Speak to an expert

Employee Privacy Policy

Employee Privacy Policy

CB Heating Ltd (T/A EDF Heat Pumps) Privacy Notices

CB Heating Ltd (T/A EDF Heat Pumps) (“EDF Heat Pumps”, “we”, “us”, “our”) respects your privacy and values the trust you place in us when you share your personal data with us. To find out more about what personal data we collect, how we collect it and what we use it for, click on the relevant link below. These links take you to our Privacy Notices, which also provide details on which we are the “controller” of your data and who to contact if you have any questions as to how we handle your information:

  • If you are a customer who has procured, or is seeking to procure, products and/or services from us, please click here.
  • If you are a third party, such as a visitor to our sites or a contractor working at or with us (including agency-supplied workers, managed service workers and embedded contractors), please click here.
  • If you are an employee of ours, the below policy applies to you.

We may share, or require you to share, information about you with other members of our group of companies such as EDF Energy Customers Limited and EDF Energy Limited. This is so that we can provide the best service to you, for example to resolve any dispute or queries you have in relation to the processing by us of your personal data.

 

Employee Privacy Policy – what we collect; how we collect and why we collect data about you

We collect certain types of information from, or about, you throughout our interaction with you, from third-party service providers or from publicly available sources. This information may include items such as your name, address, contact details, curriculum vitae, appraisal and other management information, information about your employment and information regarding your fitness for work. We use this information to recruit, comply with our obligations under your employment contract; provide you with a safe working environment; manage your employment and comply with other legal and regulatory obligations. This notice may change from time to time but if we change anything important (for example, the information we collect, how we use it or why) we will highlight those changes to you.

If you would like to make a complaint regarding our use of your personal data, please contact the Data Protection Officer on dpo@edfenergy.com or by letter to EDF Energy, Nova North, 11 Bressenden Place, Victoria, London, SW1E 5BY.

This policy was last updated on 02/06/2026

 

 

Summary

We are committed to keeping your personal information safe and we have technical and organisational measures in place to prevent unauthorised access or use of your information. We also require that our suppliers protect such information from unauthorised access use and disclosure. We use the information we collect from you for the activities we have listed in the table below.

 

 

What we collect 

This category of information we collect about you includes:

What we collect 

We use this information for certain activities, including to

What we collect 

We use this information because:

Information collected during the recruitment process:

  • your personal contact details;
  • your CV
  • interview information, including opinions;
  • references, pre-employment checks;
  • health information;
  • beneficiary information in relation to benefits;
  • contact you;
  • decide whether you are suitable for a role you have applied for;
  • contact you in relation to future roles which you have indicated that you might be interested in;
  • prepare for the provision of benefits to you;
  • consider and make reasonable adjustments if required
  • it is necessary to meet future requirements under your employment contract;
  • it is necessary for compliance with a legal obligation to which we are subject (such as Equality Act 2010 obligations);
  • it is necessary for the purposes of our legitimate interests to:
    – ensure the suitability of job applicants;
    – communicate with job applicants;
    – recruit employees and ensure that we can onboard you as an employee;
    – consider and make appropriate reasonable adjustments;
    – maintain appropriate records for the purposes of defending legal claims

Information obtained as a result of a criminal records check

  • criminal records information
  • to complete our security checks;
  • comply with our regulatory obligations
  • it is necessary under your employment contract;
  • it is necessary for compliance with a legal obligation to which we are subject;
  • it is necessary for the purposes of our legitimate interests to:
    – ensure the safety and security of
    – its sites;
    – ensure the suitability of staff in relation to relevant roles;​
    – maintain appropriate records for the purposes of defending legal claims
  • and in all cases is carried out only under the control of an official authority

Information we need to contact you, pay you and provide benefits to you:

  • your personal and work contact details;
  • financial information such as bank details;
  • your salary and benefits information;
  • your employee ID number
  • your gender and marital status;
  • your date of birth;
  • details in relation to nominated beneficiaries or dependents;
  • contact you;
  • pay you;
  • provide you and your dependents with benefits;
  • calculate gender pay gap information
  • it is necessary for compliance with our legal obligations (gender pay gap reporting obligations)
  • it’s necessary to perform our duties under your employment contract (for example in relation to our obligation to pay your salary);
  • it is necessary for the purposes of our legitimate interests to:
    – provide suitable benefits to employees and their dependents;
    – incentivise its employees;
    – maintain appropriate records for the purposes of defending legal claims

Information about your role, workplace performance, conduct, training, progression, feedback you have given and received and information held on HR systems

  • your home and personal contact details;
  • emergency contact information;
  • your date of birth;
  • your photograph
  • your immigration status and/or nationality;
  • who your line manager is;
  • your home and personal contact details;
  • emergency contact information;
  • your date of birth;
  • your immigration status and/or nationality;
  • who your line manager is;
  • your salary and benefits choices;
  • your role and employment history;
  • your appraisal content, feedback and scores;
  • your attendance record;
  • information about your conduct;
  • information about complaints you have raised;
  • information about your work performance;
  • your sickness records and health information;
  • the results of drug and alcohol tests;
  • telematics information;
  • video camera footage installed in company vehicles
  • user inputted information (including data you provide for equality monitoring purposes such as sexual orientation and ethnic origin and your feedback and opinions on employment matters);
  • to manage your attendance, performance and conduct;
  • to manage HR processes;
  • to answer your questions about HR matters and deal with any complaints you have raised;
  • to answer your questions about HR matters and deal with any complaints you have raised;
  • to review your salary and assess your eligibility for bonus and other benefits;
  • to conduct risk assessments;
  • to facilitate, book and provide training
  • for equal opportunities monitoring
  • to understand the views of our employees
  • it is necessary for compliance with our legal obligations (such as health and safety obligations, reporting requirements);
  • it is necessary for the purposes of our legitimate interests to:
    – provide HR advice to its managers;
    – administer HR records and processes;
    – manage queries and complaints raised by employees;
    – manage employees’ performance, conduct and training;
    – manage employees’ attendance at work;
    review and determine remuneration of employees;
    – manage health and safety risks;
    – manage site security;
    – report employee matters to other group companies and appropriate external bodies (such as HMRC);
  • maintain appropriate records for the purposes of defending legal claims;
  • considering feedback and information about our employees to ensure effective employment practices

Information about your fitness for work:

  • your attendance record;
  • your sickness records;
  • ​details of Occupational Health referrals, reports and recommendations;
  • the results of drug and alcohol tests;
  • information regarding your physical attributes such as height, weight etc;
  • to assess your fitness for work;
  • to manage your sick pay entitlements;
  • to provide appropriate support to staff with health and wellbeing issues;
  • to comply with our legal obligations, such as the duty to make reasonable adjustments and
  • provide a safe working environment;
  • to manage you if you are sick or not well;
  • to assess and make reasonable adjustments if required;
  • to provide PPE and other equipment to ensure that the workplace is a safe environment;
  • it is necessary for us in order to comply with your employment contract;
  • it is necessary for compliance with our legal obligations (such as health and safety obligations);
  • it is necessary for the purposes of our legitimate interests to:
    – plan and manage its workforce;
    – manage employees’ attendance at work;
    – to determine remuneration of employees;
    – to assess employees’ fitness for work;
    – to manage health and safety risks;
    – to consider and make reasonable adjustments;
    – to manage site security;
    – maintain appropriate records for the purposes of defending legal claims
  • processing is necessary for the purposes of preventive or occupational medicine, for the assessment of your working capacity, medical diagnosis, or the provision of health or social care or treatment

Information we collect in relation to our work-related systems:

  • work contact details,
  • job title, department, work location;
  • work IP address, work device ID;
  • device location;
  • LAN ID;
  • user inputted information (including conversation histories and opinions);
  • to allow you to access systems which allow you to contact and communicate with people internally and externally and collaborate on work products and documents;
  • to identify the user or author;
  • to allow help desk services to be provided to users;
  • to audit IT applications;
  • to analyse IT costs per user/location;
  • to monitor employee engagement;
  • to monitor inappropriate use;
  • it is necessary for the purposes of our legitimate interests to:
    – enable its employees access to systems for the purposes of contact, communication and collaborative working; – provide IT contact systems for external parties to make contact with its employees;
    – provide an audit trail of work-related discussions or iterative collaboration to create a work product;
    – allow IT and helpdesk teams to resolve user problems;
    – allow us to assess usage and efficiency of systems and providers;
    – to monitor employee engagement;
    – to monitor inappropriate use of work systems;
    – maintain appropriate records for the purposes of defending legal claims;

Information contained within work products such as documents, presentations etc, and within internal directories

  • role, job title;
  • work contact details;
  • work location;
  • line manager;
  • business unit;
  • user added information (such as photos and opinions)
  • to monitor the progress and achievement of outcomes in projects and work tasks including identifying the author
  • to allow colleagues to look up your contact details and work information;
  • to track time spent on particular projects
  • it is necessary for the purposes of our legitimate interests to:
    – enable our employees and third parties to contact our employees;
    – to send targeted information to employees (for example if only relevant to employees within one business unit);
    – to keep a record of who has authored or contributed to a work product;
    – to keep track of employee time spent on projects;
    – maintain appropriate records for the purposes of defending legal claims;

Information we collect in our travel, facilities and expenses systems

  • name, employee ID, home and work contact details;
  • IP address;
  • work credit card details;
  • passport details;
  • vehicle registration;
  • loyalty cards, travel preferences;
  • to facilitate work related travel, accommodation and expense submissions;
  • to manage facilities including meeting room and car park bookings;
  • to facilitate, evaluate and process expense claims;
  • to monitor usage for commercial negotiation purposes;
  • it is necessary for the purposes of our legitimate interests to:
    – enable its employees to book travel and accommodation;
    – to manage workplace facilities like meeting rooms and parking spaces;
    – to manage and audit expenses;
    – to assess the tax status of expenses claimed;
    – locate employees if necessary for work or health and safety purposes;
    – maintain travel insurance arrangements;
    – maintain appropriate records for the purposes of defending legal claims;
  • it is necessary for compliance with our legal obligations (such as providing remittances to HMRC)

Information that we collect from you in order to comply with all relevant laws, regulations, industry codes and regulatory obligations:

  • your date of birth;
  • your pay and benefits information;
  • your national insurance number;
  • copies of identity documents;
  • your nationality and immigration status
  • report to HMRC;
  • administer PAYE and National Insurance deductions;
  • confirm your right to work in the UK
  • it is necessary under your employment contract;
  • it is necessary for compliance with a legal obligation to which we are subject;
  • it is necessary for the purposes of our legitimate interests to:
    – ensure its business is compliant with industry codes and regulatory obligations;
    – maintain appropriate records for the purposes of defending legal claims

Information we use to monitor behaviour and track data transfer activities:

  • email content (potentially including all categories of personal data and special categories of personal data)
  • to monitor behaviour and data usage and track data transfer activities;
  • to investigate results showing inappropriate transfer of data and take appropriate action;
  • it is necessary for compliance with a legal obligation to which we are subject;
  • it is necessary for the purposes of our legitimate interests to:
  • safeguard data;
  • protect its confidential information and intellectual property; and
  • ensure appropriate technical measures are in place to protect data;
  • identify inappropriate transfers of information

Information provided to us in relation to business related driving

  • vehicle information;
  • insurance documentation;
  • drivers licence and the results of licence checks;
  • telematics data regarding driving behaviours;
  • video camera footage installed in company vehicles;
  • to make sure that employees are legally permitted to drive;
  • to ensure that adequate insurance is in place;
  • to ensure the health and safety of their employees;
  • to appropriately manage driving risks;
  • to ensure that fleet vehicles are appropriately maintained;
  • to locate an employee or a vehicle in exceptional circumstances;
  • maintain appropriate records for the purposes of defending legal claims; 
  • respond to requests made by law enforcement or regulatory authorities, bodies or agencies, or in the defence of a legal claim; 
  • to help us monitor and audit customer site visits. 
  • We need to comply with legal obligations;
  • We have a legitimate business interest to; 
    – ensure the safety and security of employees driving on company business;
    – conduct appropriate risk assessments;
    – ensure that drivers are legally permitted to drive and have appropriate insurance in place;
    – to locate an employee or a vehicle in exceptional circumstances;
  • driver licence checking is carried out only under the control of an official authority
  • resolving any complaints we may receive

Information you have provided to us in order to access your personal devices (BYOD)

  • Log-in details and personal mobile information
  • allow you to access to emails on a personal electronic device`
  • you have elected to bring your own device to work and consented to us using your information in this way. You can withdraw your consent by notifying us that you are doing so and removing the app

Information that we collect from you and/or from our records, during any testing for a pandemic virus with which you take part

  • Your contact details including your name, email address and mobile phone number
  • Your employee number or your national insurance number
  • the result of each virus test
  • In the event of a positive test:
    • your postal address;
    • your date of birth;
    • your gender; and
    • the people you have recently been in contact with or close to.
  • Contact you to inform you of the results of your test;
  • Assess your fitness for work;
  • Fulfil our obligation to report to Public Health for England and/or Public Health for Scotland should you test positive for a virus;
  • Inform people you have been in contact with or close to, should you test positive for a virus;
  • Provide a safe working environment by minimising the transmission of a virus.
  • It is necessary for us to comply with its legal obligations (such as health and safety obligations);
  • It is necessary for the purposes of our legitimate interests of to:
    • assess employees’ fitness for work;
    • manage health and safety risks;
    • plan and manage its workforce;
    • continue to operate its sites in the manner required.
  • It is necessary for reasons of public interest in the area of public health by helping to minimise the spread of a pandemic virus.

 

 

Information we share and who we share it with

There are certain circumstances where we may share your personal data with other employees and third parties. Some examples of when your personal information may be shared with third party organisations are as follows:

  • we may share information about you with other members of our group of companies so that we can provide the best service across our group;
  • we may also share your information with certain suppliers and service providers (and their staff) such as payroll administrators, IT service providers, pension administrators, benefits providers, occupational health service providers, recruitment and other consultants, managed service workers and agency supplied workers that we engage from time to time and they may process your personal data for us. They are always required to meet our standards on processing information and on security. The information we provide them, including your information, will only be provided in connection with the performance of their function;
  • if we’re discussing selling or transferring part or all of our business, information about relevant employees may be transferred to prospective purchasers under suitable terms as to confidentiality. Or, if sold, to buyers;
  • if we’re required to do so by law, or under any regulatory code or practice we follow, or if we are asked to do so by any public or regulatory authority – for example the Police, HMRC, or to defend any legal claims; and/or
  • your personal data may be shared if it is made anonymous and aggregated, as in such circumstances the information will cease to be personal data.

Circumstances where we will ask for your consent

We do not need your consent if we use personal data, even sensitive personal data (also known as “special categories of personal data”), in accordance with our written practice and guidance to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. It is not a condition of your contract with us that you agree to any request for consent from us.

Where and for how long your information will be held

We process personal information (which can be via third parties) within and outside the European Economic Area. We will make sure that the appropriate safeguards are in place prior to the transfer of personal information and in the majority of cases, we will have contractual protections in place which include standard data protection clauses.

Whenever we transfer your personal data out of the United Kingdom, we enable a similar degree of protection is afforded to it as it would benefit from in the United Kingdom by ensuring at least one of the following safeguards is implemented:

(a) We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.

(b) Where we use certain service providers, we may use specific contracts approved by the United Kingdom data protection authorities which give personal data the same protection in other jurisdictions as it has in the United Kingdom.

We will keep your information for as long as it is reasonably necessary, but retention periods for the following personal data is set out as follows:

Record Type 

Classification 

Retention Period 

Employee files (inc Payroll, benefits, health records, criminal check outcomes) 

Protect Private 

Date of birth + 100 years 

Employee Travel & Expense 

Protect Private 

7 years from entry; or 
profiles purged 1 year from employment end date 

Unsuccessful Job Applicants 

Protect Private 

18 months from last activity

CCTV 

Protect Private 

30 days from recording 

Site Access – Access Gate Control Data 

Protect Private 

1 year from site entry 

Site Access – Permanent Access 

Protect Private 

1 year from receipt of application 

Site Access – Escorted Access 

Protect Private 

1 year after site entry 

Physical Site Visitor Logs 

Protect Private 

2 years after site entry 

Electronic Site Visitor Logs 

Protect Private 

1 year after site entry 

IT Operational Security Monitoring 

OFFICIAL SENSITIVE

Up to 12 months from capture 

 

Monitoring

We monitor your usage of our IT systems, such as email, internet, printing, chat and forums. This is to protect confidential business information and intellectual property and to monitor for inappropriate behaviour or use of systems. We may also use it as a way of measuring employee engagement and responding to concerns which arise. We also use CCTV and entry and exit gates on sites. Some vehicles have been installed with telematics devices and cameras which monitor driver behaviour.

Your rights and how to exercise them

You may have certain rights in relation to your information including a right to access or to correct the information we hold on you. However, some of these rights will only apply in certain circumstances, such as the right to be forgotten or the right to request that we move your information to another company. They will generally not be available if you remain employed, if we still require the data for the purposes for which we collected it, if we are required by law to keep the information, or if the information is relevant to a legal dispute. If you would like to exercise, or discuss, any of these rights you can do so by contacting your line manager.

  • You can remove consent, where you have provided it, at any time, as well as update any of your opt-in marketing preferences
  • You can ask us to confirm if we are processing your information
  • You can ask for access to your information
  • You can ask to correct your information if it’s wrong
  • You can ask us to delete your information (the right to be forgotten), but only in certain cases
  • You can ask us to restrict how we use your information, but only in certain cases
  • You can ask us to help you move your information to other companies, but only in certain cases
  • You can object to us processing your information based on legitimate interests, but only in certain cases
  • You can object to us processing your information in relation to direct marketing

If you would like to exercise or discuss any of these rights, please contact the Data Protection Officer using the contact information provided at the start of this policy.

Your obligations to safeguard personal data of others

You will have access to the personal data of other individuals during the course of your employment. You must undertake any mandatory data protection training, and ensure that you do not inappropriately obtain, retain, amend, use, delete, transmit or compromise the security of the personal data of others.

You must:

  • only seek to access the personal data that you are authorised to access and only use that data for the specified, explicit and legitimate purposes for which it was obtained by us;
  • not make any amendments to personal data or share it with others, without being authorised to do so;
  • not inappropriately store other people’s personal data outside of our systems;
  • take appropriate steps to safeguard the security of personal data. These include, but may not be limited to, ensuring equipment is made secure if unattended for any time; keeping passwords secure and not sharing them; ensuring that paper records are stored securely when not in use; ensuring appropriate security measures are in place before personal data and devices containing personal data or devices that can be used to access personal data are removed from our premises; and
  • report any data security concerns or incidents immediately to the dpo@edfenergy.com. Concerns or incidents may include, but may not be limited to, you believing or suspecting that one of the following has taken place (or is likely to take place): there has been any data breach; there has been unauthorised access to or removal from the premises of personal data; personal data is not secure; or you are aware of any other breach of data protection legislation

​Failure to comply with your data protection obligations puts at risk the individuals whose personal information is being processed, carries the risk of significant civil and criminal sanctions for you and us; and may, in some circumstances, amount to a criminal offence for which you are personally liable. Because of the importance of data protection obligations, it may lead to disciplinary action under our procedures, up to and including dismissal for gross misconduct.

Cookie Policy
Our cookie policy can be found here.

 

 

NOTES

Indicative pricing

1. The price above reflects the £7,500 government boiler upgrade scheme and is based on our lowest priced heat pump, cylinder and controls. The figure quoted does not reflect any radiator upgrades that may be required. Your individual quote will be specific to you and your requirements may rise depending on the system required to suit your home.

Boiler upgrade scheme

2. Eligibility checks apply. Visit the UK Government website for details.

A typical customer can save £164 per year versus the current single-rate price cap tariff. This is based on the following;

3. Savings are based on a customer using Ofgem’s typical domestic consumption of 2700 kWh electricity and with heating provided by an ASHP with COP of 3.1 providing equivalent heat to that from a 94% gas boiler using 11,500 kWh of gas.

Save £260 per year

4. The Energy Saving Trust: Figures are based on fuel prices as of July 2025. Find out more about how we made these calculations. The running cost you can expect will depend on the size of your home, any heating system upgrade and any saving will also depend on the fuel type being replaced. You can expect the saving to range between old and new, depending on the age of your current heating system. 

Efficiencies

5. Heat Pump investment roadmap, UK Government 

The Heat Pump Promise

6. With our Heat Pump Promise if your heat pump doesn’t perform as promised, we’ll give you a refund. Terms & Conditions apply