EDF Energy employee privacy policy
EDF respects your privacy and values the trust you place in us when you share your personal information with us. This notice sets out how we, as a controller, collect and use your personal information during and after your working relationship with us, why we use it, with whom we share it, and the rights to which you may be entitled.
This notice will be changed from time to time but if we change anything important about it (e.g. the information we collect, how we use it or why) we will highlight those changes to you. If you have any questions please get in touch with our Data Protection Officer at dpo@edfenergy.com or EDF Energy, 90 Whitfield Street, London, W1T 4EZ.
Summary – what we collect; how we collect and why we collect information about you
We collect certain types of information from, or about, you throughout our interaction with you, from third-party service providers or from publicly available sources. This information may include items such as your name, address, contact details, curriculum vitae, appraisal and other management information, information about your employment and information regarding your fitness for work. We use this information to recruit; comply with our obligations under your employment contract; provide you with a safe working environment; manage your employment; and comply with other legal and regulatory obligations.
Information we share and who we share it with
There are certain circumstances where we may share your personal data with other employees and third parties. Some examples of when your personal information may be shared with third party organisations are as follows:
- we may share information about you with other members of our group of companies so that we can provide the best service across our group (such as if your employing entity is EDF Energy (Nuclear Generation) Limited and payroll services are provided to the EDF Energy group by EDF Energy plc). They are bound to keep your information in accordance with this Privacy Notice;
- we may also share your information with certain suppliers and service providers (and their staff) such as payroll administrators, IT service providers, pension administrators, benefits providers, occupational health service providers, recruitment and other consultants, managed service workers and agency supplied workers that EDF Energy engages from time to time and they may process your personal data for us. They are always required to meet our standards on processing information and on security. The information we provide them, including your information, will only be provided in connection with the performance of their function;
- if we're discussing selling or transferring part or all of our business, information about relevant employees may be transferred to prospective purchasers under suitable terms as to confidentiality or, if sold, to buyers;
- if we're required to do so by law, or under any regulatory code or practice we follow, or if we are asked to do so by any public or regulatory authority – for example the Police, HMRC or Office for Nuclear Regulation (“ONR”) or to defend any legal claims; and/or
- your personal data may be shared if it is made anonymous and aggregated, as in such circumstances the information will cease to be personal data.
Circumstances where we will ask for your consent
We do not need your consent if we use personal data, even sensitive personal data (also known as “special categories of personal data”), in accordance with our written practice and guidance to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. It is not a condition of your contract with us that you agree to any request for consent from us.
Where your information will be held
When we share your information, your information may be transferred outside the European Economic Area.
We store information on cloud servers located in the USA, and may engage suppliers or service providers based in countries which may not have equivalent data protection laws to those applicable in Europe. The transfer of this information is therefore governed by a contract between EDF Energy and the external organisation including standard contractual clauses (SCCs) approved by the European Commission. For example, certain support services are carried out for us in India which does not have equivalent data protection laws to those applicable in Europe. The transfer of information to the service provider is according to company rules that set out how information is to be treated and protected.
We will keep your information for as long as is set out in our data retention practice and guidance (which will be available on Pulse or in your candidate portal).
We will only transfer data to jurisdictions outside the scope of the General Data Protection Regulation (“GDPR”) where the appropriate safeguards required by GDPR are in place.
How long is your data held for?
The retention periods for personal data that is common to all Business Units are set out as follows:
Record Type | Classification | Retention Period |
---|---|---|
Employee files (inc Payroll, benefits, health records, criminal check outcomes) | Protect Private | Date of birth + 100 years |
Employee Travel & Expense | Protect Private | 7 years from entry; or |
Unsuccessful Job Applicants | Protect Private | purged 2 years following recruitment process end date |
Wifi Registration Details | Protect Private | 1 year from creation |
CCTV | Protect Private | 30 days from recording |
Site Access – Access Gate Control Data | Protect Private | 1 year from site entry |
Site Access – Permanent Access | Protect Private | 1 year from receipt of application |
Site Access – Escorted Access | Protect Private | 1 year after site entry |
Physical Site Visitor Logs | Protect Private | 2 years after site entry |
Electronic Site Visitor Logs | Protect Private | 1 year after site entry |
IT Performance Management – End User Computing Experience | Protect Private | 3 months from capture |
IT Operational Security Monitoring | OFFICIAL SENSITIVE – SNI | 12 months from capture |
Monitoring
We monitor your usage of our IT systems, such as email, internet, printing, chat and Yammer forums. This is to protect confidential business information and intellectual property and to monitor for inappropriate behaviour or use of systems. In relation to Yammer we also use it as a way of measuring employee engagement and responding to concerns which arise. We also use CCTV and entry and exit gates on EDF Energy sites. Some EDF Energy vehicles have been installed with telematics devices which monitor driver behaviour.
Your rights and how to exercise them
You may have certain rights in relation to your information including a right to access or to correct the information we hold on you. However, some of these rights will only apply in certain circumstances, such as the right to be forgotten or the right to request that we move your information to another company. They will generally not be available if you remain employed, if we still require the data for the purposes for which we collected it, if we are required by law to keep the information, or if the information is relevant to a legal dispute. If you would like to exercise, or discuss, any of these rights you can do so by logging into your account on MyHR and raising a query through AskHR.
- You can remove consent, where you have provided it, at any time, as well as update any of your opt-in marketing preferences
- You can ask us to confirm if we are processing your information
- You can ask for access to your information
- You can ask to correct your information if it's wrong
- You can ask us to delete your information (the right to be forgotten), but only in certain cases
- You can ask us to restrict how we use your information, but only in certain cases
- You can ask us to help you move your information to other companies, but only in certain cases
- You can object to us processing your information based on legitimate interests, but only in certain cases
- You can object to us processing your information in relation to direct marketing
- If you are not satisfied with the way that we have handled your data, please contact the Data Protection Officer by email at dpo@edfenergy.com. You also have the right to complain to the relevant supervisory authority, the Information Commissioner’s Office (“ICO”)
Your obligations to safeguard personal data of others
You will have access to the personal data of other individuals during the course of your employment. You must undertake any mandatory EDF Energy data protection training, and ensure that you do not inappropriately obtain, retain, amend, use, delete, transmit or compromise the security of the personal data of others. You must:
- only seek to access the personal data that you are authorised to access and only use that data for the specified, explicit and legitimate purposes for which it was obtained by EDF Energy;
- not make any amendments to personal data or share it with others either within or without EDF Energy without being authorised to do so;
- not inappropriately store other people’s personal data outside of EDF Energy systems;
- take appropriate steps to safeguard the security of personal data. These include, but may not be limited to, ensuring equipment is made secure if unattended for any time; keeping passwords secure and not sharing them; ensuring that paper records are stored securely when not in use; ensuring appropriate security measures are in place before personal data and devices containing personal data or devices that can be used to access personal data are removed from EDF Energy’s premises; and
- report any data security concerns or incidents immediately in accordance with the Incident Management Procedure which will be available on Pulse or by phoning the EDF Energy Service Desk 777 or 01392 353955. Concerns or incidents may include, but may not be limited to, you believing or suspecting that one of the following has taken place (or is likely to take place): there has been any data breach; there has been unauthorised access to or removal from the premises of personal data; personal data is not secure; or you are aware of any other breach of data protection legislation.
Failure to comply with your data protection obligations puts at risk the individuals whose personal information is being processed, carries the risk of significant civil and criminal sanctions for you and EDF Energy; and may, in some circumstances, amount to a criminal offence for which you are personally liable. Because of the importance of data protection obligations, it may lead to disciplinary action under our procedures, up to and including dismissal for gross misconduct.
Security and Accuracy
We are committed to keeping your personal information safe. We've got physical, technical and administrative measures in place to prevent unauthorised access or use of your information. We also require that our suppliers protect such information from unauthorised access, use and disclosure. Please see our Security Practice & Guidance, which is available on Pulse or on request.
We will also routinely refresh our information or ask you to refresh your details to ensure we keep it up-to-date.
Website terms and conditions and cookies
Our website terms and conditions can be found here.
How we protect your personal information:
What we collect. This category of information we collect about you includes: | How we use it. We use this information for certain activities, including to: | Why we use it. We use this information because: |
---|---|---|
Information collected during the recruitment process: | | |
Information obtained as a result of a criminal records check | | |
Information we need to contact you, pay you and provide benefits to you: | | |
Information about your role, workplace performance, conduct, training, progression, feedback you have given and received and information held on HR systems such as ImageNow, myHR, myCampus etc: | | |
Information about your fitness for work: | | |
Information we collect in relation to our work-related systems such as email, sharepoint, Microsoft Teams, Viva Engage, etc: | | |
Information contained within work products such as documents, presentations etc, and within internal directories such as on Pulse | | |
Information we collect in our travel, facilities and expenses systems including Concur, Carlson Wagonlit, Europcar, Matrix booking etc | | |
Information that we collect from you in order to comply with all relevant laws, regulations, industry codes and regulatory obligations: | | |
Information we use to monitor behaviour and track data transfer activities: | | |
Information provided to us in relation to business related driving | | |
Information you have provided to us in order to access your personal devices (BYOD) | | |
Information that we collect from you and/or from our records, during any testing for Covid-19 with which you take part | | |