1. What is the new regulation on the protection of personal data (GDPR - General Data Protection Regulation) all about?
Since 25 May 2018, the General Data Protection Regulation (GDPR) has applied in all the member states of the European Union. This text deals with protecting natural persons and concerns more particularly the processing of personal data.
The above regulation is intended to give European citizens more control over their personal data, to place more responsibility on businesses and to strengthen the role of the local data protection authorities (in Luxembourg, the CNPD – Commission Nationale de la Protection des Données, the National Commission for Data Protection).
2. For whom is this notice intended?
The GDPR applies to the processing of the personal data of living persons. In the case of the Encevo Group (with its entities Enovos and Creos) these are in particular our customers, our ex-customers, prospective customers, employees and ex-employees, potential employees, suppliers, partners, etc.
Anyone whose personal data is being processed by the Encevo Group can find further information on this processing in this notice.
3. What is meant by “personal data” and “processing”?
“Personal data” or data of a personal nature:
- any information relating to an identified or identifiable natural person (“data subject”);
- an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, localisation data, an online ID or to one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of this natural person;
“Processing”:
- any operation or set of operations which is performed on personal data or on sets of personal data, in particular: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure / transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
4. What personal data do we process?
a. Personal data sent directly by the data subject
We process the personal data that you send us. This may be by phone (for example, if you call customer service to ask a question or report a breakdown), in writing (for example, if you fill in an online order form, if you send us a text or an email, if you enter a competition or download an application), electronically, or orally (for example at one of our points of sale).
b. Personal data collected by automated means
This covers data collected as part of the use of IT systems, websites or meters, as well as personal data obtained via third parties.
c. Categories of personal data
For practical reasons, the types of personal data have been grouped as follows:
- Data name: e.g. first name, surname, gender, date of birth etc.
- Contact data: e.g. phone / mobile number, fax, home address, email address, etc.
- Sensitive data: e.g. State registration number (social security number), etc.
- Financial data: e.g. bank accounts, contract number, contract type, etc.
- Monitoring data (data collected automatically from use of the service): e.g. identification of the site, IP address, information from cookies, etc.
- Behavioural data: e.g. customer path, customer preferences, etc.
- Measurement data: e.g. electricity / gas consumption, meter number, etc.
- Data on your home: e.g. presence of a surveillance system, solar panels, etc.
Via various channels, for example competitions, promotions/actions and our websites/applications, we can collect personal data on people who are not (yet) customers in order to offer these people the most relevant selection of products and services. As part of this, we guarantee your right to information and, as far as applicable, we enforce it contractually on third parties who collect your data (for us) in this context, with your consent if required by law.
5. What use do we make of the data?
We use the data to deliver the goods and services that we offer you.
More specifically, we process it solely:
- as part of the preparation or execution of our goods and services;
- as part of the preparatory measures for setting up a contract;
- as part of the execution of a contract (particularly a contract of employment), including internal processing conducted by human resources, finance, IT services, premises management, etc.;
- to comply with the statutory or regulatory provisions to which we are subject; or
- when we have received your consent.
In the circumstances described above, the data can be sent to third parties where this is necessary to achieve the aims of the processing.
The data can also be transferred to official statistical or control bodies pursuant to national or European legislation.
We pay particular attention to compliance with the principles of the GDPR (General Data Protection Regulation) by our sub-contractors that may be charged with processing personal data: we select them on the basis of criteria to be observed, bind them by contractual clauses and monitor their compliance with these rules.
We also ensure that your data is stored in countries that observe the GDPR and that are recognised as compliant by the European Commission.
6. How do we safeguard the security of your data?
We do everything necessary to safeguard your personal data and your privacy in our offices, in our shops, on our network as well as in your home.
Our associates have been specifically trained to manage confidential data, and your personal data in particular, as appropriately as possible.
As part of each project intending to process personal data, we first of all carry out an assessment of the risks and security requirements, safeguarding your interests above all. Our policy, our requirements and our management standards for the protection of information are based in particular on the international ISO 27000 standards.
On a day-to-day basis, specific people in our departments check compliance with the legislation on safeguarding your data and with our ethical ambitions, as laid out in this information notice. Other specialists in our business ensure that the security level of our network, our infrastructure and our information systems meets the high demands in this area.
Moreover, we apply all technical measures necessary to protect your personal data from access or unlawful use as well as from loss or theft. If, in spite of the various protection measures put in place, a breach of your personal data were to take place, you would be notified in the circumstances laid down by law.
The number of our associates who have access to your personal information is restricted. In addition, they only have authorisation where it is strictly necessary for the correct implementation of their tasks.
7. Do we sell data to third parties or do we transfer your data?
We may need to provide your personal data to third parties so that they can process this information on our behalf. We require these parties to agree to process this information according to our instructions and requirements, in accordance with this information notice.
Transfer of data
a) We do not sell your personal data.
b) We do not transfer personal data to third parties except where:
- It is necessary for our services.
We make some of our databases available to third parties who work on our behalf and who help us in the delivery of our products and services. For example, commercial agents, independent technicians who maintain our network and (external) customer service associates who assist our customers on a daily basis. Your data is only transmitted for the purposes for which Encevo itself processes your data and this transmission is restricted to the data which these third parties need for the task they are performing for us. We ensure that they process your data, as we do, in a secure, law-abiding manner and with due diligence, and we lay down the appropriate contractual safeguards to this effect.
- There is a statutory obligation.
- There is a legitimate interest for Encevo or the third party concerned.
We only transfer your personal data if your interests or your fundamental rights and freedoms are not overriding and you will always be informed openly (except in the case of legal exceptions). Thus, your personal data may, for example, be sent to credit controllers, to debt collection agencies and to providers of legal services.
We can disclose personal details to third parties as part of a merger, an acquisition or a sale (including any transfer carried out as part of insolvency or bankruptcy proceedings) or its affiliated companies or as part of a reorganisation, stock or sale of assets or another change in the control of the business.
- You give us your consent.
If Encevo provides personal data to third parties in other situations, it is always done with an explicit notification, giving an explanation on the third party, the purposes of the communication and the processing. If required by law, we shall ask you for your explicit consent. Some examples: according to your choice when the contract is entered into, your essential subscription data are sent to and listed in the telephone directory and/or in the files of the information service; if you opt for registration of your electronic bills, we share your bills with this third party.
c) International processing of your personal data
Where personal data is processed outside the European Union, we ensure by contractual or other means that this data benefits from an appropriate level of protection, comparable with the protection from which it would benefit in the European Union under European regulations.
d) Use of anonymous data
We use aggregate and anonymous data for commercial purposes and for internal/external reports. This data can never be linked to an identified natural person. Encevo ensures each time that third parties can never link the data that we send them to an identifiable natural person.
8. How long do we store your data?
The storage period for the data depends on the processing it undergoes.
It is fixed according to the legislation applicable to processing.
For example, your metering data relating to your contract for use can be stored for a maximum period of 15 years after the end of your contract for use (period defined by Article 3 of the Grand-Ducal Regulation of 27 August 2014 on the methods of metering electrical energy and natural gas).
9. What rights do you have?
Data protection law grants certain rights to users or data subjects. These rights are:
I. Right of access
II. Right to rectification
III. Right to erasure or right to be forgotten
IV. Right to restriction of processing
V. Right to data portability
VI. Right to object / right to oppose processing and right to withdraw your consent
I. Your right of access
You have the right to obtain from Encevo confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data and to obtain the following additional information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient (in particular recipients in third countries);
- if possible, the storage period or, if not possible, the criteria used to determine that period;
- the existence of your rights as regards privacy;
- the right to lodge a complaint with a supervisory authority;
- where we obtain personal data from a third party, any available information as to the source of the data; and
- the existence of automated decision-making.
You also have the right to obtain a free copy of the data processed in a comprehensible form. Encevo may charge a reasonable fee to cover its administrative expenses for each additional copy that you request.
II. Your right to rectification of your personal data
You have the right to obtain from us without undue delay the rectification of incomplete, inaccurate, inadequate or outdated personal data.
To keep your data up to date, we ask you in any event to tell us of any change such as a house move, change of email address or change of postal address.
III. Your right to erasure of the data (the “right to be forgotten”)
You have the right to obtain the erasure of personal data without undue delay where one of the following grounds applies:
- the personal data is no longer necessary for the purposes for which it was collected or otherwise processed by Encevo;
- you withdraw the prior consent on which the processing is based, and where there is no other legal ground that Encevo may call on for the processing;
- you object to the processing of your personal data and there are no overriding legitimate grounds for Encevo to pursue the processing;
- your personal data has been unlawfully processed;
- your personal data has to be erased for compliance with a legal obligation;
- your personal data was collected while you were still a minor.
Please be aware that we cannot always erase all the personal data requested, for example where processing it is necessary for the establishment, exercise or defence of legal claims or because we are required, for the justice and security of the State, to store the data in accordance with our retention policy. We will provide you with more detailed information on this in our answer to your question.
IV. Your right to restriction of processing
You have the right to obtain restriction of processing where one of the following applies:
- you contest the accuracy of the personal data: its use is restricted for a period enabling Encevo to verify the accuracy of the data;
- the processing of your personal data is unlawful: instead of requesting erasure of your personal data, you request the restriction of its use;
- Encevo no longer needs the personal data for the purposes of the processing, but you need it for the establishment, exercise or defence of legal claims; instead of asking for the erasure of the data, its use is limited to the establishment, exercise or defence of legal claims;
- pending a decision on the exercise of your right of opposition to processing, you request restriction of the use of your personal data.
V. Your right to the portability of personal data (“data portability”)
You have the right to “retrieve” your personal data, for example to be able to more easily change service provider. This is only possible for personal data that you have personally provided to Encevo based on consent or a contract. In all other cases you cannot, therefore, take advantage of this right (for example where the processing of your data is conducted on the basis of a legal obligation).
There are two aspects to this right:
- you can obtain the personal data concerned from Encevo in a structured, commonly used and machine-readable format and
- you can have the personal data concerned transmitted by Encevo to another data controller. In this process you are personally responsible for the accuracy and security of the (email) address that you give for the transfer. Encevo has the right to refuse your request if the transfer is technically unfeasible.
VI. Your right to object to the processing of your personal data
You have the right to object, on grounds relating to your particular situation, to processing of your personal data if the processing is done in the legitimate interests of Encevo or in the general interest. Encevo will no longer process your personal data except where Encevo can demonstrate that there are compelling legitimate grounds for the processing which override yours or if the processing of the personal data is for the establishment, exercise or defence of legal claims (for example, submitting an appeal to a court).
How can I exercise my rights regarding privacy?
Directly via our Enovos and Creos customer services or via the dedicated access request form. To exercise your right of access and to prevent any unlawful publication of your personal data, we have to verify your identity. In case of doubt or uncertainty, we will first of all ask you for some additional information.
Are there fees for this?
You can exercise your rights concerning privacy free of charge unless your request is clearly unfounded or excessive, particularly because of its repeated nature. In this case, we have the right and the choice – in accordance with the legislation relating to protection of privacy – (i) to charge you a reasonable fee (taking into account administrative expenses connected with providing the information or the communication requested and fees connected with taking the actions requested) or (ii) to refuse to follow up your request.
In what form will I receive a reply?
If you make your request electronically, the information will if possible be transmitted electronically except where your request stipulates otherwise. In any case, we will send you a concise, transparent, comprehensible and easily accessible reply.
When will I receive a reply?
We respond as quickly as possible to your request and in any case within the month following receipt of your request. According to the complexity of the requests and their number, this deadline may if necessary be extended to two months. In the event of extension of the deadline, we will inform you in the month following the receipt of the request.
What can I do if Encevo does not follow up my request?
We will always inform you, in our reply, about the option of complaining to the supervisory authority and of appealing in court.
10. How do we facilitate the exercise of your rights?
Who are the contact persons at the Encevo Group for your personal data?
Feel free to contact our point of contact (Data Protection Officer – DPO) for any sort of questions:
- Enovos Luxembourg: Michel Brimeyer,
- Creos Luxembourg: Marie-Hélène Bertinchamps,
- Encevo: Jan Ricken,
- Creos Germany: Markus Hesse,
- Enovos Germany: Dr Hartmut Voelskow,
11. Escalating to the supervisory authorities
For complaints relating to the processing of your personal data, you can contact the Data Protection Authority:
Commission Nationale pour la Protection des Données (CNPD)
1, avenue du Rock’n’Roll
Tel: +352 2610 60 1
Fax: +352 2610 60 29