The UK General Data Protection Regulation (UK GDPR), the Data Protection Act (DPA 2018) and the Privacy and Electronic Communications Regulations (PECR) seek to protect and enhance the rights of UK data subjects. These rights cover the safeguarding of personal identifiable data and protection against the unlawful processing of personal data.
The MCS Service Company Limited is pleased to provide the following information:
BUS – Boiler Upgrade Scheme.
Data Subjects – individuals who have shared personal data either directly with MCS or via a third party such as an Installer.
Department for Energy Security and Net Zero (DESNZ) – formerly known as BEIS, the Department for Business, Energy & Industrial Strategy.
Devolved Governments – means the Governments of Scotland, Wales and the Northern Ireland Executive.
FiT – means the Feed-in Tariff scheme, which is a government scheme to encourage uptake of small-scale renewable and low-carbon electricity generation technologies.
MID – MCS Installations Database used by MCS and scheme operators for recording MCS Contractor and installation data.
RHI – means the domestic and non-domestic Renewable Heat Incentive schemes which are government financial incentive schemes to promote the use of renewable heat.
Users – means an individual or a body who is authorised to access and use the MID, including an Administrator, Certification Body, Installer, Market Operator, Consumer Code, Department for Energy Security and Net Zero and Ofgem.
Other Persons – householders who have an installation, third party providers of services, partners who MCS works with and Government, where we hold certain personal identifiable data.
Until April 2018, MCS was operated by the Department for Business, Energy, and Industrial Strategy (BEIS). BEIS has been superseded by the Department for Energy Security and Net Zero (DESNZ).
In April 2018, under a process of novation, MCS was transferred to the MCS Charitable Foundation, with the Scheme operated by the MCS Service Company Limited.
Personal data collected is held by the MCS Service Company Limited.
The MCS Service Company Limited is incorporated under the Laws of England and Wales with registration number 07759366 and is based at First Floor, Violet 3, Sci-Tech Daresbury, Keckwick Lane, Daresbury, WA4 4AB.
MCS primarily certifies microgeneration products used to produce electricity and heat from renewable sources. MCS also certifies installation companies to ensure the microgeneration products have been installed and commissioned to industry standard for the consumer. MCS owns the MID, which enables the creation, amendment, and storage of MCS certificates for systems, which have been installed under MCS rules, and the website, which provides general information regarding MCS, contact details and access to the MID. The MID also holds information about the MCS Installers who undertook the installation.
MCS is a data controller of Users’ and Other Persons’ personal data.
WHAT DATA DO WE COLLECT?
We collect personal data comprising personal identifiable information (PID) about data subjects, which allows them to be identified. It does not include data where their identity has been removed (called anonymous data).
MCS collects, uses, stores, and transfers different kinds of PID about data subjects which may include some or all of the following information:
(a) Your name.
(b) Your email address and phone number.
(c) Name of the company that you represent and your job title.
(d) Your username and password.
(e) Technical Data includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website (such as smart phones, laptops and desktops).
(f) Information about how you use our website, including your traffic data.
(g) Your correspondence and feedback to us.
If you are another person whose personal data was provided to us by Users, we process your:
(a) Identity Data
(b) Contact Data
(c) Property Data
(d) Certificate Data
Where MCS needs to collect personal data from you by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with access to the database). In this case, we may have to cancel a service you have with us, but we will notify you if this is the case at the time.
HOW DO WE COLLECT PERSONAL DATA?
MCS uses different methods for the collection of Users’ data through:
Direct interactions. You may give us your identity, contact, company, user account and customer care data when you:
- Register as a database User.
- Provide documents or information to us.
- Fill in forms on our website or on hard copies.
- Correspond with us by telephone, email or otherwise.
- Complete surveys for research or statistical purposes in relation to MCS and/or the Department for Energy Security and Net Zero policy development and research.
HOW DO WE RECEIVE PERSONAL DATA?
If you are a User, we may also receive additional information about you from:
- Credit Reference Agency engaged by us to verify the information you have provided and to prevent and detect fraud.
- MCS Certification Bodies.
- Ofgem as the Administrator of Government incentives, including the Boiler Upgrade Scheme (BUS), Renewable Heat Incentive (RHI), Feed-in Tariff (FiT) schemes and the Northern Ireland Renewables Obligation (NIRO) – which is no longer accepting new applications.
- Chartered Trading Standards Institute Approved Consumer Codes (CTSI), including but not limited to:
  - The Renewable Energy Consumer Code (RECC)
  - The Home Insulation & Energy Systems Contractors Scheme (HIES)
If you are another person who owns installations that are installed and certified under the MCS, we will receive your personal data from a User who will insert it into the MID.
Employees – personal data is also collected from those employed by MCS; please consult the Staff Handbook and your Contract of Employment for more details.
HOW DO WE USE PERSONAL DATA?
We will process your personal data when data protection legislation allows us to, most commonly, in the following circumstances:
- Where we need to deliver services at your request and in accordance with specific terms and conditions.
- Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
Below we have listed most of the ways we use your personal data and further below the legal basis we rely on to do so.
To supply services you request, including the registration for the database, its usage and troubleshooting.
To charge for any services requested.
To carry out investigations in relation to compliance and complaints regarding our services, as well as site inspections and audits.
To prevent and detect criminal activities.
To complete a survey for purely research and statistical purposes.
To use data analytics to improve our services, customer relationships and experiences, providing data for the data dashboard and, where applicable, to secure our website.
As we are requested to do so by law and the contract with a User.
If you are an Installer or Contractor, to share your details on the basis of legitimate interests with parties and individuals who may be interested in using your services and/or are researching the renewables market.
LAWFUL BASIS FOR PROCESSING
Please note that we may process your PID for more than one lawful basis depending on the specific purposes for which we are using your personal data.
1 – Vital interests
To provide information where we believe it is in the vital interest of those registered on the MID to receive it, such as health and safety warnings, servicing information etc.
2 – Contractual
Performance of the MCS MID services in accordance with its Terms and Conditions and/or any other contractual obligations.
3 – Legal
Necessary to comply with a legal obligation.
4 – Legitimate interests
To promote MCS to individuals, Installers, the renewables industry, government departments (including the devolved nations), government agencies, trade associations and all other relevant parties, to increase awareness of the Certification Scheme and the services offered by MCS.
To survey end user installations or planned end user installations to ensure that the service offered is meeting their expectations.
To protect data subjects and the business from criminal and illegal activities.
To allow MCS to provide its customers and potential customers with information. These communications may include social media direct messaging, email, newsletters, telephone calls, text messages and any other channels to reach those who may be interested in using or are already using some of the services offered by MCS.
To share information concerning Installers, Contractors and Product Companies with those wishing to either engage their services and/or develop the market for renewables.
5 – Public interest
In a limited number of circumstances, we are permitted to process personal data where it is deemed to be in the public interest. This includes sharing certain data including your name, address and email with government (including the devolved governments) and their relevant contractors. On occasion and with the consent of MCS, government contractors may share your personally identifiable data with their subcontractors. It also includes universities, distribution network operators, local authorities, ‘think tanks’, and other not for profit organisations.
6 – Consent
In certain circumstances we may seek your consent to process your data; however, where possible we will try to process using one of the other five lawful methods.
Please see our separate cookies policy.
TO WHOM DO WE DISCLOSE PERSONAL DATA?
We do not disclose personal data to anyone, except when we need to share it with:
- External third parties that provide specific services to us, such as the website, database design and management, data storage, online phone helpline, government departments and agencies (including those within the devolved nations), payments processing, external auditors, accountants, insurance providers, marketing agencies and where applicable payroll companies.
- Credit Reference Agencies for the prevention and detection of fraud or non-compliance with government financial incentives such as the Boiler Upgrade Scheme, Feed-in Tariff, Domestic Renewable Heat Incentive and others as applicable.
- Detection of fraud or non-compliance with respect to government incentives including Domestic Renewable Heat Incentive, Boiler Upgrade Scheme and the Feed-in Tariff schemes.
- Regulatory and judicial authorities who require reporting of processing activities in certain circumstances. More specifically, we may need to disclose personal data of installation companies to:
- Ofgem for reporting, monitoring, application processing, compliance and complaints handling purposes for the administration of the Domestic and Non-Domestic Renewable Heat Incentive, Boiler Upgrade Scheme and the Feed-in Tariff Scheme and others as applicable, as well as in support of any criminal or civil investigations carried out by relevant authorities.
- MCS Certification Bodies for reporting, monitoring, application processing, compliance and complaints handling purposes for the administration of the MCS, as well as in support of any criminal or civil investigations carried out by relevant authorities.
- Feed-in Tariff and Smart Export Guarantee (SEG) Licensees for reporting, monitoring, application processing, compliance and complaints handling purposes for the administration of the Feed-in Tariff Scheme, as well as in support of any criminal or civil investigations carried out by relevant authorities.
- The Department for Energy Security and Net Zero and their own contractors for meeting MCS’s legal obligations in relation to periodic provision of information to the Department for Energy Security and Net Zero who will use the information for market research purposes to develop: (i) its understanding of the deployment and performance of renewable energy technologies in relation to any relevant government schemes including the Domestic Renewable Heat Incentive scheme, the Feed-in Tariff scheme, Boiler Upgrade scheme and (ii) the impact of Government policies upon these schemes and any others that may be developed in the future. In particular, the data will be used to contact Installers in order to conduct surveys or consensuses and to assist with technical research. Individuals’ personal data may also be disclosed to the Department for Energy Security and Net Zero and its contractors for statistical and research purposes to conduct research projects, including engineering, social, economic and statistical, for the evaluation and development of policy, to enable delivery partners to effectively identify and investigate potential cases of fraud and non-compliance, and to improve the quality of data which is used in policy development. On occasion and with the consent of MCS, government contractors may share your personally identifiable data with their subcontractors for the same purposes described above.
- CTSI, including but not limited to RECC and HIES for reporting, monitoring, application processing, compliance and complaints handling purposes for the administration of the MCS, as well as in support of any criminal or civil investigations carried out by the relevant authorities.
MCS has various data sharing arrangements with government departments (and their contractors), including the devolved nations, government agencies, local authorities, universities, think tanks, distribution network operators and other not for profit organisations where the installation address data, and sometimes the installation company names are shared for research purposes. These are managed via Data Sharing Agreements and/or Data Processing Agreements and/or Non-disclosure Agreements.
We may also provide third parties with aggregate and non-attributable information about installation owners and product companies.
If you are an Installer, Contractor and/or Product Company, to share your details with parties and individuals who may be interested in using your services and/or are researching the renewables market.
In certain circumstances, we also work with local authorities, government departments including government agencies (and their contractors), the devolved governments, not for profit organisations and commercial entities to provide them with a list of MCS certified Contractors and Installers from the Contractor directory for their procurement requirements.
Where applicable, we require all external third parties to respect the security of your personal data and to treat it in accordance with all applicable data protection legislation. We do not allow third party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our legally binding Data Sharing Agreement and/or Data Processing Agreement and instructions.
WHERE IS PERSONAL DATA STORED?
All information about you is stored on our servers or, in the case of hard copies, in locked cabinets. Data is held within the United Kingdom. However, there are occasions when we need to commission certain services from third party processors such as Mailchimp, SurveyMonkey and Maximiser CRM based outside the UK. We will only share your data with these third parties where we have in place appropriate safeguards such as Standard Contractual Clauses, Data Processing Agreements and/or International Data Transfer Agreements to ensure the safety of your personal data.
If you wish to receive more detailed information about your personal data, please send your request to GDPR@mcscertified.com
HOW DO WE SECURE PERSONAL DATA?
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those staff members or other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a strict duty of confidentiality.
Processes to deal with any suspected personal data breach have been put in place and MCS will notify you and any applicable supervisory authority of a breach, where we are legally required to do so.
HOW LONG DO WE RETAIN PERSONAL DATA?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
For further information concerning specific data retention periods, please ask for a copy of our Data Retention Schedule.
CCTV is in operation outside the premises of MCS which is operated and managed independently by Sci-Tech Daresbury. For further information please contact the landlord via telephone: 01925 984 046 or email: firstname.lastname@example.org or by letter: Sci-Tech Daresbury, Keckwick Lane, Daresbury WA4 4FS.
WHAT ARE YOUR PRIVACY RIGHTS?
All data subjects have certain rights in relation to their personal data which are as follows:
- Access to your personal data – This enables you to receive a copy of the personal data MCS holds about you and to check how we process it.
- Correction of your personal data – This enables you to have any incomplete or inaccurate data MCS holds about you corrected or completed, though we may need to verify the accuracy of the new data you provide to us.
- Erasure of your personal data – This enables you to ask MCS to delete personal data where there is no legitimate reason for us to continue processing it. Note, however, that MCS may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to the processing of your personal data – This allows you to ask MCS to terminate the processing of your personal data where we are relying on a legitimate interest or one of the other five processing options. In some cases, we may demonstrate that we have a lawful reason for processing your information which overrides your request.
- Restriction of processing your personal data – This enables you to ask MCS to suspend the processing of your personal data in certain circumstances.
- Transfer of your personal data – This enables you to ask us to transfer your personal data to you or to another service provider. MCS will provide to you, or your nominated representative, your personal data in a structured, commonly used, machine-readable format.
Note, however, that this right only applies to automated information which you may have provided under Terms and Conditions to us.
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee for subsequent requests if they are found to be repetitive and/or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What we may need from you
Before complying with a Data Subject Access Request, MCS may need certain information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. MCS will provide the requested information within 30 days after we are satisfied as to your identity.
Time limit to respond.
If MCS is unable to respond within 30 days, for example if your request is particularly complex or you have made a number of requests, MCS will notify you and keep you updated.
Your right to lodge a complaint.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO). However, we would appreciate the chance to deal with your concerns first before you approach the supervisory authority, so please do contact us in the first instance.
HOW TO CONTACT US
For compliance questions in relation to this policy, you may contact us by email at: GDPR@mcscertified.com, by telephone: 0333 103 8130 or post: First Floor, Violet 3, Sci-Tech Daresbury, Keckwick Lane, Daresbury, Cheshire, WA4 4AB.