PRIVACY NOTICE

Introduction

Ballard Motive Solutions is committed to protecting the privacy of all those who are involved with it. We are also committed to being transparent about how collect and use personally identifiable information. We hope that this document answers any questions you may have, but if not, please do not hesitate to get in touch with us.

The purpose of this document is to tell you how we collect, store and use your personally identifiable information. This includes any information we receive from third parties. It covers all of the activities of Ballard Motive Solutions (formerly Arcola Energy) (company number 7257863), registered at 24 Ashwin Street, London E8 3DL, United Kingdom. These activities include providing education workshops and integrating hydrogen fuel cell systems. This document is relevant to anyone who we collect or hold personally identifiable information about, including customers, suppliers, partners, interns, employees, participants in our education programmes, and parents or guardians of participants in our education programmes.

We collect, store and process personally identifiable information in accordance with all applicable laws, including the UK Data Protection Act 2018, Privacy and Electronic Communication Regulations 2003 (PECR), and UK General Data Protection Regulation (GDPR).

This document covers the following topics, for each of the activities that we collect, or use personal information for:

• what information we may collect about you
• how we may use it
• why we do so, including the legal basis and how this balances with your right to privacy, if relevant
• how long we will keep your personal information

It also covers the following:

• Children's data
• When we disclose personal information to anyone else or store it or process it on computer systems based in other countries
• Keeping your personal information correct and up to date
• Your right to check what information we hold about you, and to have us delete it or stop processing it in some circumstances
• How we keep it secure from unauthorised access
• Cookies and analytics on our website
• How to get in touch with us or make a complaint
• How we change this document

Because we collect, store and use personal information about people with a range of different relationships with us, information in this document may not all be relevant to you.

Personal information collected from customers partners, suppliers and employees

We collect contact information about business contacts at suppliers, partners, and business associates when given this information by them or their colleagues, or from their public websites. We store this in our supply chain management system and other internal documents, using and referring to it when needed to purchase products, seek quotes or information about them, contact them for information, or to collaborate on projects we are involved in with partners. We also publish the information of employees of partners in project documents, where the information is already available to others involved in the project who are given access to these, or publicly where it is already publicly available. We keep this for up to fifty years after the conclusion of a project for our archival purposes, for the defence of legal claims, and in case further work on the project is required. This information is held for the purposes of entering into a contract, performance of a contract, or for our legitimate interest in management of our business.

We collect some analytics information about people using our website, and monitor how our website is being used, by using cookies. Information on website use, for the purposes on monitoring the effectiveness of our website, is anonymised after collection and only processed in this form. Information about users visiting our website, including IP address, site pages visited and web browser information (User Agent string), collectively referred to as website logging information, is collected when you visit our website, for the purposes of debugging the website, and detecting malicious attacks on it. We also keep records of contact with customers, potential customers, business partners, potential business partners, and media contacts, in our Customer Relationship Management (CRM) system. For all of website logging information, analytics information, and information kept in our CRM system, this information is processed by HubSpot Inc. Please see When we disclose personal information to anyone else or store it or process it on computer systems based in other countries for more information.

We process information on behalf of certain clients (list available on legitimate request), when hosting and running services developed for them, in accordance with their instruction. Their privacy policies are available on request, from us or from them. Where this includes personally identifiable information, the people it applies to should have been informed when this was collected.

We also collect the age and names of participants in our education programme, or applicants to participate in our programme, including the Hydrogen Hack. In addition to the name and age of participants, we collect the home address, phone number and email of either the participant's parent or guardian, if the participant is younger than sixteen years old, or the participant themself if they are older than sixteen years old. If we collect the information of a parent or guardian, we also collect their name. We keep this for us to be able to contact them further, for our records, and for reporting on the reach of our education programme, for up to three years after the series of events has concluded, and do so because our legitimate interest in running and reporting on the programme, and in marketing it to people who we think may be interested.

We keep information about education programme facilitators, and those applying to be facilitators, including their name, email address, phone number, home address. For facilitators who we hire or accept as volunteers, we also keep information about their DBS status, a copy of their passport, and, if they are paid, their bank account details. We hold this information for applicants, until the programme for which they are applying is concluded, and for facilitators, for up to three years afterwards if they were volunteers, in case we need to contact them about further opportunities, or for up to seven years if they were paid, in order to provide references.

When searching for potential participants in our education programme, we collect the contact details of employees of schools, local councils or other organisations who serve children who may benefit from our programme. We collect this from publicly available sources, from local councils, or the organisations themselves or their partners. We use this information to contact people who work for organisations who may be interested in hosting or participating in our education programme, and we keep this information for up to five years after the series of events which we are marketing have finished. We keep this information because we believe the same organisations may be interested in future events, and may wish to contact them about these opportunities in future, and do so using our legitimate interest in marketing the programmes we offer.

In order to promote our educational programme and other work, we keep the contact details of some media contacts. These are given to us either by the people themselves or their colleagues, in order that we be able to contact them, and are only used to contact them with information that we believe they may be interested in reporting. We keep this information for as long as it is relevant to promote these projects and related projects.

When people apply for internships with us, we collect some information including their email address or phone number. We keep this until either their application is accepted, rejected or withdrawn. If they are accepted for an internship, we collect the same information as we do about employees (detailed below), and we keep this for the same period.

We collect the name, email address, phone number(s), next of kin information, gender identity, marital status, date of birth, relationship status (if the employee chooses to provide it), tax and national insurance information, bank account details, and disability information about employees, interns and work experience people. We collect this for employment, payment and tax related reasons, and we hold this for up to ten years after the end of the financial year after the person leaves the company, for tax, accounting, and reference purposes, and in case we need to contact them about their employment.

We will produce and store information about performance and disciplinary matters related to the employment of employees, for the purposes of managing their employment, performance and carrying out appropriate disciplinary matters. We will hold this for six years after the conclusion of employment, for the purposes of providing references.

We may collect additional information about medical status of employees for employment and health and safety reasons. This is detailed in our internal Special Category Personally Identifiable Information Policy (ITD004 Arcola Special Category Personally Identifiable Information Policy.pdf) available to employees.

Sometimes participants in educational programmes or employees of partners are captured in photographs that we wish to use for marketing purposes. In these cases, we collect the name and contact details of the people included in them, and whether they give permission for the photo to be used. If the person included is under sixteen years of age, we collect their name, and the name and contact details of their parent or guardian. We keep this permission information for as long as we think that we may use the photo, and for ten years after any use of it, in order to defend against copyright claims.

We keep a list of the names, job titles, work phone numbers and work email addresses of employees of our parent company, Ballard Power Systems, and its other subsidiaries. This is distributed to all of our employees.

There are further details, relevant to employees only, in the internal document titled 'ITD007 Employee Privacy Notice Appendix'. Employees should consult this for additional details.

Children's data

We will not knowingly collect personal information from those under 16 without their parent or guardian's consent. Where we expect to be collecting the personal information of under 16s, for example when collecting information about participants in educational programmes, we will ask people's age when collecting their information, and get parent's or guardian's permission where they are under 16.

Disclosing personal information to third parties and processing personal information abroad

We may need to disclose your personal information, to the appropriate authorities, if we become aware of a concern about the welfare of a child or vulnerable adult. We will only do this inline with our safeguarding policy.

If you have worked for us, we may provide information about your involvement or employment, your role and duties and your attendance and performance, in the form of a reference, to anyone asking for it, with your prior permission.

If you are a paid employee of ours, we will share any relevant information about your tax or student loan repayment status with HMRC as required to, and store it in our payroll system, currently Kashflow Payroll, for the purposes of running our payroll.

If you work for us, and receive any training supplied by an external body, we may provide your information to the company providing the training for the purposes of administering the course or confirming requests to verify that you have received that training.

We may share employment related information (including employee contact details, bank account details, performance and disciplinary information, information about disabilities or medical conditions that affect their work, next of kin details, and medical information necessary for managing health and safety related to communicable diseases) with our parent company, Ballard Power Systems, where necessary for us to get advice about legal or employment related matters, where necessary for their accounting purposes, or where necessary for health and safety reasons, or for them to advise us on health and safety matters. You name, job title, work phone number (if relevant) and work email address will be published in the employee directory for all employees of Ballard Power Systems and their other subsidiaries to see. Ballard Power Systems are based in Canada. You can contact us if you have questions about how they are processing your personally identifiable information, or to make requests about it.

We may ask if you wish to have your contact details shared with other companies we work with, but we will only share them where you have agreed to us sharing them with the particular company in question. Where it is required as part of your job that we share contact details with partners, we will share only your name and the work email address we provide you, except where we have your permission to share other details.

We store much of our own data on Google Drive, as part of our organisation Google Workspace account (rather than on personal Google Drive accounts, which are subject to different confidentiality agreements), and we may store any information we have mentioned that we collect or store in this document in this. We may also store any of the information we have mentioned that we collect or store in databases or on servers controlled by us on Amazon Web Services (AWS) and Google Cloud Platform (GCP). AWS and GCP are major global cloud computing providers, providing us with cloud computing services, and our use of them does not give them additional rights to market to you as a result. With regard to the AWS or GCP cloud platforms, we will always use the UK or Ireland regions where possible. We use HubSpot Inc to process information about visits to our website, and contact with some people. Please see Personal information collected from customers, partners, suppliers and employees for more information. HubSpot are based in the US, and process some of this information in the US. All of these may involve storing or processing your information on servers outside the UK or EU, where they are controlled by these third-parties, but we will always require them to only do so in countries where your rights under the GDPR are appropriately protected and enforceable - i.e. where there is an adequacy decision in place from the European Commission and/or adequacy regulation in place from the UK government, or where they have a representative in the EU and agree to model contract clauses approved by the European Commission and Information Commissioner's Office that ensure that your rights under the GDPR are appropriately protected and enforceable. As well as these safeguards, we have conducted a risk assessment, and concluded that there is not a significant risk to your rights and freedoms guaranteed by the GDPR in relation to these transfers. In the case of data processed by HubSpot Inc, our agreement with HubSpot Inc guarantees your rights by including the model contract clauses approved by the European Commission and ICO.

Keeping your personal information correct and up to date

We will try to keep your personal information up to date, and may contact you from time to time to ask you to check the information we hold about you is still correct. You may contact us at any time to ask us to update this or inform us if it has changed.

Your rights to access or ask us to delete your personal information or to object to processing

You may ask us at any time for details of all of the personal information we hold about you, or for the information itself, in an appropriate machine readable format if desired, and we will provide this provided you are not making excessive or unfounded requests. We will need to verify your identify to be able to complete these requests.

Please get in touch if you object to anything in this document or about how we collect, use or store your personal information. We can erase you personal information if you ask us to where we are processing it based on your consent alone, where it is no longer necessary for the purposes for which it was collected, or any other circumstances where we are otherwise legally required to, or, at our discretion, wherever we able to do so.

Security

We have policies in place to prevent people from accessing personally identifiable information unless needed to do their job. We require all of our employees not to disclose personally identifiable information they come into in contact with at work against the wishes of the person it is about, except in line with this notice.

Access to personally identifiable information is restricted to specific accounts belonging to people who need to access it to work. We use individual accounts wherever possible, and limit access where possible for shared accounts for people doing the same job. We secure access to all accounts via the use of strong passwords, and in some cases where security is particularly important because of the access someone has, with security tokens or secondary authentication methods (for example having to login with a password as well as confirming the attempt to login on a phone linked to the account).

We endeavour to apply security updates to devices we use, and software installations we maintain, as soon as possible, proactively monitoring news for details about new threats. We apply updates regularly, or as they become available if they present a significant threat to the security of our devices.

We keep devices on our internal network secure by limiting untrusted devices to parts of the network where they are not able to contact devices which we use to access personally identifiable information. We also block external traffic from entering our network where it is not in response to a request from inside the network, except in cases where access is needed to a device from outside our internal network, where requests from outside are only allowed to access that specific device, using secure credentials.

We require employees to only access accounts that have access to personal information from secure devices. While we do allow employees to use personal computers for work, we only do so where we are convinced that they are kept secure, we are allowed access to them to verify this, and where personal information is removed when it is no longer needed to perform the task they are using it for.

We will contact you promptly to let you know, if we have your contact details, if there has been a breach of the security of your personal information, unless the breach just allows other internal employees to access the information and they are forbidden to so by own internal policies, or encryption, anonymisation, or pseudo-anonymisation (where this is maintained despite the breach so you cannot be identified by anyone not authorised to do so) of the data prevents unauthorised people accessing your personal information or identifying you, or where the consequences are otherwise minor and informing you is disproportionate.

Cookies and analytics on our website

Cookies are small text files which are automatically stored by your web browser (such as Microsoft Internet Explorer or Edge, Google Chrome, Mozilla Firefox, Apple Safari etc) on your computer at the instruction of a website. When you visit the same site again, another page on the same site, or sometimes another site, these are requested by the website, allowing it to know some information about you from when you last visited, or from when you visited the site that the cookie originated from.

Cookies are widely used, and are used by us to track the effectiveness of our adverts and to monitor how many repeat visitors we get to our website. We only use this to generate anonymised statistics which do not identify you personally.

We store access logs to help secure our website and to ensure it is working properly. These store only the IP address access is from, the web browser and version (the User-Agent) you are using, and the URL (address) accessed. We never attempt to identify individuals from these except where we suspect a deliberate attack on our site, or with the permission of someone who is experiencing a problem. These are stored no longer than one year, unless part of an ongoing investigation into a suspected attack, where they are kept until we are sure we will not be prosecuting anyone using them.

We use HubSpot to host our main website, to help us understand our website's audience, and to log visits and to protect our site from attack. This allows us access to information like the site or link from which you reached our site, including if it is from a specific social media post, which pages you visited on our site, in what order, and when, and what actions you take on the site (such as contacting us). In general, this is used only to understand aggregate data, and individuals are usually not identifiable to us. To avoid this, you can use decline cookies when visiting our site. Please contact us for more information if you need help with this.

Getting in touch

If you have any questions, concerns or requests, you think we have made a mistake with your personal information, or you would like to know more, please get in touch with us. You can do so by emailing us at dataprotection.uk@ballard.com, phoning our office on +44 (0) 207 503 1386, or by writing to us at the following address:

Ben Todd, Ballard Motive Solutions, 24 Ashwin Street, London E8 3DL United Kingdom

We endeavour to respect your privacy, keep your personal information secure, and to use it fairly and reasonably. If you think we have failed to do so, we encourage you to get in touch with us first so that we can fix the problem as soon as possible, but you have the right to complain to the Information Commissioner instead or as well. At the time of writing, the following webpage provided details about how to do that: https://ico.org.uk/make-a-complaint/

Changes to this document

We will update details in this document as we change how we operate, or if we find ways to improve it. We will get in touch if there are changes to what purposes we use your information for, or if we collect new types of information, or in new circumstances. The most up to date version of this notice is available at https://www.ballardmotivesolutions.com/privacy-notice. This document was last updated on 17/02/2023.