Personal Data we collect and how we use it
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity and Contact Data: including your first name, surname, title, email address, postal address, telephone number, mobile number, date of birth, and information as to whether you are a taxpayer to help us to claim gift aid;
- A record that you are an investor in one or more of our projects including the name of the project, amount of investment, number of shares, the reference number that we attribute to you when you become a member, the votes you cast;
- Financial and Payment Data: including bank account name, bank account number, sort code and other data necessary for processing payments and fraud prevention;
- Representatives details: Proof of any changes to the details that we hold about you including details of any representatives such as a Power of Attorney or Executor;
- Third party publications/media source where you first heard about The Highland Community Energy Society Limited;
- Your preferences in receiving marketing information from us including mode of communication;
- Images and video;
In addition to the above, where you are a website visitor, we may collect any of the following:
- Profile and Usage Data: your preferences in receiving marketing information from us, your communication preferences and information about how you use our website including the services/pages you viewed or searched for, page response times, download errors, length of visits, referring website/page and page interaction information (such as scrolling, clicks, and mouse-overs);
- Technical Data, including information collected during your visits to our website(s), the Internet Protocol (IP) address, login data, browser type and version, device type, time zone setting, browser plug-in types and versions, operating system and platform;
- Any other information you give us: such as information provided in an online enquiry form or email or other correspondence.
Special Categories of Personal Data
Special Category Personal Data specifically means personal data relating to race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data.
The Highland Community Energy Society Limited does not expect to routinely collect or process special categories of personal data unless you give this information to us.
Neither do we routinely collect any information about criminal convictions (including offences and alleged offences and any court proceedings or sentence) unless you give this sort of information to us.
Source of your personal information
The Highland Community Energy Society Limited expects to collect your personal information directly from you and from third party sources. For example:
- Directly from you: when you contact us via our website or complete our online contact form or “Register Your Interest” form or share application form;
- Indirectly from third parties: where information is provided by third parties such as any nominated representative or agent of yours;
- Indirectly via our website: from connection data sent to our webserver by your browser when you connect to The Highland Community Energy Society Limited;
- Indirectly via web-based services: for example, where analytical information is collected through electronic platforms made available to you in connection with services that we provide to you.
How will we use your personal information?
We use your personal information (with the support of Energy4All, our main service provider)
- to administer, process and manage your communications (including your online enquiry) and our relationship;
- to manage your shareholding;
- to keep our members register up-to-date and to comply with our various legal obligations;
- to notify you of member-related information, including important information about dividend distributions, member resolutions, reports and meetings, including details of our Annual General Meeting;
- to send you relevant information relating to The Highland Community Energy Society Limited’s other community energy project/s such as investment opportunities, and our Newsletter;
- To process payments, billings and collection of payments;
- For promotional, and marketing purposes;
- We use the logs from our servers to assist in our security, as well as to develop our online strategy. For example, where they have not been disabled, our cookies may be used to improve the user-friendliness of our website, enhance your experience using our website and help us work out which pages are most popular.
Legal Basis for processing your personal data
The UK General Data Protection Regulation (GDPR) requires us to provide you with information about the legal reason (or “legal basis”) for processing your personal data.
We may need to use your personal data in order to comply with our legal obligations. For example:
- If you opt-out of receiving our marketing information, we will delete your personal information except for your basic contact information which will be transferred into a secure separate list known as a direct marketing suppression list, to ensure that we comply with your objection to direct marketing. The legal basis for retaining your basic contact details is that it is necessary to do so in order to comply with our legal obligation under data protection law.
- To comply with our various statutory obligations and your rights as a member in accordance with our Articles of Association and any applicable laws including notifying you of meetings where you have a right to vote such as the Annual General Meeting. We will also process your personal data to notify you of any dividends or interest payments that are due to be paid to you.
- To maintain a record of your investment so that we can comply with anti-money laundering and tax laws.
If you enter into a contract with The Highland Community Energy Society Limited, we will need to collect and process some personal information in order to administer that contract. Where this happens, our legal basis for processing your personal information is contractual.
In most other cases, our use of your personal data will be on the legal basis that it is necessary for our legitimate interests, or those of a trusted third party such as Energy4All (Energy4All is our community energy partner https://energy4all.co.uk/), providing those interests are not overridden by your own interests or fundamental rights and freedoms. For example:
- We will need to process your personal information in order to respond to and administer your enquiry or correspondence;
- To keep you informed about important information, developments and updates;
- We may process your personal information for security purposes or to develop our business generally;
- to send you promotional and direct marketing material by post.
Where you have provided your consent we may process your personal information in the following circumstances:
- to send you marketing information by post, email and telephone;
- to send you electronic direct marketing that you haven’t specifically requested;
- to publish a testimonial, you have provided in conjunction with your name;
- to publish an image or video of you where you are the main focus (or your image is accompanied by your name), on our website or on a third-party social networking platform such as LinkedIn, Facebook or Twitter;
- to share your personal data with any third party for marketing purposes. For example, we may share your information with Energy4All but only with your specific consent.
The Highland Community Energy Society Limited processes personal data for the purposes of direct marketing and promoting our organisation. However, unless you consent, we will never sell or rent your personal information to a third party, for that third party’s marketing purposes.
We rely on your specific opt-in consent to process your personal information to send you direct marketing that you haven’t specifically requested. For example, when we send you updates via email or post.
You can stop receiving our marketing at any time by clicking on the “unsubscribe” option in our email communications or by emailing us at email@example.com or you can write to us. Our contact details can be found here.
Where we require your consent to send you direct marketing, you have the legal right to withdraw that consent at any time.
Withdrawal of consent to receive marketing communications will not affect the processing of your personal data for the provision of our other services which do not rely upon your consent. For example, if you are an investor in any of our projects and withdraw your marketing consent, you will continue to be sent only communications which relate directly to the operation of the project(s) in which you invested.
However, by withdrawing or not providing your consent to direct marketing, you may not receive information about The Highland Community Energy Society Limited’s projects including other investment opportunities and our Newsletter.
Explicit Consent and Substantial Public Interests Based Upon Law
Rarely, The Highland Community Energy Society Limited need to process special categories of personal data such as health or medical information. For example, in order that we can cater for specific dietary needs or a hearing impairment at an event you are attending. We will only process this sort of information with your explicit consent or where it is necessary for reasons of substantial public interest that are based upon a law.
The Highland Community Energy Society Limited may process special category personal information where it is necessary to establish, exercise or defence legal claims or where a court is acting in a judicial capacity.
How we share your personal data
Normally, we wouldn’t expect to share your personal data with another organisation except in the following circumstances:
- on a confidential basis with third parties for the purposes of collecting your feedback on our services, to help us measure our performance and to improve and promote our services;
- with trusted service providers who we engage. For example, external software providers, payment providers who help us manage dividend and other payments to our shareholders and mailers. Where we do this, the service providers are contractually required by us to keep your personal data secure and to only process it strictly in accordance with our instructions and in accordance with data protection laws;
- where you have consented, with third parties for their marketing purposes;
- with third party data controllers where we have a legal obligation to do so including regulators who regulate how we operate such as HMRC, Companies House, Financial Conduct Authority and the Information Commissioner's Office;
- with any individual or company to whom we propose to transfer our obligations and rights in relation to the administration of our share register;
- with any third-party at your request or with your specific consent. For example, with your agent or other representative;
- with any third-party where if the law requires or permits disclosure, or there is a duty to the public to share or disclose your personal information. For example, for the purpose of verifying shareholdings or contacting shareholders about matters relating to the company, their shareholding or a related exercise of rights;
- Working with regulators and fraud prevention and detection agencies:
- We may use your personal information to help us to detect and prevent fraud, fight financial crime and meet our regulatory responsibilities. This may involve checking public registers (e.g. the electoral roll or registers of county court judgments, bankruptcy orders or repossessions), conducting online searches from websites and other information sharing platforms and using databases managed by credit reference agencies and other reputable organisations. This will help us verify your identity and carry out tracing exercises. We may also share your information and undertake searches with third party organisations such as public bodies, credit reference agencies, fraud prevention agencies and our regulators (which include the FCA, and ICO).
If you provide us with false or inaccurate information and we suspect fraud, we will record this to prevent further fraud and money laundering.
Information we transfer outside the UK
In delivering our services to you, it is sometimes necessary for us to share your personal data outside the UK. This might arise where, for example, we are facilitating a payment to your bank which is located overseas, or where our service providers are located/store data outside the UK (for example, we use Mailchimp when sending out membership communications).
We have taken steps to implement appropriate safeguards to ensure that the personal data we process is protected in accordance with data protection law (including the UK GDPR) when transferred outside the UK. The safeguards we have taken include:
- Checking whether there is an adequacy decision in place in respect of any countries outside the UK to which we transfer or receive your personal data;
- Implementing the European Commission's Standard Contractual Clauses (which are recognised as a valid personal data transfer mechanism in the UK) for transfers of personal data, or another adequate transfer mechanism.
Please contact us if you want further information on the specific mechanisms used by us when transferring your personal data out of the UK.
Cookies and similar technologies
Just like many other websites, our website uses some standard technology to store and manage user preferences.
For example, to allow members to log into the secure member area of our website. These are necessary for security purposes and gather analytic and usage data. For example, we use Google Analytics, a service of Google Inc. to track the usage of our website. As a consequence, if you allow your web browser to accept cookies from Google Analytics or accept third-party cookies while browsing our website, data provided automatically by your web browser will be transmitted to and stored on Google’s servers.
What are cookies?
The cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
Controlling and deleting cookies
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser settings to decline cookies if you prefer. This may prevent you from taking full advantage of our website.
The Highland Community Energy Society Limited uses ReCAPTCHA on our website. ReCAPTCHA is a Google service that collects the personal information of users to protect our site against spam and bots.
ReCAPTCHA works by implementing an algorithm to analyse a user's activity by taking a screenshot of the user's browser window. If the activity is deemed as mechanical or a made-up word is used, the activity is flagged by the system.
Activity and user information ReCAPTCHA collects and analyses include the following:
- Typing patterns of the user
- The amount of mouse clicks a user has done on the site or touches on an app
- What language the user's browser is using
- Google cookies that have been placed on the site
- The answers to question fields on the site
- CSS information
- Plug-ins installed on the browser
The algorithm also recognises IP addresses that have been previously recognised as humans through cookies.
Security of your personal data
The Highland Community Energy Society Limited has put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
For example, your personal data is held in a secure password-protected database accessible only by those staff or IT service providers that need access. Where it is necessary to do so, some of your data may be downloaded and stored on paper at our office while we carry out analysis of data. Paper based data is securely shredded and disposed of at the end of any analysis work.
If you would like more specific information about our security measures please contact us at firstname.lastname@example.org.