Privacy Notice

Definitions

‘Processing’ is obtaining, recording, using, holding, organising, adapting, altering, disclosing, destroying and deleting personal data which includes both electronic data and printed documents.

Personal data is any information which relates to an identified or identifiable individual (a data subject). We also have a duty to safeguard ‘sensitive personal data’, which is personal data consisting of information as to race, ethnic origin, political opinions, religious beliefs, physical or mental health or condition, sexual orientation or details of any offence and any proceedings for any offence committed or allegedly committed.

Cookies are small data files that contain a string of characters, which may be stored or sent a data subject’s electronic device.

An internet protocol ("IP") addresses is a unique number assigned to each device (such as a computer) that allows it to communicate with other devices on a computer network (such as printers or other computers).

CEPA is committed to protecting individual’s privacy. This CEPA Privacy Notice (“Notice”), together with our Personal Data Privacy Notice for CEPA staff and any other documents referred to in it, sets out the types of personal information we collect, how we collect and process that information, who we share it with in relation to the services we provide and certain rights and options that data subjects have in these respects.

It is necessary for CEPA to store certain information about clients, individuals in client organisations, individuals who subscribe to marketing mailings, directors, staff, individuals who are suppliers or partners, individuals in supplier or partner organisations and others, to carry out its day to day consulting practice, to meet its objectives and to comply with legal obligations.

Responsibility for personal data

“CEPA” is the trading name of Cambridge Economic Policy Associates Ltd (Registered: England & Wales, 04077684), CEPA LLP (A Limited Liability Partnership. Registered: England & Wales, OC326074), CEPA Energy Modelling Ltd (Registered: England & Wales, 12283833) and Cambridge Economic Policy Associates Pty Ltd (ABN 16 606 266 602).

CEPA owns and operates the website domains: www.cepa.co.uk, www.cepaem.com, www.cepaem.co.uk and www.cepa.net.au.

Personal data we collect

We collect and process the following:

• Identity and contact information including, but not limited to names, postal addresses, email addresses, telephone numbers, passport number, employment history, educational or professional background, tax registration, employee number, job title and function and other personal data relevant to our services;
• Financial and payment details, including bank account numbers and other data necessary for processing payments and fraud prevention;
• Business information: including information provided in the course of the contractual or client relationship between individuals or organisations and CEPA, or otherwise voluntarily provided;
• Information relevant to our advice, including personal data relevant to any project we have been engaged to undertake by a client;
• Profile and usage data, including passwords to CEPA websites, protected platforms or services, data subject’s preferences for receiving marketing information, communication preferences and information about how visitors use our websites, including the services they may have viewed or searched for, page response times, download errors, length of visits and page interaction information (such as scrolling, clicks, and mouse-overs).
• Physical access data, relating to details of individual’s visits to our premises;
• Cookies, unless users have adjusted their browser setting so that it will refuse them, cookies may be sent to data subject’s devices when visiting CEPA’s websites or using other web-based services. Cookies help us to improve our site and to deliver a better and more personalised service, for instance by storing information about preferences and allowing us to recognise visitors if they return to our websites. The general expiry date for cookies is 12 months. CEPA may use the following types of cookie:
  • Performance cookies - to collect information about how visitors use our websites, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don’t collect information that identifies the visitor. All information these cookies collect is aggregated and therefore anonymous.
  • Functionality cookies - that allow a website to remember choices visitors make (such as language preference or the region they are in) and provide enhanced, more personal features. These cookies can also be used to remember changes visitors have made to text size, fonts and other parts of web pages that can be customised. The information these cookies collect may be anonymised and they cannot track browsing activity on other websites.
  • Social media cookies – which allow visitors to share what they’ve been doing on the website on social media sites such as LinkedIn and Twitter. These cookies are not within CEPA’s control. These features are governed by the privacy policy of the company providing them.
  • Google analytics cookies – which are used by Google Analytics to monitor traffic levels, search queries and visits to our websites. Google Analytics stores IP addresses on its servers. However, neither CEPA nor Google associate IP addresses with any information that can identify the user personally. These cookies enable Google to determine whether visitors return to the site, and to track the pages that they visit during a session. For more information about Google analytic cookies, please see Google's privacy policy.
  • Marketing cookies: We will sometimes send optional, marketing communications by email and if recipients click through from one of our emails to our website, we may use additional cookies to connect this action with the website journey.
• Consent for cookies: On the first visit to a website that uses cookies which convey personal data to CEPA, visitors will see a pop-up to inform them about the purposes for which cookies are being used and the means to opt-out. Although this pop-up will not usually appear on subsequent visits, data subjects may withdraw their consent at any time by contacting CEPA’s Privacy officer.

If visitors don’t want to allow cookies at all, or only want to allow use of certain cookies, they can use their browser settings to withdraw consent to our use of cookies at any time and also delete cookies that have already been set.

Information about other people

If individuals or organisations provide information to CEPA about any person other than themselves, their employees, counterparties, advisers or suppliers, they must ensure that the data subjects understand how their information will be used, and that they have given their permission for their data to be disclosed to us and to allow us, and our outsourced service providers, to use it.

How we collect personal data

The circumstances in which we may collect personal data include:

• when individuals or organisation seek advice from us or use any of our online services;
• when individuals or organisations offer to provide, or provides, services to us;
• when it is provided to us by a third party, where we are contracted to provide advice;
• when individuals correspond with us by phone, email or other electronic means, or in writing, or they provide other information directly to us, including in conversation with our directors, consultants or staff;
• when individuals or organisations browse, complete a form or make an enquiry or otherwise interact on our website or other online platforms;
• when individuals attend our seminars or other events or sign up to receive information from us, including training;
• by making enquiries from organisations with whom the data subject has had dealings such as former employers and educational institutions, or from third party sources such as government agencies, credit reporting agencies, information service providers or from public records.

Failure to provide personal data

Where we need to collect personal data by law, to process instructions or perform a contract and there is a failure to provide that data when requested, we may not be able to carry out the instructions or perform the contract we have or are trying to enter into. In this case, we may have to cancel our engagement or contract, but we will notify parties if this is the case at the time.

How we use personal data

We use personal data only for the following purposes:

• To fulfil a contract, or take steps linked to a contract, with individuals or their organisations. This includes:
  • to register as a client of CEPA;
  • to provide and administer advisory services or other services or solutions, as instructed;
  • to process payments, billing and collection; and
  • to process applications for employment.
• As required by CEPA to conduct our business and pursue our legitimate interests, in particular:
  • to administer and manage our relationships, including accounting, auditing, and taking other steps linked to the performance of our business relationship;
  • to carry out background checks, where permitted;
  • to analyse and improve our services and communications and to monitor compliance with our policies and standards;
  • to manage access to our premises and for security purposes;
  • to protect the security of our communications and other systems and to prevent and detect security threats, frauds or other criminal or malicious activities;
  • for insurance purposes;
  • to exercise or defend our legal rights or to comply with court orders;
  • to provide advice and services to our clients;
  • to communicate with individuals to keep them up-to-date on the latest developments, announcements, and other information about our services and solutions (including briefings, newsletters and other information), events and initiatives; to send client surveys, marketing campaigns, market analysis, or other promotional activities; and
  • to collect information about data subject’s preferences. Please note that we will only provide optional, marketing-related information when we have a previous contractual relationship or a business relationship with the recipient and provided they have not opted-out to receive those communications. Individuals have the opportunity to opt-out at any time as explained in the "Right to withdraw consent" section of this Notice.
• For purposes required by law, including maintaining records, compliance checks or screening and recording (e.g. anti-money laundering, financial and credit checks, fraud and crime prevention and detection, trade sanctions and embargo laws). This can include automated checks of personal data against relevant databases and contacting individuals to confirm their identity or making records of communications for compliance purposes.
• We will not use personal data for taking any automated decisions affecting or creating profiles other than as described above.

Disclosure of personal data

We share personal data, in the following circumstances:

with our subsidiary undertakings and/or affiliates for the purposes of providing our services as described in this Notice;

with third parties including certain service providers we have retained in connection with the services we provide, such as lawyers, translators, expert advisors, couriers, or other necessary entities;

if we have collected personal data in the course of providing services to any of our clients, we may disclose it to that client, and where permitted by law to others for the purpose of providing those services;

on a confidential basis with third parties for the purposes of collecting feedback about the firm’s service provision, to help us measure our performance and to improve and promote our services;

with companies providing services for money laundering and terrorist financing checks, credit risk reduction and other fraud and crime prevention purposes and companies providing similar services, including financial institutions, credit reference agencies and regulatory bodies with whom such personal data is shared;

with courts, law enforcement authorities, regulators, government officials or attorneys or other parties where it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim, or for the purposes of a confidential alternative dispute resolution process;

with service providers who we engage within or outside of CEPA, domestically or abroad, e.g. shared service centres, to process personal data for any of the purposes listed above on our behalf and in accordance with our instructions only; and

if we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets to whom we assign or novate any of our rights and obligations.

Information we transfer

If we transfer personal data to other countries, we will use, share and safeguard that information as described in this Notice. To provide our services, we may transfer the personal information we collect to countries outside of the EEA which do not provide the same level of data protection as the country in which the data subject resides and are not recognised by the European Commission as providing an adequate level of data protection. We only transfer personal information to these countries when it is necessary for the services we provide, or it is necessary for the establishment, exercise or defence of legal claims or subject to safeguards that assure the protection of personal information, such as standard contractual clauses.

All CEPA offices throughout the world ensure a level of data protection at least as protective as that required in the European Economic Area.

Security of personal data

We have put in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We have also put in place procedures to deal with any suspected personal data breach and will notify the data subject and any applicable regulator of a breach where we are legally required to do so.

Updating personal data

If any of the personal data that has been provided to us changes, for example if there’s a change to an email address, the subject’s preferences change or if individuals become aware that we have any inaccurate personal data, please let us know by email to gdpr@cepa.co.uk or by post. We will not be responsible for any losses arising from any inaccurate, inauthentic, deficient or incomplete personal data that is provided to us.

Rights

Data subjects have various rights with respect to our use of their personal data:

• Access: Data subjects have the right to request a copy of the personal data that we hold about them. There are exceptions to this right, so that access may be denied if, for example, making the information available would reveal personal data about another person, or if we are legally prevented from disclosing such information. Should data subjects wish to request a copy of their data, they should contact CEPA using the details provided below.
• Accuracy: We aim to keep personal data accurate, current, and complete. We encourage contact to let us know if the personal data we have is not accurate or changes, so that we can keep the personal data up-to-date.
• Objecting: In certain circumstances, data subjects also have the right to object to processing of their personal data and to ask us to block, erase and restrict their personal data. If you would like us to stop using your personal data, they should contact CEPA using the details provided below.
• Porting: Data subjects have the right to request that some of their personal data is provided to them, or to another data controller, in a commonly used, machine-readable format.
• Erasure: Data subjects have the right to ask us to erase their personal data when the personal data is no longer necessary for the purposes for which it was collected, or when, among other things, their personal data may have been unlawfully processed.
• Complaints: If a data subject believes that their data protection rights may have been breached, they have the right to lodge a complaint with the applicable supervisory authority, or to seek a remedy through the courts.

Individuals may, at any time, exercise any of the above rights, by contacting CEPA together with a proof of their identity, i.e. a copy of their ID card, or passport, or any other valid identifying document.

Right to withdraw consent

If a data subject has provided their consent to the collection, processing and transfer of their personal data, they have the right to fully or partly withdraw their consent. Once we have received notification that they have withdrawn their consent, we will no longer process the information for the purpose(s) to which were originally consented unless there is another legal ground for the processing.

To opt-out of receiving our marketing communications, recipients may follow the opt-out links on any marketing message sent or contact CEPA. Opting out of receiving marketing communications will not affect the processing of personal data for the provision of our services.

How long we keep personal data

We will only retain personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements and, where required for CEPA to assert or defend against legal claims, until the end of the relevant retention period or until the claims in question have been settled.

To learn more about our specific retention periods for personal data, contact us by email to: gdpr@cepa.co.uk or by post. Upon expiry of the applicable retention period we will securely destroy personal data in accordance with applicable laws and regulations.

Changes to our Privacy Policy

We reserve the right to update and change this Notice from time to time in order to reflect any changes to the way in which we process personal data or changing legal requirements. Any changes we may make to our Notice in the future will be posted on our website and where appropriate, notified to individuals or organisations by email.

Supplemental privacy provisions concerning Australia

The following provisions apply in Australia in addition to those set out in the rest of the Notice.

Personal data we collect: In Australia, sensitive personal data also includes philosophical beliefs or membership of a political association or a professional or trade association.

Information we transfer: We may share personal information with offices of CEPA and its affiliated and associated businesses outside Australia.

Contact

We will take reasonable steps to address matters as soon as practicable. In some cases we may not be able to give access to personal information we hold if making such a disclosure would breach our legal obligations or if prevented by any applicable law or regulation.

Questions, comments and requests regarding data privacy should be addressed to the Privacy Officer by E. gdpr@cepa.co.uk or by post to any of CEPA’s registered business addresses.

A copy of this policy is also available to download.