The summary of our Website T&Cs
Welcome to our website. You will see the most important aspects of our Terms and Conditions (T&Cs) below. If you want to see the details, please see the second tab, Terms & Conditions.
The content of the pages of this website is for your general information and use only. It is subject to change without notice.
functionality cookies, performance cookies, and strictly necessary cookies. All to enhance your experience on our website. For more detail, see our Cookies Policy.
Your use of any information or materials on this website is entirely at your own risk, for which we shall not be liable. It shall be your own responsibility to ensure that any products, services or information available through this website meet your specific requirements.
This website contains material which is owned by or licensed to us. This material includes, but is not limited to, the design, layout, look, appearance and graphics. Reproduction is prohibited other than in accordance with the copyright notice, which forms part of these terms and conditions.
All trademarks reproduced in this website which are not the property of, or licensed to, the operator are acknowledged on the website.
From time to time this website may also include links to other websites. These links are provided for your convenience to provide further information. They do not signify that we endorse the website(s). We have no responsibility for the content of the linked website(s).
Your use of this website and any dispute arising out of such use of the website is subject to the laws of England, Northern Ireland, Scotland and Wales.
Full Terms and Conditions
These Website Standard Terms And Conditions (these “Terms” or these “Website Standard Terms And Conditions”, or simply these “T&Cs”) on this webpage, shall govern Your use of this website, including all pages within this website (collectively referred to herein below as this “Website”). These Terms apply in full force and effect to your use of this Website and by using this Website, you expressly accept all terms and conditions contained herein in full. You must not use this Website, if you have any objection to any of these Website Standard Terms And Conditions.
The term ‘Engaged Tracking (ET) Index Ltd’ or ‘Us’ or ‘We’ refers to the owner of the website whose registered office is Level39, One Canada Square, Canary Wharf, London, E14 5AB. The term ‘You’ refers to the User or Viewer of our website (i.e. any third party that accesses the website and is not (a) employed by Engaged Tracking (ET) Index Ltd, or (b) engaged as a consultant or provides services to Engaged Tracking (ET) Index Ltd).
Minors or people below 18 years old are not allowed to use this Website.
Intellectual Property Rights
All content on the website, unless uploaded by Users, is the property of Engaged Tracking (ET) Index Ltd. In this context Content means text, graphics, images, audio, video, software, data, page layout, underlying code and software, and any other information that can be stored on a computer that appears on or forms part of the Website. By continuing to use the Website you acknowledge that such Content might be protected by copyright, trademarks, database rights, and/or other intellectual property rights.
You are granted a limited license only, subject to the restrictions provided in these Terms, for your personal use for purposes of the following:
Retrieve, view, use website content on your own device
Other than the content you own, under these Terms, Engaged Tracking (ET) Index Ltd and/or its licensors own all the intellectual property rights and materials contained in this Website.
You are expressly and emphatically restricted from using ET data/content from the website without a written consent by ET (Owner). Also, see Rankings T&Cs.
You are specifically restricted from all of the following (you must not):
publishing any Website material in any other media;
selling, sublicensing and/or otherwise commercializing any Website material;
publicly performing and/or showing any Website material.
Exempt from the above:
NGOs, think tanks, research organisations, universities
Members of our Membership programme
Our corporate partners where a contractual exemption applies
using this Website in any way that is or may be damaging to this Website;
using this Website in any way that impacts user access to this Website;
using this Website contrary to applicable laws and regulations, or in any way may cause harm to the Website, or to any person or business entity;
engaging in any data mining, data harvesting, data extracting or any other similar activity in relation to this Website;
using this Website to engage in any advertising or marketing
Certain areas of this Website are restricted from being accessed by you and Engaged Tracking (ET) Index Ltd may further restrict access by you to any areas of this Website, at any time, in absolute discretion. Any user ID and password you may have for this Website are confidential and you must maintain confidentiality as well.
In these Website Standard Terms and Conditions, “Your Content” shall mean any audio, video, text, images or other material you choose to display on this Website. By displaying Your Content, you grant Engaged Tracking (ET) Index Ltd a non-exclusive, worldwide, irrevocable, sub-licensable license to use, reproduce, adapt, publish, translate and distribute it in any and all media.
Your Content must be your own and must not be invading any third-party’s rights. Engaged Tracking (ET) Index Ltd reserves the right to remove any of Your Content from this Website at any time without notice.
You must not submit any user content to the website that is or has ever been the subject of any threatened or actual legal proceedings or other similar complaint.
Engaged Tracking (ET) Index Ltd reserves the right to edit or remove any material submitted to this website, or stored on Engaged Tracking (ET) Index Ltd’s servers, or hosted or published upon this website.
This Website is provided “as is,” with all faults, and Engaged Tracking (ET) Index Ltd expresses no representations or warranties, of any kind related to this Website or the materials contained on this Website.
Without prejudice to the generality of the foregoing paragraph, Engaged Tracking (ET) Index Ltd does not warrant that:
this website will be constantly available, or available at all; or
the information on this website is complete, true, accurate or non-misleading.
Nothing on this website constitutes, or is meant to constitute, advice of any kind. If you require advice in relation to any [legal or financial] matter you should consult an appropriate professional (also see Rankings T&Cs).
Limitation of liability
In no event shall Engaged Tracking (ET) Index Ltd, nor any of its officers, directors and employees, be held liable for anything arising out of or in any way connected with your use of this Website whether such liability is under contract.
Engaged Tracking (ET) Index Ltd, including its officers, directors and employees, shall not be held liable for any indirect, consequential or special liability arising out of or in any way related to your use of this Website.
Engaged Tracking (ET) Index Ltd will not be liable to you (whether under the law of contract, the law of torts or otherwise) in relation to the contents of, or use of, or otherwise in connection with, this website:
for any indirect, special or consequential loss; or
for any business losses, loss of revenue, income, profits or anticipated savings, loss of contracts or business relationships, loss of reputation or goodwill, or loss or corruption of information or data.
By using this website, you agree that the limitations of liability set out in this website disclaimer are reasonable.
If you do not think they are reasonable, you must not use this website.
You hereby indemnify to the fullest extent Engaged Tracking (ET) Index Ltd from and against any and/or all liabilities, costs, demands, causes of action, damages and expenses arising in any way related to your breach of any of the provisions of these Terms.
Breaches of these terms and conditions
Without prejudice to Engaged Tracking (ET) Index Ltd’s other rights under these terms and conditions, if you breach these terms and conditions in any way, Engaged Tracking (ET) Index Ltd may take such action as Engaged Tracking (ET) Index Ltd deems appropriate to deal with the breach, including suspending your access to the website, prohibiting you from accessing the website, blocking computers using your IP address from accessing the website, contacting your internet service provider to request that they block your access to the website and/or bringing court proceedings against you.
If any provision of these Terms is found to be invalid under any applicable law, such provisions shall be deleted without affecting the remaining provisions herein.
Variation of Terms
Engaged Tracking (ET) Index Ltd is permitted to revise these Terms at any time as it sees fit, and by using this Website you are expected to review these Terms on a regular basis.
Engaged Tracking (ET) Index Ltd is allowed to assign, transfer, and subcontract its rights and/or obligations under these Terms without any notification. However, you are not allowed to assign, transfer, or subcontract any of your rights and/or obligations under these Terms.
These Terms together with our Privacy Notice and Cookies Policy constitute the entire agreement between Engaged Tracking (ET) Index Ltd and you in relation to your use of this Website, and supersede all prior agreements and understandings.
Governing Law & Jurisdiction
These Terms will be governed by and interpreted in accordance with the laws of England and Wales and you submit to the non-exclusive jurisdiction of the state and federal courts located in for the resolution of any dispute
Engaged Tracking (ET) Index Ltd’s details
Full name of our organisation: Engaged Tracking (ET) Index Ltd
Our company is incorporated under the laws of England and Wales under the registration number 08876852, of 61 Waverton House, London, E3 2LQ (“ET Index”).
To contact a member of the team regarding the website T&Cs, please email email@example.com
Use of the service constitutes your acceptance of these terms and conditions, which take effect immediately on your first use of the service. Engaged Tracking (ET) Index Ltd reserves the right to change these terms and conditions at any time by posting changes online.
Engaged Tracking (ET) Index Ltd reserves the right to update the ET Carbon Ranking Series as it deems appropriate.
Any member of the public is permitted to use the information provided in the ET Carbon Ranking Series for non-commercial purposes, provided that ‘Engaged Tracking’ or ‘ET Carbon Ranking Series’ is cited as a source.
Use of the ET Carbon Rankings is currently authorised for all forms of media dissemination. The use for academic, research and all other non-commercial purposes is authorised with prior written consent.
Reproduction of the ET Carbon Ranking Series and associated data for commercial purposes is not permissible without a license agreement from Engaged Tracking (ET) Index Ltd. This means that no data on the ET website can be sold, resold, transferred, assigned, distributed or otherwise commercially exploited or made available to any third party in any way without the prior written consent of Engaged Tracking (ET) Index Ltd.
The information provided in the ET Carbon Ranking Series is derived from publicly available sources but no guarantee can be offered as to its absolute reliability.
Particular caution should be exercised when interpreting an inferred figure. This should not be considered an estimate of a company’s actual carbon emissions. The purpose of an inferred figure is only to incentivise disclosure by the company.
Engaged Tracking (ET) Index Ltd reserves the right to use inferred figures as a tool for incentivising companies to disclose information regarding their carbon emissions.
Wherever data is not complete, which means Scope 1 and 2 have not been reported for the company’s entire operations (or they have not been expressed in a sufficiently clear manner, or no public and freely available data is available), a worst-case figure is inferred based on the highest reported emissions intensity by any company within the same industry, sub-sector or sector within the ET Carbon Ranking Series.
Engaged Tracking (ET) Index Ltd makes no warranty as to the reliability of independent third-party assurance.
Questions relating to the standard of assurance should in all cases be addressed to the company in question directly.
It is your responsibility to review the most up-to-date information on the engagedtracking.com website, in order to be aware of any changes made by Engaged Tracking (ET) Index Ltd. Your continued use of this service after changes are posted constitutes your acceptance of this agreement as modified by the posted changes.
These terms and conditions are governed by the laws of England and Wales. If you do not accept these terms and conditions, please stop using the website and any information proprietary to Engaged Tracking (ET) Index Ltd which has been copied, downloaded or reproduced.
For standard terms and conditions of use of the website, please see Terms and Conditions.
To contact a member of the team about licensing the data please email firstname.lastname@example.org
Engaged Tracking (ET) Index Ltd protects the confidentiality and security of client information. We implement robust security procedures to ensure the ongoing protection of all client data.
We are committed to protecting the privacy and the confidentiality of your personal information. Access to personal information is limited to Engaged Tracking (ET) Index Ltd personnel and those authorized third parties who may host your data on our behalf (such as our third-party CRM provider, in our case HubSpot and Google) or may assist in providing the products and services you requested. Engaged Tracking (ET) Index Ltd maintains physical, electronic and procedural safeguards that aim to protect the information against loss, misuse, damage or modification and unauthorized access or disclosure.
Your Information Safe In Our Hands
When you contact us, provide us with your personal information or use our electronic services, you consent to Engaged Tracking (ET) Index Ltd processing the information, including but not limited to your name, company name, contact information, job role and preference information. This information is used by us and/or authorized third parties to support your interaction with us, to deliver our products and services and to contact you again about other services and products we offer. By submitting your personal information to Engaged Tracking (ET) Index Ltd you acknowledge and consent to Engaged Tracking (ET) Index Ltd processing your personal information accordingly.
By consenting to this privacy notice you are giving us permission to process your personal data specifically for the purposes identified (see details below).
Consent is required for Engaged Tracking (ET) Index Ltd to process both types of personal data, but it must be explicitly given. Where we are asking you for sensitive personal data we will always tell you why and how the information will be used.
You may withdraw consent at any time by filling out the Setting Your Preferences form. You can either revoke your consent to certain types of communications or ask for your removal from our database. Any changes you apply will be applied with immediate effect and you will receive an email confirming the changes.
Changes To Policy
This policy provides a general statement of the ways in which Engaged Tracking (ET) Index Ltd aims to protect your personal information. This policy may be changed from time to time to reflect changes in our practices concerning the collection and use of personal information. The revised policy will be effective immediately upon posting to our website.
This version of the policy is effective May 2018.
What is personal data?
Under the EU’s General Data Protection Regulation (GDPR) personal data is defined as: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
What personal data do we collect?
We only collect, process and store the minimum necessary personal data. We may collect the following information:
name and job title,
country of operations,
contact information including email address, and phone number
We are not collecting sensitive personal data, such as ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences.
Why are we collecting this data?
We require this information to understand your needs and provide you with a better service, and in particular for the following reasons:
to be able to perform our services
for detailed service provision (see Preferences)
to be able to disseminate our research output and webinar (event) invites
for correspondence purposes (see Preferences)
to periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided
In any event, we are committed to ensuring that the information we collect and use is appropriate for the above purposes, and does not constitute an invasion of your privacy. Furthermore, your information will only be used for the purposes you give your consent to in the Set Your Preferences section.
In terms of being contacted for marketing purposes Engaged Tracking (ET) Ltd would contact you for additional and specific consent.
How is your data used by us?
In order for us to provide you with our services, we need to collect personal data. In essence, we use Personal data in Operations, Product improvements and Communications. We use your (personal) data to:
manage our website’s traffic and for internal record keeping
we may use the information to improve our products and services. We may contact you by email, phone, fax or mail,
keep your email and marketing preferences up-to-date and the content of our communications relevant to you,
we may also use your information to contact you for market research purposes.
we do not use your data to make automated decisions – such as credit scoring, loan screening, profiling users or making employment decisions
We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so. We may use your personal information to send you promotional information about third parties which we think you may find interesting only if you tell us that you wish this to happen.
How do we collect our data?
We collect Personal Data in a fair manner. We process (collect, store and use) the information you provide in a manner compatible with the EU’s General Data Protection Regulation (GDPR).
Personal data is collected from either:
public sources (company annual reports, CSR reports, websites)
events (event attendee guestlist, business cards)
professional networking sites (where being contacted with relevant material is expected and implied; e.g. LinkedIn InMail)
website registry/subscription (granular communications consent given by you)
What are the legal bases of processing the data?
We process data only for business-to-business (B2B) communications. Our legal bases for processing the personal data:
Consent given by subject
The data is processed for the specific purpose(s) the data subject identifies.
The data subject is free to change the communications preferences at any time.
Consent can be revoked at any time.
Processing of data is necessary in order to be able to fulfill our contractual obligations.
We collect contact details (e.g. phone numbers) for communication purposes with minimal privacy impact.
We only collect personal data on subjects who can reasonably expect the kind of communications (i.e. certain job titles, such as Responsible Investment Officer, fall into this category).
We might contact subjects via various third-party professional network channels (e.g. LinkedIn InMail, Bloomberg Terminal Email Platform) as the subjects, by agreeing to the T&Cs of such networks, imply interest in professional communications.
How do you access the Rankings’ pages? (providing your data is mandatory)
In order to access the full Rankings database you are required to provide us with personal data; this enables us to create a user account to log into.
In most cases you are allowed to visit our site without telling us who you are. However, to access the Rankings service’s pages we require you to provide us with your Personal data. If you choose to withhold any Personal data requested by us it may not be possible for you to gain access to certain parts of the site.
Personal Data provided for accessing the public facing Rankings database will only be used to maintain records of the site’s users and we will not contact you with insights, communications or marketing materials, unless you specify it otherwise in your Setting Your Preferences.
For how long are we keeping the personal data?
We will endeavour to keep your information accurate and up to date, and not keep it for longer than is necessary.
How long certain kinds of personal data should be kept may also be governed by specific business-sector requirements and agreed practices.
We hold on to your Personal Data for the minimum amount of time necessary, usually for 6-12 months (as it is deemed acceptable and in-line with the industry we work in), or until you require us to remove your data.
Who gets to see your data?
In short, only us and our contracted third-party data-processors (HubSpot and Google Analytics) get to see your data.
We may pass your personal data on to third-party service providers contracted to Engaged Tracking (ET) Index Ltd in the course of dealing with you.
Any third parties that we may share your data with are obliged to keep your details securely, and to use them only to fulfil the service they provide you on our behalf.
When they no longer need your data to fulfil this service, they will dispose of the details in line with Engaged Tracking (ET) Index Ltd’s procedures.
If we wish to pass your sensitive personal data onto a third party we will only do so once we have obtained your consent, unless we are legally required to do otherwise.
We distinguish two types of information we share with the above third parties; namely:
Personally identifiable information
we may share such information with HubSpot (our CRM service provider) for data storage and management purposes
we may store such information in locations outside our direct control. E.g. servers where some of our storage capacity is hosted, such as Google Drive (cloud storage).
under no circumstances is such information rented or sold to others by Engaged Tracking (ET) Index Ltd
Non-personally identifiable information
we may share anonymous usage data, referring/exit pages, URLs with Google Analytics
Google and its wholly owned subsidiaries may retain and use information collected during Your use of our Website. Google will not share Your Data with any third parties unless Google
has Your consent;
concludes that it is required by law or to protect the rights, property or safety of Google, its users or the public.
When are you going to be contacted by Engaged Tracking (ET) Index Ltd?
Our aim is not to be intrusive, and we undertake not to ask irrelevant or unnecessary questions. Moreover, the information you provide will be subject to rigorous measures and procedures to minimise the risk of unauthorised access or disclosure.
We will only communicate the kind of information you are interested in (e.g. research output, webinar invite, etc.) via the channels you choose (e.g. phone, email). See Setting Your Preferences.
How do we store and process your data?
We store, process and maintain our databases using a third-party CRM software, HubSpot, and our cloud-based servers, hosted by Google (Google Drive).
We only collect and store the minimum necessary data, we do not retain data for longer than necessary, and we do not execute highly personalised e-marketing campaigns (our processing is simple, we assign you to lists, according to the preferences you set).
Your information may be stored and processed in Europe (in the EU and in non-EU countries as well), or any other country in which Engaged Tracking (ET) Index Ltd or its service providers maintain facilities.
Engaged Tracking (ET) Index Ltd may transfer your personal information to third parties across borders and from your country or jurisdiction to other countries or jurisdictions around the world. If you are located in the European Union, please note that we will only transfer personal information to a country and jurisdiction if they meet the same data protection laws as your jurisdiction.
Our CRM provider, HubSpot, has a robust privacy program that is designed to align with many regions’ data hosting needs. HubSpot offers a Data Processing Agreement for EU-based customers.
Similarly, Google has robust physical, software and personnel safeguards in place to protect our and your data (Google Cloud security).
How do we ensure your data is secure?
Engaged Tracking (ET) Index Ltd is concerned with protecting your privacy and data; however, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security.
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure Your information.
When you enter sensitive information (such as login credentials) on our registration or order forms, we encrypt that information using secure socket layer technology (SSL).
HubSpot’s service is Privacy Shield certified. HubSpot is committed to subjecting all personal data received from European Union (EU) member countries and Switzerland, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles.
The cloud storage of Google Drive is considered safe because, among other safeguards, before your data leaves our devices, it is encrypted before the data is stored, which prevents the possible leakage of unencrypted data on their drives. Metadata is also encrypted while stored and data is encrypted when moved between Google’s own data centers.
Our staff is trained with regards to data security. We use two-factor authentication when accessing our accounts on Google Drive. We only use cloud stored Google sheets to compile contact lists (if we must handle data outside HubSpot) and never extract them as Excel files. Our staff never transfer contact details or contact lists via Skype or other unencrypted means, or on portable (USB) devices. We do not print hard copies of contact lists.
For more details, please read our Security Policy.
How do we treat cookies?
Please see our Cookies Policy for further details.
Are we transferring personal data outside the EU?
Yes, to the US as the products of our CRM service provider, HubSpot, are currently hosted in U.S.-based data centers. HubSpot is considered GDPR compliant.
Moreover, your information may be stored in our Google drive (encrypted cloud storage); Google has its data centre facilities in the US, Chile, Singapore and in Taiwan outside the EU. Google services are considered GDPR compliant.
Currently we do not have any overseas operation, that is, we do not transfer your data outside the EU for processing. If we expand and opt for overseas operations, the current policy will be revised and updated and the overseas office will be set up according to the EU GDPR regulations and all the mandatory data controller/processor and data transfer contracts will be implemented and enforced to make sure an adequate level of protection is established.
Who is the DPO/GDPR Owner?
The Data Protection Officer will ensure that documentation to demonstrate compliance with the GDPR such as policies and procedures are kept up to date.
Furthermore, the Data Protection Officer will plan and schedule data processing audits regularly, monitoring core activities to ensure they comply with the EU GDPR.
The Data Protection Officer is the main contact point for employees and will liaise with all members of staff on matters of data protection.
DPO contact details: Greg Fonai; email@example.com
Who is the Data controller?
Us, Engaged Tracking (ET) Index Ltd. as we determine the purposes and means of the processing of personal data.
Please contact us with your queries via firstname.lastname@example.org
What are your rights as a data subject?
At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:
Right of access – you have the right to request a copy of the information that we hold about you.
Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
Right to restriction of processing – where certain conditions apply, you have a right to restrict the processing.
Right of portability – you have the right to have the data we hold about you transferred to another organisation.
Right to object – you have the right to object to certain types of processing such as direct marketing.
Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
Right to judicial review – in the event that Engaged Tracking (ET) Index Ltd refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined below.
Controlling your information – How can you find out the personal data that we hold about you?
Engaged Tracking (ET) Index Ltd, at your request, can confirm what information we hold about you and how it is processed. You can put your request for information through our Data Request form; such requests are processed and responded to within 30 days after the request is submitted.
If Engaged Tracking (ET) Index Ltd does hold personal data about you, you can request the following information:
Identity and the contact details of the person or organisation that has determined how and why to process your data.
Contact details of the data protection officer (DPO), where applicable.
The purpose of the processing as well as the legal basis for processing.
If the processing is based on the legitimate interests of Engaged Tracking (ET) Index Ltd or a third party, information about those interests.
The categories of personal data collected, stored and processed.
Recipient(s) or categories of recipients that the data is/will be disclosed to.
If we intend to transfer the personal data to a third country or international organisation, information about how we ensure this is done securely. The EU has approved sending personal data to some countries because they meet a minimum standard of data protection. In other cases, we will ensure there are specific measures in place to secure your information.
How long the data will be stored.
Details of your rights to correct, erase, restrict or object to such processing.
Information about your right to withdraw consent at any time.
How to lodge a complaint with the supervisory authority.
Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
The source of personal data if it wasn’t collected directly from you.
Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.
If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible at [email@example.com] or contact our DPO directly (see contact details above) or alternatively you can request an information review and correction using the relevant form (Data Request & Correction Form). We will promptly correct any information found to be incorrect.
Controlling your information – How can you change your preferences?
You may choose to restrict the collection or use of your personal information in the following ways:
whenever you are asked to fill in a form on the website, look for the box that you can click to indicate that you do not want the information to be used by anybody for direct marketing purposes
if you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind and reset your preferences any time on the Setting Your Preferences section of our website.
at any point you can change your preferences, i.e. you can give and revoke your consent to various communications
How can you handle complaints?
In the event that you wish to make a complaint about how your personal data is being processed by Engaged Tracking (ET) Index Ltd (or third parties as described above), or how your data request or correction request has been handled, you have the right to lodge a complaint directly with the supervisory authority and with Engaged Tracking (ET) Index Ltd’s data protection representative, the Data Protection Officer.
The details for each of these contacts are:
What is the rule for links to other websites?
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
Our IT security policy helps us:
Reduce the risk of IT problems
Plan for problems and deal with them when they happen
Keep working if something does go wrong
Protect company, client and employee data
Keep valuable company information, such as plans and designs, secret
Meet our legal obligations under the General Data Protection Regulation and other laws
Meet our professional obligations towards our clients and customers
Under the GDPR, where a data breach is likely to result in a ‘risk for the rights and freedoms of individuals’ we must notify the customers and data controllers ‘without undue delay’. We will ensure we inform them within 72 hours.
Our senior management holds overall responsibility for our IT security strategy.
Greg Fonai is the data protection officer to advise on data protection best practices and has day-to-day operational responsibility for implementing this policy.
We will review this policy annually.
In the meantime, if you have any questions, suggestions or feedback, please contact Greg Fonai at firstname.lastname@example.org.
We will only classify information which is necessary for the completion of our duties. We will also limit access to personal data to only those that need it for processing. We classify information into different categories so that we can ensure that it is protected properly and that we allocate security resources appropriately:
Unclassified. This is information that can be made public without any implications for the company, such as information that is already in the public domain.
Company confidential. Such as contracts, source code, business plans, passwords for critical IT systems, client contact records, accounts etc.
Client confidential. This includes personally identifiable information such as name or address, passwords to client systems, client business plans, new product information, market sensitive information etc.
The deliberate or accidental disclosure of any confidential information has the potential to harm the business. This policy is designed to minimise that risk.
Internally, as far as possible, we operate on a ‘need to share’ rather than a ‘need to know’ basis with respect to company confidential information. This means that our bias and intention is to share information to help people do their jobs rather than raise barriers to access needlessly.
As for client information, we operate in compliance with the GDPR ‘Right to Access’. This is the right of data subjects to obtain confirmation as to whether we are processing their data, where we are processing it and for what purpose. Further, we shall provide, upon request, a copy of their personal data, free of charge in an electronic format.
However, in general, to protect confidential information we implement the following access controls:
Company confidential information:
source codes and technical data are only accessible by our Technical team,
client contact records are accessible by our Engagement and Account Managers,
other company confidential information (see above) is accessible by the senior management.
Client confidential information:
identifiable personal information is available to our Account and Engagement Managers; our third-party CRM host and data processor is HubSpot.
The senior management has access to business sensitive information
The product team has control over product-related information
In addition, admin privileges to company systems will be restricted to specific, authorised individuals for the proper performance of their duties as follows:
Sam Gill (CEO), Greg Fonai (DPO).
Joiners – When a new employee joins the company, we give them access to our Google Drive; all employees’ access is limited, according to the Job Description (see examples above).
Leavers – When people leave a project or leave the company, we will promptly revoke their access privileges to company systems.
General Training – We will provide training to new staff and support for existing staff to implement this policy. This includes:
An initial introduction to IT security, covering the risks, basic security measures, company policies and where to get help
Training on how to use company systems and security software properly
On request, a security health check on their computer, tablet or phone
Training – security risks
While technology can prevent many security incidents, our actions and habits are also important. With this in mind we train our staff to
Take time to learn about IT security and keep ourselves informed. Get Safe Online is a good source for general awareness
Use extreme caution when opening email attachments from unknown senders or unexpected attachments from any sender.
Be on guard against social engineering, such as attempts by outsiders to persuade you to disclose confidential information, including employee, client or company confidential information. Fraudsters and hackers can be extremely persuasive and manipulative.
Be wary of fake websites and phishing emails. Don’t click on links in emails or social media.
Do not disclose passwords and other confidential information unless you are sure you are on a legitimate website.
Use social media, including personal blogs, in a professional and responsible way, without violating company policies or disclosing confidential information.
Take particular care of our computers and mobile devices when we are away from home or out of the office.
If anyone is to leave the company, they will return any company property, transfer any company work-related files back to the company and delete all confidential information from systems as soon as is practicable.
Ensure that confidential information stored on paper is kept in a secure place where unauthorised people cannot see it, and that it is shredded when no longer required.
The following things (among others) are, in general, prohibited on company systems and while carrying out your duties for the company and may result in disciplinary action:
Anything that contradicts our equality and diversity policy, including harassment.
Circumventing user authentication or security of any system, network or account.
Downloading or installing pirated software.
Disclosure of confidential information at any time
Employee (Our) responsibilities
We are personally responsible for the secure handling of confidential information that is entrusted to us. We may access, use or share confidential information only to the extent it is authorised and necessary for the proper performance of our duties. Employees are to promptly report any theft, loss or unauthorised disclosure of protected information or any breach of this policy to Greg Fonai (DPO) and Sam Gill (CEO).
Device control – It is also our employees’ responsibility to use their devices (computer, phone, tablet etc.) in a secure way. However, we will provide training and support to enable them to do so (see below). At a minimum:
Remove software that they do not use or need
Update operating system and applications regularly
Keep computer firewall switched on
Windows users should install anti-malware software (or use the built-in Windows Defender) and keep it up to date. Mac users should consider getting anti-malware software.
Store files in official company storage locations so that they are backed up properly and available in an emergency.
Understand the privacy and security settings on your phone and social media accounts
Have separate user accounts for other people, including other family members, if they use your computer. Ideally, keep your work computer separate from any family or shared computers.
Don’t use an administrator account on your computer for everyday use
Make sure your computer and phone log out automatically after 15 minutes and require a password to log back in.
Only the nominated member of staff has access to their own laptops and only they keep their passwords
Any data transferred must be in password protected encrypted files with passwords sent in separate communications
Change default passwords and PINs on computers, phones and all network devices
Consider using password management software
Don’t share your password with other people or disclose it to anyone else
Don’t write down PINs and passwords next to computers and phones
Use strong passwords
Change them regularly
Don’t use the same password for multiple critical systems
Data breach policy
This procedure applies in the event of a personal data breach under Article 33 of the GDPR – Notification of a personal data breach to the supervisory authority – and Article 34 – Communication of a personal data breach to the data subject.
The GDPR draws a distinction between a ‘data controller’ and a ‘data processor’ in order to recognise that not all organisations involved in the processing of personal data have the same degree of responsibility. Each organisation should establish whether it is a data controller or a data processor for the same data processing activity, or whether it is a joint controller.
All users (whether Employees/Staff, contractors or temporary Employees/Staff and third party users) of Engaged Tracking (ET) Index Ltd. are required to be aware of, and to follow this procedure in the event of a personal data breach.
All Employees/Staff, contractors or temporary personnel are responsible for reporting any personal data breach to the Data Protection Officer.
Procedure – Breach notification data controller to supervisory authority
Engaged Tracking (ET) Index Ltd. determines if the supervisory authority needs to be notified in the event of a breach.
Engaged Tracking (ET) Index Ltd. assesses whether the personal data breach is likely to result in a risk to the rights and freedoms of the data subjects affected by the personal data breach, by conducting regular impact assessments (including data breach).
If a risk to data subject(s) is likely, Engaged Tracking (ET) Index Ltd. reports the personal data breach to the supervisory authority (in the UK it is the ICO) without undue delay, and not later than 72 hours.
If the data breach notification to the supervisory authority is not made within 72 hours, Engaged Tracking (ET) Index Ltd.’s Data Protection Officer submits it electronically with a justification for the delay.
If it is not possible to provide all the necessary information at the same time Engaged Tracking (ET) Index Ltd. will provide the information in phases without undue further delay.
The following information needs to be provided to the supervisory authority:
A description of the nature of the breach.
The categories of personal data affected.
Approximate number of data subjects affected.
Approximate number of personal data records affected.
Name and contact details of the Data Protection Officer.
Consequences of the breach.
Any measures taken to address the breach.
Any information relating to the data breach.
The Data Protection Officer notifies the supervisory authority, the ICO.
In the event the supervisory authority assigns a specific contact in relation to a breach, these details are recorded in the Internal Breach Register.
The breach notification is made by our DPO.
Procedure – Breach notification data controller to data subject
If the personal data breach is likely to result in high risk to the rights and freedoms of the data subject, Engaged Tracking (ET) Index Ltd. notifies those/the data subjects affected immediately.
The notification to the data subject describes the breach in clear and plain language, in addition to information specified in clause 3.6 above.
Engaged Tracking (ET) Index Ltd. takes measures to render the personal data unusable to any person who is not authorised to access it (we use encryption).
The data controller takes subsequent measures to ensure that any risks to the rights and freedoms of the data subjects are no longer likely to occur.
If the breach affects a high volume of data subjects and personal data records, Engaged Tracking (ET) Index Ltd. makes a decision based on an assessment of the amount of effort involved in notifying each data subject individually, and whether it will hinder Engaged Tracking (ET) Index Ltd.’s ability to appropriately provide the notification within the specified time frame. In such a scenario a public communication or similar measure informs those affected in an equally effective manner.
If Engaged Tracking (ET) Index Ltd. has not notified the data subject(s), and the supervisory authority considers the likelihood of a data breach will result in high risk, Engaged Tracking (ET) Index Ltd. will communicate the data breach to the data subject.
Engaged Tracking (ET) Index Ltd. documents any personal data breach(es), incorporating the facts relating to the personal data breach, its effects and the remedial action(s) taken.
To improve the user experience of the website, we occasionally place several small data files on your computer, which are known as cookies.
Some examples of how cookies improve your visit to the Engaged Tracking (ET) Index Ltd website would be:
Records choices you made previously, so you don’t have to keep re-entering them (known as ‘functionality cookies’)
Measures how you use the website so we can make continuous user experience improvements (known as ‘performance cookies’). These cookies identify which pages are being used. This helps us analyse data about webpage traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
To learn more about cookies and how to manage or delete them, visit www.aboutcookies.org
None of the information contained in our factsheet publications, research, marketing material or website (“Information”) constitutes a recommendation, promotion or offer by Engaged Tracking (ET) Index Ltd to buy or sell any asset, product or trading strategy, nor is it to be considered investment advice or a recommendation to make (or refrain from making) any kind of investment decision and may not be relied on as such.
The Information should not be acted upon without obtaining specific legal, tax, and investment advice from a licensed professional.
While Engaged Tracking (ET) Index Ltd endeavours to take all reasonable steps to ensure that the data disclosed by companies is accurate before being categorised as “Complete” within the ET Carbon Dataset, including but not limited to performing statistical analyses to identify anomalies in the data, Engaged Tracking (ET) Index Ltd accepts no liability for data reported by companies that is found to be inaccurate or have been misrepresented by companies. Engaged Tracking (ET) Index Ltd warrants that at the time of publication the data is, to the best of its knowledge, a true and accurate representation. The user of the Information assumes the entire risk of any use it may make or permit to be made of the Information.
No representation or warranty (express or implied) is given by Engaged Tracking (ET) Index Ltd as to the accuracy or completeness of the Information.
The Information may not be used to verify or correct other data, to create indexes, risk models, or analytics, or in connection with issuing, offering, sponsoring, managing or marketing any securities, portfolios, financial products or other investment vehicles without the written permission of Engaged Tracking (ET) Index Ltd.
Guest commentaries, where included within the Information, reflect the views of their respective authors; their inclusion is not an endorsement of them.
Engaged Tracking (ET) Index Ltd, their respective shareholders, members, partners, principals, directors and/or employees, may have a position in the securities of the companies discussed in the Information.
Is ET GDPR compliant?
Based on our self-assessment we are currently compliant.
What information are you storing? Where is it stored?
We store only necessary information (e.g. contact details). You can keep your details accurate and up to date via the Setting Your Preferences form.
Your information is stored
Who is the DPO?
Greg Fonai. You can contact him with any personal data related queries via email at email@example.com
Do you have a training programme in place for staff?
Yes, our management and staff are trained to ensure we are compliant with the stipulations of GDPR. The training includes guidelines on data collection, contacting contacts and data breach procedures.
Can I access or delete all my data at any time?
Yes, we can provide a full data export on request. This also includes any data held by our 3rd party providers. The usual turnaround of such requests is one month (30 days).
Yes, we can provide full data deletion as well. Just ask us to remove your data from our database and we will comply with your request within one calendar month, as per the regulation.
Do you have a process in place for reporting personal data breaches to affected companies and the relevant data protection authority, and in some circumstances, to the affected data subjects, where feasible, within 72 hours of having become aware of it?
Yes, we have developed a coherent data Breach Procedure (see relevant Data Breach Policy below) to deal with security breaches.
You can read it in the Privacy Notice tab above.