CRU Privacy Notice

This privacy notice tells you what to expect us to do with your personal information when you make contact with us or use our services. The notice will tell you:

  • why we are able to process your information;
  • what purpose we are processing it for;
  • whether you have to provide it to us;
  • how long we store it for;
  • whether there are other recipients of your personal information; and
  • whether we intend to transfer it to another country.

Please take time to read this notice carefully. If you have any questions about how we use your information, please contact our Data Protection Officer at the details below.

 

 

Who we are

The Commission for Regulation of Utilities (CRU) is Ireland’s independent energy & water regulator with a range of economic, customer care and energy safety functions.

The CRU acts as data controller in relation to information held about you for the purposes of data protection law i.e. applicable national and EU data protection laws, regulations and guidelines including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

For the purposes of data protection law, the Commission for Regulation of Utilities (CRU) is a joint data controller with respect to the processing of Scheme Data for the Safe Electric and RGI (Register of Gas Installers) schemes (see below for further information).

Why we collect information about you

In order to carry out its functions, the CRU needs to collect and use personal information about the individuals who come into contact with us.

Most of the personal information we process is provided to us directly by you for one of the following reasons;

  • Complaint resolution (utility customers can contact CRU Customer Care to help resolve their complaints with suppliers or network operators);
  • Information requests or queries;
  • Subscribing to CRU publication updates on our website;
  • Public access to information under FOI / AIE / Data Protection legislation;
  • Responding to CRU Consultations;
  • Attendance at a public hearing which we have conducted,
  • Safety–related complaints received in relation to Compressed Natural Gas (CNG);
  • Certain activities related to the operation of the Safe Electric and RGI schemes by the designated Safety Supervisory Body (SSB) (including information queries from the public; appeals; complaints; illegal activity and enforcement; audit and inspection of Safety Supervisory Body (SSB) inspectors);
  • Public procurement activities (tenderers, suppliers and service providers);
  • Licencing activities (processing applications for Licensing, Consents, Certifications & Registrations); and
  • Protected Disclosures to CRU Commissioners.

This information is collected when you contact us with a query or request; through forms you complete, when you give us information verbally or in writing or when you visit the CRU offices.

We also receive personal information indirectly. This information is usually received from the entities that we regulate or designate and may happen in the following scenarios:

  • CRU Customer Care contact an energy supplier or network operator on your behalf and it gives us your personal information in its response;
  • Retail market monitoring and reporting activities;
  • Conducting audits on energy suppliers or Irish Water;
  • Assessment of applications for Recognition of EU Professional Qualifications (Gas Installers & Electrical Contractors);
  • Certain activities related to the operation of the Safe Electric and RGI schemes by the designated Safety Supervisory Body (SSB). This includes applications, management of registration, certificates of completion, Notices of Hazard and Notices of Potential Hazard, Emergency Notices, audit and inspection of RECs/RGIs, complaints, investigations, changes of contractor or installer, disciplinary proceedings and information queries from the public;
  • Gas Safety Framework (Natural Gas and LPG) incidents and investigations; or
  • An employee of ours gives your contact details as an emergency contact or a referee.

The information we process about you

Categories of Personal Data Types of Personal Data
Identity Name, surname, title, and other identifying information provided by you

Details left in voicemails or in call recordings to CRU Customer Care and records of these discussions

Details provided when you sign in at CRU offices

Contact information Address, email address, phone number.
Authorised representatives Details of nominees, executors, those with power of authority or other authorised representatives
Energy or Water Customer details Complaint Reference Number as assigned by Supplier or Network Operator, Account Number and History, Meter Number (MPRN / GPRN / WPRN) and energy / water consumption details, Nature of complaint and resolution steps, Details in call records to CRU Customer Care, Vulnerable customer status.
Tenderer details Staff CV details such as qualifications and experience; photos if provided in tender documents
Supplier details Contact information, bank details, VAT details and tax clearance information
Stakeholder details Contact information, role, meeting minutes / notes
Licence & Authorisation Applicant details Contact information, Names of company directors, Person responsible for Construction / Engineer.
Market data as shared by Utility Suppliers or Network Operators** for the purposes of market monitoring, conducting supplier audits or CRU decision making

 

Bulk energy retail market data regarding customer switching, renegotiations, prices, discount levels, disconnections, vulnerable customers, PAYG installations and debt flagging.

Energy customer MPRN / GPRN bulk meter details relating to disconnections.

Additional retail market data may be processed on a case by case basis in the context of auditing compliance with Codes of Practice for the bodies we regulate.

Irish Water customer WPRN bulk meter details for analysis.

Members of or applicants to Safe Electric or RGI Schemes Contact information, documents relating to educational and employment background including identification, professional qualifications, insurance details, skills / training undertaken and previous employment details.

Details of audit and inspections, complaints, investigations, changes of contractor or installer, disciplinary proceedings and certificates of completion.

Application for Recognition of EU Professional Qualifications (Gas Installers & Electrical Contractors) Nationality, Proof of eligibility to work in country of qualification(s), Details of registration / licence including certified documentary evidence from regulatory body/ competent authority; Details of relevant professional qualification(s) including transcripts / certificates; Details of professional experience including proof of the relevant learning outcomes; References from employers and supervisors and certification / proof of completed works.
Unregistered gas installers and electrical contractors (where a complaint has been received) Investigation files and enforcement actions, contact information, identification, statements in relation to alleged illegal gas and electrical works, employment background and professional qualifications
Safe Electric or RGII Inspectors schemes (where inspected or audited) Name, contact information, registration number, employment background, professional qualifications
Personal details relating to Gas Safety Framework (GSF) Incidents &  Investigations*** Contact information, nature of incident, injury information, health status of victim, investigation report
Protected Disclosure details Contact information, organisation, role
Website user statistics (Google Analytics) Location, time, date and details of your visit to our website (as anonymous statistics)
Other personal information Telephone recordings (made to our out-sourced customer care provider); CCTV images at our offices; Information in relation to FOI / AIE / Data Protection requests (including proof of identity if required); Responses to CRU surveys

[1] Electricity: MRSO (Meter Registration System Operator) - ESBN (ESB Networks)

Gas: GPRO (Gas Point Registration Operator) - GNI (Gas Networks Ireland)

Water: Irish Water

Electricity / Gas Suppliers: For current list of energy suppliers see https://www.cru.ie/home/customer-care/energy/communication/

Please note: The CRU does not request or require personal data relating to children, health status, criminal convictions or any other special category / sensitive information in our engagement with the public, such as for the purposes of energy complaint resolution.

Why we use your information

Safe Electric and RGI Schemes

The Electricity Regulation Act (ERA), 1999, as amended by various pieces of legislation, gives the CRU statutory responsibilities in the areas of electrical and gas safety. This includes the following functions:

  • Regulate the activities of electrical contractors with respect to safety (ERA Sections 9C, 9D, 9E); and
  • Regulate the activities of natural gas and LPG installers with respect to safety (ERA Sections 9F, 9G, 9H, 9I, 9J).

Electrical Safety - Safe Electric Scheme:

Safe Electric is a statutory regulatory scheme for Registered Electrical Contractors and regulated electrical works.  Its national safety supervisory function aims to give assurance that not only are Registered Electrical Contractors qualified and competent in working with electricity safely, but that the regulated works they have completed have been done in accordance with National Safety standards.

From 3 January 2023, the CRU has designated Walk Meadow Limited t/a Safe Energy Ireland as the Electrical Safety Supervisory Body (ESSB).

The CRU is a Joint Data Controller with Walk Meadow Limited t/a Safe Energy Ireland in connection with delivery of services and in relation to information held about you in the context of the Safe Electric Scheme. Please also refer to the Safe Electric Privacy Notice

Gas Safety - RGI Scheme:

The RGI Scheme is a statutory regulatory scheme for Registered Gas Installers and regulated gas works.  Its national safety supervisory function aims to give assurance that not only are Registered Gas Installers qualified and competent in working with gas safely, but that the regulated works they have completed have been done in accordance with National Safety standards.

From 3 January 2023, the CRU has designated Walk Meadow Limited t/a Safe Energy Ireland as the Gas Safety Supervisory Body (GSSB).

The CRU is a Joint Data Controller with Walk Meadow Limited t/a Safe Energy Ireland in connection with delivery of services and in relation to information held about you in the context of the RGI Scheme. Please also refer to the RGI Privacy Notice

We fully respect your right to privacy and will only collect or process your personal data, where required, for one or more of the following purposes (lawful basis):

Performing our public task as a regulator including:

  1. Contacting you by post, phone and email.
  2. Facilitating public input and comment on CRU Consultations.
  3. Responding to queries to the CRU Press Office.
  4. Responding to customer service quality complaints in accordance with our Customer Charter.
  5. Resolving energy & water customer complaints with your energy supplier, network operator and Irish Water (As prescribed for under S.I. No. 463 of 2011 and the Water Services Acts 2013, 2014 & 2017).
  6. Providing you with information or responding to an enquiry relating to the services provided by energy suppliers, network operators or Irish Water. (As prescribed for under S.I. No. 463 of 2011 and the Water Services Acts 2013, 2014 & 2017).
  7. Processing applications for a Licence to Generate Electricity or Authorisation to Construct or Reconstruct a Generating Station or Electricity Supply Licence (under the Electricity Regulation Act, 1999 Section 14 as amended); Natural Gas Shipping and Supply Licence (Under Section 16 of the Gas (Interim) (Regulation) Act 2002, as amended); Consents pursuant to Section 48 and Section 49 of the Electricity Regulation Act 1999; High Efficiency CHP Certification (as set out in SI 298, 299 and 499 of 2009);  LPG Safety Licences (in accordance with section 9JE (3) of the Electricity Regulation Act 1999, as amended by the Energy (Miscellaneous Provisions) Act 2012); Network Licences under section 14 (1) of the Electricity Regulation Act 1999  & section 16 (1) of the Gas Act 2002; and REMIT (Regulation on Energy Market Integrity and Transparency) Registration (SI 480 of 2014).
  8. Retail energy market monitoring measures, in compliance with requirements stemming from the 3rd Package of European energy legislation which was transposed into Irish law by S.I. No. 450 of 2010 and S.I. No. 630 of 2011 (the S.I.s covering electricity and gas, respectively).
  9. Conducting audits on energy suppliers to ensure compliance with the Electricity and Gas Supplier Handbook (the Supplier Handbook), as a Code of Practice prescribed for in S.I. No. 463 of 2011.
  10. Conducting investigations to ensure compliance with the conditions of a licence issued under sections (1) (b), (g) or (h) of the Electricity Regulation Act 1999, or sections 16(1)(a) or (b) of the Gas (Interim) (Regulation) Act 2002.
  11. Conducting public hearings where the CRU is satisfied that sufficient grounds exist to warrant a public hearing (as prescribed under the Electricity Regulation Act, 1999 Section 20, as amended).
  12. Facilitating registration appeals, complaints and disciplinary actions relating to applicants to or members of Safe Electric and RGI Schemes and facilitating the sharing of information in relation to prosecutions against unregistered gas installers and electrical contractors. (As prescribed for by the Electricity Regulation Act 1999, as amended and the Criteria Document(s).)
  13. Processing applications for the Recognition of EU Professional Qualifications for Gas Installers & Electrical Contractors as prescribed for by EU Directive 2013/55/EU and S.I. No. 8 of 2017.
  14. Facilitating the monitoring and inspection of Safe Electric and RGI Inspectors (As prescribed for under Electricity Regulation Act 1999, as amended and the Criteria Document(s).)
  15. Investigating natural gas or Liquefied Petroleum Gas (LPG) incidents to identify the cause and make recommendations on the prevention of future incidents as required by the Gas (Amendment) Act (Section 2) (Distribution) Order 2003 and Energy (Miscellaneous Provisions) Act 2012.
  16. Establishing an Appeal Panel as defined in the Electricity Regulation Act 1999 as amended.
  17. Responding to safety complaints regarding Compressed Natural Gas (CNG) in accordance with S.I. No. 647/2018 - European Union (Deployment of Alternative Fuels Infrastructure) (No. 2) Regulations 2018.

Who we share your information with

We only share your information where it’s necessary. We will not share your information with any third parties for the purposes of direct marketing. Sharing can occur in the following circumstances and with the following organisations.

Consultation responses published on the CRU website

  • Since May 2018,when you respond to a CRU Consultation Paper, your personal details will not be published unless you expressly request us to do so (excluding industry respondents). Where requested, these details will be published on the CRU website as part of the transparent sharing of views informing the CRU decision making process.

 Your authorised representatives

  • These include your attorney, your representative (under Power of Attorney) or any other party authorised by you to receive your personal data.

 

Disclosures to third parties

  • We may need to share your personal information with utility suppliers or network operators to aid the efficient processing of your query or compliant.
  • Business contact information relating to stakeholders may be shared with a relevant third party if it is reasonably expected that such information will only be used by the third party to contact you for legitimate business purposes related to your job responsibilities.
  • Where required, we share details of members of or applicants to Safe Electric or RGI (or of unregistered gas installers and electrical contractors) with Walk Meadow t/a Safe Energy Ireland in relation to registration appeals, complaints, illegal activity, disciplinary investigations and enforcement.
  • Where required, we share details of Safe Electric or RGI Scheme members with Walk Meadow t/a Safe Energy Ireland and with other members of disciplinary hearings.
  • Where required, we share details of applicants for the Recognition of EU Professional Qualifications for Gas Installers & Electrical Contractors with Walk Meadow t/a Safe Energy Ireland, and organisations whose details have been provided by applicants such as competent authorities and training providers. Where required we will also share these details with members of panels assessing applications.
  • Where required, we share your personal information with Garda Síochána and law enforcement agencies in order to assist with the detection, investigation prevention and prosecution of crime.
  • We share details of natural gas or LPG Incidents & Investigations with GNI (Gas Networks Ireland), Flogas and Calor Gas (as part of our legal requirements) and with Walk Meadow t/a Safe Energy Ireland, Department of Communications, Climate Action and Communications, the Irish LPG Association, the Fire Services and the HSA to facilitate investigations / share learnings and to help facilitate the safe transmission, distribution and use of natural gas and LPG in Ireland.
  • Tenderer or supplier details may be shared with the Northern Irish Authority for Utility Regulation (NIAUR) in cases where the CRU procures services or supplies on behalf of the Single Electricity Market Committee (SEMC) and NIAUR is a joint controller for the data.
  • Tenderer details are collected via www.etenders.gov.ie eTenders is the Irish Government’s electronic tendering platform administered by the Office of Government Procurement.

Third Party Service Provides

We use data processors who are third parties who provide services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us unless instructed to do so. They will hold it securely and retain it for the period we instruct.

 

  • Our customer contact service provider is currently A.R.I. Services Europe Ltd., (ARISE). ARISE is the first point of public contact for many queries and complaints regarding utility suppliers and network operators. We share your personal information with them as our data processor so that they can effectively provide this service to you. In providing these services, ARISE may record your call information.
  • Safe Electric and RGI Schemes: Details of applicants for the Recognition of EU Professional Qualifications for Gas Installers & Electrical Contractors are processed by Walk Meadow t/a Safe Energy Ireland on CRU’s behalf.
  • The CRU engages other third-party service provides to provide operational services and systems development, support and maintenance. These include ICT (including CRM and Case Management) systems services, ICT (including CRM) maintenance, software development, electronic signature services, secure file transfer services, document storage and destruction, printing, couriers, auditors and consultants including legal advisors.
  • Social media (Twitter, LinkedIn): We may use a third-party provider to manage our social media interactions. When contacting the CRU through a social media platform, we suggest you also familiarise yourself with the privacy information of that platform. Messages or posts received by the CRU on these social media platforms are viewed by the CRU but the personal data contained in the messages / posts is not logged or stored other than on the relevant social medial platform, and no further processing of such personal data is carried out by the CRU.
  • Website Analytics: When you visit cru.ie, we use a third-party service, Google Analytics, to collect standard statistical information and details of visitor behaviour patterns. We do this to find out such things as the number of visitors to the various parts of the site. This information is only processed in a way that does not directly identify anyone.
  • Subscribers: If you subscribe to CRU publication updates, your email address will be automatically added to the CRU subscriber database of the email marketing service used by the CRU. If you unsubscribe from our newsletter, your email address is retained by the provider in order to ensure you are not contacted again.
  • Website security & performance: We use a third-party web application firewall to help maintain the security and performance of our website. The service checks that traffic to the site is behaving as would be expected and blocks traffic that is not using the site as expected. To provide this service, site visitors’ IP addresses are processed.

Statutory and regulatory bodies (including central and local government) and law enforcement authorities

In certain circumstances, we may share and / or are obliged to share your Data with third party statutory or regulatory bodies in accordance with Data Protection Legislation.

These may include the courts and those appointed by the courts, government departments, statutory and regulatory bodies including: the Data Protection Commission, the Office of the Information Commissioner, Office of the C&AG, An Garda Siochana and Revenue Commissioners.

Organisations who share your information with the CRU

In certain circumstance, energy and water suppliers or network operators are required share certain personal identifiers with the CRU in order to facilitate our roles in utility customer complaint resolution, investigation of Gas Safety Framework incidents, monitoring customer protection issues and supplier compliance in the retail market. CRU is data controller for any such data when received from these organisations.

How long we hold your information and how it’s secured

We will keep your personal data for as long as it is necessary to fulfil the purposes for which it was collected as described above and in accordance with our legal and regulatory obligations. The length of time we hold your personal data depends on a number of factors such as:

  • The type of data we hold about you.
  • Whether there is a legal obligation to hold the data for a minimum specified period.
  • Whether there is a public interest basis to hold the data for a specified period.
  • Where there is a sound evidence-based reason to hold the data for a specified period.

As a general rule, we keep your information for a specified period after the date on which your interaction with us has completed. This may mean that some information is held for longer than other information. For example:

  • Contact with CRU Customer Care: Records are held for 12 months in the case of general queries / information requests / contacts or regarding the resolution of simple customer complaints and 24 months in the case of complex customer complaints.
  • Recordings of calls to CRU Customer Care will be held for 3 months.
  • Consultation responses published on the CRU website will remain there indefinitely.
  • Personal data processed by the CRU for the purpose of supervising the operation of the Safe Electric and RGI Schemes is retained for a maximum of two Safety Supervisory Body designation periods (currently set at an aggregate maximum term of 7 years).

When you contact us with a query or complaint, you may receive a phone call and/or email in relation to that contact. If you would prefer not to receive such communications, please let us know.

The CRU operates and uses appropriate technical and physical security measures to protect your personal data. We have taken appropriate security measures to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Access is only granted on a need-to-know basis on a least privilege basis to staff members whose roles require them to process your personal data and, in certain circumstances, to third party service providers. In addition, our service providers are selected carefully to ensure they have an appropriate level of technical, organisational and security measures in place.

Processing your information outside the EEA

Your information is stored on secure systems within the CRU premises and with providers of secure information storage. We may transfer or allow the transfer of information about you to our service providers and other organisations outside the European Economic Area (EEA), but only if they agree to act solely on our instructions and protect your information to the same standard that applies in the EEA.

For transfers of your personal data to third parties outside of the EEA, we take additional steps in line with Data Protection Law. We will put in place adequate safeguards with respect to the protection of your privacy, fundamental rights and freedoms, and the exercise of your rights, e.g. we will establish an adequate level of data protection through EU Standard Contractual Clauses based on the EU Commission’s model clauses.

Exercising your information rights

Your rights under data protection law may include the following (where applicable):

Your right
What does it mean? How do I execute this right? Conditions to exercise?
Rights in relation to inaccurate or incomplete personal data
You may challenge the accuracy or completeness of personal data which we process about you. If it is found that personal data is inaccurate or incomplete, you are entitled to have the inaccurate data removed, corrected or completed, as appropriate. Requests should be made in writing to the CRU’s Data Protection Officer at dataprotection@cru.ie

If possible, you should specify the reasons why the personal data are incorrect or incomplete

This right only applies to your own personal data.

When exercising this right, please be as specific as possible.

Right of access Subject to certain conditions, you are entitled to have access to your personal data which we hold (this is more commonly known as submitting a “data subject access request”). Requests should be made in writing to the CRU’s Data Protection Officer at dataprotection@cru.ie

If possible, you should specify the type of information you would like to see to ensure that the information that we disclose to you meets your expectations.

We must be able to verify your identity. Your request may not affect the rights and freedoms of others, e.g. privacy and confidentiality rights of other employees.

Your request may be subject to certain exemptions; e.g. legal professional privilege.

Right to object to or restrict our data processing Subject to certain conditions, you have the right to object to or ask us to restrict the processing of your personal data. Requests should be made in writing to the CRU’s Data Protection Officer at dataprotection@cru.ie This right applies only if the processing of your personal data is necessary for a public or legitimate interest basis. Objections must be based on grounds relating to your particular situation (e.g.  causing damage or distress) and must not be generic so that we can demonstrate that there are still lawful grounds for us to process your personal data.
Right to have personal data erased
Subject to certain conditions, you are entitled, on certain grounds, to have your personal data erased (also known as the “right to be forgotten”), e.g. where you think that the information, we are processing is inaccurate, or the processing is unlawful.
Requests should be made in writing to the CRU’s Data Protection Officer at dataprotection@cru.ie There are various lawful reasons why we may not be in a position to erase your personal data. This may apply (i) where we have to comply with a legal obligation, (ii) in case of exercising or defending legal claims, or (iii) where retention periods apply by law (i.e. as set out in legislation) or by virtue of the CRU’s data retention policies
Right to withdraw consent You have the right to withdraw your consent to any processing for which you have previously given that consent. Requests should be made in writing to the CRU’s Data Protection Officer at dataprotection@cru.ie If you withdraw your consent, this will only take effect for the future. It will not affect the lawfulness of processing based on your consent before its withdrawal.
Right of data portability Subject to certain conditions, you are entitled to receive the data which you have provided to us and which is processed by us by automated means, in a commonly-used machine readable format. Requests should be made in writing to the CRU’s Data Protection Officer at dataprotection@cru.ie

If possible, you should specify the type of information you would like to receive to ensure that the information that we disclose to you meets your expectations.

This right only applies if the processing is based on your consent or contract basis and when the processing is carried out by automated means (e.g. not for paper records). It affects only personal data that was “provided” by you. It does not, as a rule, apply to personal data that was created by CRU.

If you make your request electronically (such as by email), we will, where possible, provide the relevant information electronically unless you ask us otherwise.

We are obliged to respond without undue delay. In most instances, we will respond within one calendar month unless we are unable to deal with your request fully within a calendar month due to the complexity or number of requests You can assist us in responding to your request by including any additional details that would help to locate your information – such as; the type of personal data involved, relevant dates or appropriate reference number or the circumstances in which the CRU obtained your personal data.

Please note: In certain circumstances, your information rights may be restricted in accordance with GDPR Article 23 as transposed by Section 60 of the Data Protection Act 2018.

Completion of this form will assist in responding to your request to access your personal data held by CRU. You may also be asked for evidence of your identity to make sure that personal information is not given to the wrong person.

You have the right to complain to the Data Protection Commission or another supervisory authority.

You can contact the Data Protection Commission at https://www.dataprotection.ie/docs/Contact-us/b/11.html

Telephone: +353 (0)761 104 800 or Lo Call Number 1890 252 231
Fax:     +353 57 868 4757
E-mail: info@dataprotection.ie
Postal Address: Data Protection Commission, 21 Fitzwilliam Square

Dublin 2, D02 RD28 or

Canal House, Station Road, Portarlington, Co. Laois R32 AP23.

How to contact us and our Data Protection Officer

If you have any questions about this notice or your personal information in the CRU generally, including questions about accessing your personal information or correcting it, please contact our Data Protection Officer at

Online: https://www.cru.ie/home/about-cru/privacy/
Telephone: +353 (0)1 4000800
E-mail: dataprotection@cru.ie
Postal Address: The CRU, Grain House, The Exchange, Tallaght, Dublin 24, D24 PXW0, Ireland

Changes to this notice

We will update this Privacy Notice from time to time. Any changes will be made available on this web page and, where appropriate, notified to you by e-mail or when you contact the CRU again.