HOW TO CONTACT US
|Position:||Privacy Manager|
|Address:||DCUSA Limited, Northumberland House, 303-306 High Holborn, London WC1V 7JZ|
Current version: December 2020
WHAT PERSONAL DATA DO WE COLLECT?
DCUSA Party Data
When the organisation you work for signs up as a party to the DCUSA, they may nominate you as one of their representatives or give your details for the purposes of receiving communications. If so, we collect your name, job title, work address, phone number and email address.
If you set up an online account for our website, we collect your user ID and password for the account, and your website usage.
DCUSA Panel, Committee or Workgroup Data
When you join a DCUSA panel, committee or workgroup, we collect your name, job title, gender, work address, phone number and email address. If you are a director of DCUSA Ltd we also collect your date of birth. If you are to be remunerated or have your expenses refunded we also collect your bank account details. Your attendance at meetings, and the views you express, will be recorded as part of the meeting minutes which we draft and manage.
We collect the name, job title, work address, phone number and email address of the relevant contact point for our service providers and other suppliers (including prospective, current and previous suppliers).
When you contact us for general enquiries we collect your name, contact details and information regarding your query.
Data relating to detection and investigation of energy theft
Acting for licensed energy suppliers, we manage a number of regulated schemes concerned with prevention, detection and investigation of energy theft in Great Britain. In this role, we control the collection of the following data in relation to energy customers in Great Britain: name, address, energy usage, meter details, and status of investigations of instances of possible energy theft.
WHY DO WE PROCESS YOUR PERSONAL DATA?
We use your personal data for the purposes listed in this section. We are allowed to do so on certain legal bases (please see the section “How is processing your personal data lawful?” for further detail).
|Personal Data processed||Purpose||Legal Basis|
|DCUSA Party Data||· Provide you with notices, invoices and other communications under or in relation to the DCUSA.
· Arrange meetings, record meeting minutes and other administrative matters in relation to the DCUSA.
· Request feedback from DCUSA parties to make improvements to our services.
· Publish contact information on the DCUSA website e.g. Contract Managers and other operational or escalation contacts for use by other DCUSA parties.
|Website Account||· Provide access to the private section of our website.
· Provide other website functionality.
|Contract, Legitimate Interest|
|DCUSA Panel, Committee or Workgroup Data||· Provide you with notices under the DCUSA.
· Arrange meetings and record meeting minutes and other administrative matters relating to the DCUSA.
· Provide industry training and information sessions.
· If applicable, pay remuneration and refund expenses.
· Panel Members website page also includes a photograph and short biography to inform relevant parties who they are represented by on the panel.
|Contract, Legitimate Interest|
|Suppliers||· Manage and administer the contract that we have with our suppliers.
|Contract, Legitimate Interest|
|General Enquiries||· Respond to your request for information about our services||Legitimate Interest|
|Energy Theft||· Manage, for licensed energy suppliers, regulated schemes concerning the prevention, detection and investigation of energy theft in Great Britain||Legitimate Interest|
Furthermore, we will process your personal data for the following purposes:
- Comply with any procedures, laws and regulations which apply to us; and
- Establish, exercise or defend our legal rights where it is necessary for our legitimate interests or the legitimate interests of others.
HOW IS PROCESSING YOUR PERSONAL DATA LAWFUL?
We are allowed to process your personal data based on the following legal bases for the purposes explained in the previous section “Why do we process your personal data”:
- Legitimate Interests – We are permitted to process your personal data if it is based on our ‘legitimate interests’ i.e. we have good, sensible, practical reasons for processing your personal data which is in our interests. To do so, we have considered the impact on your interests and rights, and have placed appropriate safeguards to ensure that the intrusion on your privacy is reduced as much as possible. The table in the previous section “Why Do We Process Your Personal Data” explains the personal data processed on this basis.
You can object to processing that we carry out on the grounds of legitimate interests. See the section headed “Your Rights” to find out how.
- Contract – It is necessary for our performance of the contract you have agreed to enter with us. If you do not provide your personal data to us, we will not be able to carry out our obligations under the terms of your contract.
- Legal obligation – We are subject to legal obligations to process your personal data for the purposes of complying with applicable regulatory rules, and to make mandatory disclosures to government bodies and law enforcement agencies.
HOW LONG DO WE KEEP YOUR PERSONAL DATA FOR?
The following categories of personal data will be kept for the following periods.
|Data we process||How long this will be held for|
|DCUSA Party Data||6 years|
|Website Account||6 years|
|DCUSA Panel, Committee or Workgroup Data||6 years|
|General Enquiries||6 years|
|Energy Theft||6 years|
WHO WILL HAVE ACCESS TO YOUR PERSONAL DATA?
We use external providers that act as our processors who provide typical services required by all organisations such as website development and IT hosting. These providers process your personal data as part of the services they offer to us. We take steps to ensure that our service providers process your data in accordance with the Data Protection Laws, only use it in accordance with our contract with them and keep it secure. If you would like more information about our processors, please contact us using the details in the “How to contact us” section.
We also share your personal data with the following external parties who act as separate controllers of your personal data:
|External Party||Purpose and Types of Data Shared|
|DCUSA Parties and members of the Panel, Committees or Workgroups||Contact details, meeting agendas and minutes, and other details about you are shared between those who participate in the governance or administration of the DCUSA for DCUSA related purposes.|
|Regulators||Contact details, meeting agendas and minutes, and other details about you are also shared with Ofgem as part of the process for governing and administering the DCUSA.|
|Secretariat||Our main service provider is the Secretariat function which performs the role described in the DCUSA. This is currently Electralink Ltd.|
|Other Energy Code Bodies||From time to time we may share your details with the companies who manage other energy industry codes for the governance and administration of those codes.|
|Professional Advisors||We share your personal data with professional advisors including (but not limited to) accountants, lawyers and auditors to receive their services.|
|Energy Theft Data||We share the data concerning possible theft of energy with licensed energy suppliers and network companies, and with the service providers we appoint to provide services in this context – currently Experian and Crimestoppers.|
We strive to implement appropriate technical and organisational measures in order to protect your personal data against accidental or unlawful destruction, accidental loss or alteration, unauthorised disclosure or access and any other unlawful forms of processing. We aim to ensure that the level of security and the measures adopted to protect your personal data are appropriate for the risks presented by the nature and use of your personal data. We follow recognised industry practices for protecting our IT environment and physical facilities.
YOUR RIGHTS
As a data subject, you have the following legal rights under the Data Protection Laws in relation to your personal data. You can exercise these rights free of charge, by contacting us (please see “How to contact us”). We will respond to any rights that you exercise within a month of receiving the request unless the request is particularly complex, in which case we will respond within three months.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Please be aware that there are exceptions and exemptions that apply to some of these rights, which we will apply in accordance with the Data Protection Laws.
|YOUR DATA PROTECTION RIGHTS||WHAT DOES THIS MEAN?|
To help us find the information, please give us as much information as possible about the type of personal data you would like to see.
|2. Right to rectification||You are entitled to have your information corrected if it is inaccurate or incomplete.|
|3. Right to ask us to stop contacting you with direct marketing||You can ask us to stop contacting you for direct marketing purposes.|
|4. Rights in relation to automated decision making||These rights are not applicable as we do not carry out any automated decision making.|
|5. Right to erasure||This is also known as the ‘right to be forgotten’ and enables you to request the deletion or removal of your information where:
· If you had given us consent to process your data, you withdraw that consent and we cannot otherwise legally process your data;
· You object to our processing and we do not have any legitimate interests that mean we can continue to process your data; or
· Your data has been processed unlawfully or has not been erased when it should have been.
|6. Right to restrict processing||You have rights to ‘block’ or suppress further use of your information. When processing is restricted we can still store your information, but may not use it further. You may request that we stop processing your personal data temporarily if:
· You do not think your data is accurate. We will start processing again once we have checked whether or not the data is accurate;
· The processing is unlawful but you do not want to erase your data;
· We no longer need the personal data for our processing, but you need the data to establish, exercise or defend legal claims; or
· You have objected to the processing because you believe that your interests should override our legitimate interests.
|7. Right to data portability||You have rights in certain circumstances to obtain and reuse your personal data for your own purposes across different services.|
|8. Right to object to processing||You have the right to object to certain types of processing, including processing based on our legitimate interests and processing for direct marketing.|
|9. Right to withdraw consent||If you have given your consent to anything we do with your personal data, you have the right to withdraw your consent at any time.|
What if your rights are breached?
You may be entitled to compensation for damage caused by contravention of the Data Protection Laws.
Complaints to the regulator