What is this and why should I read this?
SmartestEnergy Limited and SmartestEnergy Business Limited (‘SEL’, ‘SEBL’, ‘we’, ‘us’) are committed to protecting the privacy and security of your Personal Data, and we want to ensure you understand your rights and our responsibilities when it comes to your Personal Data.
This data privacy notice (‘Notice’) describes how we handle your Personal Data throughout our relationship, whether you are a client or prospect, a potential business partner, or just a member of the public. As such, both your engagement with us online, as well as contractually through any business dealings, are covered by this overarching data privacy notice. This is also held on our website for all to access.
We have tried to keep this notice straightforward, with related sub-headings to help you navigate to the relevant sections. Please read below for more information and contact us if you have any questions.
You can also download a pdf version of the notice here.
What if I have questions or concerns?
Our Data Privacy Manager is responsible for overseeing and coordinating our privacy program. If you ever have any questions or concerns about how we handle your Personal Data, please contact:
Head of Data Protection & Privacy
SmartestEnergy Limited
Brooke Lawrance House
80 Civic Drive
Ipswich
Suffolk
IP1 2AN
Tel: +44 (0)1473234136
Email: [email protected]
Our commitment to your privacy (Personal Data Processing Principles)
Regardless of where, why or how we obtain or process your personal data, we comply with Data Protection Law (DP Law). DP Law protects ‘Data Subjects’ in the UK and EU by imposing stricter obligations on ‘Data Controllers’ and ‘Data Processors’ when we process personal data. See below for a glossary of these terms.
DP Law applies to any data that might identify you, wherever or however we got it, whatever we do with it and wherever we process it, even if someone else processes it on our behalf, and even if we send it outside the European Economic Area (EEA).
This means that whenever we process your personal data we do so:
- Lawfully: Only if we can justify it on one of the following Lawful Bases:
Lawful Bases | What this means |
---|---|
Consent | You have given us permission, which you can withdraw at any time. We need your explicit consent to process sensitive data like health-related data (special data) or to transfer your personal data outside the EEA where we don’t have another basis for doing so, or for any Automated Decision Making (‘ADM’) that has significant legal or other effects. |
Legitimate Interests | To help fulfil a legitimate business objective (see the ‘Why’ column of the Your Data At-a-Glance chart) after confirming we’ve only used what’s reasonably necessary and proportionate to meet that objective and struck the right balance between our interests and yours (Legitimate Interests Assessment (LIA)). Generally speaking, we have a Legitimate Interest in Processing Personal Data to operate our business, generate leads and sales, make sure our relationship with you runs smoothly, and protect the personal and commercial data we hold by securing our network and information systems. |
Contractual Necessity | To enter into or fulfil our contract, including to generate a quote. |
Legal Obligation | To comply with the law (e.g. tax reporting, anti-corruption). |
Vital Interests | In rare instances where none of the others apply but we need your personal data to protect your vital interests or those of another person. |
Public Task | The processing is necessary to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. |
- Fairly and transparently: we strike the right balance between our interests and yours and we tell you what we do with your personal data.
- For a specific purpose: we won’t use your personal data for another incompatible purpose unless the law permits or requires us to.
- Using the least amount reasonably necessary.
- Ensuring it is accurate, complete and up-to-date.
- For a limited time: Only for as long as reasonably necessary, and then we either destroy it or de-identify it so it can’t be linked back to you.
- Securely: managing our people and designing our processes and technology to ensure end-to-end confidentiality, integrity and availability.
- Within the UK/EEA: we don’t transfer your personal data outside the EEA except as permitted under DP Law. We use appropriate safeguards for consistent protection and ensure third parties we rely on do so as well.
- With your rights in mind: We make it easy for you to exercise your rights (see Your Rights, below).
The types of personal data we process about you are grouped under the following categories:
Category of Data | Details |
---|---|
Prospects | Lists of potential contacts within companies we wish to target derived from social media, internet research and your profile on your company website. We also check for matches between this prospect list and individuals who have registered for webinars or downloaded educational content from our website to gauge level of interest and engagement to identify marketing and sales leads. |
Web analytics | Standard internet log information and visitor behaviour patterns obtained using Google Analytics and other tools (see our Cookie Notice): pages visited, time on page, interactions / clicks. Processed in aggregated form in ways that can’t be used to identify you. We don’t permit anyone to reverse engineer the data to identify individuals. |
Website Content Management System | Our website is powered by Umbraco, which provides the Content Management System on which our site is built. Search queries and results are logged anonymously to help us improve our website and search functionality. See Umbraco’s Privacy Notice here. |
Cookie data | We use a cookie tool on our website powered by Cookiebot which by default requires explicit action by website visitors to opt-in or opt-out of cookies. Find out more in our Cookie Notice. |
Technical data | Internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, smartphone MAC address, and other technology on the devices you use to access our website or Network and Information Systems (i.e. if you use our Wi-Fi). |
Engagement data | Engagement with our website and educational content: webinars registered for and viewed, questions submitted, length of viewing, video playback, repeat visits, downloads, newsletter subscriptions (e.g. Informer), marketing emails read / unread, frequency and recency, all of which we use to generate an ‘engagement score’ to determine whether you are a possible lead. |
Basic ID | First name, last name, or similar identifier, title, role, company (if applicable), date of birth (‘DOB’) where relevant, and gender. |
Contact data | Billing address, delivery address, email address and telephone numbers, entry codes if applicable. |
Marketing | Your preferences in receiving marketing from us – including do-not-call and unsubscribe requests (suppression lists). Our online forms are powered by Pardot (a Salesforce company). Contact information you input is captured by Pardot to make it easier for us to communicate with you (if you consent). |
Financial data | Bank account and payment card details, invoices, financial statements and accounts, business history (e.g. previous businesses and filing / compliance history) insofar as it relates or can be linked to an identifiable individual (e.g. a sole proprietor, a franchisee, a generation client, a partner, a Person of Significant Control or non-resident principal / director, shareholders undergoing a credit risk assessment or anti-bribery check). It does not refer to company account details. |
National ID | Passport number, driver’s licence, national insurance number, citizenship or immigration / visa status, residency status. |
Credit risk details | Application information you or your broker provides; letters of reference, letters of credit, for the purposes of screening in accordance with the Company’s Bribery Rules, publicly available information about your business and business history with different companies and relevant filing history, statements of account on Companies House, risk intelligence through online database subscription services [Bureau van Dijk / Dow Jones / Thomson Reuters World Check…], Google searches, partnership agreement if applicable, credit risk scores we generate using the foregoing. This includes data considered Criminal Records Data under DP Law. In order to process your application, we will supply your personal information to credit reference agencies (CRAs) and they will give us information about you, such as about your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity. We will also continue to exchange information about you with CRAs on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at Credit Reference Agency Information Notice (CRAIN) | Experian. |
Regulatory Compliance Checks | Due diligence reviews for Anti-Corruption, Anti-Bribery, Anti-Money Laundering regulations: rumours of corruption or bribes, proof of address and ID for know-your-client requirements, risk intelligence through online database subscription services [Bureau van Dijk / Dow Jones / Thomson Reuters World Check…], Google searches. |
Customer service & profile data | Contract details, payments to and from you and other details of services you have purchased from us or for which you have sought a quote, customer service interactions, complaints, customer portal activity and content, login credentials [in encrypted format], correspondence, and notes that our Sales or Customer Service team or other personnel input into our databases relating to your interactions. Again, this would be data linkable to an individual, not the company itself. |
Website security & performance | We host our website on Microsoft Azure and use it to help maintain the security and performance of our website. |
Feedback | Personal Data we receive in relation to third-party surveys in which you’ve participated to share your views regarding our products and services or your electricity/generation needs; complaints, compliments or enquiries you make to customer service via phone or through our website. |
Electricity/Gas usage and consumption data, generation data / energy transactions | Personal Data we receive or generate in connection with matters for which you’ve sought our expertise or services, such as asset optimisation or flexible energy solutions, independent generation and market access, trades, metering data, insofar as the data can be attributed to an identifiable individual (e.g. a small generator, a sole proprietor or franchisee). |
Recruitment details | Personal Data of individuals who apply to work with us or inquire about joining our team. When you’re a candidate, recruit or agency worker, we collect Personal Data about you directly from you through the application and recruitment process (when you email or upload a CV or enquire about opportunities), from one of our recruitment agencies, through the employee placement agency that placed you with us if you’re a contractor, or through our refer-a-friend scheme. SmartestEnergy uses Teamtailor for managing recruitment activities, and applicants can ‘self-serve’ to manage their preferences, consent and access to data via the Data & Privacy section. |
Suppliers & Partners | Consultants, suppliers, freelancers contact details, professional backgrounds, contracts and agreements, correspondence, engagement / productivity, Financial Data (see above). |
ECOES (Electricity Central Online Enquiry Service) | This is a market information system which holds data that is used to support the electricity customer transfer process in Great Britain. |
Smart Meter Data | Processing of Smart Meter Data & Advanced Meter Data for billing and settlement purposes: consumption data at monthly, daily and half-hourly granularity, MPAN. If you are a Third Party requesting this information on behalf of your client, please attach a letter of authority as proof of consent from your customer. |
Your Data At-a-Glance
Our table below summarises what information we collect, why and how we use it and who we share it with. If we need to use your personal data for an unrelated purpose, we will notify you, explaining the Lawful Basis.
Why | What | From Whom | Lawful Basis | With Whom |
---|---|---|---|---|
To generate leads, deliver great content, and get in touch | Identity Meter point information & consumption data relating to previous SEL & SEBL customers | You (business card, email) Your contacts (referrals, intros) Data brokers or aggregators Publicly available information (Social Media) Conference attendee lists | Legitimate Interests (to grow our business) | Marketing and Sales Personnel Highspot |
To facilitate the customer transfer process and ensure we maintain accurate information about your meter point | Identity Contact Meter point Information Consumption Data | You ECOES Distribution Network Operator Your previous Supplier Meter Operator Data Collector Data Aggregator | Legitimate Interests (to operate our business with you) Contract | Customer Service |
To register you as a new member, subscriber or customer | Identity Contact Marketing and Communications preferences | You | Contract Legitimate Interests (Direct marketing) | Marketing, Sales and Customer Service personnel External consultants |
To respond to an enquiry, process your order, finalise a transaction, resolve a dispute & monitor customer service performance | Identity Contact Financial Transactions Debt information Technical Information about matters for which you require our assistance Voice recordings (calls to our offices) Written communication (letters, e-mails) | You Account Managers (who manage the customer relationship) Customer Service or Sales personnel Trading Team Compliance and Regulation Team | Contractual Necessity (e.g. responding to an enquiry, issuing an alert, processing a transaction) Legitimate Interests (recover payments; protect our business; meet client needs) | Customer Service/ Sales and Marketing personnel 3rd party debt collection agencies For SmartestEnergy Business Limited: Third party Customer Service provided by Amplify5 Limited |
To confirm identity, address, residency, screen against fraud or sanctions lists, and address money laundering and credit risks | Identity Profile Financial data | You (passport or government ID; proof of address; tax / National Insurance number) Know-Your-Client services, credit check services, references, your financial institution Internet research and public sources e.g. Companies House | Legal Obligation (Anti-Money Laundering, Sanctions, Know-Your-Client laws) Legitimate Interest (to protect our business) | Operations / internal audit and finance personnel/internal credit risk team Credit Reference Agencies (CRAs) |
To manage our relationship with you and deliver what we promised | Identity Contact Profile Usage Client Data Consumption data Meter point information | You Website (e.g. forms) Account Managers Agents who are appointed to deliver our services Distribution Network Operators and Independent Distribution Network Operators | Contractual Necessity (fulfil our contract with you) Legal obligation (notify you of privacy updates) Legitimate Interests (feedback; QA; reputation management) | Customer Service and Sales personnel Vendors who help deliver our services Agents who are appointed to deliver our services such as Meter Operators, Data Collectors (meter readers) and Data Aggregators External consultants |
To provide access to web-based services and content that we offer under license. | Identity Contact | You | Legitimate Interests (to protect our business) | External vendors who help deliver the web-based services |
To manage our finances, generate and manage invoices, produce accounting, audit and sales reports, and manage credit | Financial Data Transaction Data | You Us (internal reports, spreadsheets, software, email) | Contractual Necessity Legitimate Interests (to optimise our finances, set the right price, forecast) | Finance team External accounting services External auditors Insurers External consultants |
To run marketing campaigns | Identity Contact Profile Usage (Open, read, unread to confirm engagement) Marketing and Communications preferences | You Marketing platform (our website and email delivery system) | Consent (B2C) Legitimate Interests (soft opt-in; solicited; B2B) | Marketing personnel External marketing team / providers CRM provider Marketing platform provider External consultants |
To comply with marketing and cookie rules | Identity Contact Marketing and Communications preferences | You Marketing platform Cookie Dashboard provider | Legal Obligation (GDPR and PECR rules on direct marketing and cookies) | Marketing personnel External marketing team / providers External consultants See our cookie policy for detail |
To measure effectiveness of marketing campaigns and optimise future campaigns | Usage Technical Marketing and Communications preferences | You (enquiries, Google Analytics, engagement) Marketing platform External consultants who use aggregated data: Google Analytics (anonymised); Conversion / engagement statistics; Open, read, unread unsubscribe statistics) | Legitimate Interests (develop our business and inform our marketing strategy) | Marketing and Sales personnel Analytics specialists Analytics provider Search Engine Optimisation specialists External marketing team Vendors providing marketing platforms and CRM |
To improve our services and products | Identity Profile Usage Voice recordings Call notes | You (Voice recordings, surveys) Customer Service (call notes) Publicly available information Media monitoring services Survey provider (DJS Research) | Legitimate Interests (define customer segments for our products and services, keep our website and communications updated and relevant, develop our business and inform our marketing strategy) | Customer Service and Sales Personnel Marketing and sales consultants Product Development Personnel Survey Provider (Identity and Contact Data) |
Recording and processing customer complaints (via Salesforce) | Basic ID Address Details of Dispute | Customer SEL/SEBL Employee Line Manager Department Head | Contractual Necessity Legal Obligation Legitimate Interests (to improve and maintain high Customer Service standards) | Relevant SEL/SEBL department i.e.: Ombudsman |
To analyse and optimise website use and performance | Identity Usage Profile Technical Marketing and Communications preferences | You (clicks, and other interactions, number and duration of visits, social sharing, links to our website and cookies we place on 3rd party sites, cookies and beacons) Analytics services (aggregated) | Legitimate Interests (to study how visitors use our website and engage with our communications channels) | Marketing personnel External marketing team / providers External consultants See our cookie policy for detail |
To deliver relevant website content and understand the effectiveness of communications and educational content such as webinars | Identity Contact Technical Usage Profile (limited automated processing of your viewing behaviour and website to generate an engagement score to identify leads) Marketing and Communications preferences | You (survey, preference form) Analytics Profiling (based on website use) Matching what we know / have deduced about you with broader consumer profiles created through data analytics and market research | Legitimate Interests (to study how customers or visitors use our products / services, to develop them, to grow our business and to inform our marketing strategy) | Analytics specialist External analytics consultants Vendors providing marketing and sales platforms CRM database provider |
To administer and protect our business and the security of our Network and Information Systems (NIS), including our website | Identity Contact Technical Usage | You Technical data from your use of our NIS (to monitor activity not people and only consider individual activity if further action / investigation required) Alerts from third-party tools to “out of policy”, or suspicious activity | Legitimate Interests (establish baseline or ‘normal’ activity patterns; identify abnormal activity) Legal Obligation | IT administrator External IT security provider Cybersecurity services provider |
To investigate criminal wrongdoing or assist law enforcement (rarely) | Any of the categories of information we already have about you. Publicly available information Court-ordered or regulator-ordered disclosure | You Publicly available information Third parties permitted by law to share the information, e.g. in response to a subpoena or | Legal Obligation Legitimate Interests | Strictly need-to-know personnel and the third parties involved in disclosure (law enforcement, external legal counsel, forensics experts, auditors, external investigators) |
To comply with our Supply Licence obligations to detect and prevent theft of electricity and gas | Identity Contact Energy Consumption Meter point details | Data held in our customer services database | Legal Obligation | The Theft Risk Assessment Service (TRAS) Allocation of Unidentified Gas Expert (AUGE) Elexon |
To manage Change of Tenancy instances and offer suitable alternative contract options for customers on deemed rates | MPAN, Customer name, Profile class (HH, NHH) Monthly consumption Annual consumption (EAC) Contact name Contact number Contact email | SEL You | Legitimate Interests | SEBL Sales Team |
Provision of Data to RECCo: To ensure the ongoing and disruption free access to the ECOES database by ECOES users, allowing the ongoing provision of services | ECOES database: MPAN Core, Metering point address, Postcode | MRASCo SEL | Legitimate interest | Retail Energy Code Company Limited (RECCo) |
To ensure that contracts held by bill payers can continue to be administered and enacted | GDCC database: Green Deal MPAN Core, Bill Payer Name & Address | | Contractual Obligations. | |
To allow RECCo to have a historical overview of audits in the case of issues going forward. | Audit Reports: Name, Address, MPAN | | Legitimate Interest | |
To provide accurate forecasting and pricing | Historic consumption data, MPAN, MPRN, MSN, Site Address | Electralink | Contract (existing customers) Legitimate Interests (potential customers) | SEL IT, Forecasting & Trading |
Processing of Smart Meter Data & Advanced Meter Data for billing and settlement purposes | Consumption data at monthly, daily and half-hourly granularity, MPAN | You – SEL & SEBL customers | Contract Legal Obligation: Supply Licence Conditions | SEL & SEBL Billing, Settlement, Finance teams |
To support administration of the Energy Bills Support Scheme (EBSS) | MPAN, whether you have received and redeemed each EBSS payment and data about your meter point including your billing cycle and how you pay your bill | You – SEL & SEBL customers | Task carried out in the public interest, under Article 6(1)(e) of GDPR and in the exercise of official authority vested in the Secretary of State for BEIS. | Department for Business, Energy and Industrial Strategy (BEIS) - now known as the Department for |
To support administration of the Energy Bills Relief Scheme (EBRS) and the Energy Bills Discount Scheme (EBDS) | Meter Point Administration Number (MPAN or MPRN in NI) – electricity meter number | You – SEL & SEBL customers | Task carried out in the public interest, under Article 6(1)(e) of GDPR and in the exercise of official authority vested in the Secretary of State for BEIS. | Department for Business, Energy and Industrial Strategy (BEIS) - now known as the Department for (BEIS Privacy Notice here) |
Fit and Proper Person Declaration Form for new appointments (internal or external) for persons who are to be appointed into a role which is classed as SMRI or PSC – typically VPs or C-suite. | SmartestEnergy Fit and Proper Persons Declaration Form, including: Signature Name Job role | SEL & SEBL VP and C-Suite level candidates | Legal Obligation (Ofgem requirement) | Compliance & Regulation HR Ofgem |
Recruitment - New starters and internal roles | Basic ID CV information Optional Equal Opportunities Survey answers (via Teamtailor) | You Your References SEL/SEBL hiring team HR | Contractual Necessity Legal Obligation (Employment Law & Equal Opportunities) | HR personnel Teamtailor BambooHR |
Making and negotiating an employment offer, Acceptance of employment offer | Recruitment | You | Contractual Necessity | HR personnel BambooHR Teamtailor |
How do you strike the right balance when you rely on Legitimate Interests?
We conduct Legitimate Interests Assessments (LIAs) whenever we rely on Legitimate Interests and, where appropriate, Data Protection Impact Assessments (DPIAs). You can obtain more detailed information by contacting our Privacy Manager.
For example, we do some limited profiling to target products and services to you that we’re quite confident your company will like and avoid bombarding you with those you won’t. To do this, we need to learn more about you and your preferences, your role in the company, in addition to company data such as your company’s energy needs. We ensure we have appropriate safeguards to prevent this information from being misused and ensure we strike the right balance:
- Only what we need - We use aggregated or pseudonymised data as much as possible to create profiles and segments and match them to our products and services. Then, we use Pardot to assign an engagement score based on your viewing behaviour (e.g. whether you watch an entire webinar or leave early, how often you register for content or download our materials), your use of our website if you have opted into marketing and targeting cookies, or other information you provide directly or indirectly to us, e.g. through a query, online form or conversation. Based on that engagement score and our analysis of your preferences and your sector, we identify products and services that are likely to be of greatest interest to you in light of your role within your company or the industry and determine when (or if) to contact you for business development purposes.
- When we need it and only by those who need it:
  - Our Customer Service, Billing teams and Finance team only see what they need to answer your billing and customer service queries.
  - We never let third parties use your information for their own purposes, and we prevent this by giving them only what they need and as little Personal Data as possible, by pseudonymising and encrypting it wherever possible to protect your identity.
- We’ve built in privacy and security - We conduct Data Protection Impact Assessments (DPIAs) where appropriate and use what we learn to implement Data Protection by Design and Default into our business.
- Even so, it’s optional - You can object to this activity by opting out at any time. Simply disable targeting / marketing cookies on our Cookie Dashboard (see our Cookie Notice here for more information). Tell us you no longer want to receive marketing calls or emails and we’ll remove you from our list immediately.
However, in certain cases (outside marketing) our Legitimate Interests may override yours. For example, to conduct due diligence reviews for potential fraud or an unacceptable level of credit risk.
What happens if you can’t get this Personal Data?
If we can’t process this Personal Data, or if it’s inaccurate, we may not be able to perform the contract we have entered into with you (e.g. proceed with your application), or we may be prevented from complying with our legal obligations (e.g. doing our due diligence under Anti-Money Laundering rules). If we aren’t able to get profile, technical, usage and marketing and communications data (e.g. click and view data, customer feedback, page visits) it will be difficult for us to optimise our services or meet consumer demands and serve up content we think you’ll like. This means you might either receive communications that aren’t suited to you, or you may miss out on ones tailored to you, like alerts for educational content or the latest industry developments.
What about sensitive Personal Data (Special Data) and Criminal Records Data?
Special Data requires higher levels of protection. Our internal Data Protection Policy combined with appropriate safeguards and controls ensure we only collect, use or share Special Data where reasonably necessary and where the law allows or requires us to do so.
We do not process Criminal Records Data, though we do run DBS checks for certain contractors.
We rarely process Special Data, unless:
- You have given your explicit written consent;
- We need to carry out our Legal Obligations or prepare for or defend legal claims; or
- Where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent (Vital Interests); or
- Where you have already made the information manifestly public.
What about third-party links, plug-ins, content or cookies on your website?
If you click on a link to third-party content, or like or share specific content, this will either take you to those third-party sites or applications or send your Personal Data to that third party related to your click. We have no control over their use of your Personal Data in this regard. However, we do get aggregated data about clicks and shares which are not attributable to individual visitors. We encourage you to read the Data Privacy Notice of websites you visit. See our Cookie Declaration for a list of Third-Party cookies and trackers at https://www.smartestenergy.com/cookie-declaration/ and links to their Privacy Notices.
Who else can see my Personal Data?
Need-to-know is the default…
Within the company… Only those individuals within our company or the third parties listed under the ‘With Whom’ column of the At-a-Glance table can see or access your Personal Data, and they only Process the specific data they need to fulfil their tasks. We have implemented internal measures to enforce this need-to-know access and to ensure those who do Process it do so on our instructions and under a duty of confidentiality.
We will share your Personal Data with our parent company and sister businesses within the Marubeni group, as appropriate, as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, for system maintenance support and hosting of data.
With our service providers and vendors… We do not allow our third-party service providers to use your Personal Data for their own purposes. We only permit Processors to Process your Personal Data for specified purposes and in accordance with our instructions. We minimise how much of your Personal Data needs to be transferred to ensure this objective is met.
We do not share the outcome of our credit risk assessments with our insurer. The insurance company will conduct its own due diligence and let us know whether they are prepared to offer cover for your contract.
If your details have been provided to us by an agent or broker, we will only inform your broker of our ultimate decision to accept or deny your application. We won’t share details of our credit risk assessment with your broker without your written consent.
Wherever we Process your Personal Data jointly with another Controller (Joint Controller), we establish clear lines of accountability to ensure your rights are respected and our obligations are met, and we adhere to the principles and approach we mention in this document to minimise how much Personal Data we use.
In all cases, we require third parties to respect the security of your Personal Data and to treat it in accordance with DP Law through binding contracts.
Do you share my Personal Data with other third parties?
If we sell or restructure all or part of the business, we will share some of your Personal Data with other third parties in the context of the transaction. In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes. Once the transaction is completed, we will share your Personal Data with the other parties if and to the extent required under the terms of the transaction and on the basis of Legitimate Interests. This ensures seamless service for you, regardless of who owns the business, and data due diligence by us. We will notify you in such circumstances and you may object to this transfer.
We may also need to share your Personal Data with a regulator or to otherwise comply with the law. This may include making returns to HMRC, disclosures to financial services regulators and disclosures to shareholders such as directors’ remuneration reporting requirements.
Do you transfer my Personal Data outside the EEA?
We primarily Process your Personal Data – including back-ups and archives – in the EEA and in countries the UK has recognised as providing adequate levels of protection (Adequate countries), specifically Japan. Where we work with third parties that necessitate data transfer, we use appropriate safeguards for consistent protection and ensure the third parties that we rely on do so as well.
Is my Personal Data secure?
We’ve implemented measures to prevent your Personal Data from accidental loss, unauthorised use, access, alteration or disclosure. We’ve implemented procedures and safeguards to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where legally required to do so. Details of these measures are available upon request.
How long will you use my Personal Data?
We will only retain your Personal Data for as long as necessary to fulfil the purposes we mentioned in our At-a-Glance table, including to satisfy any legal, accounting, or reporting requirements. This will vary according to the Personal Data involved and the purpose.
We consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we use it, whether we can achieve those purposes through other means, and the applicable legal requirements. To illustrate:
- We generally hold onto Financial Data for 7 years to satisfy tax and corporate reporting requirements.
- We hold onto identifiable Marketing Data for 1 year post-campaign.
- We retain our suppression lists (do-not-call / unsubscribe) because we have an ongoing legal obligation under Direct Marketing rules.
In some circumstances we may aggregate or anonymise your Personal Data so that it can no longer be associated with you, in which case we may use it without further notice to you. We do this for purchasing statistics, historical operations data, or to analyse sales and marketing trends. For more information on our Data Retention Policy please contact the Privacy Manager.
What rights do I have over my Personal Data?
You have various rights with respect to your Personal Data:
Right | What this means |
---|---|
Access | Receive a copy of the Personal Data we hold about you and confirm we’re lawfully Processing it by making a Data Subject Access Request (DSAR). It’s free of charge unless your request is clearly unfounded or excessive. |
Rectification | Ask us to update, complete or correct your Personal Data at any time if you detect an inaccuracy. In fact, we encourage you to do so. |
Portability | Get any Personal Data you’ve given us in electronic form on the basis of Consent or Contractual Necessity in a common machine-readable format. We can also transfer it to a third party if you ask. |
Erasure | Ask us to delete or remove Personal Data where there is no good reason or Lawful Basis for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have exercised your right to Objection. We are allowed to refuse in certain circumstances. Find out more, here. |
Objection | Object to any Processing we do based on Legitimate Interests. You also have the right to object where we are processing your Personal Data for direct marketing purposes. |
Automated processing | Not to be subject to automated decision-making without human intervention that has significant legal or other effects. |
Restriction | Suspend the Processing of some of your Personal Data, for example if you want us to establish its accuracy or the reason for processing it. |
Withdrawal of consent | Withdraw consent at any time and we will stop Processing it unless we have another legitimate basis for doing so in law. Where we rely on your consent we also explain how you can easily withdraw it. |
We will need to confirm your identity to confirm your right to access the information or exercise any of your other rights. This is to prevent Personal Data being disclosed to anyone who has no right to receive it.
You can find out more about your rights by visiting the Information Commissioner’s Office website.
How can I make a complaint?
If you are unhappy with the way we handle your personal data, we encourage you to contact our Data Protection Team first, so we can try to promptly address your concerns:
Head of Data Protection & Privacy
SmartestEnergy Limited
Brooke Lawrance House
80 Civic Drive
Ipswich
Suffolk
IP1 2AN
Tel: +44 (0)1473234136
Email: [email protected]
You may complain to the Information Commissioner’s Office. You can find details here.
Glossary
Right | What this means |
---|---|
Data Subject | A living individual. We’ll just say ‘you’, ‘your’ or ‘individuals’ in this Notice. |
Data Controller | The person or entity that decides what, how and why to Process Personal Data. We’ll use ‘we’, ‘our’ and ‘us’, since we’re the Data Controller. |
Data Processor | The person or entity that Processes Personal Data on behalf of a Data Controller according to their instructions. |
Data Protection Law (DP Law) | The General Data Protection Regulation (GDPR), the UK Data Protection Act 2018 (DPA 2018), the Privacy and Electronic Communications Regulation 2003 (UK PECR), and other data protection legislation, as amended from time to time. |
Joint Controller | A person or entity that decides what, how and why to Process Personal Data jointly with another Data Controller. |
Process or Processing | Anything we do to Personal Data throughout its lifecycle: generating, scraping, collecting, sharing, storing, accessing, deleting, recording, organising – whether manually or using automation. |
Personal Data | Any information relating to an identifiable individual, even if we don’t know their name. That means that any data that, alone or with other information, can be used to figure out who an individual is or to target or impact an individual – like location, IP address, ID number, image or voice, or identifiable cookies – is likely to be Personal Data. Even Personal Data that’s been ‘pseudonymised’ (i.e. identifiers have been stripped away but the pseudonym could be reverse-engineered or linked back to the individual) is Personal Data. |
Special Data | Special categories of more sensitive Personal Data that require a higher level of protection, such as information about a person’s health or sexual orientation. Special Data is subject to more stringent safeguards, and we’re only allowed to Process it in certain cases. |