Your privacy

What is this and why should I read this?

SmartestEnergy Limited and SmartestEnergy Business Limited (‘SEL’, ‘SEBL’, ‘we’ ‘us’) are committed to protecting the privacy and security of your Personal Data, and we want to ensure you understand your rights and our responsibilities when it comes to your Personal Data.

This data privacy notice (‘Notice’) describes how we handle your Personal Data throughout our relationship, whether you are a client or prospect, a potential business partner, or just a member of the public. As such, both your engagement with us online, as well as contractually through any business dealings, are covered by this overarching data privacy notice. This is also held on our website for all to access.

We have tried to keep this notice straight forward with related sub-headings to help you navigate to the relevant sections. Please read below for more information and contact us if you have any questions.

You can also download a pdf version of the notice here.

What if I have questions or concerns?

Our Data Privacy Manager is responsible for overseeing and coordinating our privacy program. If you ever have any questions or concerns about how we handle your Personal Data, please contact:

Head of Data Protection & Privacy
SmartestEnergy Limited
Brooke Lawrance House
80 Civic Drive
Ipswich
Suffolk
IP1 2AN
Tel: +44 (0)1473234136
Email: [email protected]

Our commitment to your privacy (Personal Data Processing Principles)

Regardless of where, why or how we obtain or process your personal data, we comply with Data Protection Law (DP Law). DP Law protects ‘Data Subjects’ in the UK and EU by imposing stricter obligations on ‘Data Controllers’ and ‘Data Processors’ when we process personal data. See below for a glossary of these terms.

DP Law applies to any data that might identify you, wherever or however we got it, whatever we do with it and wherever we process it, even if someone else processes it on our behalf, and even if we send it outside the European Economic Area (EEA).

This means that whenever we process your personal data we do so

  • Lawfully: Only if we can justify it on one of the following Lawful Bases:
Lawful Bases What this means
Consent You have given us permission, which you can withdraw at any time. We need your explicit consent to process sensitive data like health-related data (special data) or to transfer your personal data outside the EEA where we don’t have another basis for doing so, or for any Automated Decision Making (‘ADM’) that has significant legal or other effects.
Legitimate Interests To help fulfil a legitimate business objective (see the ‘Why’ column of the Your Data At-a-Glance chart) after confirming we’ve only used what’s reasonably necessary and proportionate to meet that objective and struck the right balance between our interests and yours (Legitimate Interests Assessment (LIA)). Generally speaking, we have a Legitimate Interest in Processing Personal Data to operate our business, generate leads and sales, make sure our relationship with you runs smoothly, and protect the personal and commercial data we hold by securing our network and information systems.
Contractual Necessity To enter into or fulfil our contract, including to generate a quote.
Legal Obligation To comply with the law (e.g. tax reporting, anti-corruption).
Vital Interests In rare instances where one of the others don’t apply but we need your personal data to protect your vital interests or those of another person.
Public Task The processing is necessary to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  • Fairly and transparently: we strike the right balance between our interests and yours and we tell you what we do with your personal data.
  • For a specific purpose: we won’t use your personal data for another incompatible purpose unless the law permits or requires us to.
  • Using the least amount reasonably necessary.
  • Ensuring it is accurate, complete and up-to-date.
  • For a limited time: Only for as long as reasonably necessary, and then we either destroy it or de-identify it so it can’t be linked back to you.
  • Securely: managing our people and designing our processes and technology to ensure end-to-end confidentiality, integrity and availability.
  • Within the UK/EEA: we don’t transfer your personal data outside the EEA except as permitted under DP Law. We use appropriate safeguards for consistent protection and ensure third parties we rely on do so as well.
  • With your rights in mind: We make it easy for you to exercise your rights (see Your Rights, below).

The types of personal data we process about you are grouped under the following categories:

Category of Data Details
Prospects Lists of potential contacts within companies we wish to target derived from social media, internet research and your profile on your company website. We also check for matches between this prospect list and individuals who have registered for webinars or downloaded educational content from our website to gauge level of interest and engagement to identify marketing and sales leads.
Web analytics Standard internet log information and visitor behaviour patterns obtained using Google Analytics and other tools (see our Cookie Notice): pages visited, time on page, interactions / clicks. Processed in aggregated form in ways that can’t be used to identify you. We don’t permit anyone to reverse engineer the data to identify individuals.
Website Content Management System Our website is powered by Umbraco, which provides the Content Management System on which our site is built. Search queries and results are logged anonymously to help us improve our website and search functionality. See Umbraco’s Privacy Notice here.
Cookie data We use a cookie tool on our website powered by Cookiebot which by default requires explicit action by website visitors to opt-in or opt-out of cookies. Find out more in our Cookie Notice.
Technical data Internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, smartphone MAC address, and other technology on the devices you use to access our website or Network and Information Systems (i.e. if you use our Wi-Fi).
Engagement data Engagement with our website and educational content: webinars registered for and viewed, questions submitted, length of viewing, video playback, repeat visits, downloads, newsletter subscriptions (e.g. Informer), marketing emails read / unread, frequency and recency, all of which we use to generate an ‘engagement score’ to determine whether you are a possible lead.
Basic ID First name, last name, or similar identifier, title, role, company (if applicable), date of birth (‘DOB’) where relevant, and gender.
Contact data Billing address, delivery address, email address and telephone numbers, entry codes if applicable.
Marketing Your preferences in receiving marketing from us – including do-not-call and unsubscribe requests (suppression lists). Our online forms are powered by Pardot (a Salesforce company). Contact information you input is captured by Pardot to make it easier for us to communicate with you (if you consent).
Financial data Bank account and payment card details, invoices, financial statements and accounts, business history (e.g. previous businesses and filing / compliance history) insofar as it relates or can be linked to an identifiable individual (e.g. a sole proprietor, a franchisee, a generation client, a partner, a Person of Significant Control or non-resident principal / director, shareholders undergoing a credit risk assessment or anti-bribery check). It does not refer to company account details.
National ID Passport number, driver’s licence, national insurance number, citizenship or immigration / visa status, residency status.
Credit risk details Application information you or your broker provides; letters of reference, letters of credit, for the purposes of screening in accordance with the Company’s Bribery Rules, publicly available information about your business and business history with different companies and relevant filing history, statements of account on Companies House, risk intelligence through online database subscription services [Bureau van Dijk / Dow Jones / Thomson Reuters World Check…], Google searches, partnership agreement if applicable, credit risk scores we generate using the foregoing. foregoing. This includes data considered Criminal Records Data under DP Law.
Regulatory Compliance Checks Due diligence reviews for Anti-Corruption, Anti-Bribery, Anti-Money Laundering regulations: rumours of corruption or bribes, proof of address and ID for know-your-client requirements, risk intelligence through online database subscription services [Bureau van Dijk / Dow Jones / Thomson Reuters World Check…], Google searches. 
Customer service & profile data Contract details, payments to and from you and other details of services you have purchased from us or for which you have sought a quote, customer service interactions, complaints, customer portal activity and content, login credentials [in encrypted format], correspondence, notes Sales or Customer Service team or other personnel input into our databases relating to you interactions. Again, this would be data linkable to an individual, not the company itself.
Website security & performance We host our website on Microsoft Azure and use it to help maintain the security and performance of our website.
Feedback Personal Data we receive in relation to third-party surveys in which you’ve participated to share your views regarding our products and services or your electricity/generation needs; complaints, compliments or enquiries you make to customer service via phone or through our website.
Electricity/Gas usage and consumption data, generation data / energy transactions Personal Data we receive or generate in connection with matters for which you’ve sought our expertise or services, such as asset optimisation or flexible energy solutions, independent generation and market access, trades, metering data, insofar as the data can be attributed to an identifiable individual (e.g. a small generator, a sole proprietor or franchisee).
Recruitment details Personal Data of individuals who apply to work with us or inquire about joining our team. When you’re a candidate, recruit or agency worker, we collect Personal Data about you directly from you through the application and recruitment process (when you email or upload a CV or enquire about opportunities, or from one of our recruitment agencies, through the employee placement agency that placed you with us if you’re a contractor, or through our refer a friend scheme. SmartestEnergy use Teamtailor for managing recruitment activities and applicants can ‘self-serve to manage their preferences, consent & access to data via the Data & Privacy section).
Suppliers & Partners Consultants, suppliers, freelancers contact details, professional backgrounds, contracts and agreements, correspondence, engagement / productivity, Financial Data (see above).
ECOES (Electricity Central Online Enquiry Service) This is a market information system which holds data that is used to support the electricity customer transfer process in Great Britain.
Smart Meter Data

Processing of Smart Meter Data & Advanced Meter Data for billing and settlement purposes: consumption data at monthly, daily and half-hourly granularity, MPAN.
As of 1st December 2022, customers with a Smart meter can request access to their consumption data for free. If you would like to submit a request, please email your Customer Service Executive with the following information: Company name; Account number; and MPAN number(s).

If you are you a Third Party, requesting this information on behalf of your client, please attach a letter of authority as proof of consent from your customer.

Your Data At-a-Glance

Our table below summarises what information we collect, why and how we use it and who we share it with. If we need to use your personal data for an unrelated purpose, we will notify you, explaining the Lawful Basis.

Why What From Whom Lawful Basis With Whom
To generate leads, deliver great content, and get in touch

Identity

Contact

Marketing and Communications preferences

Meter point information & consumption data relating to previous SEL & SEBL customers

You (business card, email)

Your contacts (referrals, intros)

Data brokers or aggregators

Publicly available information (Social Media)

Conference attendee lists
Legitimate Interests (to grow our business) Marketing and Sales Personnel

Directors

Senior Management

Vendors who help deliver our services

External consultants
To facilitate the customer transfer process and ensure we maintain accurate information about your meter point Identity

Contact

Meter point Information

Consumption Data

You

ECOES

Distribution Network Operator

Your previous Supplier

Meter Operator

Data Collector

Data Aggregator

Legitimate Interests (to operate our business with you)

Contract

Customer Service

Sales

Renewables

Trading

Metering and Settlements

Utiligroup

 

To register you as a new member, subscriber or customer Identity

Contact

Marketing and Communications preferences
You Contract

Legitimate Interests (Direct marketing)
Marketing, Sales and Customer Service personnel

External consultants
To respond to an enquiry, process your order, finalise a transaction, resolve a dispute & monitor customer service performance

Identity

Contact

Financial

Transactions

Debt information

Technical

Information about matters for which you require our assistance

Voice recordings (calls to our offices)

Written communication (letters, e-mails)

You

Account Managers (who manage the customer relationship)

Customer Service or Sales personnel

Trading Team

Compliance and Regulation Team
Contractual Necessity (e.g. responding to an enquiry, issuing an alert, processing a transaction)

Legitimate Interests (recover payments; protect our business; meet client needs)

Customer Service/ Sales and Marketing personnel

Trading Team

Vendors who help deliver our services

3rd party payment card service

3rd party debt collection agencies

Finance Team

IT administrator on a need-to-know basis (‘Help Desk’)

External consultants

For SmartestEnergy Business Limited: Third party Customer Service provided by Amplify5 Limited 

To confirm identity, address, residency, screen against fraud or sanctions lists, and address money laundering and credit risks Identity

Profile

Financial data
You (passport or government ID; proof of address; tax / National Insurance number)

Know-Your-Client services, credit check services, references, your financial institution

Internet research and public sources e.g. Companies House
Legal Obligation (Anti-Money Laundering, Sanctions, Know-Your-Client laws)

Legitimate Interest (to protect our business)
Operations / internal audit and finance personnel/internal credit risk team

Vendors providing credit check, background check and identity verification services

Insurers and underwriters

External consultants
To manage our relationship with you and deliver what we promised Identity

Contact

Profile

Usage

Client Data

Consumption data

Meter point information
You

Website (e.g. forms)

Account Managers

Agents who are appointed to deliver our services

Distribution Network Operators and Independent Distribution Network Operators
Contractual Necessity (fulfil our contract with you)

Legal obligation (notify you of privacy updates)

Legitimate Interests (feedback; QA; reputation management)
Customer Service and Sales personnel

Vendors who help deliver our services

Agents who are appointed to deliver our services such as Meter Operators, Data Collectors (meter readers) and Data Aggregators

External consultants
To provide access to web-based services and content that we offer under license. Identity

Contact
You Legitimate Interests (to protect our business) External vendors who help deliver the web-based services
To manage our finances, generate and manage invoices, produce accounting, audit and sales reports, and manage credit Financial Data

Transaction Data
You

Us (internal reports, spreadsheets, software, email)
Contractual Necessity

Legitimate Interests (to optimise our finances, set the right price, forecast)
Finance team

External accounting services

External auditors

Insurers

External consultants
To run marketing campaigns Identity

Contact

Profile

Usage (Open, read, unread to confirm engagement)

Marketing and Communications preferences
You

Marketing platform (our website and email delivery system)
Consent (B2C)

Legitimate Interests (soft opt-in; solicited; B2B)
Marketing personnel

External marketing team / providers

CRM provider

Marketing platform provider

External consultants
To comply with marketing and cookie rules Identity

Contact

Marketing and Communications preferences
You

Marketing platform

Cookie Dashboard provider
Legal Obligation (GDPR and PECR rules on direct marketing and cookies) Marketing personnel

External marketing team / providers

External consultants

See our cookie policy for detail
To measure effectiveness of marketing campaigns and optimise future campaigns Usage

Technical

Marketing and Communications preferences
You (enquiries, Google Analytics, engagement)

Marketing platform

External consultants who use aggregated data: Google Analytics (anonymised); Conversion / engagement statistics; Open, read, unread unsubscribe statistics)
Legitimate Interests

(develop our business and inform our marketing strategy)
Marketing and Sales personnel

Analytics specialists

Analytics provider

Search Engine Optimisation specialists

External marketing team

Vendors providing marketing platforms and CRM
To improve our services and products Identity

Profile

Usage

Voice recordings

Call notes
You (Voice recordings, surveys)

Customer Service (call notes)

Publicly available information

Media monitoring services

Survey provider (DJS Research)
Legitimate Interests (define customer segments for our products and services, keep our website and communications updated and relevant, develop our business and inform our marketing strategy)

Customer Service and Sales Personnel

Marketing and sales consultants

Product Development Personnel

Survey Provider (Identity and Contact Data)
Recording and processing customer complaints (via Salesforce)

Basic ID

Employee details- team/dept.

Customer contact details

Details of Complaint

Address

Details of Dispute

Customer

SEL/SEBL Employee

Line Manager

Department Head
Contractual Necessity

Legal Obligation

Legitimate Interests (to improve and maintain high Customer Service standards)

Relevant SEL/SEBL department i.e.:

HR

Compliance and Regulation Team

Customer Services

Line Manager

Department Head

Board and Senior Management

Ombudsman

To analyse and optimise website use and performance Identity

Usage

Profile

Technical

Marketing and Communications preferences
You (clicks, and other interactions, number and duration of visits, social sharing, links to our website and cookies we place on 3rd party sites, cookies and beacons)

Analytics services (aggregated)
Legitimate Interests

(to study how visitors use our website and engage with our communications channels)
Marketing personnel

External marketing team / providers

External consultants

See our cookie policy for detail
To deliver relevant website content and understand the effectiveness of communications and educational content such as webinars Identity

Contact

Technical

Usage

Profile (limited automated processing of your viewing behaviour and website to generate an engagement score to identify leads)

Marketing and Communications preferences
You (survey, preference form)

Analytics

Profiling (based on website use)

Matching what we know / have deduced about you with broader consumer profiles created through data analytics and market research
Legitimate Interests (to study how customers or visitors use our products / services, to develop them, to grow our business and to inform our marketing strategy) Analytics specialist

External analytics consultants

Vendors providing marketing and sales platforms

CRM database provider
To administer and protect our business and the security of our Network and Information Systems (NIS), including our website Identity

Contact

Technical

Usage
You

Technical data from your use of our NIS (to monitor activity not people and only consider individual activity if further action / investigation required)

Alerts from third-party tools to “out of policy”, or suspicious activity
Legitimate Interests (establish baseline or ‘normal’ activity patterns; identify abnormal activity

Legal Obligation
IT administrator

External IT security provider

Cybersecurity services provider
To investigate criminal wrongdoing or assist law enforcement (rarely) Any of the categories of information we already have about you.

Publicly available information

Court-ordered or regulator-ordered disclosure

You Publicly available information

Third parties permitted by law to share the information, e.g. in response to a subpoena or
Legal Obligation

Legitimate Interests
Strictly need-to-know personnel and the third parties involved in disclosure (law enforcement, external legal counsel, forensics experts, auditors, external investigators)
To comply with our Supply Licence obligations to detect and prevent theft of electricity and gas Identity

Contact

Energy Consumption

Meter point details
Data held in our customer services database Legal Obligation

The Theft Risk Assessment Service (TRAS)

Allocation of Unidentified Gas Expert (AUGE)

Elexon

To manage Change of Tenancy instances and offer suitable alternative contract options for customers on deemed rates MPAN, Customer name, Profile class (HH, NHH)
Monthly consumption Annual consumption (EAC)
Contact name
Contact number Contact email
SEL
You
Legitimate Interests

SEBL Sales Team
SEBL Customer Services

Provision of Data to RECCo:
To ensure the ongoing and disruption free access to the ECOES database by ECOES users, allowing the ongoing provision of services
ECOES database: MPAN Core, Metering point address, Postcode MRASCo
SEL
Legitimate interest

Retail Energy Code Company Limited (RECCo)

To ensure that contracts held by bill payers can continue to be administered and enacted

GDCC database: Green Deal MPAN Core, Bill Payer Name & Address

 

Contractual Obligations.

 

To allow RECCo to have a historical overview of audits in the case of issues going forward.

Audit Reports: Name, Address, MPAN

 

Legitimate Interest     

 

To provide accurate forecasting and pricing

Historic consumption data, MPAN, MPRN, MSN, Site Address

Electralink

Contract (existing customers) Legitimate Interests (potential customers)

SEL IT, Forecasting & Trading

Processing of Smart Meter Data & Advanced Meter Data for billing and settlement purposes

Consumption data at monthly, daily and half-hourly granularity, MPAN

You – SEL & SEBL customers

Contract

Legal Obligation: Supply Licence Conditions

SEL & SEBL Billing, Settlement, Finance teams

To support administration of the Energy Bills Support Scheme (EBSS)

MPAN,  whether you have received and redeemed each EBSS payment and data about your meter point including your billing cycle and how you pay your bill

You – SEL & SEBL customers

Task carried out in the public interest, under Article 6(1)(e)) of GDPR and in the exercise of official authority vested in the Secretary of State for BEIS.

Department for Business, Energy and Industrial Strategy (BEIS) - now known as the Department for
Energy Security
& Net Zero (DESNZ)

To support administration of the Energy Bills Relief Scheme (EBRS) and the Energy Bills Discount Scheme (EBDS)

Meter Point Administration Number (MPAN or MPRN in NI) – electricity meter number
Meter Point Reference Number (MPRN or MPAN in NI) – gas meter number
business name
meter addresses
billing addresses
Unique Property Reference Number (UPRN)
aggregated meter consumption data
data about each meter (for example profile class, energisation status)
data about how the meter point is billed (for example contract start date, contract end date, billing cycle, tariff type and payment in arrears status)
energy bill amount
subsidy provided on bills
data about the business (for example sector, turnover and organisation size)

You – SEL & SEBL customers

Task carried out in the public interest, under Article 6(1)(e)) of GDPR and in the exercise of official authority vested in the Secretary of State for BEIS.

Department for Business, Energy and Industrial Strategy (BEIS) - now known as the Department for 
Energy Security 
& Net Zero (DESNZ) 

(BEIS Privacy Notice here) 

Fit and Proper Person Declaration Form for new appointments (internal or external) for persons who are to be appointed into a role which is classed as SMRI or PSC – typically VPs or C-suite. 

 

SmartestEnergy Fit and Proper Persons Declaration Form, including: Signature Name Job role 

SEL & SEBL VP and C-Suite level candidates 

Legal Obligation – Ofgem requirement) 

Compliance & Regulation  

HR  

Ofgem 

Recruitment- New starters and internal roles

Basic ID
Contact
Referee details
Recruitment (all information gathered through the process)
Interview & reference check notes

CV information

Optional Equal Opportunities Survey answers (via Teamtailor)

You
Your References
SEL/SEBL hiring team HR

Contractual Necessity

Legal Obligation (Employment Law & Equal Opportunities)

HR personnel
Line manager
Hiring Team
Recruitment Agency

Teamtailor

BambooHR

Making and negotiating an employment offer, Acceptance of employment offer

Recruitment
Compensation & Benefits
Employment details (Offer)
Declarations / Acknowledgments
Correspondence (if negotiated)

You
HR
Line Manager

Contractual Necessity

HR personnel
Relevant Line Manager
Marubeni Payroll
Finance personnel

BambooHR

Teamtailor

How do you strike the right balance when you rely on Legitimate Interests?

We conduct Legitimate Interests Assessments (LIA’s) whenever we rely on Legitimate Interests and, where appropriate, Data Protection Impact Assessments (DPIAs). You can obtain more detailed information by contacting our Privacy Manager.

For example, we do some limited profiling to target products and services to you that we’re quite confident your company will like and avoid bombarding you with those you won’t. To do this, we need to learn more about you and your preferences, your role in the company, in addition to company data such as your company’s energy needs. We ensure we have appropriate safeguards to prevent this information from being misused and ensure we strike the right balance:

  • Only what we need - We use aggregated or pseudonymised data as much as possible to create profiles and segments and match them to our products and services. Then, we use Pardot to assign an engagement score based on your viewing behaviour (e.g. whether you watch an entire webinar or leave early, how often you register for content or download our materials), your use of our website if you have opted into marketing and targeting cookies, or other information you provide directly or indirectly to us, e.g. through a query, online form or conversation. Based on that engagement score and our analysis of your preferences and your sector, we identify products and services that are likely to be of greatest interest to you in light of your role within your company or the industry and determine when (or if) to contact you for business development purposes.
  • When we need it and only by those who need it - 
    • Our Customer Service, Billing teams and Finance team only see what they need to answer your billing and customer service queries.
    • We never let third parties use your information for their own purposes, and we prevent this by giving them only what they need and as little Personal Data as possible, by pseudonymising and encrypting it wherever possible to protect your identity.
  • We’ve built in privacy and security - We conduct Data Protection Impact Assessments (DPIAs) where appropriate and use what we learn to implement Data Protection by Design and Default into our business.
  • Even so, it’s optional - You can object to this activity by opting out at any time. Simply disable targeting / marketing cookies on our Cookie Dashboard (see our Cookie Notice here for more information). Tell us you no longer want to receive marketing calls or emails and we’ll remove you from our list immediately.

However, in certain cases (outside marketing) our Legitimate Interests may override yours. For example, to conduct due diligence reviews for potential fraud or an unacceptable level of credit risk.

What happens if you can’t get this Personal Data?

If we can’t process this Personal Data, or if it’s inaccurate, we may not be able to perform the contract we have entered into with you (e.g. proceed with your application), or we may be prevented from complying with our legal obligations (e.g. doing our due diligence under Anti-Money Laundering rules). If we aren’t able to get profile, technical, usage and marketing and communications data (e.g. click and view data, customer feedback, page visits) it will be difficult for us to optimise our services or meet consumer demands and serve up content we think you’ll like. This means you might either receive communications that aren’t suited to you, or you may miss out ones tailored to you, like alerts for educational content or the latest industry developments.

What about sensitive Personal Data (Special Data) and Criminal Records Data?

Special Data requires higher levels of protection. Our internal Data Protection Policy combined with appropriate safeguards and controls ensure we only collect, use or share Special Data where reasonably necessary and where the law allows or requires us to do so.

We do not process Criminal Records Data, though we do run DBS checks for certain contractors.

We rarely process Special Data, unless:

  • You have given your explicit written consent;
  • We need to carry out our Legal Obligations or prepare for or defend legal claims; or
  • Where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent (Vital Interests), or
  • Where you have already made the information manifestly public.

What about third-party links, plug-ins, content or cookies on your website:

If you click on a link to third-party content, or like or share specific content, this will either take you to those third-party sites or applications or send your Personal Data to that third party related to your click. We have no control over their use of your Personal Data in this regard. However, we do get aggregated data about clicks and shares which are not attributable to individual visitors. We encourage you to read the Data Privacy Notice of websites you visit. See our Cookie Declaration for a list of Third-Party cookies and trackers at https://www.smartestenergy.com/cookie-declaration/ and links to their Privacy Notices.

Who else can see my Personal Data?

Need-to-know is the default…

Within the company… Only those individuals within our company or the third parties listed under the ‘With Whom’ column of the At-a-Glance table can see or access your Personal Data, and they only Process the specific data they need to fulfil their tasks. We have implemented internal measures to enforce this need-to-know access and to ensure those who do Process it do so on our instructions and under a duty of confidentiality.

We will share your Personal Data with our parent company and sister businesses within the Marubeni group, as appropriate, as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, for system maintenance support and hosting of data.

With our service providers and vendors… We do not allow our third-party service providers to use your Personal Data for their own purposes. We only permit Processors to Process your Personal Data for specified purposes and in accordance with our instructions. We minimise how much of your Personal Data needs to be transferred to ensure this objective is met.

We do not share the outcome of our credit risk assessments with our insurer. The insurance company will conduct its own due diligence and let us know whether they are prepared to offer cover for your contract.

If your details have been provided to us by an agent or broker, we will only inform your broker of our ultimate decision to accept or deny your application. We won’t share details of our credit risk assessment with your broker without your written consent.

Wherever we Process your Personal Data jointly with another Controller (Joint Controller), we establish clear lines of accountability to ensure your rights are respected and our obligations are met, and we adhere to the principles and approach we mention in this document to minimise how much Personal Data we use.

In all cases, we require third parties to respect the security of your Personal Data and to treat it in accordance with DP Law through binding contracts.

Do you share my Personal Data with other third parties?

If we sell or restructure all or part of the business, we will share some of your Personal Data with other third parties in the context of the transaction. In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes. Once the transaction is completed, we will share your Personal Data with the other parties if and to the extent required under the terms of the transaction and on the basis of Legitimate Interests. This ensures seamless service for you, regardless of who owns the business, and data due diligence by us. We will notify you in such circumstances and you may object to this transfer.

We may also need to share your Personal Data with a regulator or to otherwise comply with the law. This may include making returns to HMRC, disclosures to financial services regulators and disclosures to shareholders such as directors’ remuneration reporting requirements.

Do you transfer my Personal Data outside the EEA?

We primarily Process your Personal Data – including back-ups and archives - in the EEA and in countries the UK has recognised as providing adequate levels of protection (Adequate countries), specifically Japan. Where we work with third parties that necessitate data transfer, we use appropriate safeguards for consistent protection and ensure the third parties that we rely on do so as well. 

Is my Personal Data secure?

We’ve implemented measures to prevent your Personal Data from accidental loss, unauthorised use, access, alteration or disclosure. We’ve implemented procedures and safeguards to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where legally required to do so. Details of these measures are available upon request.

How long will you use my Personal Data?

We will only retain your Personal Data for as long as necessary to fulfil the purposes we mentioned in our At-a-Glance table, including to satisfy any legal, accounting, or reporting requirements. This will vary according to the Personal Data involved and the purpose.

We consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we use it, whether we can achieve those purposes through other means, and the applicable legal requirements. To illustrate:

  • We generally hold onto Financial Data for 7 years to satisfy tax and corporate reporting requirements.
  • We hold onto identifiable Marketing Data for 1-year post-campaign.
  • We retain our suppression lists (do-not-call / unsubscribe) because we have an ongoing legal obligation under Direct Marketing rules.

In some circumstances we may aggregate or anonymise your Personal Data so that it can no longer be associated with you, in which case we may use it without further notice to you. We do this for purchasing statistics, historical operations data, or to analyse sales and marketing trends. For more information on our Data Retention Policy please contact the Privacy Manager.

What rights do I have over my Personal Data?

You have various rights with respect to your Personal Data:

Right What this means
Access Receive a copy of the Personal Data we hold about you and confirm we’re lawfully Processing it by making a Data Subject Access Request (DSAR). It’s free of charge unless your request is clearly unfounded or excessive.
Rectification Ask us to update, complete or correct your Personal Data at any time if you detect an inaccuracy. In fact, we encourage you to do so.
Portability Get any Personal Data you’ve given us in electronic form on the basis of Consent or Contractual Necessity in a common machine-readable format. We can also transfer it to a third party if you ask.
Erasure Ask us to delete or remove Personal Data where there is no good reason or Lawful Basis for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have exercised your right to Objection. We are allowed to refuse in certain circumstances. Find out more, here.
Objection Object to any Processing we do based on Legitimate Interests. You also have the right to object where we are processing your Personal Data for direct marketing purposes.
Automated processing Not to be subject to automated decision-making without human intervention that has significant legal or other affects.
Restriction Suspend the Processing of some of your Personal Data, for example if you want us to establish its accuracy or the reason for processing it.
Withdrawal of consent Withdraw consent at any time and we will stop Processing it unless we have another legitimate basis for doing so in law. Where we rely on your consent we also explain how you can easily withdraw it.

We will need to confirm your identity to confirm your right to access the information or exercise any of your other rights. This is to prevent Personal Data being disclosed to anyone who has no right to receive it.

You can find out more about your rights by visiting the Information Commissioner’s Office website.

How can I make a complaint?

If you are unhappy with the way we handle your personal data, we encourage you to contact our Data Protection Team first, so we can try to promptly address your concerns:

Head of Data Protection & Privacy
SmartestEnergy Limited
Brooke Lawrance House
80 Civic Drive
Ipswich
Suffolk
IP1 2AN
Tel: +44 (0)1473234136
Email: [email protected]

You may complain to the Information Commissioner’s Office. You can find details here.

Glossary

Right

What this means

Data Subject

A living individual. We’ll just say ‘you’, ‘your’ or ‘individuals’ in this Notice.

Data Controller

The person or entity that decides what, how and why to Process Personal Data. We’ll use ‘we’ ‘our’ and ‘us,’ since we’re the Data Controller.

Data Processor

The person or entity that Processes Personal Data on behalf of a Data Controller according to their instructions.

Data Protection Law (DP Law)

The General Data Protection Regulation (GDPR), the UK Data Protection Act 2018 (DPA 2018), the Privacy and Electronic Communications Regulation 2003 (UK PECR), and other data protection legislation, as amended from time to time.

Joint Controller

A person or entity that decides what, how and why to Process Personal Data jointly with another Data Controller.

Process or Processing

Anything we do to Personal Data throughout its lifecycle: generating, scraping, collecting, sharing, storing, accessing, deleting, recording, organising – whether manually or using automation.

Personal Data

Any information relating to an identifiable individual, even if we don’t know their name. That means that any data that, alone or with other information, can be used to figure out who an individual is or to target or impact an individual – like location, IP address, ID number, image or voice, or identifiable cookies – is likely to be Personal Data. Even Personal Data that’s been ‘pseudonymised’ (i.e. identifiers have been stripped away but the pseudonym could be reverse-engineered or linked back to the individual) is Personal Data.

Special Data

Special categories of more sensitive Personal Data that requires a higher level of protection, such as information about a person’s health or sexual orientation. Special Data is subject to more stringent safeguards, and we’re only allowed to Process it in certain cases.