Who are we
For the purpose of Data Protection Requirements*, the Data Controller is Environment Bank Limited, registered in England & Wales (company no. 05944540), registered office: C/O External Services Limited, Central House, 20 Central Avenue, St Andrews Business Park, Norwich, NR7 0HR.
We are registered as a Data Controller with the ICO: Ref ZB146268.
If you want to request further information about this privacy notice or exercise any of your rights, please contact us by phone on 01904 202990 or by email at [email protected] or through our Data Protection Officer on 01904 217788 or
Our commitment to you
Environment Bank is committed to protecting the privacy and personal data of all those whose data we are handling and to working within the guidelines set out by data protection law. This privacy information notice aims to provide you with information about how and why we use information about you. It also explains how you can exercise the rights you have in law and how you can contact us if you have any concerns or questions about data protection.
This policy relates to personal data collected and processed relating to our customers and suppliers, prospective customers and former customers and suppliers.
Your Data Protection Rights
We take the protection of your personal data very seriously and respect your privacy in accordance with data protection legislation and best practice. You have rights relating to your personal information. You can find more information about your privacy rights on the Information Commissioner’s Office website www.ico.org.uk
You have the right to be informed
You have the right to be informed about how and why we process your personal information. Any time you give us personal information you have the right to be informed about why we need it and how we'll use it.
You can find most of the information you need in this Privacy Notice.
You have a right of access to your own information
You have a right of access to any of your personal data that we hold about you. You can contact us at any time to gain information about what data we hold about you and why we hold it.
If you make a formal request, we will acknowledge we have received it and may require further information to be able to comply with your request. Firstly, where appropriate we may require you to prove your identity. We may also ask you about any specific information you are seeking, this will help us make sure we meet your request fully and speed up the process.
If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
We will provide you with the information that you are entitled to as soon as possible, without unreasonable delay and at the latest within one month of your identity being verified by us.
In exceptional cases we may extend the period of compliance by a further two months if the request(s) is complex or numerous. If this is the case, we will inform you within one month of the receipt of the request and explain why the extension is necessary.
In the majority of cases there is no charge made by Environment Bank for this right of access.
To make a request for any personal information we may hold we would ask that you contact our Data Protection Officer through the above channels.
You have the right to ask us to correct inaccurate personal information
If you believe information we hold about you to be inaccurate or incomplete, you can ask us to correct it or complete it at any time e.g.the spelling of your name or your contact information.
You have the right to object and restrict the processing of your personal information
You also have the right to ask for our processing of your personal data to be restricted. For example, if you are contesting the accuracy of data we are using about you. In such case we will restrict our processing while we verify the accuracy of the data that we hold.
You have a right to object to our processing of your personal data where the basis of the processing is our legitimate interests including but not limited to direct marketing and profiling.
You can ask for certain information about you to be deleted
You can also ask for certain information about you to be deleted. For example, if you are moving out of the area.
In certain cases, we will be unable to delete your information, for example if there are statutory grounds requiring us to retain it.
You have the right to data portability
You have the right to data portability where processing is automated, although we don't currently carry out any such processing. If we do in future, you can make a request and this data can be exported from our systems for you.
What information we collect about you and what we do with it
It is important to us that we inform you about the information we collect and why we collect it.
Why we need to collect your data
We collect, process and store information about you for the following reasons:
- to verify your identity and help us prevent fraud
- to manage, administer and provide services to you, such as providing quotes, advice, our professional services to you, and request and receive payments
- to contact and communicate with you
- for internal record keeping, administrative purposes and for our legitimate business functions
- to improve and develop our business generally
- to create a data base of people who have expressed interest in our company or products and services
- for advertising and marketing, including to send you promotional information about our products and services.
- to handle any complaints
- to undertake market research and statistical analysis, including analysing your use of our website
- to comply with our legal obligations.
We will only use your personal data for the purpose it was collected for or a reasonably compatible purpose where necessary. If we use your personal details for any other purpose, we will let you know and explain the legal grounds for that new processing.
What information we collect from you
The type of information collected from you and obtained about you will vary depending on your relationship or intended relationship with us, the products or services you are requesting and your chosen method of contacting us.
We may collect, use, store and transfer different kinds of personal data, these include (but not strictly limited to):
- Business name
- Job title
- Email address
- Phone/ Mobile number
- Bank Details – note we do not store credit card details
- Social media identifiers
- Site details
- Records of communication
- Details of your visits to our website including your IP address, pages visited, dwell time, and page referred from i.e. search providers.
We do not routinely collect any Special Categories of Personal Data about you, this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data.
Should we require to process such data about you, for example; to make reasonable adjustments because of any health-related conditions which may affect our site visits or meeting locations etc., we will inform you in advance why we need this information.
We do not collect any information about criminal convictions and offences, and we do not carry out automated decision making or any type of automated profiling using your personal data.
We need all the types of personal information listed above to enable us to work together and to enable us to comply with our legal obligations.
How we collect your data
We may collect data about you if you provide your information directly to us. This is one of the ways we can ensure the data we collect is as accurate and as up to date as possible, for example via any communication you send to us, whether that be through email, text, through the enquiry or registration forms on our website or any other communication you give or send to us. We ensure that any data we process is kept up to date and that any preferences indicated by customers are adhered to.
We may also receive and process data from publicly available materials (such as planning websites, electoral roll etc.) or from trusted third parties such as marketing and research partners.
If you use our website, we will retain a record of the contact and we may collect additional data about you to provide a better digital service and website functionality.
Our use of photography, filming and drones
Our ecologists assess land in detail. To support our assessment of habitat options and agree a management plan, Environment Bank staff occasionally photograph and/or film potential sites and locations that we have been asked to assess by a developer or landowner. This forms an important role in providing our services. We may obtain photos and video footage to ensure the best outcomes for nature and for landowners.
Capturing images helps us ensure our customers benefit from current and emerging agricultural schemes and may be used by us in our promotion and marketing materials, including Print material (posters, flyers, leaflets), on our Website, in our Social media, Email communications etc.
Our camera and drone operators are always conscious of the potential to invade individual’s privacy when using drones to take photos and videos. They respect other people and their privacy and are aware they must respect other people’s privacy whenever you use them.
We do not use these devices where people can expect privacy, such as inside their home or private garden. Photos or recordings we capture are processed in accordance with the UK General Data Protection Regulation (UK GDPR).
How we obtain imagery and video footage
Photography and video are often obtained as part of an organised site visit and assessment, photo opportunity with our teams and customers or a planned interview. Where appropriate considering the reason for the recording some individuals may be asked to sign Environment Bank’s consent form which specifies how their personal images may be used.
Filming of conferences and other organised events
If filming and photography is taking place at an event, clear signage is used to inform the public that filming, and photography is taking place and that the designated officer is to be approached if they do not wish to be filmed.
Every effort is made to only capture video and/or photographs associated with the event or planned project. If individuals are captured on camera and can be identified, then processes are in place to manage personal data in accordance with Data Protection legislation.
Our relevant staff comply with UK Civil Aviation Authority drone requirements when operating drones.
Our use of drones include:
- Filming and photography at site visits or as an assessment of the landscape and site in question
- Filming and photography for promotional materials or at marketing events
- Observing the progress of land development or maturity.
We understand that the use of drones may have a higher impact on individual privacy, and as such we will carry out a Privacy Impact Assessment before performing any drone operations.
Video footage and photographs are captured on a memory card on board the drone, and this footage is then transferred to Environment Bank’s secure server before being deleted from the memory card.
How we store images or footage
Photographs and video clips are stored on the Environment Bank’s secure servers alongside a signed copy of any consent form.
Legal basis for using your personal information
Our primary lawful basis for processing your data is under the UK GDPR Article 6(1)(f) in that it is reasonable for us to do so for the purposes of our legitimate interests (or the legitimate interests of a third party) as a commercial business helping developers and landowners to implement Biodiversity Net Gains and provide landowners with an opportunity to diversity their business. By doing so we seek to promote, develop and grow our business through the sale of products and services and to provide excellent customer services, unless there is a good reason to protect your personal data where it may override our legitimate interests.
Environment Bank also relies on the following lawful bases under the UK General Data Protection Regulation to use your personal information:
Article 6(1)(b) which relates to processing necessary for the performance of a contract, or because they have asked us to take specific steps before entering into a contract. For example if you engage us to provide any products or services the legal basis for processing personal data about you in those circumstances is the fulfilment of our contract with you brought about by a transaction,
Article 6(1)(c) where the processing is necessary for us to comply with our legal obligations,
Article 6(1)(a) where you indicate consent for us to process your personal data for a specific purpose, though this will be in rare circumstances. We will ensure you are informed of the right to withdraw this consent if this is the appropriate lawful basis that we are using.
Communicating with you
Contacting us by telephone
When you contact us by telephone, if visible, your telephone number will be added to our records so that we can contact you in future. We use a telephone number listed on your account to contact you to discuss potential services or services we provide to you.
Contacting us by post
Where the post relates to an identifiable account, we may store the letter and any attachments in our records for future use. Post that we receive is stored and processed in a secure area of our premises. The retention of hard-copy documents and electronic images of post received complies with our data retention rules.
If you email us, we’ll respond to you using the email address you gave us. We may add your email address to your account, and it may be used for future communications.
Any email sent to us, including any attachments, may be monitored, and used by us for reasons of security and for monitoring compliance. Emails are sorted, archived, and deleted in line with our information security and data retention policies.
Contacting us via social media
We strongly advise not to post your personal contact or other sensitive information on a public social media site. If you contact us using social media to report an issue, we’ll ask you to private message us to gather suitable information. We may suggest an alternative contact method if we think this is more appropriate.
Our lawful ground for processing your personal data to send you marketing communications is our legitimate interests (see above) to promote and grow our business. We may use your personal data to contact you by email, telephone and or by post with information, news, updates and offers about our products or services that we believe could be relevant and of interest to you.
We will only use the contact information we have obtained over the course of our customer relationship or engagement with to ‘opt’ you into our communications.
How you can stop receiving any marketing communications from us
You can ‘opt-out’ of receiving marketing communications at any time by clicking the 'unsubscribe' link at the bottom of each marketing email or you can ‘manage your preferences’ via a link at the bottom of each marketing email or by contacting us at the email address: [email protected] or calling 01904 or to our Data Protection Officer via the above channels.
We will always work to protect your rights under the UK GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003 and you will always have the opportunity to opt out of receiving marketing emails from us at any time.
Information we share with third parties
We never sell your data or share your data with any third parties for their own marketing purposes.
We may disclose information about you with some of our suppliers who process data on our behalf to help us to provide services to you. We undertake this data sharing on the basis of our legitimate interests to procure high quality and cost-effective services. The table below provides you with information about the categories of organisation we may share information with:
Categories of Organisation
Marketing agencies, database hosting companies, data cleansing companies, mailing housing, and email broadcasters.
To provide marketing services and fulfil our CRM and email programmes and campaigns.
Research on Social Media platforms which may include but not be limited to: Facebook, Twitter, Linked In, Instagram, Pinterest, YouTube etc.
To verify your identify when you register on our web site.
External IT providers
To check for potential threats to our systems from virus etc.
External Data Protection officer
To facilitate your rights under the UK GDPR, in the event of a complaint concerning our use of your data or in the event of a data breach.
Where personal data associated with invoicing is transferred outside of the European Economic Area, it will only be transferred to countries that have been identified as providing adequate protection for EEA data, or to a third party where there is an approved transfer mechanism in place to protect personal data – i.e. by entering into the European Commission’s Standard Contractual Clauses, or, for transfers to US-based third parties, by ensuring the entity is Privacy Shield certified.
We may also share information about you with other companies within our if we think you may have an interest in their products and services. We undertake this on the basis of their legitimate interests in promoting their products and services and undertaking direct marketing.
We may also disclose your personal information to third parties from time to time:
- a) if we are under a duty to disclose or share your personal data in order to comply with any legal obligation; for example to the HMRC,
- b) to fulfil any order that you place with us (i.e. we would share data with our credit card companies and banks etc.);
- d) to protect the rights, property, or safety of our business, our customers, our staff or others, including exchanging information with other companies and organisations for the purposes of fraud protection and credit risk assessment and reduction.
How we store and keep your information secure
All client personal data is stored on secure servers, with data centres located in the UK. We operate a suite of IT and security policies to ensure your data is kept secure, including appropriate access and auditing controls.
All of the laptops and pc’s used within Environment Bank use anti-virus software and fire walls to protect against cyber-attack. We ensure that there are technical controls in place to protect your personal details. Regrettably, the transmission of data via the internet is not entirely secure.
Although we will do our best to protect your personal data, we cannot guarantee the security of data you send to us that is outside of our security arrangements; any transmission is at your own risk.
We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff or contractors.
On occasions we may need to disclose your details if required, to the police, regulatory bodies or legal advisors. You may not be informed when this happens.
How long we store personal information
We will only use and store personal information for as long as it is required for the purposes it was collected for.
We have a data retention policy (available on request) that sets out the different periods we retain personal information in accordance with our duties under applicable data protection law and various legislative requirements.
We continually review what personal information and records we hold and delete what is no longer required.
Cookies are small pieces of data which your browser stores on your machine as you use our website. Cookies are sometimes used to provide the user with a tailored experience when revisiting a site e.g.remembering preferences, so you don’t have to submit the same information twice etc.
What Cookies do we use
Third Party Requests
These cookies are used to collect information about how visitors use our site, which we use to help improve it. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited.
Making a complaint
Environment Bank strives to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive details of all aspects of Environment Bank’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to us or our Data Protection Officer.
If you believe that Environment Bank has not complied with your data protection rights, you can complain to the Information Commissioner’s Office; their address is Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or by calling 0303 123 1113.
Changes to this notice
This privacy notice may be updated from time to time, so you may wish to check it each time you submit information to Environment Bank. The date of the most recent revisions will appear on this page. We may notify supporters of any major changes by placing a notice on the website or by contacting you directly.
This version was last updated March 2023.
* Data Protection Requirements means the Human Rights Act 1998, Data Protection Act 2018, the UK General Data Protection Regulation, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, and all other applicable laws and regulations relating to processing of personal data and privacy in any applicable jurisdiction as amended and replaced, including where applicable the guidance and codes of practice issued by the UK Information Commissioner or such other relevant data protection authority.