FAQ GDPR

1. What is the new regulation on the protection of personal data (GDPR – General Data Protection Regulation) all about?

From 25 May 2018, the General Data Protection Regulation (GDPR) is applied in all the member states of the European Union. This text deals with protecting natural persons and concerns more particularly the processing of personal data.

The above regulation is intended to give European citizens more control over their personal data, to place more responsibility on businesses and to strengthen the role of the local data protection authorities (CNPD – Commission Nationale de la Protection des Données au Luxembourg (National Commission for Data Protection in Luxembourg).

2. For whom is this notice intended?

The GDPR applies to the processing of the personal data of living persons. In the case of the Encevo Group (with its entities Enovos and Creos) these are in particular our customers, our ex-customers, prospective customers, employees and ex-employees, potential employees, suppliers, partners, etc.

Anyone whose personal data is being processed by the Encevo Group can find further information on this processing in this notice.

3. What is meant by “personal data” and “processing”?

“Personal data” or data of a personal nature:

“Processing”

4. What personal data do we process?

a. Personal data sent directly by the data subject

We process the personal data that you send us. This may be by phone (for example, if you call customer service to ask a question or report a breakdown), in writing (for example, if you fill in an online order form, if you send us a text or an email, if you enter a competition or download an application), electronically, or orally (for example at one of our points of sale).

b. Personal data collected by automated means

This is the case as part of the use of IT systems, websites or meters and personal data obtained via third parties.

c. Categories of personal data

For practical reasons, the types of personal data have been grouped as follows:

5. What use do we make of the data?

We use the data to deliver the goods and services that we offer you.

More specifically, we process it solely:

In the circumstances described above, the data can be sent to third parties where this is necessary to achieve the aims of the processing.

The data can also be transferred to official statistical or control bodies pursuant to national or European legislation.

We pay particular attention to compliance with the principles of the GDPR – General Data Protection Regulation by our sub-contractors that may be charged with processing personal data, by selection on the basis of criteria to be observed, by contractual clauses and by monitoring compliance with these rules.

We also ensure that your data is stored in countries that observe the GDPR and that are recognised as compliant by the European Commission.

6. How do we safeguard the security of your data?

We do everything necessary to safeguard your personal data and your privacy in our offices, in our shops, on our network as well as in your home.

Our associates have been specifically trained to manage confidential data, and your personal data in particular, as appropriately as possible.

As part of each project intending to process personal data, we first of all carry out an assessment of the risks and security requirements, safeguarding your interests above all. Our policy, our requirements and our management standards for the protection of information are based in particular on the international ISO27000 standards.

On a day-to-day basis, specific people in our departments check compliance with the legislation on safeguarding your data and on our ethical ambitions, as laid out in this information notice. Other specialists in our business ensure that the security level of our network, our infrastructure and our information systems meets the high demands in this area.

Moreover, we apply all technical measures necessary to protect your personal data from access or unlawful use as well as from loss or theft. If, in spite of the various protection measures put in place, a breach of your personal data were to take place, you would be notified in the circumstances laid down by law.

The number of our associates who have access to your personal information is restricted. In addition, they only have authorisation where it is strictly necessary for the correct implementation of their tasks.

7. Do we sell data to third parties or do we transfer your data?

We may be caused to provide your personal data to third parties to process this information on our behalf. We require that these parties accept to process this information according to our instructions and requirements in accordance with this information notice.

Transfer of data

a) We do not sell your personal data.

b) We do not transfer personal data to third parties except where:

c) International processing of your personal data

Where personal data is processed outside the European Union, we ensure by contractual or other means that this data benefits from an appropriate level of protection, comparable with the protection from which it would benefit in the European Union under European regulations.

d) Use of anonymous data

We use aggregate and anonymous data for commercial purposes and for internal/external reports. This data can never be linked to an identified natural person. Encevo ensures each time that these parties can never link this data that we sent them to an identifiable natural person.

8. How long do we store your data?

The storage period for the data depends on the processing it undergoes.

It is fixed according to the legislation applicable to processing.

For example, your metering data relating to your contract for use can be stored for a maximum period of 15 years after the end of your contract for use (period defined by Article 3 of the Grand-Ducal Regulation of 27 August 2014 on the methods of metering electrical energy and natural gas).

9. What rights to you have?

Data protection law grants certain rights to users or data subjects. These rights are:

I. Right of access

II. Right to rectification

III. Right to erasure or right to be forgotten

IV. Right to restriction of processing

V. Right to data portability

VI. Right to object / right to oppose processing and right to withdraw your consent

I. Your right of access

You have the right to obtain from Encevo confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data and to obtain the following additional information:

You also have the right to obtain a free copy of the data processed in a comprehensible form. Encevo may charge a reasonable fee to cover its administrative expenses for each additional copy that you request.

II. Your right to rectification of your personal data

You have the right to obtain from us without undue delay the rectification of incomplete, inaccurate, inadequate or outdated personal data.

To keep your data up to date, we ask you in any event to tell us of any change such as a house move, change of email address or change of postal address.

III. Your right to erasure of the data (the “right to be forgotten”)

You have the right to obtain the erasure of personal data without undue delay where one of the following grounds applies:

Please be aware that we cannot always erase all the personal data requested, for example where processing it is necessary for the establishment, exercise or defence of legal claims or because we are required for the justice and security of the State to store the data in accordance with out retention policy. We will provide you with more detailed information on this in our answer to your question.

IV. Your right to restriction of processing

You have the right to obtain restriction of processing where one of the following applies:

V. Your right to the portability of personal data (“data portability”)

You have the right to “retrieve” your personal data, for example to be able to more easily change service provider. This is only possible for personal data that you have personally provided to Encevo based on consent or a contract. In all other cases you cannot, therefore, take advantage of this right (for example where the processing of your data is conducted on the basis of a legal obligation).

There are two aspects to this right:

VI. Your right to object to the processing of your personal data

You have the right to object, on grounds relating to your particular situation, to processing of your personal data if the processing is done in the legitimate interests of Encevo or in the general interest. Encevo will no longer process your personal data except where Encevo can demonstrate that there are compelling legitimate grounds for the processing which override yours or if the processing of the personal data is for the establishment, exercise or defence of legal claims (for example, submitting an appeal to a court).

How can I exercise my rights regarding privacy?

Directly via our Enovos and Creos customer services our via the dedicated access request form. To exercise your right of access and to prevent any unlawful publication of your personal data, we have to verify your identity. In case of doubt or uncertainty, we will first of all ask you for some additional information.

Are there fees for this?

You can exercise your rights concerning privacy free of charge unless your request is clearly without foundation or exaggerated, particularly of a repeated nature. In this case, we have the right and the choice – in accordance with the legislation relating to protection of privacy – (i) to charge you a reasonable fee (taking into account administrative expenses connected with providing the information or the communication requested and fees connected with taking the actions requested) or (ii) to refuse to follow up your request.

In what form will I receive a reply?

If you make your request electronically, the information will if possible be transmitted electronically except where your request stipulates otherwise. In any case, we will send you a concise, transparent, comprehensible and easily accessible reply.

When will I receive a reply?

We respond as quickly as possible to your request and in any case within the month following receipt of your request. According to the complexity of the requests and their number, this deadline may if necessary be extended to two months. In the event of extension of the deadline, we will inform you in the month following the receipt of the request.

What can I do if Encevo does not follow up my request?

We will always inform you, in our reply, about the option of complaining to the supervisory authority and to appeal in court.

10. How do we facilitate the exercise of your rights?

Who are the contact persons at the Encevo Group for your personal data?

Feel free to contact our point of contact (Data Protection Officer – DPO) for any sort of questions:

11. Escalating to the supervisory authorities

For complaints relating to the processing of your personal data, you can contact the Data Protection Authority,

Commission Nationale pour la Protection des Données (CNPD)
1, avenue du Rock’n’Roll
L-4361 Esch-sur-Alzette
Tel: +352 2610 60 1
Fax: +352 2610 60 29
E-mail: info@cnpd.lu
http://www.cnpd.lu/