adequate protection of personal data, Stripe is certified to the EU-U.S. and Swiss-U.S. Privacy Shield Framework. For more information, please read Stripe’s Privacy Shield Policy at https://stripe.com/gb/privacy
5. Our website
5.2. Throughout our website we have integrated social media share buttons from third party websites such as LinkedIn and Twitter. Pages with this embedded content may present cookies from these websites over which the EMA has no control. You should check the relevant third party website for more information about how these cookies are controlled.
6. Your Rights
6.1. The right to be informed about our collection and use of personal data (please contact us using the details in section 7);
6.2. The right of access to the personal data we hold about you (please contact us using the details in section 7);
6.3. The right to rectification if any personal data we hold about you is inaccurate or incomplete (please contact us using the details in section 7);
6.4. The right to be forgotten – i.e. the right to ask us to delete any personal data we hold about you (please contact us using the details in section 7);
6.5. The right to restrict (i.e. prevent) the processing of your personal data (please contact us using the details in section 7);
6.6. The right to object to us using your personal data for particular purposes (please contact us using the details in section 7);
6.7. For further information about your rights, please contact the Information Commissioner’s Office https://ico.org.uk/concerns
7. Contact details
If you have any comments, questions or concerns about how the EMA handles personal data, or in relation to your personal data held by the EMA, please contact the EMA’s Data Protection Officer: Jana Skodlova, Data Protection Officer, Energy Managers Association, Suite 77, 95 Mortimer Street, London, W1W 7GB; [email protected]