Drax Power Limited (“Drax Power”) respects the privacy of everyone who uses our services. We are obligated by data protection law to inform you about the way we use your personal information. Please read our privacy notice to understand our approach to processing your personal data.

  • Introduction

    Drax Group plc (“Drax”, “we”, “us” or “our”) is committed to protecting and respecting your privacy.

    This privacy notice (together with our Terms of Use, Website terms and conditions and any other documents referred to in it) sets out the basis on which any personal data (called personal information in this notice) we collect from you, or that you provide to us, via www.cruachanprod.wpengine.com (our “Website”) will be processed by us.

    We are primarily designed as a tourist attraction, shop, café and provider of tours of our hydro-electric pumped storage plant, Cruachan Power Station. The collection of personal information is limited to personal information of individual visitors or enterprise/business entities representing groups of visitors that will enable us to manage our relationship with you, as explained further in this notice.

    We will be the data controller of your personal information which you provide to us or which is collected by us via our Website. This means that we are responsible for deciding how we hold and use personal information about you and that we are required to notify you of the information contained in this notice. It is important that you read this notice so that you are aware of how and why we are using such information and how we will treat it.

    The information which you provide to us may include information about other individuals who are associated with you (e.g. your children), your organisation (e.g. your school) or business. If you provide us with information about such individuals, except in relation to children you are responsible for, it is important that you provide them with a copy of this notice prior to providing us with the information and that you provide them with any updated notices we provide from time to time.

    Our Group Data Protection Officer is responsible for overseeing questions in relation to this notice and is contactable via data.protection@drax.com. You can also contact us using the details provided at the end of this notice in the “Contacting Us” section.

  • How we use your information

    This notice tells you what to expect when we collect your personal information. It applies to information we collect:

    1. When you interact with us on our Website or communicate with us by phone, email or otherwise;
    2. Automatically when you use our Website;
    3. Automatically when you visit our locations;

    1. Website interaction and communication by phone, email or otherwise

    If you interact with us via our Website, for example by filling in the ‘contact us enquiry’ form, the ‘enquire about a tour’ form or if you communicate with us by phone, email or otherwise, then we will collect your name, contact details, and any other personal information that you provide to us.

    We will only use this personal information for the purpose of providing you with any information you request from us, or to deal with your enquiry. If you have provided any feedback to us, then we may use this feedback to improve our Website and/or the services we provide.

    It is in our legitimate interests to process your personal information in this way, as it is necessary to respond to your request or enquiry and to help improve our Website and our services, and these interests are not overridden by any detriment to your rights or freedoms.

    2. Automatically when you use our Website

    Our Website uses cookies to allow us to improve the functionality and content of the Website. If you prefer not to have cookies active, then you may disable them at any time. To do this, use a popular search engine and search for ‘Disable cookies in my browser’. The search engine will point you in the direction of instructions allowing you to “block all cookies”.  You can reset your preferences or settings at any time by repeating these processes.

    Each time you use our Website, we will automatically collect:

    • technical information such as your IP address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our Website; and
    • information about your visit such as the pages you request, clickstream to, through and from our Website, download errors and page interaction information such as scrolling, clicks and mouse-overs.

    This information is only processed by us or a third-party provider such as Google Analytics in a way that does not identify individuals. We do not make any attempt to find out the identities of those visiting our website.

    We will use this information:

    • to administer and improve our Website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
    • to investigate and respond to website security incidents;
    • for the purposes of conversion tracking and serving ads targeted to users’ interest; and
    • to ensure that content from our Website is presented in the most effective manner for you and your computer.

    We will also disclose this information to selected third parties, including analytics, search engine and social media providers, that assist us with the improvement and optimisation of our Website (see the Disclosure of your Information section below for more information).

    It is in our legitimate interests to use this personal information for the limited purposes set out above, which are not overridden by any detriment to your rights and freedoms, particularly as the information is only processed by us in a way that does not identify individuals.

    If you prefer to opt out of some third-party, interest-based advertising you may disable this in several ways:

    1. Through the Do Not Track functionality in your web browser. To do this, use a popular search engine and search for ‘Enable Do Not Track in my browser’. You will find resources to guide you through the process, and can reset your preferences or settings at any time by repeating these processes.
    2. Through the Digital Advertising Alliance’s consumer choice tool. You can find this at optout.aboutads.info to opt out of seeing interest-based advertising from participating companies in your current browser.
    3. On your mobile device. You can enable the ‘Limit Ad Tracking’ setting in your iOS phone’s settings, or the setting to ‘Opt out of Ads Personalisation’ in your Android phone’s settings.

    We will not carry out any solely automated decision-making using your personal information obtained via our Website.

    3. Automatically when you visit our locations

    We are committed to the safety of our colleagues and visitors, protecting our buildings and assets and identifying, apprehending and prosecuting any offenders on our sites. As a result, we have invested in a closed-circuit television system (“CCTV”) at our Cruachan site.

    Here we set out how the CCTV system will be managed and used by us and to inform individuals, whose personal data may be captured on the CCTV system, about how and why that personal data may be processed by us.

    The use of the CCTV  system is overseen by our Group Data Protection Officer who can be contacted at data.protection@drax.com or using the contact details in the “Contacting Us” section below. The day-to-day operation of the CCTV system is managed by a third-party service provider under the direction of our  Security Operations Manager, with local oversight by our security staff at our Cruachan site.

    We are aware that images of recognisable individuals, such as colleagues and site visitors (“data subjects”), captured by the CCTV system constitute ‘personal data’, use of which is governed by data protection law (“the law”).

    We will ensure that our use of the CCTV system and the personal data that it captures complies with the law.

    The cameras are in operation 24 hours a day, 7 days a week and they will be monitored from our Cruachan Power Station Control Room. Until around Q2 2019, the Scottish Power HQ Security Control Room in Glasgow also monitors Cruachan CCTV. In Q2 2019, this role will be transitioned to the Drax Power Station Control Room in North Yorkshire. In addition, our third-party security providers will regularly check and confirm the efficiency of the system, including that the equipment is properly recording, that the cameras are functional, that the time and date are correct and that that footage is being deleted or retained in accordance with this document.

    The images captured by the CCTV System will not be stored for any longer than is required in order to achieve the purposes identified above. CCTV footage will automatically be deleted on a rolling basis, unless specific images are required to be retained in order to deal with an incident or in order to respond to a request by an individual made under the law.

    Further information on CCTV privacy can be found on the Drax website https://www.drax.com/drax-power-limited-cctv-privacy-notice/

  • Disclosure of your information

    Our Website may, from time to time, contain links to and from other websites, plug-ins and applications.  Clicking on those links or enabling those connections may allow third parties to collect or share information about you.   We do not control those third-party websites and are not responsible for their privacy notices / policies.  When you leave our Website, we encourage you to read the privacy notice of every website you visit before you provide them with personal information.

    We may share your personal information with the third parties set out below:

    • service providers who provide digital services (such as Group SJR or WP Engine) and analytics and search engine providers (such as Google Analytics);
    • other companies in our Drax group of companies such as Drax Power Limited or Drax Generation Enterprise Limited who provide CCTV security, information security, IT, system administration, stakeholder management and customer services and undertake management reporting;
    • if we are under a duty to disclose or share your personal information in order to comply with any legal obligation, or in order to enforce or apply any contractual terms or our Terms of Use;

    We require all service providers and Drax companies that we share your personal information with to respect the privacy and security of your personal information and to treat it in accordance with the law.  We do not allow our third-party service providers, including Drax companies, to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.

    Most of the personal information we collect about you is based in the United Kingdom or in some cases, a service provider or their sub-processor may be based elsewhere in the European Union (EU) and so, they are required to comply with European data protection law.  On occasion, we may appoint a third-party service provider whose operation or a server or sub-processor may be based outside of the EU.  As part of our Vendor Management Policy, we carry out due diligence on our third-party providers and assess whether your personal information will be transferred to them or accessed by them from outside the EU.  If that is the case, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

    • we will only transfer your personal information to countries that have been deemed to provide an adequate level of protection for personal information by the European Commission[1]; or
    • where we use providers based in the US, we may transfer personal information to them if they are part of the Privacy Shield which requires them to provide similar protection to personal information shared between the EU and the US. You can view certifications at privacyshield.gov[2]; or
    • where we use certain service providers who are not in a ‘adequate’ country or part of the Privacy Shield, we may use specific contracts approved by the European Commission which give personal information the same protection it has in the EU, called an EU Model Clause Agreement[3].

    If you would like to know the specific mechanism used by us when transferring your personal information out of the EU, please contact us using the details set out in the “Contacting Us” section at the end of this notice.

    [1] Article 45 of the GDPR

    [2] Article 46 of the GDPR

    [3] Article 46 of the GDPR

  • Storage of your personal information

    We will only keep your personal information for as long as necessary to fulfil the relevant purpose(s) we collected it for, as set out above in this notice, and for as long as we are required to keep it for legal purposes.

    To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

    For example, we will hold personal information on people and groups of people who apply, via our website’s tour enquiries form, by phone or email, to undertake a tour of Cruachan Power Station. This is so we can inform the operational power station of upcoming visits and also so we can reserve space on the tours.

    In some circumstances:

    • you can ask us to delete your personal information, see Your Rights below for further details; and
    • we may anonymise your personal information (so that it can no-longer be associated with you) for research, planning application or statistical purpose in which case, we may use this information indefinitely without further notice to you.

    We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

    In addition, we limit access to your personal information to those colleagues, contractors and other third parties who have a business need to know.  They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

    We have put in place procedures to deal with any suspected personal information breach and will notify you and any applicable regulator where we are legally required to do so.

  • Your rights

    Data protection laws provide you with the following rights, to:

    • request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;
    • request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;
    • request erasure of your personal information in certain circumstances. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below);
    • request the restriction of processing of your personal information in certain circumstances. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it; and
    • request the transfer of your personal information to another party.

    You also have the right to object to the processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.

    You will not have to pay a fee to access your personal information (or to exercise any of the other rights above). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

    We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

    You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.  The ICO can be contacted by telephone on 0303 123 1113 or by post as follows: Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow,
    Cheshire, SK9 5AF or via email at casework@ico.org.uk.  We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance using any of the details set out below in the “Contacting Us” section.

  • Changes to our privacy notice

    Any changes we make to our notice in the future will be posted on this page.

  • Contacting us

    If you have any queries, comments or requests regarding this notice or you would like to exercise any of your rights set out above, you can contact us as follows:

    • Contact: Group Data Protection Officer
    • Email: protection@drax.com
    • Address: Drax Power Limited, Drax Power Station, Selby, North Yorkshire, YO8 8PH