Site Visitor Privacy Notice - Drax

What is the purpose of this document?

This Privacy Notice (“Notice”) is intended to provide information regarding how any personal information we collect from you before, during and after you’re a visitor to one of our sites will be processed within the Drax Group of companies.  It relates to personal data (defined under data protection law) about you that we refer to as personal information in this Notice.

Who collects the information

Drax Group companies, including Drax Corporate Limited, Drax Power Limited, Drax Generation Enterprise Limited, SMW Limited, Haven Power Limited and Opus Energy Limited (“Company”, “we”, “us”, or “our”), are the data controllers of personal information provided by you or collected about you. This means that we are responsible for deciding how we hold and use personal information about you and that we are required to notify you of the information contained in this Notice. It is important that you read this Notice so that you are aware of how and why we are using your personal information and how we will treat it.

We may update this Notice at any time, so you are advised to review this Notice at regular intervals.

It is important that you read this Notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.  In particular, you should read our CCTV Privacy Notices and our Tours Privacy Notices (if relevant to you) that are available on our websites.

Please read this Notice as if it’s from the Company whose site you are visiting.  However, your personal information may also be shared within our group of companies (our “group companies”) and so, in this Notice, references to ‘we’ or ‘us’ mean the Company and our group companies.

We respect your privacy and are committed to protecting your personal information.  Our Group Data Protection Officer is responsible for overseeing questions in relation to this Notice.  If you have any questions about this Notice, please use the contact details set out at the end of this Notice in the “Contacting Us” section.

How we will use your information

When you arrange in advance to, or arrive at, one of our sites, we will need to collect the following information about you and*/**:

  • First and last name
  • Business name
  • Vehicle registration number (if applicable)
  • Arrival and departure times

This information will be used for the following purposes:

  • In case there is an emergency on site
  • To ensure site security is maintained
  • To ensure appropriate and safe use of our car parks

Depending on your reasons for visiting our site, we may take photographs of you and if that is the case, we will make you aware that images are being recorded and for what purpose.  If you do not want to have your image recorded (e.g. photo or video), then if it is not a security requirement, we will respect your wishes and not record you, or obfuscate your image from the record.

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will usually notify you and we will explain the legal basis which allows us to do so.

Disclosure of your information

We are unlikely to share your personal information with anyone outside of the Company but if we do, we require all service providers (e.g. security or occupational health) and our Group companies that we share your personal information with to respect the privacy and security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers, including Group companies, to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.

A service provider or their sub-processor may be based in the United Kingdom (UK) or European Union (EU) and so, they are required to comply with UK or European data protection law. On occasion, we may appoint a third-party service provider whose operation or a server or sub-processor may be based outside of the UK or EU. As part of our Third-Party Onboarding Privacy Policy, we carry out due diligence on our third-party providers and assess whether your personal information will be transferred to them or accessed by them from outside the UK or EU. If that is the case, we ensure a similar degree of protection is afforded to it by ensuring appropriate safeguards are in place.

Storage of your personal information

We will only keep your personal information for as long as necessary to fulfil the relevant purpose(s) we collected it for, as set out above in this Notice, and for as long as we are required to keep it for legal purposes.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know that information. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal information breach and will notify you and any applicable regulator where appropriate.

Your rights

Data protection laws provide you with the following rights where we are processing your personal information (but not in respect of information about a corporation) to:

  • request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;
  • request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;
  • request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below);
  • request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it; and
  • request a copy of your personal information which you have provided to us, in a structured, commonly used and machine-readable format and the right to transfer it, or to require us to transfer it directly, to another controller.

You also have the “right to object” to the processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights above). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. The ICO can be contacted by telephone on 0303 123 1113 or by post as follows: Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or via email at [email protected] We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance using any of the details set out below in the “Contacting Us” section.

Data Protection Officer and contacting us

Our Group Data Protection Officer (GDPO) oversees compliance with this Notice.

If you have any queries, comments or requests regarding this Notice or you would like to exercise any of your rights set out above, you can contact us as follows:

Drax Power, Hydro and Thermal visitors

  • by post to our GDPO at Drax Power Limited, Drax Power Station, Selby, North Yorkshire, YO8 8PH; or
  • by email to our GDPO at [email protected]

Haven Power visitors

  • by post to our Data Protection Practitioner, Haven Power Limited, 32 The Havens, Ransomes Europark, Ipswich, IP3 9SJH; or
  • by email to our Data Protection Practitioner at [email protected]

Opus Energy visitors

  • by post to our Data Protection Practitioner, Opus Energy Limited, Opus Energy House, The Lakes, Northampton, NN4 7YD; or
  • by email to our Data Protection Practitioner at [email protected]