CY

Privacy Policy

1. Purpose

Great British Energy – Nuclear (GBE-N) is committed to protecting the privacy and security of your personal information. This privacy notice sets out the standards you can expect from us when we collect, hold or use your personal information.

2. Scope

This privacy notice only relates to the general processing of personal data carried out by Great British Energy – Nuclear, this includes making a subject access request. This notice also reflects obligations under the Data (Use and Access) Act 2025, including transparency around data reuse, access pathways, and individual rights.

3. Policy details

3.1. General

We will ensure that we treat all personal information in accordance with data protection legislation, including the General Data Protection Regulation (GDPR), Data Protection Act 2018 (DPA) and the Data (Use and Access) Act 2025 (DUAA), which governs lawful reuse and access to personal data.

We are registered as a Data Controller with the Information Commissioner’s Office (ICO). This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.

It is important that you read this notice, together with any other privacy notice we may provide when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.

3.2. Our Contact Details

Data Protection Officer
Great British Energy – Nuclear
Renaissance House
Lakeside Drive
Warrington Centre Park
Warrington
WA1 1QF

Email: dataprotection@greatbritishnuclear.uk

3.3. Data Protection Principles

We will comply with data protection law. This says that the personal information we hold about you must be:

  • Used lawfully, fairly and in a transparent way.
  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  • Relevant to the purposes we have told you about and limited only to those purposes.
  • Accurate and kept up to date.
  • Kept only as long as necessary for the purposes we have told you about.
  • Kept securely.

3.4. What type of information we have

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymised data). There are certain types of more sensitive personal data (special category data) which require a higher level of protection, such as information about a person’s health or criminal convictions.

We may collect, store, and use the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.
  • Date of birth.
  • Gender.
  • Marital status and dependents.
  • Next of kin and emergency contact information.
  • National Insurance number.
  • Bank account details, payroll records and tax status information.
  • Salary, annual leave, pension and benefits information.
  • Start date and, if different, the date of your continuous employment.
  • Leaving date and your reason for leaving.
  • Location of employment or workplace.
  • Copy of driving licence and car insurance.
  • Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process).
  • Employment records (including job titles, work history, working hours, holidays, training records and professional memberships).

Please note, the above list is not exhaustive.

We may also collect, store and use the following more sensitive types of personal data:

  • Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions for equality and diversity monitoring purposes.
  • Information about your health, including any medical condition, health and sickness records.
  • Details of any absences (other than holidays) from work including time on statutory parental leave and sick leave.
  • Information about criminal convictions and offences, including any criminal conviction information held outside of the UK.

3.5. How did we get the information and why do we have it?

Most of the personal information we collect and process is provided to us directly by you. The most common reasons that we will hold your information are if you:

  • Are a current or previous supplier, contractor or employee.
  • Previously applied or are in the process of applying for work with GBE-N.
  • Subscribe to GBE-N newsletters or publications.
  • Attended a GBE-N hosted event or course.
  • Visited GBE-N offices recently.
  • Applied for funding or a bursary.
  • Have submitted an information request under the Freedom of Information Act 2000 or Environmental Information Regulations 2004, or made a Subject Access Request under Data Protection Act 2018.
  • Have responded to a consultation document.

This is not an exhaustive set of circumstances.

In limited circumstances, we may obtain personal data from publicly accessible sources such as Companies House, the open electoral register, or professional social media platforms (e.g. LinkedIn), where this is necessary for due diligence, verification, or engagement purposes. Where applicable, you will be informed of such collection and its purpose.

The lawful basis for processing your personal data depends on the processing activity and we rely on the following lawful basis for processing your personal data under the UK Data Protection Act 2018/UK GDPR:

  • Article 6(1)(a) where we have your consent.
  • Article 6(1)(b) which relates to processing necessary for the performance of a contract.
  • Article 6(1)(c) so we can comply with our legal obligations as your employer.
  • Article 6(1)(d) in order to protect your vital interests or those of another person.
  • Article 6(1)(e) for the performance of our public task.
  • Article 6(1)(f) for the purposes of our legitimate interest. (In accordance with best practice a Legitimate Interests Assessment (LIA) will always be conducted when this lawful basis is used).

As part of our statutory and corporate functions we may also process special category and criminal conviction data under:

  • Article 9(2)(b) – where processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on GBE-N or the data subject in connection with employment, social security or social protection.
  • Article 9(2)(f) – for the establishment, exercise or defence of legal claims.
  • Article 9(2)(a) – explicit consent.
  • Article 9(2)(c) – where processing is necessary to protect the vital interests of the data subject or of another natural person.
  • Article 9(2)(h) – processing is necessary for the purposes of occupational medicine.

We process criminal offence data under Article 10 of the GDPR.

Under DUAA, personal data may be reused for internal analytics, regulatory reporting, or lawful authority requests. Reuse is subject to lawful basis, proportionality, and safeguards. Individuals will be informed of any reuse beyond the original purpose and may object unless required by law or justified by public interest.

The Data Protection Policy sets out how we protect special category and criminal convictions personal data.

Please see the ‘Your data protection rights’ section for more information on withdrawing your consent.

3.6. Cookies

Cookies are files saved on your phone, tablet or computer when you visit a website. We use cookies to store information about how you use our website, such as the pages you visit. It does not store any personal information and will not allow us to identify individual users.

3.7. What we do with the information

GBE-N is the data controller of personal information held by GBE-N for the purposes of GDPR. A data controller determines the purposes for which, and the manner in which, any personal data is to be processed (either alone or jointly or in common with others). We therefore have the responsibility for the safety and security of all the data we hold.

We may have originally shared your data with third parties, including data processors who process data on our behalf. We make sure that our data processors comply with all relevant requirements under data protection legislation. This is defined in the contractual arrangements. We may have also transferred your personal data outside of the EU. If this was the case, you can expect a similar degree of protection in respect of your personal information.

In accordance with DUAA, personal data may be accessed or reused for secondary purposes such as internal analytics, workforce planning, and regulatory reporting, where such reuse is lawful and proportionate.

3.8. Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.

In accordance with the Data (Use and Access) Act 2025, personal data may be reused for secondary purposes such as internal analytics, regulatory reporting, or lawful public authority access, where such reuse is compatible with the original purpose or otherwise permitted by law. All such processing is subject to appropriate safeguards and governance controls.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

3.9. Do we need your consent?

We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

3.10. How do we store your information?

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality. Details of these measures may be obtained from the Data Protection Officer.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

We will only hold onto your personal information for as long as necessary to fulfil the purposes we collected it for. All records are retained and securely destroyed in accordance with our records retention schedule. Details of retention periods for different aspects of your personal information are available upon request. However, your information may be held beyond the specified retention periods where there is the potential for it to fall under the remit of ongoing government Independent Inquiries.

3.11. Your data protection rights

You have a number of rights in relation to your data. These are:

  • The right to be informed when data is collected.
  • The right of access to your data.
  • The right to rectification of your data – to correct inaccurate or incomplete data.
  • The right to erasure of your data (except in certain circumstances) – we will delete your data if requested unless there is a legal obligation to process your data.
  • The right to restrict processing – we can retain as much data as is necessary to ensure the restriction is respected in the future.
  • The right to data portability – where we can, where possible, provide your information in a structured, commonly used, machine readable form when asked.
  • The right to object to the processing of data – where you can object to the processing of data for direct marketing or research purposes.
  • Rights in relation to automated decision making and profiling, to reduce the risk that a potentially damaging decision is taken without human intervention.

Under DUAA, you have the right to be informed of any reuse of your personal data beyond its original purpose. You may object to such reuse unless it is required by law or justified by public interest.

You also have a right to withdraw any consent you may have given us to process your data and a right to lodge a complaint with the Information Commissioner’s Office (ICO).

3.12. Accessibility

This privacy notice is designed to be accessible to all users. If you need the information in a different format — such as large print, audio, Braille, or a translated version — please contact the Data Protection Officer:

Email: dataprotection@greatbritishnuclear.uk

Data Protection Officer
Great British Energy – Nuclear
Renaissance House
Lakeside Drive
Warrington Centre Park
Warrington
WA1 1QF

Alternative formats will be provided where reasonably practicable to ensure everyone can access and understand how their personal data is used.

3.13. How to complain

If you wish to make a complaint to GBE-N about the way in which we have processed your personal information, please get in touch with our Data Protection Officer via the contact details supplied above.

If you remain dissatisfied with the response received, you have the right to lodge a complaint to the Information Commissioner’s Office (ICO). The ICO is the UK’s independent body set up to uphold information rights, and they can investigate and adjudicate on any data protection related concerns you raise with them. They can be contacted at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113