Privacy Notice for Energy Suppliers
This privacy notice explains to energy suppliers (“you/your”) how Smart Metering Systems plc and each of our group companies (“we, us, SMS”) uses personal information, which you share with us including about your employees or your end consumers (from both a domestic and I&C perspective).
See our privacy policies on our website specific to i) domestic; and ii) I&C customers, for details on how their personal data may be processed.
This privacy notice covers:-
- Why we use personal information;
- What personal information we use;
- How we use personal information;
- Individuals’ rights under data protection legislation; and
We carry out services relating to gas and electric meters on your behalf (these services include meter installations, maintenance, data services, and management and support services). These services are governed by a contract between us.
We may also require to process your employee’s personal information in the course of carrying out the services.
We require to process the personal information of your end consumers to enable us to carry out certain services for you, or in relation to the energy meters or data relating to them.
Where we are providing services on your behalf, we are acting as a data processor.
In some cases, we may own the gas and/or electricity meters installed at your end consumers properties/premises. Where that is the case we may require to retain personal information to allow us to maintain and manage the assets. In those cases, we may be the data controller. We may also wish to make our services available, to customise them, to understand individuals’ needs, and to provide improved services, newsletters and other communications. In those cases, we are the data controller.
In order to carry out the services for you, we may obtain and process the following information:
- Name, address and telephone number;
- Meter reference numbers;
- Meter readings and usage information;
- Details relating to the property, such as access information;
- Energy consumption data; and
- Details of any of employees or customer’s needs or needs of others in a household such as, age, health or vulnerability status to the extent it may be relevant for the carrying out of the services (for example a disability), to ensure that the service we provide and health and safety considerations are tailored to such vulnerability.
- In relation to your employees we may require the following:-
- Name, address and telephone number of your employees, which will normally be business contacts details, unless the employee chooses to provide us with personal contact details.
We take all necessary steps to ensure that personal information is kept safe and confidential during storage, processing and transit (where applicable).
Personal data may be held at our offices, our information processing centres and those of our third party service providers, representatives and agents.
Some of those third parties may be based outside of the UK and/or European Economic Area (“EEA”). For more information, including on how we safeguard personal data when this happens, see below “Transferring personal data outside of the UK and EEA”.
Under certain circumstances, we may be required to share personal information with our third party suppliers, partners and subcontractors who are assisting with the carrying out of the services and in connection with our business operations. These include:
- Subcontracted engineering workforce;
- Outsourced service providers (e.g. call centre services);
- Professional advisors;
- Logistics providers;
- Security providers; and
- Cloud service providers.
- We may be obliged to disclose personal information to any competent legal or regulatory authority conducting an investigation in relation to criminal activity.
We keep personal information only for so long as we need it. Once we no longer need it, we arrange for it to be deleted from our systems. Where we are required to retain personal information to allow us to maintain and manage the assets, we will do so only for so long as we have maintenance and/or management obligations. We may retain certain personal information for legal or regulatory purposes only.
In some circumstances, we might anonymise personal data (so that it can no longer be associated with an individual) and use this indefinitely.
We (or a third party who we share personal data with) might process that personal data outside of the UK and EEA. In those cases we will comply with applicable UK and EEA laws designed to ensure the privacy of personal data.
When we send data outside of the UK/EEA, we will make sure that the correct safeguards have been put in place to protect personal data, including:
ensuring that the country where any data will be transferred to is subject to an “adequacy decision” by the UK government and/or European Commission. This is to ensure that the particular country ensures an adequate level of protection of personal data under their domestic laws; or
ensuring that there are appropriate safeguards in place, together with enforceable rights and effective legal remedies; or
a specific exception applies under relevant data protection law; or
ensuring that standard, legally approved, data protection clauses recognised or issues further to Article 46(2) of the UK GDPR or EU GDPR (as applicable) are included in our contracts with those third parties.
In the event we cannot or choose not to continue to rely on either of those mechanisms at any time, we will not transfer personal data outside the UK unless we can do so on the basis of an alternative mechanism or exception provided by UK data protection law and reflected in an update to this policy.
The legal bases on which we will use personal data provided to us are as follows:
in connection with our contract with the third party who we provide services to; or
in connection with our legal obligations, including regulatory or industry regulations; or
legitimate interests; or
Individuals rights under data protection legislation
- Right to request a copy of personal information that we process;
- Right to request that personal information is updated or removed;
- Right to make a complaint to the Information Commissioner’s Office due to concerns about the way we are processing personal information; and
- Right to withdraw consent to us processing personal information.
To get in touch with us about any of the above, please email or write to our data protection officer at: firstname.lastname@example.org / Data Protection Officer, SMS plc, 2nd Floor, 48 St Vincent Street, Glasgow, G2 5TS.
If an individual is not happy with our reply to any complaint or thinks our processing of their personal data doesn’t comply with data protection law, a complaint can be made to the Information Commissioner’s Office (ICO). Just use these details: Address: Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF
Telephone number: 0303 123 1113