Data Privacy Policy
Read through our Privacy Policy to learn how we use the information we collect from you.
2. Definitions
Cookie Data
A cookie is a small data file of letters and numbers that is placed on your computer when interacting with websites and other forms of online applications. Cookies allow us to distinguish you from other users of our website, which helps us to provide you with a good experience when you browse our site and also allows us to improve our site. The cookies we use are “analytical” cookies. They allow us to recognise and count the number of visitors and to see how visitors move around the site when they are using it. This helps us to improve the way our site works, for example by ensuring that users are finding what they are looking for easily. You are free to decline cookies if your browser permits, however it may prevent you from using certain features on our site.
Data Controller
The person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the Data Laws.
Data Laws (UK Data Protection and Privacy Laws)
The UK GDPR and Data Protection Act 2018 and associated laws and regulations, as updated and amended from time to time.
Data Processor
The person or organisation that processes and is responsible for Processing Personal Data.
Personal Data
Any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Sensitive Personal Data and pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour. Personal Data specifically includes, but is not limited to, name, address, bank details.
Priority Services Register
Our Priority Services Register, known as Extra Care, is for customers with additional requirements (such as but not limited to communication needs, visual impairment, medical condition or vulnerable situation) that we need to be aware of to ensure we offer the best individual service we can to those at higher risk if there were an interruption in the heat supply.
Processing or Process
Any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Sensitive Personal Data
Information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and Personal Data relating to criminal offences and convictions.
Legal Basis for processing personal data
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation) (Text with EEA relevance) Article 6. Here is the link for more information: https://www.legislation.gov.uk/eur/2016/679/article/6
3. Overview
This Data Privacy Policy sets out how Vattenfall Heat UK, Vattenfall Brent Cross Limited, Midlothian Energy Limited, Bristol Heat Networks Ltd (“we”, “our”, “us”, “VHUK”, “BCL”, “MEL”, “BHNL”) handle the Personal Data of anyone who has contact with VHUK including our customers and those visiting our website (“you”, “your”).
We are committed to providing you with a high standard of service in all our dealings with you. Where and to the extent we process information about you, we will at all times aim to be transparent in how we collect, store, and process your Personal Data. This Data Privacy Policy will help you to understand what to expect from us.
This policy applies to everyone who has contact with VHUK, BCL, MEL and BHNL. This includes current customers and former customers.
VHUK is a Data Controller and Processor in relation to UK Data Protection and Privacy Laws. It must comply with those laws when it comes to the processing of your Personal Data. In the sections below we explain the scenarios when your personal data will be gathered, how it will be stored and what it will be used for. It will also set out your rights as a ‘Data Subject’ in relation to the Personal Data we hold and process.
If you have any questions regarding the processing of your personal data, you can contact: our Data Protection Officer for VHUK by email at data.protection.uk@vattenfall.com.
Questions regarding VHUK and the Vattenfall Group’s personal data processing can be addressed to our Data Protection Officer by email at data.protection.uk@vattenfall.com or by post to:
Data Protection Officer
Vattenfall Heat UK
70 St Mary Axe
London EC3A 8BE
Personal data breaches are always handled according to an internal process and, in relevant cases, are reported to the ICO for Privacy Protection and to the individual concerned. If you think there has been a possible personal data breach – please contact the Data Protection Officer for VHUK by emailing data.protection.uk@vattenfall.com.
If you have discovered a (possible) security issue then you can report it to Vattenfall IT and choose to remain anonymous if you wish. Learn more about this via this link: Reporting security issues through Responsible Disclosure.
4. Changes to this privacy notice
This policy may change from time to time in line with amendments to the UK and other laws, regulations and generally to ensure it is always up to date and accurate.
The latest version of this Policy will be available on our website, and any material changes to the Policy and/or how we store or process Personal Data will also be communicated directly to those whose details have been registered with us as Data Subjects. It is also important that you read this data protection notice every time you use any of our services as the processing of your personal data may differ from your previous use of the service in question. You will find the latest version of our privacy policy on our website.
5. Your Data Protection Rights
Under UK data protection law, you have rights that we need to make you aware of. The rights available to you depend on our reason for processing your information. Further detail on these rights is set out below. You have the right to ask us for copies of your personal information - this right always applies. There are some exemptions, however, which means you may not always receive all the information we process. If you would like to contact us for more information, please contact us on data.protection.uk@vattenfall.com. Vattenfall will send a response to the address where the person is registered within one month of receiving the request.
5.1 Right to rectification of personal data
You have the right to ask us to correct information you think is incorrect. If you are a customer, you can contact the customer care team to correct your information.
5.2 Right to delete your Personal Data
Vattenfall deletes personal data when legal grounds for keeping the data no longer exist. Our customers are entitled to immediate deletion of their personal data if any of the following apply:
- Processing is based on your consent, and you have withdrawn your consent
- Example: You have given consent to participate in market research but wish to withdraw your consent.
- The data is no longer necessary for the purposes they were collected for.
- Example: You gave consent for your information to be processed to attend an event. The event has passed and you have not given consent to be contacted about other events or services.
- The processing is for the purpose of direct marketing and you object to your data being used for this purpose
- Example: You object to the processing of data used to market a specific service or product to you outside of the services you already have.
- The information has not been processed in accordance with the law.
- Example: You consented to be contacted about a customer satisfaction survey but you have received sales material for a new service that you have not consented to.
If the data is deleted at your request, Vattenfall undertakes to inform those to whom it has disclosed information, however, this does not apply if it should prove impossible or too burdensome.
5.3 Right to portability
If you have agreed to provide your personal data to Vattenfall or if you provided the information due to an agreement, you can request that the personal data be transferred to another personal data controller, such as another company if you want to use their services instead. Vattenfall only needs to transfer the data to another company if it is technically feasible.
5.4 Right to restriction
In certain cases, you have the right to request that the processing of your personal data be restricted. For example when you have determined that your personal data is incorrect and you have demanded correction. While the investigation is ongoing, you can request that the processing of your personal data is restricted. In the event of a restriction, the data is marked so that it may only be processed for certain purposes. When a restriction expires, you should be informed.
It is possible to restrict the processing of your Personal Data in the following situations:
- During the period that checks are being carried out on the correctness of your Personal Data if you have requested this.
- The processing of your Personal Data is unlawful and you request its processing to be limited but not its removal.
- We no longer need your Personal Data, but you need it for the establishment, exercise or substantiation of a legal claim.
- During the period that you are waiting for an answer to the question of whether we have a legitimate interest to process your data in a certain way.
If you would like to request the right to restriction, please contact us and indicate what data you disagree with being processed and why.
5.5 Right to object
You have the right to object at any time to the processing of personal data based on public interest or legitimate interest/balancing of interests, including profiling based on these provisions. The controller shall no longer process the personal data unless it can demonstrate substantial legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
If you do want to object please email data.protection.uk@vattenfall.com and we will assess your objection and whether we can stop processing the data as per your request.
6. What personal data do we collect and process
If you contact Vattenfall we will have a record of the data associated with that contact. which may also contain your Personal Data. Contacting us includes visiting our website, using our mobile app, providing us with your email address (including if you send us an email), subscribing to our newsletter, calling us, chatting with us on web chat or at a customer engagement event.
| Category of personal data | Examples |
|---|---|
| Customer account number | Unique number that is registered with Vattenfall for your customer account |
| Contact data (Name, Address, Phone Number, Email) | Name, Address, Phone Number, Email required to create your customer account and contact you and send you bills and letters in relation to your account. |
| Financial data | Details of payment you have made to your account, any refunds or credits we have issued when eligible or required, and any arrears, debt and payment defaults |
| Vulnerability information that we need to be aware of | Data that tells us that your personal circumstances would put you or a member of you household in a vulnerable situation |
| Content (Opinions, Declarations) | Data collected in free text fields such as a customer survey or feedback form. |
| Device data (Cookies, IP Address, Browser type, OS information) | Data about the device, connection and installed software that is logged to together identify a person. |
| Monitoring data (Camera surveillance, Audit trail, Activity logging) | Data that tracks specific non personal related assets such as physical locations and non-physical environments such as applications. |
| Metering data | Meter data collected with a frequency of one hour or less. |
| Rating data (Personal scoring/performance/evaluation) | Data relating to the scoring/performance or evaluation of service or in relation to from a specific individual. |
6.1 Why VHUK records your Personal Data
We track and record data and your Personal Data to allow us to serve you more effectively, provide and develop our services, follow up on contact previously made by you or us, or to make you a personalised offer.
For customers entering into a Heat Supply Agreement or Cooling Supply Agreement (”HSA") with VHUK, BCL, MEL or BHNL, we ask for personal details to ensure we can set-up a customer accounts and provide services to you.
The Personal Data we collect includes:
- Full name.
- Address.
- Email address.
- Telephone number (landline and mobile).
- Relevant bank account details (account number and sort code).
- Fraud and credit check
- Meter consumption data – this is how much heat or cooling energy a customer has used measured in kWh.
- The start and end date of the HSA.
- The type of tenure they have over their property (owner occupier, private rented, social rented)
- Customer’s preferred payment method.
- Customer’s payment history.
- Other payment information (such as a customer’s registration with a debt assistance agency or any repayment plan history).
- A customer’s communication preference (whether they prefer communication by email or post).
- If a customer (or other person within their household) is registered on the Priority Services Register (called Extra Care), what additional support the Customer (or person within their household) may require and where required information on a customer's (or household member's) vulnerability status. We will not collect information about other persons in a customer's household, save to log that the household includes a vulnerable person and their vulnerability status.
- Complaints registered with us, notes on accounts from emails, phone or web chat communication.
- VHUK will also store any username that a customer uses to create an online account on our website or on the VHUK app.
- VHUK also gathers Cookie Data and IP address, location and device details in order to protect both your and our online environments.
6.2 What VHUK may use your Personal Data for
| Personal data processing need: what do we use the information for? | What lawful basis for processing Personal Data are we using |
|---|---|
| To supply a customer with heat or cooling and provide services associated with such supply | The lawful basis is Contract. Processing is necessary to service the contract we have with you to provide the services to you |
| To process invoices, payment account and energy consumption information. | The lawful basis is Contract and Legal obligation to provide bills to you and collect payments. |
| Customer contact and complaints handling. | The lawful basis is Contract and Legal obligation to provide bills to you and collect payments. |
| To improve the customer experience we provide | The lawful basis is Consent, Contract and legitimate interests to ensure we are providing high quality service to you |
| To understand the causes of positive and negative customer feedback | The lawful basis is Consent, Contract and legitimate interests to ensure we are providing high quality service to you |
| To understand the common queries or complaints received to improve our services and the information and content on our website | The lawful basis is Consent, Contract and legitimate interests to ensure we are providing high quality service to you |
| To make our website more personalised for your use, via cookies. | The lawful basis is Consent, Contract and legitimate interests to ensure we are providing high quality service to you |
| To book an engineer appointment to attend your property to access equipment that we own and are responsible for maintaining, servicing, repair or replacing. | The lawful basis is Contract, Vital Interest, Legal obligation and Legitimate interest to ensure our equipment is working well to provide services to you. |
| To provide to third parties that we appoint to deliver services on our behalf, such as maintenance companies, metering and billing companies., debt collection agencies, IT providers, customer insights companies. | The lawful basis is Contract, Vital Interest, Legal obligation and Legitimate interest to ensure our equipment is working well to provide services to you, the heat or cooling network is safe and secure, to recover payment for services provided, to collect customer feedback on our service. |
| To offer a personalised experience on social media channels, if you have given consent to the relevant social media provider for this | The lawful basis is Consent and Legitimate Interests to ensure we are providing high quality service to you |
| To prevent or detect fraud, including fraudulent registrations | The lawful basis is Legal obligation to prevent, where possible, fraud. |
| To refer a customer to independent debt support services. In this scenario your personal data would only be shared with your prior consent | The lawful basis is Consent and Legitimate Interest to ensure support services can help customers with debt management |
| To process and share Personal Data with an external party in the event of a merger, acquisition, or change of control of VHUK | The lawful basis is Contract as part of merger, acquisition or change of control. |
| To give you energy advice online or over the phone | The lawful basis is Consent and Legitimate interest to share energy efficiency advice to help a customer manage their own energy consumption. |
| To tailor support to customers that are in a vulnerable situation or have additional communication needs and are registered on our Priority Services Register (PSR) | The lawful basis is Consent, Vital Interest, Legitimate Interest and Legal obligation to know customers that require additional support because they are in a vulnerable situation or have additional communication needs. |
| Where necessary for compliance with any legal obligation which we are required to comply with, such as reporting to statutory bodies and regulator | The lawful basis is Legal obligation to meet compliance requirements. |
| To contact your landlord or management company about your account. | The lawful basis is Contract, Vital Interest and Legitimate interest to inform your landlord or management company as owner of the property (or owners assigned representative) |
| For providing training to staff | The lawful basis is Contract and Legitimate Interest to ensure we can provide a high quality service to customers and improve our service from feedback. |
| To comply with reporting to statutory bodies such as a regulator. | The lawful basis is Contract and Legal Obligation to comply with a request from a legal or regulatory body. |
6.3 Sharing your Personal Data
Any data that is shared with a third party will be subject to technical and organisational measures to ensure that your data is kept safe and that no unlawful processing takes place.
If a third party we work with is outside the European Union or European Economic Area, we will only transfer data to the extent permitted and/or provided for under the applicable Data Laws or equivalency measures in relation to the applicable territory.
6.4 How long do we keep your Personal Data?
We will only store personal data for as long as it is required for the purpose needed to deliver services to you or to comply with our ongoing legal obligations. Any personal data no longer required will be securely deleted.
6.5 VHUK's commitment to keeping your data safe
We take the security of personal data very seriously. We understand that you want to be able to contact us safely and we want to prevent any of your Personal Data from being compromised. This is why we have taken steps to ensure that the organisational and technical measures are in place to protect your Personal Data, including:
- Online account passwords will be encrypted to reduce the possibility of someone being able to log in and access your data.
- Security scans and integrity testing of our website will be carried out regularly.
- Any communications we receive through the website or via email shall be secured and encrypted.
- We will constantly monitor for any data breaches and take appropriate action to prevent these.
- Effective and appropriate technologies and software will be used, and kept up to date, to protect the safety of your Personal Data.
- We will also utilise security methodologies and procedures against malware, viruses and cyber-attacks to protect the safety of your Personal Data.
- If your Personal Data is to be transferred from one system or platform to another, we will ensure that this is done in a safe and secure manner.
- Only employees who require access to your Personal Data to carry out their job will be granted access to it.
- Any interactions or uses of your data will be logged so that we can keep track of it.
7. How to get in touch
We have a Data Protection Officer and Data Protection Controller who can be contacted if you have any concerns relating to this policy. Their email is data.protection.uk@vattenfall.com.
8. Complaints
If you are unhappy with how we process your personal data, you have the right to file a complaint to the ICO: https://ico.org.uk/concerns/
