Privacy Policy

1. EMCOR UK Website Privacy Policy

Effective: February 1, 2024

Welcome to the EMCOR Group (UK) plc (“EMCOR”, “we”, “us” or “our”) privacy statement.

EMCOR respects your privacy and is committed to protecting your personal data.

This privacy statement applies to the collection and use of personal data by EMCOR that is subject to the UK General Data Protection Regulation (“UK GDPR”), and the EU General Data Protection Regulation (“EU GDPR”), which applies in relation to products and services we offer in the UK and the European Economic Area (“EEA”), respectively.

Important information and who we are

This privacy statement relates to your use of our website only and aims to give you information on how EMCOR collects and processes your personal data.

It is important that you read this privacy statement together with any other privacy statement or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy statement supplements the other statements and notices and is not intended to override them.

EMCOR is the data controller (as such term is defined in the EU GDPR/UK GDPR, as applicable) of your personal data collected pursuant to this privacy statement.

If you have any questions about this privacy statement, including any requests to exercise your legal rights, please contact the Data Privacy Manager using the details set out below.

Contact details

Full name of legal entity: EMCOR Group (UK) plc
Email address: privacy@emcoruk.com
Postal address: 1 The Crescent, Surbiton, Surrey KT6 4BN, UK
Telephone number: 0345 600 2300

Changes to the privacy statement

This version is effective on 1 February 2024. Historic versions can be obtained by contacting us. We may change this privacy statement from time to time—when we make significant changes we will take steps to inform you, for example by including a prominent link to a description of those changes on our website for a reasonable period or by other means, such as email.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

2. How We Collect and Process Personal Data

“Personal data” means any information about an individual from which that person can be identified. It does not include data where the identifying information has been removed (anonymous data).

We collect personal data from you:

• directly, when you enter or send us information, such as when you contact us (including via email), send us feedback, request materials or services via our website, and
• indirectly, such as your browsing activity while on our website; we will usually collect information indirectly using the technologies explained in the section on ‘Use of Cookies’ below.

We may collect, use, store and transfer different kinds of personal data about you. The UK GDPR/EU GDPR requires us to have a sound legal basis for processing your information. The list below, while not exhaustive, shows the main categories of information we may collect:

• Identity data includes: first name, last name, username or similar identifier, title.
• Contact data includes: email addresses, telephone numbers.
• Recruitment data includes: resumes, work history, background information.
• Transaction data includes: details of products and/or services you may have purchased from us, or we have provided to you.
• Profile data includes: username and password if relevant, orders made by you, your interests, preferences and feedback if provided.
• Usage data includes: information about how you use our products and services.
• Marketing and Communications data includes: your preferences in receiving marketing from us if requested and your communication preferences.
• Log File data includes IP addresses, browser type, internet service provider, referring/exit pages, operating system, date/time stamp and/or clickstream data
• Cookies, Analytics and Related Technologies data includes those data listed in the “Use of Cookie” section below.

We may also collect, use and share statistical or demographic data (“Aggregated data”) for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your usage data (as described above) to calculate the percentage of users accessing a specific website feature.

The table that follows shows the purposes for which personal data might be used and the legal basis for doing so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one legal basis, depending on the specific purpose for which we are using the information. Please contact us if you need further details about the specific legal basis we are relying on to process your information where more than one basis has been set out in the table.

 

 

In addition to the uses described above, we may use your personal data for the following purposes, which uses may under certain circumstances be based on your consent, may be necessary to fulfil our contractual commitments to you, and are necessary to serve our legitimate interest in the following business operations:

• Operating our business, administering our products and services;
• Conducting market research, surveys, and similar inquiries to help us understand trends and customer needs;
• Preventing, investigating, or providing notice of fraud, unlawful or criminal activity, or unauthorised access to or use of personal data, our website or data systems; or to meet legal obligations; or
• Enforcing our agreements.

We may receive additional personal data from third-party sources, such as public databases, which we may append to existing data, such as email address verification. We may use this supplemental information to process transactions that you request and to prevent fraud, deliver relevant offers to you and to improve our operations, services and products.

3. Use of Cookies

A cookie is a small text file which is placed onto your device (e.g. computer, smartphone or other electronic device) when you use our website. We use cookies and related technologies (“Cookies”) on our websites that link to this privacy statement (“Sites”) to administer the Sites. We use the following types of Cookies.

• Necessary Cookies:  Necessary cookies help make our Sites usable by enabling basic functions like page navigation and access to secure areas of the website. Our Sites cannot function properly without these cookies.
• Functional Cookies:  Functional cookies allow our Sites to remember the choices you make – e.g. any customisations you make to the website pages during your visit. They assist in providing features and services specific to individual users.
• Analytics Cookies: Analytical cookies are used to understand how visitors interact with our Sites. These cookies help provide information on metrics such as the number of visitors, bounce rate and traffic source.

How to control Cookies: You have the right to manage or disable cookies via your browser settings or by using the privacy trigger button located on the bottom left of your screen whilst visiting any of our webpages. You can review your Internet browser settings, typically under the sections "Help" or "Internet Options," to exercise choices you have for certain Cookies. If you disable or delete certain Cookies in your settings, this may impact your experience on, and you may not be able to use features of, the Sites.

We use a cookie operated by our third party Customer Relationship Management (CRM) vendor, HubSpot, on our Sites for analytics purposes. HubSpot’s tracking tools are used to help us understand how visitors interact with our Sites and emails, including monitoring actions like page views, form submissions, and email opens. These tools help improve the user experience and support our marketing efforts.

Third party vendor [Usercentric] operates the cookie banner displayed on our Sites, and through this its tracking tools monitors consents obtained from users through this banner. These tracking tools process the IP address of the users in order to do this.

4. Marketing

We may use your personal data to send your business updates (by email, text message, telephone or post) about our products and services, including new products and services.

We have a legitimate interest in using your personal data for marketing purposes (see above ‘How We Collect and Process Personal Data’). This means we do not need your consent to send you marketing information. If we change our marketing approach in the future so that consent is needed, for example, by marketing directly to consumers, we will ask for this separately and clearly.

You have the right to opt out of receiving marketing communications at any time by:

• contacting us at marketing@emcoruk.com
• using the ‘unsubscribe’ link in emails or ‘STOP’ number in texts

We may ask you to confirm or update your marketing preferences if you ask us to provide further products, services or materials in the future, or if there are changes in the law, regulation, or the structure of our business.

We will always treat your personal data with the utmost respect and never sell or share it with other organisations outside the EMCOR group for marketing purposes.

For more information on your right to object at any time to your personal data being used for marketing purposes, see ‘Your rights’ below.

5. Automated Decision-making and Profiling

Our Sites are not configured to use any form of profiling or automated decision-making.

6. How We Share your Information

We may share your information, including your personal data, among our affiliated companies.

We may also share your information with third parties that provide services to us or on our behalf, including marketing and other services that help us operate our business.

We use HubSpot as a CRM system to manage and process customer data efficiently. This includes using HubSpot to send marketing communications, manage your inquiries, and enhance customer service.

We may also disclose certain personal data as required by law or in connection with a legal claim or proceeding, or as we may reasonably determine to be necessary or appropriate to protect our rights or the rights of others or to avert loss or harm to persons or property.

We may also transfer your personal data to a third party in connection with a merger, sale, reorganisation or similar transaction involving all or part of our affiliated companies.

Where we have clearly stated and made you aware of the fact, and where you have given your express permission, we may use your details to send your business products/services information through a mailing list system. This is done in accordance with applicable data protection and privacy laws.

7. International Transfers

We do not plan to share your personal data outside the EEA and the UK except to our service providers as noted in Section 6 above.

Under applicable data protection laws, we can only transfer your personal data to a country outside the UK/EEA where:

• the UK government has decided the particular country ensures an adequate level of protection of personal data (known as an ‘adequacy regulation’) further to Article 45 of the UK GDPR. A list of countries the UK currently has adequacy regulations in relation to is available on the ICO website (https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-transfers-a-guide/#Q1). We rely on adequacy regulations for transfers to the following countries: countries in the EEA;
• in the case of transfers subject to EEA data protection laws, the European Commission has decided that the particular country ensures an adequate level of protection of personal data (known as an ‘adequacy decision’) further to Article 45 of the EU GDPR. A list of countries the European Commission has currently made adequacy decisions in relation to is available on the European Commission website (https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en). We rely on adequacy decisions for transfers to the following countries: UK;
• there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you; or
• a specific exception applies under applicable data protection laws.

Where we transfer your personal data outside the UK we do so: (i) on the basis of an adequacy regulation; or (ii) (where this is not available) legally-approved standard data protection clauses/agreements recognised or issued by the UK Government from time to time further to Article 46(2) of the UK GDPR. In the event we cannot or choose not to continue to rely on either of those mechanisms at any time we will not transfer your personal data outside the UK unless we can do so on the basis of an alternative mechanism or exception provided by UK data protection law and reflected in an update to this policy.

Where we transfer your personal data outside the EEA we do so: (i) on the basis of an adequacy decision; or (ii) (where this is not available) legally-approved standard data protection clauses issued by the European Commission from time to time further to Article 46(2) of the EU GDPR. In the event we cannot or choose not to continue to rely on either of those mechanisms at any time we will not transfer your personal data outside the EEA unless we can do so on the basis of an alternative mechanism or exception provided by applicable data protection law and reflected in an update to this policy.

Any changes to the destinations to which we send personal data or in the transfer mechanisms we rely on to transfer personal data internationally will be notified to you in accordance with the section on ‘Changes to the privacy statement’ above.

8. Your Rights

In cases where our processing of your personal data is subject to the GDPR/UK GDPR, you have the following rights as described in more detail below:

• The right to access your personal data
• The right to edit and update your personal data
• The right to data portability
• The right to request to have your personal data deleted
• The right to withdraw consent at any time
• The right to restrict processing of your personal data
• The right to object
• Rights in relation to automated decision making and profiling
• The right to lodge a complaint with a supervisory authority

These rights are not absolute and come with some exceptions according to the law. For example, if a request to exercise these rights is manifestly unfounded or excessive, we may refuse to comply with it. Where we have grounds to refuse, we will inform you of the reasons for this.

8.1. The right to access your personal data

You have the right to obtain confirmation from us that your personal data is being processed by us, including supplementary information such as what personal data we hold, why we are processing it, with whom we share your personal data, the expected retention period and the safeguards regarding transfers to non-UK/EEA countries, subject to the limitations set out in applicable statutes, regulations and other laws.

If you ask, we will provide you with a copy of your personal data free of charge. We may be entitled to charge a fee to cover our administrative costs in some circumstances.

8.2. The right to edit and update your personal data

We will comply with your request to edit and update any incorrect or incomplete personal data that we hold about you promptly.

8.3. The right to data portability

At your request, we will provide you with your personal data in a structured, commonly used and machine readable format if:

• you provided us with personal data;
• the processing of your personal data is based on your consent or required for the performance of a contract; or
• the processing is carried out by automated means.

8.4. The right to request to have your personal data deleted

Upon receipt of your request, we will delete your personal data promptly if:

• it is no longer necessary to retain your personal data;
• you withdraw the consent which formed the basis of the processing of your personal data;
• you successfully exercised your right to object to processing (see below);
• we processed your personal data unlawfully; or
• the personal data must be deleted for us to comply with our legal obligations.

In so far as practicable, we will inform any third parties we might have shared your personal data with of your deletion request.

We will decline your request for deletion if processing of your personal data is necessary:

• to comply with our legal obligations;
• in pursuit of a legal action;
• to detect and monitor fraud; or
• for the performance of a task in the public interest.

8.5. The right to withdraw consent at any time

You have the right to withdraw your consent to our processing of your personal data, where our processing is solely based on your consent. If you withdraw your consent to the use or sharing of your personal data for the purposes set out in this privacy statement, you may not have access to all (or any) of our services, and we might not be able to provide you all (or any) of the services. Please note that, in certain cases, we may continue to process your personal data after you have withdrawn consent and requested that we delete your personal data, if we have a legal basis to do so. For example, we may retain certain information if we need to do so to comply with an independent legal obligation.

If you want to withdraw any consent you may have previously given and/or you do not want to receive email from us in the future, please contact us at: privacy@emcoruk.com or use the opt-out mechanism provided in our marketing emails.

8.6. The right to restrict processing of your personal data

You have the right to limit our processing of your personal data if:

• you dispute the accuracy of your personal data;
• your personal data was processed unlawfully and you request a limitation on processing, rather than a deletion of your personal data;
• we no longer need to process your personal data, but you need your personal data to establish, exercise or defend a legal claim; or
• you objected to processing based on our legitimate interest and we are in the process of determining whether our legitimate interest identified as the grounds for said processing overrides your rights and freedoms.

Please note that we may continue to store your personal data to the extent required to ensure that your request to limit the processing is respected in the future.

8.7. The right to object

You have the right to object to the processing of your personal data for marketing and research purposes (including profiling). You have the right to object from the very first communication from us and every marketing communication we send after. We will stop any marketing related processing of your personal data as soon as we receive your request.

Where we process your personal data based upon our legitimate interest (or that of a third party), then you have the right to object to this processing on grounds relating to your particular situation if you feel it impacts on your fundamental rights and freedoms. We will comply with your request unless we have compelling legitimate grounds for the processing which override your rights and freedoms, or where the processing is in connection with the establishment, exercise or defence of legal claims.

8.8. Your rights in relation to automated decision making and profiling

You have the right not to be subject to decisions that are based solely on automated processing (including profiling) if they would produce legal effects or a similarly significant effect on you, unless you gave us your explicit consent or where they are necessary for a contract with us.

You can read more about your rights here – https://ico.org.uk/for-the-public/.

In order to exercise any of your rights above please email us at privacy@emcoruk.com. We seek to respond to your written request within 30 days however it may take longer under certain circumstances. Where necessary, we may ask you to provide proof of identity before we can respond to your request.

8.9. The right to lodge a complaint with a supervisory authority

If you wish to complain or seek advice from a supervisory authority and you are a UK resident, please contact:

Information Governance department
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: +0303 123 1113.

Website: www.ico.org.uk

If you are an EEA resident, please contact the relevant data protection supervisory authority in the EEA state of your habitual residence, place of work or of an alleged infringement of data protection laws in the EEA. For a list of EEA data protection supervisory authorities and their contact details see: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.

9. How We Protect the Information

We take steps to implement and maintain suitable security measures for any personal data we collect. In addition to technological protections such as firewalls and anti-virus software, EMCOR is accredited to ISO/IEC 27001:2013, the international standard for Information Security. Access to your personal data is also limited by technical means to those employees, agents and contractors who have an authorised business need to know. All our employees receive appropriate training on Information Security and Data Protection and are subject to non-disclosure agreements. However, no storage or transmission of personal data can be guaranteed to be 100% secure.

10. Social Media Policy & Usage

We adopt a Social Media Policy to ensure our business and our staff conduct themselves accordingly online. While we may have official profiles on social media platforms, users are advised to verify authenticity of such profiles before engaging with, or sharing information with such profiles. We will never ask for user passwords or personal details on social media platforms. Users are requested to conduct themselves appropriately when engaging with us on social media.

There may be instances where our website features social sharing buttons, which help share web content directly from web pages to the respective social media platforms. You use social sharing buttons at your own discretion and accept that doing so may publish content to your social media profile feed or page.

11. Third Party Websites

This Privacy Statement applies only to the Sites and does not apply to websites that are linked to the Sites and not operated by or on behalf of us. Links to third-party web sites are provided solely as a convenience to you. All content accessed via links to outside websites belongs to the respective owners of those websites and content and services available via or provided to such websites are governed by the terms and conditions or privacy policies of those websites. When you leave our website, we encourage you to read the privacy statement of every website you visit.

12. Our retention policy

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements or as needed to resolve disputes or protect our legal rights.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Following the end of the of the relevant retention period, we will delete or anonymise your personal data.