Privacy Policy

Your data security and privacy are important to us.

Evident ensures integrity and confidentiality in the process of collecting and storing personal data. We will only use and collect personal information that is necessary for our business operations, and it will be handled and used in accordance with our Privacy Policy.

This privacy policy covers the processing of your data while using this website as well as a guide tohow we process data in the course of a commercial relationship with Evident. This Privacy policy complies with the EU GDPR, UK GDPR, and Data Protection Act, and global data protection legislation and best practices.

Our Contact Details

Registered Office:

400 Springvale Road, Sheffield, S10 1LP, United Kingdom

General Enquiries: helpdesk@evident.global

Privacy/Data processing enquires: helpdesk@evident.global

Definitions:

Personal information: Data that can identify an individual and can include but is not limited to: a person’s name, address, email address, phone number. Personal data does not include encoded and anonymised data.

We/Our/Us/the Company: refers to Evident Ev Limited, also known as Evident.

Site User: refers to the website user but who is not necessarily in a commercial relationship with us.

You/Your/Data Subject: refers to a site user, an individual in a commercial relationship with us or an employee or agent of a company/business in a commercial relationship with us. Please note, a data subject can fit more than one of these criteria.

The Site: refers to our websites.

Subject Access Request: a request made by you to us about what data we have on you as well as to request the status of our processing of your data.

EU GDPR: European Union General Data Protection Regulations.

UK GDPR: United Kingdom General Data Protection Regulations (different from the Data Protection Act 1998 which supplements the UK GDPR).

Principles

We process your data in accordance with the principles of:

  • Fairness, lawfulness and transparency.
  • Collection of data for specific, explicit and legitimate purposes.
  • Adequacy, relevance and limitation of data to what is necessary.
  • Accuracy of data and facilitating rectification of inaccurate data.
  • Reasonable retention of data for no longer than is necessary.
  • Security of data
  • Safeguarding data during transfers.


Legal basis for data collection and processing.

As a site user, the legal basis for collecting and processing data about the use of the website is ourlegitimate interest. As an individual in a commercial relationship with us, the legal basis for collection and processing of your data is part of our contractual obligation. For employees or agents of a company in a commercial relationship with us, we rely on our legitimate interest arising from the contract between your employer and us as the legal basis for the collection and processing of your personal data. For individuals who have been in communication with us beyond the website but are not yet in a commercial relationship with us, the legal basis for processing your data is our legitimate interests and your consent if you contact was initiated by you.

Information we collect, how we collect it and how it is used.

We collect information with regards to how the Site User uses the Site, this is usually anonymous and helps to provide information as to the ease of use, accessibility and performance of the website. We also collect information from individuals at the start of a commercial relationship, this may include name, address, email, phone number, national identification documents and work information. This information is required at the start of a commercial relationship to facilitate the provision of our services to you. This information is usually collected through the appropriate application forms on the Issuer or Code Manager’s website.

When you send communications to us, we may retain and use these communications in order to process your enquiries, respond to your requests, and improve our services.

We will share this information with other organisations, if necessary for the provision of our service to you or in facilitating the exercise of your right to portability, where that applies. Please see the Business Transfers section of this policy for more information.

It is our policy not to use or disclose confidential or non-public information received from clients except in connection with the provision and improvement of our services. Such uses or disclosures may include, for example, those that are usual, appropriate, or acceptable to carry out the service for which the information was given.

We do not disclose confidential or non-public information to third parties for their direct marketing purposes nor do we endorse or promote offers from third party advertisers.

We may from time to time, in accordance with this Privacy Policy, use personal, confidential, or non-public data to inform a client or customer about products and services that we expect may be of interest to them. Individuals may object to any such data being used for such marketing purposes by contacting us in writing at the address or email below.

External websites

Our website occasionally links to other websites for additional information. The Company does not control and is not responsible for how these external web sites collect and use information. This privacy statement applies only to our own domains, evident.global and evident.app

Your right to opt out

As a site user, you can opt out of data collection and usage. Please see our cookie policy for more information on how to opt out of data collection. You can also contact us to request restricted processing or erasure of your data.

As an individual in a commercial relationship with us, consent to collecting and processing data is drawn from the contractual agreement. To end the processing of data, you may contact us to request a restriction of processing, such that no other communication is made with you other than for the purpose of ensuring termination of the contract. Upon termination of the contract, data will be retained in line with the retention policy set out in this policy and will only be stored in line with our obligations under the retention policy.

As an employee or agent of a company or business in a commercial relationship with us, you have a right to restrict processing of your information by contacting us. Reasonable steps will be taken alongside your principal or employer to ensure that a replacement contact at the company is made available, after which your data will be fully and permanently deleted.

Third Party Processors

We may provide your data to third parties to process on our behalf. We work only with third parties who adhere to data protection legislation in the UK, EU, and globally. Additional safeguards are put in place by us to ensure that data is kept securely, processed in line with this policy and protected where international transfers take place.

Data storage and retention

For individuals in a commercial relationship with us, data that is provided to us at the start of the commercial relationship will be kept throughout the course of the relationship with us. For employees of companies in a commercial relationship with us, data is kept throughout the course of your principal’s relationship with us or until you request restriction or objection to processing of your data.

Data on the Registry is never deleted. This is needed for our audit trail purposes. These audit purposes are for our legitimate interests and fall under the scope of lawful basis for processing relating to archiving data for historical research purposes. Such data will include, usernames, names, telephone number and emails that have been provided in the course of your commercial relationship with us. We will employ further safeguards of restricted processing, pseudonymisation, and invisibility of such data. You retain the right to access or request what information we have on you in the registry. However, once a commercial relationship has ended, the right to rectification no longer applies as the data is historical.

Only data on the Registry is kept in this manner, where the data is kept elsewhere, we keep your data for eighteen months, except contracts which we will maintain a copy of for our business records. We keep data for this period for dispute resolution purposes, national legislation compliance purposes, and outstanding billing purposes. After this time period, data is deleted.

We take reasonable precautions to protect personal, confidential, and non-public information. It is our policy to restrict access to confidential, non-public, and personal information to those employees who need to know such information in order to provide our services or as otherwise appropriate and consistent with this Privacy Policy.

Your rights

  • You have a right to be informed of the data we collect, when we collect it, how we use it and changes to the way we process your data.
  • You have a right of access to the data we hold on you by submitting a subject access request to us through the stipulated means in the next section of this policy.
  • You also have a right to rectify data that is held by us, where there is reason to believe that such data is inaccurate.
  • You have a right to the erasure of your data (in line with our retention policy). You have a right to restrict processing of your data.
  • You have a right to object to automated decision-making including profiling.
  • Site users and employees or agents of companies in a commercial relationship with us have an additional right to object to our processing of your data, please see the information above on data storage and retention. You do not have a right to data portability as our processing of your data is only for our legitimate interests.
  • While the right to object does not apply to individuals in a commercial relationship with us, the right to withdraw consent and restrict processing in line with the right to opt out will apply.
  • Individuals in a commercial relationship with us also have a right to portability in order to securely move and use your data across a range of services without having to provide such data again, also see the business transfers section for more information.
  • Individuals who have been in communication with us beyond the website but are not yet in a commercial relationship with us have the same rights as employees of client companies.

The ways in which these rights can be exercised and clearly stated throughout this policy document, and you can contact us for more information or to make a request to exercise these rights.

Additionally, employees or agents of companies in a commercial relationship with us must bear in mind, that we act as a joint controller with their principal who provided their details to us, for the purposes of fulfilling our contractual obligation, hence, the employer or principal, themselves must be contacted by you for processing of your data that does not relate to the commercial relationship, we have with them.

Subject Access Request

EU data subjects: Email or write to us or the EU Representative.

Data subjects in non-EU countries: Email or write to us.

It is recommended that a copy of ID is attached to your letter or email, as we cannot process a request unless we are able to identify the individual. More information may be requested for the purpose of identifying the individual to prevent unauthorised access.

More information may also be requested with regards to the Subject Access Request itself to ensure that the request is dealt with effectively.

While, legally, we have a month to respond to requests, we aim to acknowledge receipt of subject access requests and request additional information, if necessary, within seven business days of receiving the request. Upon the receipt of all necessary information and proper identification of the data subject, we aim to process and complete the request within a further 14 business days.

Where there is an urgent reason for faster processing of a subject access request, the data subject must state that it is urgent and the reason for such urgency. It is recommended that urgent subject access requests be by email.

Requests will be responded to in the same manner as it has been received unless the data subject requests otherwise in the initial or subsequent communication.

EU representative

Under the EU GDPR, we hereby provide the EU representative below as an additional contact point

for data subjects based in the EU. Please note the EU representative can only deal with requests relating to data subjects in the EU.

Name: Jared Braslawsky

Correspondence Address: De Mortel 2D, 5211 HV ‘s-Hertogenbosch, The Netherlands

Information Disclosure Obligations under national laws

Personal data held by us will be treated with the utmost confidentiality. However, where we reasonably suspect criminal activity, we will disclose such information to the appropriate authorities.

Likewise, where we are bound by national laws to make certain disclosures to public authorities or regulatory bodies or bound by court order to make such disclosures in a legal proceeding, we will comply with such obligations.

We will only inform the data subject of such a disclosure if the law or court order in question permits it.

Public Data published by other sources

This policy does not apply to data that is publicly available. However, where such data has been deleted/erased from the source upon the request of the data subject or to comply with a court order, law or other code of conducts/guidelines, we will also erase any duplicates of such data on our systems at the request of the data subject.

Public Data Published by us:

Data may be made public by us, this may include client energy device information (which stays on forever, but upon termination of our contractual relationship, it will be made clear that I-RECs are no longer being issued against the device), list of participants and registrants (information here will be removed upon contract termination). Such data is only made public according to the Standard terms agreed upon between you and us upon the commencement or continuation of a commercial relationship and in fulfilling our obligations in line with regulations. Where our commercial relationship comes to an end, and such data is no longer public, and we will take reasonable and practical steps to ensure that processors or joint controllers whom we have shared such data with and other parties who access this data from us also erase their copies of the data. However, we cannot guarantee that such data will be made completely private due to the nature of the internet, especially as the basis of making the data public was based on the terms of our contract.

Data security and protection

We ensure that data is kept secure using industry standards on information security management. However, there is no guarantee that measures for security will always prevent unauthorised access. Where unauthorised access occurs, we will notify you, take reasonable steps to remedy the situation and to mitigate it in the future.

Where we communicate through electronic means with you, we will also ensure that we take all reasonable steps to ensure that our medium is free from viruses and is secure. However, we cannot guarantee absolute security as no method of transmission over the internet is 100% secure. Consequently, we cannot ensure or warrant the security of any information you transmit to us, and you do so at your own risk.

We also urge you to take reasonable steps to ensure that there is no unauthorised access to your data by ensuring that your devices and credentials are kept safe and private.

Breach

In the event of a data breach, the Information Commissioner’s Office (ICO) and/or Dutch Data Protection Authority and the affected data subjects involved will be notified. Where it is not possible to give individual notice to you, a public notice will be placed on this website.

Business transfers

Apart from processing with the aforementioned processors, we also share data with the Central Issuer, your country’s Issuer, Registry operators, Platform operators, and the International REC Standard Foundation. This will be in order to comply with the Foundation’s International Attribute Tracking Standard, the Evident Product Code, appropriate contractual obligations, and national legislation.

We may also get information from the Businesses we have commercial relationships with in the course of providing services to you and them. The information we get is your name, contact details, activities carried out between parties under contract relating to the issuance or redemption of I-RECs. We get this information from the Central Issuers, your country’s Issuer, Registry operators, Platform operators.

When making such data transfers, we will ensure the security of that data by using means which are encrypted and free from viruses. We will also ensure that only data that is necessary for the transfer or processing by the recipient is transferred to comply with the data minimisation principle. Where any records of your data have been erased in compliance with this policy, we will alert any recipients of such data to delete their copy of the data.

More information on the relationships between different Accredited Entities and Market Entities and reasons for sharing data between them, are made available in the Product Code or International Attribute Tracking Standard. Data is only shared in this manner to comply with our obligations, provide our services to you or other related entities and for our legitimate interest. Data will never be shared for the purposes of direct marketing.

For MiQ users

We share your data frequently with MiQ Services for the purposes of delivering their product on our Registry and in compliance with the MiQ Program Guide and MiQ Standard. We have an EU GDPR and UK GDPR compliant Data Sharing Agreement with MiQ Services. Our processing of your data on the Registry will continue to be in line with this Privacy Notice, however, MiQ Services is also a joint controller of your data on the Registry.

Changes to this policy

If in the future, changes are made to this Privacy Policy, we will post the new policy on this website. If the new policy is somehow materially less restrictive or protective of your privacy than the current policy, we will not apply the less protective aspects of the revised policy to information you have previously provided to us without first obtaining your consent.

We reserve the right to change this Privacy Policy in the future. Your continued use of this website and our services following a change in the Privacy Policy represents consent to the new policy to the fullest extent permitted by law.

We will not process your data in any way that violates your contractual agreement with us.

We encourage you to periodically review this Privacy Policy.

This Privacy Statement was last updated on 05 September 2022.

Questions

For questions regarding this policy or your data and how we process it, please contact us.

Further details on the acceptable use of our services can be found in our Standard Terms and Conditions for the respective services we provide to you.


How to complain.

You can contact us directly to complain at helpdesk@evident.global. You can also complain to the Dutch Data Protection Authority if you are unhappy with how we have used your data or managed your complaints about your data. You can contact them by writing to them: Autoriteit Persoonsgegevens, PO Box 93374, 2509 AJ DEN HAAG or by telephone +31(0)708888500.

You also have a right to complain to your local data protection authority where appropriate.