About | Community Engagement | Contact
Dungavel Logo

Carscreugh
Wind Farm

The Carscreugh Wind Farm is located in Dumfries & Galloway, Scotland

Number of Turbines

0

Capacity

0

mw

Equivalent Homes Served

0

Number of Turbines

0

Capacity

0

mw

Equivalent Homes Served

0

Carscreugh
Wind Farm

The Carscreugh Wind Farm is owned by Carscreugh Renewable Energy Park Limited.

The Carscreugh Wind Farm comprises of

18

Gamesa G52 turbines each with a three-bladed rotor, active pitch control and variable speed operation with a rated power of 850kW each.

Sustainability

Each year an average of 35,875 MWh of renewable electricity is produced, enough to power 8,626 residential properties based upon the national average electricity consumption statistics.

Community Engagement

The Carscreugh wind farm makes an annual community benefit contribution of c. £45,000 to Foundation Scotland. Six community councils are eligible for funding through the Carscreugh community fund – Cree Valley; Kirkcowan; New Luce; Port William; Stoneykirk; Old Luce. If groups from one of the above community council areas wish to apply for CREPL funds they should contact their local Community representative directly. 

Contact Us

Privacy Notice | Cookie Policy | Carscreugh Wind Farm, Dumfries & Galloway, Scotland.

Website design and build by dink consultants.

COOKIE POLICY

Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site.

A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive. You can find out more about cookies, how to manage and delete them, and how to manage your browser settings, at www.allaboutcookies.org.

We use the following cookies on our website:

  • Strictly necessary cookies. These are cookies that are required for the operation of our website. They enable core functionality such as page navigation. The website cannot function properly without these cookies. They include, for example, cookies that enable you to log into secure areas of our website.
  • Analytical or performance cookies. These allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
  • Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
  • Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests.

 

Below is a list of all the cookies we use on our website

Cookie Name: _ga |  Default expiration date: 2 years
Description: Used to distinguish users.

Cookie Name: _gid  |  Default expiration date: 24 hours
Description: Used to distinguish users.

Cookie Name: _gat  |  Default expiration date: 1 minute
Description: Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_.

Cookie Name: AMP_TOKEN |  Default expiration date: 30 seconds to 1 year
Description: Contains a token that can be used to retrieve a Client ID from AMP Client ID service. Other possible values indicate opt-out, inflight request or an error retrieving a Client ID from AMP Client ID service.

Cookie Name: _gac_ |  Default expiration date: 90 days
Description: Contains campaign related information for the user. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out

 

Google Analytics

Our website uses Google Analytics, a web analytics service provided by Google Inc. Google Analytics uses cookies to help the website analyse how users use the site. We use the information to compile reports and to help us improve the website. The cookies collect information in a way that does not directly identify anyone, including the number of visitors to our website, where visitors have come to our website from and the pages they visited. Please see Google’s privacy policy for further information on the data Google collects and how it is processed: https://policies.google.com/privacy. If you prefer to not have data reported by Google Analytics, you can install the Google Analytics Opt-Out Browser Add-On, by following the instructions here: https://tools.google.com/dlpage/gaoptout.]

 

Blocking Cookies

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our website. Any changes we may make to our cookie policy in the future will be posted on this page.

Privacy Policy

Carscreugh Renewable Energy Park Limited (Company) recognises its responsibility and is committed to respecting the personal data and privacy of our investors, directors, officers, suppliers and other third parties as required by the General Data Protection Regulation (GDPR). As a result, directors and officers of the Company share the Company’s responsibility and must ensure that their conduct in their work complies with this Policy. The Company has delegated responsibility for the Company complying with the GDPR to Foresight Group LLP (Foresight Group). If you, as a director or an officer of Foresight VCT plc or an employee of Foresight Group, are unsure of your responsibilities or need guidance, you must speak to a member of the Foresight Group ISMS & GDPR Panel.

The GDPR and this Policy apply to the processing by the Company of the Personal Data of individuals located in the UK, Guernsey, Jersey or the EEA in the context of its activities (even if the Personal Data concerned is held and processed outside those territories).

The version of the GDPR which became part of UK law from 1 January 2021 as a result of the Brexit Withdrawal Agreement is identical in all material respects with the original version of the GDPR as implemented by national legislation in Guernsey, Jersey and the European Economic Area (EEA). References to the GDPR in this Policy are to the version of the GDPR which applies to the particular processes being undertaken.

The key principles relating to processing of Personal Data set out in the GDPR require Personal Data to be:

  • processed lawfully, fairly and in a transparent manner;
  • collected only for specified, explicit and legitimate purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
  • accurate and where necessary kept up to date;
  • not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed;
  • processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage;
  • not transferred to another country without appropriate safeguards being in place; and
  • made available to data subjects and allow data subjects to exercise certain rights in relation to their Personal Data, including:
    • the right to be informed;
    • the right of access;
    • the right to rectification;
    • the right to erasure;
    • the right to restrict processing;
    • the right to data portability;
    • the right to object; and
    • rights in relation to automated decision making and profiling.

Organisations are responsible for and must be able to demonstrate compliance with the principles listed above.

The meaning of “processing” is wide ranging and includes merely holding Personal Data (see the definition below) and the GDPR applies to Personal Data whether it is used in a corporate or private context (for example it applies to personal work email addresses, as well as private email addresses).

This Policy outlines the standards that will promote compliance across the activities of the Company with applicable data protection laws.

It is recognised that, because of the nature of the Company and its activities, alongside Foresight Group being responsible for the Company complying with GDPR, the majority of the Processing of Personal Data will be carried out on its behalf by Foresight Group as a Processor of Personal Data on behalf of the Company as Controller of that Personal Data. The Company’s instructions to its Processor will be required to be consistent with this Policy.

1.  Interpretation

1.1 Definitions:

Automated Decision-Making (ADM): when a decision is made which is based solely on Automated Processing (including profiling) which produces legal effects or significantly affects an individual. The GDPR prohibits Automated Decision-Making (unless certain conditions are met) but not Automated Processing.

Automated Processing: any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of Automated Processing.

Board: the board of directors of the Company from time to time.

Company, we, our or us: Foresight VCT plc.

Company Personnel or you: all directors, officers, consultants and others engaged by the Company, including employees of Foresight Group.

Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject’s wishes by which he/she, by a statement or by a clear positive action, signifies agreement to the Processing of Personal Data relating to them.

Criminal Convictions Data: means personal data relating to criminal convictions and offences and includes personal data relating to criminal allegations and proceedings.

Data Controller: the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the GDPR. We are the Data Controller of all Personal Data relating to Company Personnel and Personal Data used in our business for our own commercial purposes.

Data Subject: a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.

Data Privacy Impact Assessment (DPIA): tools and assessments used to identify and reduce risks of a data processing activity. DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programs involving the Processing of Personal Data.

EEA: the 27 countries in the EU, Iceland, Liechtenstein and Norway.

Explicit Consent: consent that requires a very clear and specific (ideally written) statement (that is, not just action).

Foresight: Foresight Group LLP.

Foresight Group: Foresight Group Holdings Limited and its direct and indirect subsidiary undertakings.

Foresight GDPR Panel: the panel established by Foresight Group’s Executive Committee to ensure that its business (including that of the funds managed by it, including their subsidiaries, or a Foresight Group entity) is compliant with GDPR. Details of panel members (including contact details) will be provided to Company Personnel.

General Data Protection Regulation (GDPR): the General Data Protection Regulation ((EU) 2016/679) or, as applicable, that Regulation as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act of 2018. Personal Data is subject to the legal safeguards specified in the GDPR.

Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Special Category Data and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal Data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.

Personal Data Breach: any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.

Privacy by Design: implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the GDPR.

Privacy Guidelines: any privacy/GDPR related guidelines provided or adopted by Foresight from time to time to assist in interpreting and implementing this Privacy Policy and Related Policies which shall apply to the Company as if it was its own policy.

Processor: a person or entity that carries out Processing.

Privacy Notices (also referred to as Fair Processing Notices) or Privacy Policies: separate notices setting out information that may be provided or made available to Data Subjects when the Company collects information about them. These notices may take the form of general privacy statements applicable to a specific group of individuals (for example, employee privacy notices or the website privacy policy) or they may be stand-alone, one-time privacy statements covering Processing related to a specific purpose. These notices will be incorporated into and/or form part of notices provided or made available to Data Subjects by Foresight in respect of its or the Company’s business.

Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.

Pseudonymisation or Pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and securely.

Related Policies: such policies, operating procedures or processes as are provided or adopted by Foresight from time to time related to this Privacy Policy and designed to protect Personal Data which shall apply to the Company as if it was its own policy.

Special Category Data (also previously referred to as Sensitive Personal Data): information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.

2. Introduction
 

This Privacy Policy sets out how the Company handles the Personal Data of our members, directors, officers, suppliers and other third parties.

This Privacy Policy applies to all Personal Data processed by the Company (including on our behalf by Company Personnel) regardless of the media on which that data is stored or whether it relates to members, clients or supplier contacts, website users or any other Data Subject.

This Privacy Policy applies to all Company Personnel who must read, understand and comply with this Privacy Policy when Processing Personal Data on our behalf and attend training on its requirements. This Privacy Policy sets out what we need from you in order for the Company to comply with applicable law and so your compliance with this Privacy Policy is mandatory. Related Policies and Privacy Guidelines may become available to help you interpret and act in accordance with this Privacy Policy in order to prevent a breach of this Privacy Policy.

As stated above, it is recognised that, because of the nature of the Company and its activities, the majority of the Processing of Personal Data will be carried out on its behalf by Foresight or a third-party service provider overseen by Foresight as a Processor of Personal Data on behalf of the Company as Controller of that Personal Data. As the Company is unstaffed, most of the Company’s operations are delegated to third parties and the Company consists of only the Board, which has no employees or internal operations. The Company’s instructions to its Processor will be required to be consistent with this Policy.

This Privacy Policy (together with Related Policies and Privacy Guidelines) is an internal document and cannot be shared with third parties, clients or regulators (other than Foresight Group and the Company’s and Foresight Group’s advisers) without prior authorisation from a director of the Company and a member of the Foresight Group GDPR Panel.

3. Scope
 

We recognise that the correct and lawful treatment of Personal Data will maintain confidence in the Company and will provide for our successful business operations.

Protecting the confidentiality and integrity of Personal Data is a critical responsibility that we are committed to respect at all times. The Company is exposed to potential fines of up to EUR20 million (approximately £18 million) or 4% of total worldwide annual turnover, whichever is higher and depending on the breach, for failure to comply with the provisions of the GDPR. Therefore, your understanding of this Privacy Policy and your support is essential.

The Board is responsible for overseeing the operations resulting from this Privacy Policy and, as applicable, developing Related Policies and Privacy Guidelines. The Board has delegated day to day responsibility to Foresight.

The Board is also responsible for ensuring all Company Personnel comply with this Privacy Policy and for providing assistance to Company Personnel to implement appropriate practices, processes, controls and training to ensure compliance. The Board has delegated day to day responsibility to Foresight.

Please contact a member of the Foresight Group GDPR Panel with any questions about the operation of this Privacy Policy or the GDPR or if you have any concerns that it is not being or has not been followed:

GDPR Panel Members:
Jo Nicolle, Director, Head of Governance
Chris Tanner, Partner

GDPR Email Address:
DProtection@foresightgroup.eu

In particular, a member of the Foresight Group GDPR Panel must always be contacted in the following circumstances:

(a) if there has been a Personal Data Breach (see section 10.2 below);

(b) if you become aware of or believe there to be any rights invoked by a Data Subject (see section 12 below);

(c) if you need help with any contracts or other areas in relation to sharing Personal Data with third parties (see section 13.7 below)

(d) if you are unsure of the lawful basis which you are relying on to process Personal Data (including the legitimate interests used by the Company) (see section 5.1 below);

(e) if you need to rely on Consent and/or need to capture Explicit Consent (see section 5.2 below);

(f) if you need to draft Privacy Notices or Fair Processing Notices (see section 5.3 below);

(g) if you are unsure about the retention period for the Personal Data being Processed (see section 9 below);

(h) if you are unsure about what security or other measures you need to implement to protect Personal Data (see section 10.1 below);

(i) if you are unsure on what basis to transfer Personal Data outside the UK, Guernsey, Jersey and the EEA (see section 11 below);

(j) whenever you are engaging in a significant new, or change in, Processing activity which is likely to require a DPIA (see section 13.4 below) or plan to use Personal Data for purposes others than what it was collected for;

(k) If you plan to undertake any activities involving Automated Processing including profiling or Automated Decision-Making (see section 13.5 below); or

(l) If you need help complying with applicable law when carrying out direct marketing activities (see section 13.6 below).

4. Personal data protection principles

We are committed to apply the principles relating to Processing of Personal Data set out in the GDPR which require Personal Data to be:

(a) Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency).

(b) Collected only for specified, explicit and legitimate purposes (Purpose Limitation).

(c) Adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (Data Minimisation).

(d) Accurate and where necessary kept up to date (Accuracy).

(e) Not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (Storage Limitation).

(f) Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).

(g) Not transferred to another country without appropriate safeguards being in place (Transfer Limitation).

(h) Made available to Data Subjects and Data Subjects allowed to exercise certain rights in relation to their Personal Data (Data Subject’s Rights and Requests).

It is important that you understand that the Company is responsible for and must be able to demonstrate compliance with the data protection principles listed above (Accountability) and that you play an important part in helping the Company to achieve that.

5.  Lawfulness, fairness, transparency

5.1 Lawfulness and fairness

It is important to ensure that Personal Data is Processed lawfully, fairly and in a transparent manner in relation to the Data Subject.

You may only collect, Process and share Personal Data fairly and lawfully and for specified purposes. The GDPR restricts our actions regarding Personal Data to specified lawful purposes. These restrictions are not intended to prevent Processing but ensure that we Process Personal Data fairly and without adversely affecting the Data Subject.

The GDPR allows Processing for specific purposes, some of which are set out below:

(a) the Data Subject has given his or her Consent;

(b) the Processing is necessary for the performance of a contract with the Data Subject;

(c) to meet our legal compliance obligations;

(d) to protect the Data Subject’s vital interests; or

(e) to pursue our legitimate interests for purposes where they are not overridden because the Processing prejudices the interests or fundamental rights and freedoms of Data Subjects. The purposes for which we process Personal Data for legitimate interests need to be set out in applicable Privacy Notices or Fair Processing Notices.

In order to evidence our consideration in respect of each Processing activity, you are required to identify and document the legal ground being relied on.

5.2 Consent

In our role as a Data Controller, we must only process Personal Data on the basis of one or more of the lawful bases set out in the GDPR, which include Consent.

Consent by a Data Subject to permit us to Process their Personal Data is only valid if they indicate agreement clearly either by a statement or positive/affirmative action and so silence, pre-ticked boxes or inactivity are not sufficient. Consent must also be clear and not hidden, so if it is given in a document which deals with other matters, then the Consent must be kept separate from those other matters.

Once a Data Subject has given Consent, they must be able to easily withdraw that Consent at any time and we must endeavour to facilitate that withdrawal without delay. Additionally, Consent may need to be refreshed if the Personal Data is to be Processed for a different and incompatible purpose than that described at the time the original Consent was given. In that case, we must ensure that we set out the nature and purpose of the proposed Processing when asking the Data Subject to “re-Consent”.

When processing Special Category Data or Criminal Convictions Data, we will usually rely on a legal basis for processing other than Explicit Consent or Consent if possible. Where Explicit Consent is relied on, you must issue a Privacy Notice to the Data Subject to capture Explicit Consent. In the rare situations where Explicit Consent is relied on, we need to provide the Data Subject with more information on the nature and purpose of our requirement as it may be that Explicit Consent is required. In these situations you must refer to the Foresight Group GDPR Panel for guidance on the arrangements required, as the Foresight Group GDPR Panel will need to ensure appropriate controls are in place to manage that Sensitive Data, and also that the Explicit Consent, which must be in writing, is appropriately worded. The Foresight Group GDPR Panel will also consider whether or not we can rely on another legal basis of Processing. Similarly, Explicit Consent is also required for Automated Decision-Making and for cross border data transfers. Where Explicit Consent is required, a Fair Processing Notice is required to be sent to the Data Subject to capture Explicit Consent, though, as stipulated above, that must be reviewed by the Foresight Group GDPR Panel before being finalised/ sent. Guidance on the content of the Fair Processing Notice is provided in 5.3 below.

You will need to evidence Consent captured and keep records of all Consents so that the Company can demonstrate compliance with Consent requirements.

5.3 Transparency (notifying data subjects)

The GDPR requires us as a Data Controller to provide detailed, specific information to Data Subjects depending on whether the information was collected directly from Data Subjects or from elsewhere. That information must be provided through appropriate Privacy Notices or Fair Processing Notices, which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a Data Subject can easily understand them, but in all cases, the wording must be approved by the Foresight Group GDPR Panel before finalising/issuing.

Whenever we collect Personal Data directly from Data Subjects, including for human resources or employment purposes, we must provide the Data Subject with all the information required by the GDPR including the identity of the Data Controller, Foresight Group’s Data Protection email address: DProtection@foresightgroup.eu, how and why we will use, Process, disclose, protect and retain that Personal Data through a Fair Processing Notice which must be presented when the Data Subject first provides the Personal Data.

Where we Process Personal Data via a third party or from a publicly available source, it will be necessary to implement controls and procedures to ensure that:

  • the Data Subject is provided with all the information required by the GDPR as soon as possible after collecting/receiving the data; and
  • the Personal Data was collected by the third party in accordance with the GDPR and on a basis which contemplates our proposed Processing of that Personal Data.

Where we record your image via CCTV at one of our sites, we will provide you with all the information required by the GDPR including the reason for having CCTV installed, who is responsible for the CCTV and who to contact.

Ideally, the controls and procedures should be in writing, and where necessary, include a checklist in order to ensure and evidence that all steps identified as required are taken.

6.  Purpose limitation

It is necessary to ensure that Personal Data is only collected for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes, and so you should not request Personal Data on the basis that it may be required in the future or is a “nice to have”.

You cannot use Personal Data for new, different or incompatible purposes from that disclosed when it was first obtained unless you have informed the Data Subject of the new purposes and they have Consented where necessary. If you are in any doubt over whether you are using Personal Data for anything other than the purposes it was originally provided, please refer to a member of the Foresight Group GDPR Panel.

7. Data minimisation

As mentioned above, it is important to ensure that we do not ask for more Personal Data than is needed. Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.

You may only Process Personal Data when performing your duties requires it, and if the Processing is either as disclosed when the Personal Data was first obtained or was consented to subsequently. You cannot Process Personal Data for any reason unrelated to the purpose for which it was obtained.

You may only collect Personal Data that we require to enable us to carry out the Processing for which it was obtained: do not collect excessive Personal Data and ensure any Personal Data collected is adequate and relevant for the intended purposes only.

You must ensure that when Personal Data is no longer needed for specified purposes, it is held securely, and that you notify a member of the Foresight Group ISMS & GDPR Panel to determine whether that data may be deleted or anonymised in accordance with any applicable data retention guidelines.

Note: different retention periods will apply to different data types and these are set out in Foresight Group’s guidelines. If you are in any doubt over what applies to the Personal Data you are dealing with, please speak to a member of the Foresight Group GDPR Panel before taking any action. It is important that no personal data is deleted before the relevant retention period has expired, and that no personal data is deleted or anonymised without the prior authorisation of the Foresight Group GDPR Panel.

8.  Accuracy

Personal Data must be accurate and, where necessary, kept up to date. If we discover or are made aware that Personal Data held is not accurate, it must be corrected or deleted without delay in accordance with procedures or guidance from the Foresight Group GDPR Panel.

As mentioned, it is important that the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. You are required to implement controls and procedures that check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards, where appropriate. Where we hold inaccurate or out-of-date Personal Data, we must take appropriate steps to ensure it is amended or deleted, however please adhere to the protocols noted in this document as regards deletion and seek the necessary advice before taking any action.

9. Storage limitation

We are required to ensure that Personal Data is not kept in an identifiable form for longer than is necessary for the purposes for which the data is processed. As a general rule, we will hold Personal Data as long as the following criteria remains relevant:

  • Business relationships: for as long as we have reasonable business needs, such as managing relationships with our clients, suppliers, agents, etc;
  • Company Personnel: in line with legal and regulatory requirements;
  • General/other: retention periods in line with legal and regulatory requirements or guidance.

General guidance on retention periods will be issued by the Foresight Group GDPR Panel from time to time.

We are required to ensure that we do not keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the legitimate business purpose or purposes for which we originally collected it including for the purpose of satisfying any legal, accounting or reporting requirements. Where that situation does arise, it is necessary to understand what retention arrangements apply to that Personal Data, and to escalate to the Foresight Group GDPR Panel where it is believed that the retention period has expired or is due to expire imminently.

The Company will maintain retention policies and procedures to ensure Personal Data is deleted (as advised by the Foresight Group GDPR Panel) after a reasonable time for the purposes for which it was being held, unless a law requires such data to be kept for a minimum time. In that regard, it is extremely important to comply with Foresight’s guidelines on Data Retention and to ensure that only the Foresight Group GDPR Panel can arrange and/or authorise the destruction of Personal Data.

The Foresight Group GDPR Panel will take all reasonable steps when arranging to destroy or erase from our systems all and any Personal Data that we no longer require in accordance with all the Company’s applicable records retention schedules and policies. This includes requiring third parties to delete such data where applicable.

It is necessary to ensure that Data Subjects are informed of the period for which data is stored and how that period is determined in any applicable Privacy Notice or Fair Processing Notice. Appropriate wording should be agreed with the Foresight Group GDPR Panel before finalising/ issuing any notice.

10.  Security Integrity and Confidentiality

10.1 Protecting Personal Data

The Foresight Group GDPR Panel will work with Company Personnel to ensure that Personal Data must be secured by appropriate technical and organisational measures against unauthorised or unlawful Processing, and against accidental loss, destruction or damage. However, if Company Personnel discover any such situation, this must be immediately escalated to the Foresight Group GDPR Panel.

We will, in consultation with Company Personnel and experts as appropriate:

  • develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of Personal Data that we own or maintain on behalf of others and identified risks (including use of encryption and Pseudonymisation where applicable);
  • regularly evaluate and test the effectiveness of those safeguards to ensure security of our Processing of Personal Data.
    • You must understand your responsibilities for protecting the Personal Data we hold and act accordingly.
    • You must implement reasonable and appropriate security measures against unlawful or unauthorised Processing of Personal Data and against the accidental loss of, or damage to, Personal Data.
    • You must exercise particular care in protecting Special Category Data from loss and unauthorised access, use or disclosure.

We require that you follow all procedures and utilise technologies we put in place to maintain the security of all Personal Data from the point of collection to the point of destruction. The transfer of Personal Data may only take place where it is being sent to third-party service providers who agree to comply with the required policies and procedures and who agree to put adequate measures in place. However, any transfer must only be facilitated upon the prior authorisation of the Foresight Group GDPR Panel. Data security must be maintained by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:

(a) Confidentiality means that only people who have a need to know and are authorised to use the Personal Data can access it.

(b) Integrity means that Personal Data is accurate and suitable for the purpose for which it is processed.

(c) Availability means that authorised users are able to access the Personal Data when they need it for authorised purposes.

In order for you to comply with all applicable aspects of any Information Security Policy/ies adopted by the Company, appropriate controls and procedures must be implemented. Those procedures and controls, whether administrative, physical and/or technical, are all safeguards and must be in accordance with the GDPR and any relevant standards to protect Personal Data.

10.2 Reporting a Personal Data Breach

The GDPR requires Data Controllers to notify any Personal Data Breach to the applicable regulator and, in certain instances, the Data Subject. Note that the definition of Personal Data Breach is wide and includes, for example, the unauthorised receipt of Personal Data.

We are under a 72-hour time constraint to make a breach notification, and so it is extremely important that you escalate any situation where you believe that a breach may have taken place to the Foresight Group GDPR Panel.

Foresight have put in place procedures to deal with any suspected Personal Data Breach which will involve the notification to Data Subjects or any applicable regulator where we are legally required to do so.  This includes the Foresight Group GDPR Panel acting on behalf of the Company to investigate any incident or data breach and notifying the relevant regulator where necessary.

If you know or suspect that a Personal Data Breach has occurred, you must not attempt to investigate the matter yourself. You must immediately contact the Foresight Group GDPR Panel for Personal Data Breaches and incidents. However, you must preserve all evidence relating to the potential Personal Data Breach in the manner specified in the Information Security Incident Management Policy located in Foresight’s Governance & Compliance Library

11. Transfer limitation

The GDPR restricts data transfers to countries outside the UK, Guernsey, Jersey and the EEA in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined. Transfers of this kind occur when Personal Data originating in one country is transmitted, sent, viewed and/ or accessed in or to a different country.

The transfer of Personal Data outside the United Kingdom, Guernsey, Jersey and the EEA can only be facilitated upon the prior authorisation of the Foresight Group GDPR Panel if one of the following conditions applies:

(a) as applicable, the European Commission or the UK Government has issued a decision confirming that the country to which we transfer the Personal Data ensures an adequate level of protection for the Data Subjects’ rights and freedoms (for these purposes, Guernsey and Jersey have been formally recognised by the EU: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside- eu/adequacy-protection-personal-data-non-eu-countries_en) and the UK;

(b) appropriate safeguards are in place such as binding corporate rules (BCR), standard contractual clauses approved by the European Commission or the UK Government, an approved code of conduct or a certification mechanism, a copy of which can be obtained from the Foresight Group ISMS & GDPR Panel;

(c) the Data Subject has provided Explicit Consent to the particular proposed transfer after being informed of any potential risks; or

(d) the transfer is necessary for one of the other reasons set out in the GDPR including the performance of a contract between us and the Data Subject (including an employment contract), reasons of public interest, to establish, exercise or defend legal claims or to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving Consent and, in some limited cases, for our legitimate interest.

12. Data Subject’s rights and requests

Data Subjects have rights when it comes to how we handle their Personal Data. These include rights to:

(a) withdraw Consent to Processing at any time (where Consent is the lawful basis on which the personal data is Processed);

(b) receive certain information about the Data Controller’s Processing activities;

(c) request access to their Personal Data that we hold;

(d) prevent our use of their Personal Data for direct marketing purposes;

(e) ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed or to rectify inaccurate data or to complete incomplete data (for example if the Data Subject believes we hold inaccurate Personal Data about them, or Personal Data which we do not need to have in order to carry out Processing for them);

(f) restrict Processing in specific circumstances;

(g) challenge Processing which has been justified on the basis of our legitimate interests or in the public interest;

(h) request a copy of an agreement under which Personal Data is transferred outside of the United Kingdom, Guernsey, Jersey or the EEA;

(i) object to decisions based solely on Automated Processing, including profiling (ADM);

(j) prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else;

(k) be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms;

(l) make a complaint to the supervisory authority; and

(m) in limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine-readable format.

In view of the above, it is essential that you verify the identity of an individual requesting data under any of the rights listed above (do not allow third parties to persuade you into disclosing Personal Data without proper authorisation). Requests may take any number of forms, including a telephone call, email and letter. Where a request is made by telephone, you must take all reasonable measures to ensure you are talking to the Data Subject or a person appropriately authorised by the Data Subject to have access to the data requested. In any case, if you are not sure, please refer to your line manager for guidance.

You must immediately forward any Data Subject request you receive to the Foresight Group GDPR Panel.

13. Accountability

13.1 The Company (as a Data Controller) is required to implement appropriate technical and organisational measures in an effective manner, to ensure compliance with data protection principles. This must be done via our Company Personnel and/or Foresight in such a manner as to enable us to be able to demonstrate, compliance with the data protection principles. This means that you and your team must ensure you have:

  • appropriate controls and procedures in place; and
  • be able to evidence all the measures we take in relation to complying with the GDPR. Evidence may take the form of copies of checklists, communications trails, notes of meetings/ calls, etc.

The Company must have adequate resources and controls in place to ensure and to document GDPR compliance including:

(a) establishing suitable governance responsibilities for data privacy;

(b) implementing Privacy by Design when Processing Personal Data and completing DPIAs where Processing presents a high risk to rights and freedoms of Data Subjects;

(c) integrating data protection into internal documents including this Privacy Policy, Related Policies, Privacy Guidelines, Privacy Notices or Fair Processing Notices;

(d) to the extent applicable, training Company Personnel on the GDPR, this Privacy Policy, Related Policies and Privacy Guidelines and data protection matters including, for example, Data Subject’s rights, Consent, legal basis, DPIA and Personal Data Breaches. The Company must maintain a record of training attendance by Company Personnel; and

(e) regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.

13.2 Record keeping

The GDPR requires us to keep full and accurate records of all our data Processing activities.

As noted in 13.1 above, we require that you keep and maintain accurate corporate records reflecting our Processing including records of Data Subjects’ Consents and procedures for obtaining Consents.

These records should include, as a minimum, the name and contact details of the Data Controller and the Foresight Group GDPR Panel, clear descriptions of the Personal Data types, Data Subject types, Processing activities, Processing purposes, third-party recipients of the Personal Data, Personal Data storage locations, Personal Data transfers, the Personal Data’s retention period and a description of the security measures in place. In order to create such records, data maps should be created which should include the detail set out above together with appropriate data flows.

13.3  Training and audit

We are required to ensure all Company Personnel have undergone adequate training to enable them to comply with data privacy laws. We must also test our systems and processes to assess compliance.

It is important that you undergo all mandatory data privacy related training. If you feel that you require additional training, please speak to the Foresight Group GDPR Panel.

As part of our ongoing obligation to ensure our systems, controls and procedures remain relevant and sufficient in order to comply with the GDPR, you must regularly review all the processes under your control to ensure they comply with this Privacy Policy and check that adequate governance controls and resources are in place to ensure proper use and protection of Personal Data. All support will be provided by the Foresight Group GDPR Panel to assist with such reviews, and also in updating or introducing new systems, controls and procedures as may be considered necessary.

13.4 Privacy By Design and Data Protection Impact Assessment (DPIA) 

We are required to implement Privacy by Design measures when Processing Personal Data by implementing appropriate technical and organisational measures in an effective manner, to ensure compliance with data privacy principles.

Privacy by design is an approach that promotes privacy and data protection compliance from the start and is an essential tool in minimising privacy risks and building trust with our Data Subjects.

In establishing and following controls and procedures, it will be necessary for you to assess what Privacy by Design measures can be implemented on all programs/systems/processes that Process Personal Data by taking into account the following:

(a) the state of the art;

(b) the cost of implementation;

(c) the nature, scope, context and purposes of Processing; and

(d) the risks of varying likelihood and severity for rights and freedoms of Data Subjects posed by the Processing.

As a Data Controller, the Company must also conduct DPIAs in respect to high risk Processing.

DPIAs are required (and discuss your findings with the Foresight Group ISMS & GDPR Panel) when implementing major system or business change programs involving the Processing of Personal Data including:

(e) use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes);

(f) Automated Processing including profiling and ADM;

(g) large scale Processing of Sensitive Data or Criminal Convictions Data; and

(h) large scale, systematic monitoring of a publicly accessible area.

We also undertake DPIAs on other kinds of Personal Data processing in order to determine the level of risk involved.

A DPIA template is available from the Foresight Group ISMS & GDPR Panel and will include:

(i) a description of the Processing, its purposes and the Data Controller’s legitimate interests if appropriate;

(j) an assessment of the necessity and proportionality of the Processing in relation to its purpose;

(k) an assessment of the risk to individuals; and

(l) the risk mitigation measures in place and demonstration of compliance.

13.5  Automated Processing (including profiling) and Automated Decision-Making

The Company, at the date of this policy, does not use profiling or ADM.

However, generally, ADM is prohibited when a decision has a legal or similar significant effect on an individual unless:

(a) a Data Subject has Explicitly Consented;

(b) the Processing is authorised by law; or

(c) the Processing is necessary for the performance of or entering into a contract.

If certain types of Sensitive Data or Criminal Convictions Data are being processed, then grounds (b) or (c) will not be allowed but such Sensitive Data and Criminal Convictions Data can be Processed where it is necessary (unless less intrusive means can be used) for substantial public interest like fraud prevention.

If a decision is to be based solely on Automated Processing (including profiling), then Data Subjects must be informed when you first communicate with them of their right to object. This right must be explicitly brought to their attention and presented clearly and separately from other information. Further, suitable measures must be put in place to safeguard the Data Subject’s rights and freedoms and legitimate interests.

We must also inform the Data Subject of the logic involved in the decision making or profiling, the significance and envisaged consequences and give the Data Subject the right to request human intervention, express their point of view or challenge the decision.

Where you utilise a form of ADM or Automated Processing, a DPIA must be carried out before any such activities are undertaken.

13.6 Sharing Personal Data

Generally, we are not allowed to share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place.

You may only share the Personal Data we hold with other Company Personnel, any agent or representative of the Company or Foresight (which includes Foresight’s subsidiaries and our ultimate holding company along with its subsidiaries) if the recipient has a job-related need to know the information, is authorised to see the data and the transfer complies with any applicable cross-border transfer restrictions.

You may only share the Personal Data we hold with third parties, such as our service providers if:

(a) they have a need to know the information for the purposes of providing the contracted services;

(b) sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject’s Consent has been obtained;

(c) the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;

(d) the transfer complies with any applicable cross border transfer restrictions; and

(e) a fully executed written contract that contains GDPR approved third party clauses obtained.

14.  Changes to this Privacy Policy

We reserve the right to change this Privacy Policy at any time without notice to you so please check back regularly to obtain the latest copy of this Privacy Policy.

This Privacy Policy does not override any applicable national data privacy laws and regulations in countries where the Company operates.