Privacy Policy

Most of the personal data we process is provided by you as part of your interactions with us. It usually
includes the following items:

• your name(s), title and employer details;
• your address, email address and/or telephone number; and
• your billing details if you are an end user customer of ours.

We may also process information we obtain or are provided by third parties (such as Glenigans Lead Generation Database) in order to send direct marketing material to our current or prospective clients and customers.

If you are one of our employees, we will collect some additional personal data in relation to your employment with us, which will include:

•  your gender and date of birth;
• your health information;
• your driving licence details;
• your right to work information, which may include passport or birth certificate and biometric permit or work visa where applicable;
• your bank account number and sort code;
• your CV; and
• name(s), address(es), email address(es) and telephone number(s) of family contact(s) (for example, for emergency contact details).

We will usually collect some or all of this information in relation to job applicants and new employees,too. We might also retain some of this information in relation to former employees for record-keeping purposes.

Your personal information is likely to be contained in:

• updates to your contact details (such as address, email address and telephone number);
• emails and other correspondence that you sent to us, or that were sent to you by us;
• records of conversations and meetings;
• website contact forms and marketing preferences;
• project-related documents such as tenders and responses, contact lists, approvals and similar
  paperwork;
• internal business systems such as HR, payroll and finance systems; and
• CCTV that we control on our business premises for the purposes of safety and security.

Our regulated businesses are also legally required to access industry-wide databases that contain personal data in the form of names, addresses, and alphanumeric identifiers such as “Meter Point Reference Numbers” (MPRNs) and “Meter Point Address Numbers” (MPANs). Some of these databases might also indicate whether a person is vulnerable for health or other reasons. This information is used to identify the end users of our energy networks and, in relevant cases, any special or additional support they might need.

Most personal data is kept within the Last Mile Infrastructure Group of companies but shared between
the data controllers named at the bottom of this notice. Personal data might be shared with third
parties where that is necessary to comply with the law, protect our rights and operate our usual
business practices. For example:

• some of our systems are cloud-based, so some personal data may be transferred to servers
  controlled by the providers of these cloud-based systems (who have no direct access to the
  personal data);
• some employees are insured to drive our fleet vehicles, so their personal data will be sent to
  the providers of those vehicles and any related insurance provider;
• some of our employee benefits are provided by third parties (such as pensions and health
  insurance), so their personal data will be sent to those providers;
• personal data might be included in records sent to our professional advisers, such as lawyers,
  accountants and insurance brokers;
• where we might engage with an external customer billing partner, we will need to share billing
  and payment history data;
• our outsourced IT providers may have access to personal data on our IT systems if such access
  is required to enable them to resolve problems with our IT systems;
• some employees are lone workers and have agreed to use a lone working app, so their personal
  data will be shared with the developers of this mobile app;
• we might need to provide personal details to subcontractors or emergency service providers
  who perform services on our behalf – for example, details of contacts on site;
• clients will receive employee personal data during routine communications in the form of
  contact details (and vice versa);
• we will have to provide personal data to some of our regulators and auditors – for example,
• HMRC, the Home Office (for sponsored employees) Ofgem, the HSE, the Environment Agency,
  the Drinking Water Inspectorate and Lloyds Register – to fulfil our legal obligations and to assist
  them in fulfilling their regulatory functions; and
• potential purchasers of our business, subject to those persons entering into strict
  confidentiality obligations with us and only to the extent permissible under data protection law.

We review all contractual arrangements we have in place with third parties who receive personal data
from us to ensure such third parties have robust systems and procedures to ensure compliance with
Data Protection Legislation.
To the best of our knowledge, understanding and belief, any personal data we collect will be kept within
the United Kingdom and will not be transferred outside of the European Economic Area (EEA) or to an
international organisation. We keep this under review with our third party providers and if this changes,
then we will let you know.

We only keep your personal data for so long as it is reasonably necessary. When setting our data retention periods, we consider the amount, nature and sensitivity of the data we hold, the potential risk of harm from unauthorised use or disclosure of the data and the purposes for which we process the data. Most personal data will be kept for the duration of our relationship with you plus an additional six (6) years (or any longer period required by law). The reason for this is that if we have to respond to a legal claim, we might need to use records that contain your personal data and most legal claims have to be brought within six (6) years.

You have the following rights in respect of your personal data:

• Access to your personal data – you have the right to a copy of any personal data we hold in
  relation to you, as well as information about how we process that personal data (which is
  already set out in this notice). This is known as a “Subject Access Request” and all Subject
  Access Requests should be made in writing and sent to the email or postal address shown
  below. To make this as easy as possible for you, a Subject Access Request Form is available for
  you to use which, while you do not have to use this form, it is the easiest way to tell us
  everything we need to know to respond to your request as quickly as possible.
• Rectification of your personal data – you have the right to have any inaccurate personal data
  about you corrected. You also have the right to have any incomplete personal data completed.
• Right to erasure / “right to be forgotten” – in certain circumstances, you have the right for
  personal data about you to be erased. We are not required to erase your personal data if we
  need to keep it in order to comply with legal obligations or to establish, exercise or defend legal
  claims.
• Right to restrict processing – in certain circumstances, you have the right to restrict how we
  process your personal data. There are some purposes for which we can continue to process
  your personal data even if you ask for it to be restricted. These include storage; the
  establishment, exercise or defence of legal claims; or for the protection of the rights of another
  legal or natural person (which includes companies).
• Right to object – if we process your personal data on the basis of our legitimate interests, you
  can object to that processing. If you object, we may have to stop processing that personal data
  (and this may mean we are no longer able to interact with you in ways that rely on that personal
  data). However, we are not required to stop processing your personal data where our
  legitimate grounds for processing it override your interests, rights or freedoms, or are
  necessary to establish, exercise or defend legal claims.
• Right to data portability – if we process your personal data on the basis of a contract you have
  with us as an individual, and that data is automatically processed, you have the right to receive
  that personal data from us in a commonly-used and machine-readable format so that you can
  transmit it to another data controller (or you can ask us to transmit it for you where technically
  feasible)

Requests to exercise any these rights should be sent to dataprotection@lastmile-group.com.
If requests are manifestly unfounded, excessive or repetitive we are allowed to charge a reasonable fee
for fulfilling the request or refuse to fulfil the request.

We will always store your digital information on secure servers. Unfortunately, however, the transmission of information via the internet is not completely secure. Although we will do our best to protect your information, we cannot guarantee the security of your information transmitted to our site or otherwise to our servers (such as by e-mail). Any such transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

We may use cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our site and also allows us to improve our site from time to time. We also use cookies in order to ensure page continuity and for the interactive sections of our site. Visitors to our website who do not wish to have cookies placed on their IT equipment should set their browsers to refuse cookies before using our website. This will mean that some features of our site may not function properly without the aid of cookies.

Our websites may contain links to other websites. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy notice. You should exercise caution and look at the privacy notice applicable to the website in question.

The appointed representative for each of the Last Mile Infrastructure Group data controllers is:

Data Protection Officer
Last Mile Infrastructure Group
Fenick House
Lister Way
Hamilton International Technology Park
Glasgow
G72 0FT

Queries for the appointed representative should be sent to dataprotection@lastmile-group.com
If you are not satisfied by our response, you may lodge a complaint directly to the Information Commissioner’s Office (www.ico.org.uk). The Information Commissioner is the UK regulator for data
protection.

The following Last Mile Infrastructure Group companies are data controllers processing personal data
under this privacy notice:

• Last Mile Infrastructure (Holdings) Limited
• Last Mile Infrastructure Holdco1 Limited
• Last Mile Infrastructure Holdco2 Limited
• Last Mile Infrastructure Group Limited
• Last Mile Infrastructure Holdco Limited
• Last Mile Infrastructure Limited
• Last Mile Infrastructure UK Limited
• Last Mile Asset Management Limited
• Last Mile Meters Limited
• Last Mile Water Limited
• Last Mile Heat Limited
• Energetics Design and Build Limited
• UK Power Solutions Limited
• Icosa Water Limited
• Icosa Water Services Limited

This notice was last updated on 1 October 2021. We may change this Privacy Notice from time to time.
This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection.

Any material changes we may make to our Privacy Notice in the future will be uploaded to our website
and you will be deemed to have accepted the terms of the Privacy Notice either when you first use our
website following the alterations, or when the revised version is exhibited to you. A copy of our Privacy
Notice is also available on request from our Data Protection Officer.