Privacy Policy
INTRODUCTION
The UK General Data Protection Regulation (UK GDPR), the Data Protection Act (DPA 2018) and the Privacy and Electronic Communications Regulations (PECR) seek to protect and enhance the rights of UK data subjects. These rights cover the safeguarding of Personal Data and its protection against unlawful processing.
The MCS Service Company Limited is pleased to provide the following information:
INTERPRETATION
API – Application Programming Interface, functionality allowing MCS to automatically share or receive Personal Data (such as installation details including the name of the property owner) with or from Government, industry partners, and associated product manufacturers.
Data Subjects – individuals who have shared their Personal Data either directly with MCS or via a third party.
Government – this includes the devolved nations, different government departments, government agencies and regulators such as Ofgem, across the UK.
Householders – those who have an MCS certified installation.
ICO – the Information Commissioner’s Office.
Installer – the person or company that issues the MCS certificate for a system. For the purposes of this Privacy Policy, the term Contractor is interchangeable with Installer.
MCS – for the purposes of simplicity, the letters MCS are interchangeable throughout this Privacy Policy with the MCS Service Company Limited and the Microgeneration Certification Scheme.
MID – Microgeneration Installations Database used by MCS and scheme operators for recording MCS installation and installer data.
Users – means an individual or a body who is authorised to access and use the MID or other MCS apps or services including an Administrator, Certification Body, Installer, Market Operator, Consumer Code, Government and Regulators.
Other Persons – third party providers of services and other partners that MCS works with where we hold some Personal Data.
Personal Data – is also called personal identifiable data, which can identify Data Subjects.
This Privacy Policy concerns the collection, storage and processing of Personal Data concerning all Data Subjects.
ABOUT US
The MCS Service Company Limited is incorporated under the Laws of England and Wales with registration number 07759366 and is based at First Floor, Violet 3, Sci-Tech Daresbury, Keckwick Lane, Daresbury, WA4 4AB.
MCS certifies microgeneration products used to produce electricity and heat from renewable sources. MCS also certifies installers to ensure the microgeneration products have been installed and commissioned to the required industry standard for the customer.
MCS owns the MID, which enables the creation, amendment, and storage of MCS installation certificates for systems which have been design and installed against MCS Standards.
Personal Data is also obtained from other sources including the MCS websites, MCS Apps, the MCS Helpdesk, and third-party providers.
MCS is a data controller of Householder, Users’, Employees’ and Other Persons’ Personal Data.
WHAT DATA DO WE COLLECT?
Personal Data about Data Subjects, which may allow them to be identified.
MCS collects, uses, stores, and transfers different kinds of data, some of which is Personal Data. This may include some or all of the following information:
- Your name.
- Your email address and phone number.
- The company name you represent and your job title (if applicable).
- Your username, and password.
- Technical Data includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website (such as smartphones, laptops and desktop PCs).
- Information about how you use our website, including your traffic data.
- Your correspondence and feedback to us.
- Any personal details captured through MCS Apps and those shared with us by others.
If you are a householder or another person whose Personal Data was provided to us by one of the Users, we may process your:
- Identity data
- Contact data
- Property address data
- Certificate data
Whereby MCS needs to collect Personal Data from you to fulfil any of our obligations, and you fail to provide that data when requested, we may not be able to fulfil these such as providing access to the MID, registering your installation, and/or any of our legal obligations.
HOW DO WE COLLECT PERSONAL DATA?
MCS uses different methods for the collection of Personal Data through:
- Direct interactions.
You may give us your identity, contact, company, user account and customer care data when you:
- Register as a database User.
- Provide documents or information to us.
- Fill in forms on our website or on hard copies.
- Correspond with us by telephone, email or otherwise.
- Complete surveys for research or statistical purposes in relation to MCS and/or Government.
- Use specific apps hosted by MCS.
Third party interactions.
Such as third-party APIs and/or when you interact with our website or other apps. This could include the automatic collection of Personal Data, when you visit our website. Please see our cookie policy for further details.
HOW DO WE RECEIVE PERSONAL DATA?
We may also receive additional information about you from:
- Group entities
- Third-party marketing data
- Credit reference agencies engaged by us to verify the information you have provided and to prevent and detect fraud.
- MCS Certification Bodies.
- Administrators of different Government financial incentive schemes.
- Installers who share Personal Data with MCS.
HOW WE USE PERSONAL DATA?
We will process your Personal Data most commonly in the following circumstances:
- Where we need to deliver services at your request and in accordance with specific terms and conditions; where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests; where we need to comply with a legal or regulatory obligation.
We have listed below examples of the ways we use your Personal Data and further below the legal basis we rely on to do so.
To supply services you request, including registration for the MID.
To charge for any services requested.
To manage our relationship with you, including notification about changes to our Terms and Conditions and services.
To carry out quality assurance investigations in relation to compliance and complaints regarding our services, as well as site inspections and audits.
To prevent and detect criminal activities.
To complete a survey for purely research and statistical purposes.
To use data analytics to improve our services, customer relationships and experiences, providing data for the data dashboard and where applicable secure our website.
If you are an Installer, to share your details on the basis of legitimate interests with parties and individuals who may be interested in using your services and/or are researching the renewable energy market.
LAWFUL BASIS FOR PROCESSING
Please note that we may process a Data Subject’s Personal Data for more than one lawful basis depending on the specific purposes for which we are using your details.
1 – Vital interests
To provide information where we believe it is in your vital interests to receive it, such as health and safety warnings, servicing information etc.
2 – Contractual
Performance of services in accordance with our Terms and Conditions and/or any other contractual obligations.
3 – Legal
Necessary to comply with a legal obligation.
4 – Legitimate interests
To promote MCS to individuals, Installers, the renewables industry, Government, local authorities, trade associations and all other relevant parties, to increase awareness of the Certification Scheme and the services offered by MCS.
To facilitate quality assurance, surveillance, compliance assessments and installation visits to deliver customer protection and ensure that the service offered is meeting their expectations.
To protect Data Subjects and MCS from illegal activities.
To allow MCS to provide Users, Householders and Other Persons with information. These communications may include social media direct messaging, email, newsletters, telephone calls, text messages and any other channels to reach those who may be interested in using or are already using some of the services offered by MCS.
5 – Public interest
In a limited number of circumstances, we are permitted to process appropriate Personal Data where it is deemed to be in the public interest.
This includes sharing certain data including your name, address and email with Government and its relevant contractors, universities, network operators, local authorities, think tanks, and other MCS approved third party organisations.
6 – Consent
In certain circumstances we may seek your Consent to process your personal data, however where possible we will try and process personal data without the need for Consent by relying on one of the other five lawful methods of processing.
In a limited number of circumstances, we will need to seek your Consent, such as when we collect special categories of personal data such as information appertaining to your health. This is so that MCS and the third parties who we work with like installers can provide you with specialist assistance to accommodate your specific needs.
COOKIES
Please see our separate cookies policy.
TO WHOM DO WE DISCLOSE PERSONAL DATA?
- External third parties that provide specific services to us, including suppliers of the website, MID, cloud storage, the online phone helpline, payments processing, auditors, accountants, insurance providers, marketing agencies and where applicable payroll companies.
- Credit reference agencies, the police and Government for non-compliance, the prevention and detection of fraud and/or other illegal activities.
- Regulatory and judicial authorities who require reporting of processing activities in certain circumstances. More specifically, we may need to disclose the Personal Data of Installers to:
- Government for reporting, monitoring, application processing, compliance appertaining to the different incentive schemes and for market research purposes to develop new policies.
- Support any investigations carried out by relevant authorities.
- MCS Certification Bodies for reporting, monitoring, application processing, compliance and complaint handling purposes.
- Product manufacturers for certification, warranty and recall purposes.
- MCS has various data sharing arrangements with local authorities, universities, think tanks, network operators and MCS approved third party organisations where the installation address data, and sometimes the Installer’s name and Householder name, are shared for research purposes. These are strictly governed by (as applicable): Data Sharing Agreements, Data Processing Agreements, Non-disclosure Agreements and if required, International Data Transfer Agreements.
- Where you have consented to the sharing of health information and/or other special categories of personal data that is needed so that MCS and its partners can support you, we have put in place additional safeguards and require any third parties handling this personal data to sign an enhanced Data Sharing Agreement.
- We may also provide third parties with aggregate and non-attributable information about installations and Installers.
- If you are an Installer, MCS may share your details with Government, local authorities, and other parties and individuals who may be interested in using your services and/or are researching the renewables market. Your details may also be listed in the MCS certified contractor directory to assist with third party procurement requirements. This information may also be promoted by Google using their API, where you have agreed for them to do so.
WHERE IS PERSONAL DATA STORED?
All Personal Data where possible is held within the United Kingdom. However, there are occasions when we need to commission certain services from third party processors such as Mailchimp, SurveyMonkey and Maximiser CRM based outside the UK. We will only share your data with these third parties where we have in place appropriate safeguards such as Standard Contractual Clauses, Data Processing Agreements and/or International Data Transfer Agreements to ensure the safety of your Personal Data.
If you wish to receive more detailed information about how we process your Personal Data, please send your request to GDPR@mcscertified.com
HOW DO WE SECURE PERSONAL DATA?
We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those staff members or other third parties who have a business need to know.
They will only process your Personal Data on our instructions, and they are subject to a strict duty of confidentiality.
Processes to deal with any suspected Personal Data breach have been put in place and MCS will notify you and the ICO of a data breach, where we are legally required to do so.
HOW LONG DO WE RETAIN PERSONAL DATA?
We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.
For further information concerning specific data retention periods, please ask for a copy of our Data Retention Schedule.
CCTV
CCTV is in operation outside the premises of MCS and is operated and managed independently by Sci-Tech Daresbury. For further information please contact the building owner via telephone: 01925 984 046 or
email: info@sci-techdaresbury.com or by letter: Sci-Tech Daresbury, Keckwick Lane, Daresbury WA4 4FS.
WHAT ARE YOUR PRIVACY RIGHTS?
All Data Subjects have certain rights in relation to their Personal Data which are as follows:
- Access to your Personal Data – this enables you to receive a copy of the Personal Data MCS holds about you and to check how we process it.
- Correction of your Personal Data – this enables you to have any incomplete or inaccurate data MCS holds about you corrected or completed, though we may need to verify the accuracy of the new data you provide to us.
- Erasure of your Personal Data – this enables you to ask MCS to delete Personal Data where there is no legitimate reason for us to continue processing it. Note, however, that MCS may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to the processing of your Personal Data – this allows you to ask MCS to terminate the processing of your Personal Data where we are relying on a legitimate interest or one of the other five processing options. In some cases, we may demonstrate that we have a lawful reason for processing your information which overrides your request.
- Restriction of processing your Personal Data – this enables you to ask MCS to suspend the processing of your Personal Data in certain circumstances.
- Transfer of your Personal Data – this enables you to ask us to transfer your Personal Data to you or to another service provider. MCS will provide to you, or your nominated representative, your Personal Data in a structured, commonly used, machine-readable format.
If you wish to exercise any of the above rights, please use the contact details provided at the end of this Privacy Policy.
No fee usually required
You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee for subsequent requests if they are found to be repetitive and/or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What we may need from you
Before complying with a Data Subject Access Request, MCS will need certain information from you to help us confirm your identity. Please ask for a copy of our Data Subject Access Request form, which lists the verification documents needed. This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. MCS will provide the requested information within 30 days after we are satisfied as to your identity.
Time limit to respond.
If MCS is unable to respond within 30 days, for example if your request is particularly complex or you have made a number of requests. MCS will notify you and keep you updated.
Your right to lodge a complaint.
You have the right to make a complaint at any time to the ICO. However, we would appreciate the chance to deal with your concerns first before you approach the supervisory authority, so please do contact us in the first instance.
HOW TO CONTACT US
For compliance questions in relation to this policy, you may contact us by email at: GDPR@mcscertified.com by telephone: 0333 103 8130 or post: First Floor, Violet 3, Sci-Tech Daresbury, Keckwick Lane, Daresbury, Cheshire, WA4 4AB.
Revisions to this Privacy Policy will be made as required; the latest version is always displayed on the MCS website.