EG Renewals Privacy Notice/Data Protection


 EG Renewals Ltd Privacy Notice/Data protection






This document (together with our contractual terms with you) sets out how we’ll process personal information about prospective, current, and past customers. 


This notice only applies to our use of “personal data” about “data subjects” (as defined by data protection law and called personal information in this notice). This includes personal information relating to our prospective, current and past customers who are sole traders or non-limited partnerships, and contacts at corporate customers (“you” or “your”). This notice does not apply to information which you provide to us or which we collect about corporations (e.g. limited companies). 


We’ll be the data controller of your personal information you provide to us, or which we collect from you or third parties. This means that we are responsible for deciding how we hold and use personal information about you, and that we’re required to notify you of the information contained in this notice. 


It’s important that you read this notice so you’re aware of how and why we’re using such information and how we’ll treat it. 


The information which you provide to us may include information about other individuals associated with the management of your business, the administration of your account with us, or contacts within your business. 


If you intend to provide us with information about such individuals, it is important that you give them a copy of this notice before providing us with that information. You must also share with them any updated notices we provide in future. 


PURPOSE AND LEGAL BASIS FOR PROCESSING 


We offer energy and water services to the business community. Therefore, our collection of personal data is limited to the personal information of individuals representing our customers that will enable us to manage our commercial relationship with you. We explain this further within this notice. 


We will collect various types of personal information from you, and more details about how we’ll use it are set out below. 


We have indicated whether we need to process your personal information using a different number of asterisks, as follows: 


• * to enter into and/or to perform a contract with you 

• ** to pursue our legitimate interests, provided that your interests and fundamental rights don’t override those interests 

• *** to enable us to comply with our legal obligations 

• **** with your consent 


HOW WE’LL USE YOUR INFORMATION 


Providing you with a quote 


When you request a quote from us by email or telephone, we will need to collect all the following information about your business to allow us to provide that quote**: 


• First and last name 

• Business name

• Postcode of your business

• Email address 

• Telephone number 

• Type of energy quote 

• Meter point administration number (MPAN) 

• Meter point reference number (MPRN) 

• How much electricity and/or gas you use - you can provide this in pounds or kilowatts per year/6-monthly/quarterly/monthly

• What time of day it’s best to call you


Electricity Central Online Enquiry Service - ECOES


As we prepare your quote, we will use your MPAN to check in the ECOES database what type of meter you are using. This will help us to provide an accurate quote to you.


Onboarding you as a business customer 


If you join us as a customer, we will need to collect the following additional information about you. This will allow us to complete your onboarding process, so the supplier can verify your identity and carry out a credit check, and to provide the products or services you have requested from us*: 


• Personal details – title, name, phone number, email address, time at address

• Job title (where you are representing a limited company)

• Date of birth (of sole traders and partners) for credit checking (see below)

• Domestic address(es) of sole traders and partners – for credit checking (see below)

• Contact and billing address(es)

• Business bank account details 


Recording and monitoring 


We’ll record and monitor our telephone calls with you for the purposes of quality assurance, our mutual protection, staff training, improving customer service, fraud detection, and – if you’re a customer – administering your account*/**/***. 


Credit checking 


During the customer onboarding process and while you have an account with the supplier, they may use the above personal information to search the files of credit reference and fraud prevention agencies. 


This is for the purposes of making decisions about your customer account, assessing your creditworthiness and product suitability, checking your identity, managing your account, tracing and recovering debts, and preventing criminal activity**/***. 


Credit Reference Agencies (CRAs) collect and maintain information about credit behaviour. This includes data sourced from the Electoral Register, fraud prevention, and credit information - including details of previous credit applications and your payment history. It also includes public information such as County Court Judgements and bankruptcies. CRAs will give us information about you, such as your financial history.


When any credit check is carried out on you, your credit records (along with those of any financially associated individuals such as your spouse or partner when you are a sole trader) will be searched. The CRA will keep a record of this search and place a "footprint" on your credit file. 


The information that is provided to CRAs about you (e.g. your payment history, details of false or inaccurate information you have provided, or if we suspect fraud) may be provided to other organisations and used by them to: 


• Help make decisions e.g. when managing credit and credit-related accounts or facilities 

• Detect and prevent crime, fraud and money laundering 

• Check your credit history 

• Verify your identity 

• Trace your whereabouts 

• Undertake research, statistical analysis and systems testing 


They also continue to exchange information about you, including your settled accounts and any debts not fully repaid on time, with CRAs. They will share your information with other organisations. 


The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at http://www.experian.co.uk/crain/index.html


Other uses of your information 


We may also use your personal information in the following ways: 


• To invite you to let us re-quote for your energy supply** 


CHANGE OF PURPOSE 


We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. 


If we need to use your personal information for an unrelated purpose, we will usually notify you and explain the legal basis that allows us to do so. 


DISCLOSURE OF YOUR INFORMATION 


We may share your personal information with the third parties set out below for the purposes described: 


• With energy suppliers we are seeking quotes from, and with whom you will ultimately enter into a contract* 

• If you have consented, we will share your personal information with third parties who may be able to offer products and services different to our own****

• We may share your information with third parties so we can enhance the data we already hold, and to make sure we have your most up-to-date contact information*

• Service providers such as those who provide IT and system administration services, and those that support the delivery of our marketing materials to you (marketing agencies), or provide us with market research services */**/*** 

• If we are under a duty to disclose or share your personal information to comply with any legal obligation*** 

• In the event that we transfer, sell or buy any business or assets, in which case we may (where relevant) disclose your personal information to the prospective seller or buyer* 

• If we, or substantially all of our assets, are acquired by a third party, in which case personal information we hold will be one of the transferred assets* 

• To protect the rights, property or safety of us, our customers and others. This includes exchanging information with other organisations (e.g. credit reference, fraud and theft prevention agencies) for the purposes of reducing credit risk, fraud and energy theft** 


We require all service providers and partners that we share your personal information with to respect the privacy and security of your personal information and to treat it in accordance with the law. We don’t allow our third-party service providers to use your personal information for their own purposes, and only permit them to process your personal information for specified purposes and in accordance with our instructions. 


Most of the personal information we collect about you is based in the United Kingdom or, in some cases, with a service provider or their sub-processor based elsewhere in the European Union (EU). This means they’re required to comply with European data protection law. 


On occasion, we may appoint a third-party service provider whose operation (or server or sub-processor) may be based outside of the EU. We carry out due diligence on our third-party providers and assess whether your personal information will be transferred to them or accessed by them from outside the EU. If that’s the case, we make sure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented: 


• We’ll only transfer your personal information to countries that have been deemed to provide an adequate level of protection for personal information by the European Commission 

• Where we use providers based in the US, we may transfer personal information to them if they’re part of the Privacy Shield – this requires them to provide similar protection to personal information shared between the EU and the US. You can view certifications at www.privacyshield.gov 

• Where we use certain service providers that aren’t in an ‘adequate’ country, or part of the Privacy Shield, we may use a specific contract (called an EU Model Clause Agreement) that’s approved by the European Commission and gives personal information the same protection it has in the EU


If you’d like to know the specific mechanism we use when transferring your personal information out of the EU, please contact us (see the “Contacting us” section at the end of this notice). 


STORAGE OF YOUR PERSONAL INFORMATION 


We’ll only keep your personal information for as long as necessary to fulfil the relevant purpose(s) we collected it for, as set out above in this notice, and for as long as we’re required to keep it for legal purposes. 


To determine the appropriate retention period for personal information, we consider:


• The amount, nature, and sensitivity of the personal information

• The potential risk of harm from unauthorised use or disclosure of your personal information

• The purposes for which we process your personal information and whether we can achieve those purposes through other means

• The applicable legal requirements 


For example, by law and for tax purposes, we must keep basic information about our customers (including contact, identity, financial and transactional data) for six years after they cease being a customer.


In some circumstances: 


• You can ask us to delete your personal information (see “Your rights”, below, for further details) 

• We may anonymise your personal information (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you 


We have appropriate security measures in place to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. 


In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know that information. They will only process your personal information on our instructions, and they’re subject to a duty of confidentiality. 


We have procedures to deal with any suspected personal information breach and will notify you, and any applicable regulator, where appropriate. 

YOUR RIGHTS 


Data protection laws provide you with the following rights where we’re processing your personal information (but not in respect of information about a corporation) to request: 


• Access to your personal information (commonly known as a “data subject access request”) – enabling you to receive a copy of the personal information we hold about you and to check that we’re lawfully processing it 

• Correction of the personal information that we hold about you – enabling you to make sure we correct any incomplete or inaccurate information we hold about you 

• Erasure of your personal information – enabling you to ask us to delete or remove personal information where there’s no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you’ve exercised your right to object to processing (see below) 

• Restriction of processing your personal information – enabling you to ask us to suspend the processing of personal information about you e.g. if you want us to establish its accuracy or the reason for processing it 

• A copy of your personal information which you’ve provided to us – we must comply using a structured, commonly used and machine-readable format. You also have the right to transfer it, or to require us to transfer it directly, to another controller 


You also have the “right to object” to the processing of your personal information where we’re relying on a legitimate interest (or those of a third party) and there’s something about your situation that means you want to object to processing on this basis. You also have the right to object where we are processing your personal information for direct marketing purposes. 


You won’t have to pay a fee to access your personal information (or to exercise any of the other rights above). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, in such circumstances, we may refuse to comply with the request. 


We may need to request specific information from you to help us confirm your identity and to make sure of your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to make sure that no personal information is disclosed to any person who has no right to receive it. 


You have the right to make a complaint at any time to the data protection regulator, the Information Commissioner’s Office (ICO). 


You can call the ICO on 0303 123 1113 or send a letter by post to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Alternatively, you can email casework@ico.org.uk 


However, if you’re considering an approach to the ICO, we’d appreciate the chance to deal with your concerns beforehand. Please contact us, as set out below. 


CHANGES TO OUR PRIVACY NOTICE 


If we make any changes to our notice in the future, we will update our website and, where appropriate, notify you in writing. 


CONTACTING US 


If you have any queries, comments or requests regarding this notice, or you would like to exercise any of your rights as set out above, you can contact us as follows: 


Ainsley Peters 

Administration Manager/Data Controller

EG Renewals Ltd

27 Wilton Ave

Old Trafford

Manchester

M16 0JH


chris@egrenewals.co.uk


01618509591


ICO registration number ZA272784















Data Breach Incident Response Plan

The importance of Data Breach Incident Response cannot be overstated. EG Renewals have to be in a position to deal with data security threats every day and even the most minor data security issues can escalate into a full-blown catastrophe. 

1. Preparation

The preparation phase consists of ensuring that EG Renewals employees are well trained and that the necessary technology has been implemented. Data backups are taken, and mock data breaches are conducted to evaluate the effectiveness of the plan.

2. Data Access Security

We have no external access to data that we hold, and we also limit access to your critical data or assets, where those data or assets are located, and when they are being accessed. Solutions such as the file server auditing component.

4. Containment/Intelligence Gathering

Data is stored and managed separately within the business, and files are stored on computers without internet access for further protection.

5. Eradication/Remediation

Naturally, if a threat has been detected, contained and analysed, we will remove the actual threat from the network and restore the system to a functional, uninfected state. Any compromised credentials will need to be reviewed and reset, and this must be well-communicated to those involved.

6. Recovery

The recovery phase is where all systems are put back into production and monitored to ensure that they are functional and showing no signs that they have been compromised.


Whose Responsibility is Data Breach Incident Response?

The Directors of the business are fully responsible for the response plan and any data breaches.

Response to a Data Breach

Following any incident, we will remedy it and review how well our data breach response plan worked and how we handled the breach. Is there anywhere you can make improvements?


CONTACTING US 


If you have any queries, comments or requests regarding this Data response plan, or you would like to exercise any of your rights as set out above, you can contact us as follows: 


Christopher Flynn 

Director

EG Renewals Ltd

27 Wilton Ave

Old Trafford

Manchester

M16 0JH


chris@egrenewals.co.uk


01618509591

