CRU Privacy Notice
This privacy notice tells you what to expect us to do with your personal information when you make contact with us or use our services. The notice will tell you:
- why we are able to process your information;
- what purpose we are processing it for;
- whether you have to provide it to us;
- how long we store it for;
- whether there are other recipients of your personal information; and
- whether we intend to transfer it to another country.
Please take time to read this notice carefully. If you have any questions about how we use your information, please contact our Data Protection Officer at the details below.
Who we are
The Commission for Regulation of Utilities (CRU) is Ireland’s independent energy & water regulator with a range of economic, customer care and energy safety functions.
The CRU acts as data controller in relation to information held about you for the purposes of data protection law i.e. applicable national and EU data protection laws, regulations and guidelines including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018
Why we collect information about you
In order to carry out its functions, the CRU needs to collect and use personal information about the individuals who come into contact with us.
Most of the personal information we process is provided to us directly by you for one of the following reasons ;
- Complaint resolution (utility customers can contact CRU Customer Care to help resolve their complaints with suppliers or network operators);
- Information requests or queries;
- Subscribing to CRU publication updates on our website;
- Public access to information under FOI / AIE / Data Protection legislation;
- Responding to CRU Consultations;
- Attendance at a public hearing which we have conducted,
- Safety–related complaints received in relation to Compressed Natural Gas (CNG);
- Safety Supervisory Body (Safe Electric and RGII*) activities (information queries from the public; appeals; complaints; illegal activity and enforcement; audit and inspection of Safety Supervisory Body (SSB) inspectors);
- Public procurement activities (tenderers, suppliers and service providers);
- Licencing activities (processing applications for Licensing, Consents, Certifications & Registrations); and
- Protected Disclosures to CRU Commissioners.
This information is collected when you contact us with a query or request; through forms you complete, when you give us information verbally or in writing or when you visit the CRU offices.
We also receive personal information indirectly. This information is usually received from the entities that we regulate or designate and may happen in the following scenarios:
- CRU Customer Care contact an energy supplier or network operator on your behalf and it gives us your personal information in its response;
- Retail market monitoring and reporting activities;
- Conducting audits on energy suppliers or Irish Water;
- Assessment of applications for Recognition of EU Professional Qualifications (Gas Installers & Electrical Contractors);
- Energy Safety Supervisory Body (Safe Electric and RGII Scheme) activities. This includes applications, management of registration, certificates of completion, Notices of Hazard and Notices of Potential Hazard, Emergency Notices, audit and inspection of RECs/RGIs, complaints, investigations, changes of contractor or installer, disciplinary proceedings and information queries from the public;
- Gas Safety Framework (Natural Gas and LPG) incidents and investigations; or
- An employee of ours gives your contact details as an emergency contact or a referee.
*RGII (Register of Gas Installers of Ireland); Safe Electric - RECI (Register of Electrical Contractors of Ireland).
The information we process about you
|Categories of Personal Data||Types of Personal Data|
|Identity||Name, surname, title, and other identifying information provided by you
Details left in voicemails or in call recordings to CRU Customer Care and records of these discussions
Details provided when you sign in at CRU offices
|Contact information||Address, email address, phone number.|
|Authorised representatives||Details of nominees, executors, those with power of authority or other authorised representatives|
|Energy or Water Customer details||Complaint Reference Number as assigned by Supplier or Network Operator, Account Number and History, Meter Number (MPRN / GPRN / WPRN) and energy / water consumption details, Nature of complaint and resolution steps, Details in call records to CRU Customer Care, Vulnerable customer status.|
|Tenderer details||Staff CV details such as qualifications and experience; photos if provided in tender documents|
|Supplier details||Contact information, bank details, VAT details and tax clearance information|
|Stakeholder details||Contact information, role, meeting minutes / notes|
|Licence & Authorisation Applicant details||Contact information, Names of company directors, Person responsible for Construction / Engineer.|
|Market data as shared by Utility Suppliers or Network Operators** for the purposes of market monitoring, conducting supplier audits or CRU decision making
|Bulk energy retail market data regarding customer switching, renegotiations, prices, discount levels, disconnections, vulnerable customers, PAYG installations and debt flagging.
Energy customer MPRN / GPRN bulk meter details relating to disconnections.
Additional retail market data may be processed on a case by case basis in the context of auditing compliance with Codes of Practice for the bodies we regulate.
Irish Water customer WPRN bulk meter details for analysis.
|Members of or applicants to Safe Electric (RECI) or RGII Schemes||Contact information, documents relating to educational and employment background including identification, professional qualifications, insurance details, skills / training undertaken and previous employment details.
Details of audit and inspections, complaints, investigations, changes of contractor or installer, disciplinary proceedings and certificates of completion.
|Application for Recognition of EU Professional Qualifications (Gas Installers & Electrical Contractors)||Nationality, Proof of eligibility to work in country of qualification(s), Details of registration / licence including certified documentary evidence from regulatory body/ competent authority; Details of relevant professional qualification(s) including transcripts / certificates; Details of professional experience including proof of the relevant learning outcomes; References from employers and supervisors and certification / proof of completed works.|
|Unregistered gas installers and electrical contractors (where a complaint has been received)||Investigation files and enforcement actions, contact information, identification, statements in relation to alleged illegal gas and electrical works, employment background and professional qualifications|
|Safe Electric or RGII Inspectors schemes (where inspected or audited)||Name, contact information, registration number, employment background, professional qualifications|
|Personal details relating to Gas Safety Framework (GSF) Incidents & Investigations***||Contact information, nature of incident, injury information, health status of victim, investigation report|
|Protected Disclosure details||Contact information, organisation, role|
|Website user statistics (Google Analytics)||Location, time, date and details of your visit to our website (as anonymous statistics)|
|Other personal information||Telephone recordings (made to our out-sourced customer care provider); CCTV images at our offices; Information in relation to FOI / AIE / Data Protection requests (including proof of identity if required); Responses to CRU surveys|
** Electricity: MRSO (Meter Registration System Operator) - ESBN (ESB Networks). Gas: GPRO (Gas Point Registration Operator) - GNI (Gas Networks Ireland). Water: Irish Water. Electricity / Natural Gas Suppliers: BE Energy, Bord Gáis Energy, Electric Ireland, Energia, Flogas, Go Power, Iberdrola, Just Energy, Naturgy, Panda Power, Pinergy, PrePayPower, SSE Airtricity.
***As provided by GNI (Gas Networks Ireland) or Calor Teoranta or Flogas Ireland Limited depending on origin of incident
Please note: The CRU does not request or require personal data relating to children, health status, criminal convictions or any other special category / sensitive information in our engagement with the public, such as for the purposes of energy complaint resolution.
Why we use your information
We fully respect your right to privacy and will only collect or process your personal data, where required, for one or more of the following purposes (lawful basis):
Performing our public task as a regulator including:
- Contacting you by post, phone and email.
- Facilitating public input and comment on CRU Consultations.
- Responding to queries to the CRU Press Office.
- Resolving energy & water customer complaints with your energy supplier, network operator and Irish Water (As prescribed for under S.I. No. 463 of 2011 and the Water Services Acts 2013, 2014 & 2017).
- Providing you with information or responding to an enquiry relating to the services provided by energy suppliers, network operators or Irish Water. (As prescribed for under S.I. No. 463 of 2011 and the Water Services Acts 2013, 2014 & 2017).
- Processing applications for a Licence to Generate Electricity or Authorisation to Construct or Reconstruct a Generating Station or Electricity Supply Licence (under the Electricity Regulation Act, 1999 Section 14 as amended); Natural Gas Shipping and Supply Licence (Under Section 16 of the Gas (Interim) (Regulation) Act 2002, as amended); Consents pursuant to Section 48 and Section 49 of the Electricity Regulation Act 1999; High Efficiency CHP Certification (as set out in SI 298, 299 and 499 of 2009); LPG Safety Licences (in accordance with section 9JE (3) of the Electricity Regulation Act 1999, as amended by the Energy (Miscellaneous Provisions) Act 2012); Network Licences under section 14 (1) of the Electricity Regulation Act 1999 & section 16 (1) of the Gas Act 2002; and REMIT (Regulation on Energy Market Integrity and Transparency) Registration (SI 480 of 2014).
- Retail energy market monitoring measures, in compliance with requirements stemming from the 3rd Package of European energy legislation which was transposed into Irish law by S.I. No. 450 of 2010 and S.I. No. 630 of 2011 (the S.I.s covering electricity and gas, respectively).
- Conducting audits on energy suppliers to ensure compliance with the Electricity and Gas Supplier Handbook (the Supplier Handbook), as a Code of Practice prescribed for in S.I. No. 463 of 2011.
- Conducting investigations to ensure compliance with the conditions of a licence issued under sections (1) (b), (g) or (h) of the Electricity Regulation Act 1999, or sections 16(1)(a) or (b) of the Gas (Interim) (Regulation) Act 2002.
- Conducting public hearings where the CRU is satisfied that sufficient grounds exist to warrant a public hearing (as prescribed under the Electricity Regulation Act, 1999 Section 20, as amended).
- Facilitating registration appeals, complaints and disciplinary actions relating to applicants to or members of Safe Electric and RGII Schemes and facilitating the sharing of information in relation to prosecutions against unregistered gas installers and electrical contractors. (As prescribed for by the Electricity Regulation Act 1999, as amended and the Criteria Document(s).)
- Processing applications for the Recognition of EU Professional Qualifications for Gas Installers & Electrical Contractors as prescribed for by EU Directive 2013/55/EU and S.I. No. 8 of 2017.
- Facilitating the monitoring and inspection of Safe Electric and RGII Inspectors (As prescribed for under Electricity Regulation Act 1999, as amended and the Criteria Document(s).)
- Investigating natural gas or Liquefied Petroleum Gas (LPG) incidents to identify the cause and make recommendations on the prevention of future incidents as required by the Gas (Amendment) Act (Section 2) (Distribution) Order 2003 and Energy (Miscellaneous Provisions) Act 2012.
- Establishing an Appeal Panel as defined in the Electricity Regulation Act 1999 as amended.
- Responding to safety complaints regarding Compressed Natural Gas (CNG) in accordance with S.I. No. 647/2018 - European Union (Deployment of Alternative Fuels Infrastructure) (No. 2) Regulations 2018.
To fulfil the terms of a contract
- Engaging service providers and suppliers and for the provision of and payment for goods and services.
- Filling vacant positions and for the engagement and payment of employees.
- Monitoring and recording the conversations when you speak on the telephone to our out-sourced customer contact provider (to analyse, assess and improve customer service experience and for quality, training and contract management purposes).
Complying with our legal obligations, such as
- Preparing returns to relevant authorities including preparing income tax, PSWT, VAT3 and other revenue returns.
- Complying with your information rights.
- Complying with binding requests from regulatory bodies, such as the Data Protection Commission and the Office of the Information Commissioner.
- Facilitating the making of a Protected Disclosure to a Commissioner in the CRU as prescribed by The Protected Disclosures Act 2014.
- Complying with court orders arising in civil or criminal proceedings.
Where you have given us permission (which you may withdraw at any time)
When we ask for your consent, we will provide you with more information on how we will use your data in reliance on that consent. Please note that the withdrawal of consent does not impact processing based on consent prior to its withdrawal. Consent may be provided by:
- Subscribing to CRU publication updates.
- Use of your personal image in CRU publications.
- Attending a CRU event.
- Completing a CRU survey.
- In certain limited circumstances, where we use special categories of data, or sensitive data.
To protect your vital interests
Occasionally it may be necessary for the CRU to process personal data in order to protect a vital interest of an individual (such as in a medical emergency).
To run our organisation on a day to day basis including to
- Contact stakeholders: Business contact information relating to stakeholders (personal information typically found on a business card used by you in the conduct of your employment) is processed for legitimate business-related purposes.
- Compile and process your information for audit, statistical, reporting or research purposes (including, in some instances, making your data anonymous) in order to help us understand utility markets trends and to provide information to assist our regulatory functions.
- Protect our business, reputation, resources and equipment and manage the CRU network systems, and information.
- Provide security and prevent and detect crime including using CCTV at our premises.
- Manage and administer our legal and compliance affairs.
- Managing and responding to complaints about us.
- Effectively manage the functionality and usability of the CRU website.
The CRU will only process your personal data for the purposes for which they were originally collected and it will only be processed further for the following closely related business purposes:
- transferring the personal data to an archive;
- conducting internal audits or investigations;
- implementing business controls;
- conducting statistical analysis or research as required;
- preparing for or engaging in dispute resolution;
- using legal or business consulting services; or
- managing insurance issues.
Investigations for law enforcement purposes
As part of our statutory functions, we investigate and prosecute individuals and organisations for alleged criminal offences committed under the legislation we regulate (including prosecutions against unregistered gas installers and electrical contractors as prescribed for under Electricity Regulation Act 1999, as amended and the Criteria Document(s).)
Special category and criminal data
As part of the CRU’s statutory and corporate functions, we process special category data and criminal conviction data in accordance with the requirements of Article 9 and 10 of the General Data Protection Regulation (‘GDPR’) and Part 5 of the Data Protection Act 2018. Our processing of such data respects the rights and interests of the data subjects.
We process special categories of personal data under the following GDPR Articles:
- Article 9(2)(b) – where processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the CRU or the data subject in connection with employment, social security or social protection.
- Article 9(2)(g) - reasons of substantial public interest. This relates to the data we receive or obtain in order to fulfil our statutory function as a regulator. This may be information provided to us as part of a complaint or investigation.
- Article 9(2)(f) – for the establishment, exercise or defence of legal claims.
- Article 9(2)(c) – where processing is necessary to protect the vital interests of the data subject or of another natural person.
- Article 9(2)(a) – explicit consent.
We process criminal offence data in accordance with Part 5 of the Data Protection Act 2018, where necessary, as a ‘competent authority’ with the statutory powers to investigate, prevent, detect or prosecute in the context of criminal offences or criminal penalties.
How long we hold your information and how it’s secured
We will keep your personal data for as long as it is necessary to fulfil the purposes for which it was collected as described above and in accordance with our legal and regulatory obligations. The length of time we hold your personal data depends on a number of factors such as:
- The type of data we hold about you.
- Whether there is a legal obligation to hold the data for a minimum specified period.
- Whether there is a public interest basis to hold the data for a specified period.
- Where there is a sound evidence-based reason to hold the data for a specified period.
As a general rule, we keep your information for a specified period after the date on which your interaction with us has completed. This may mean that some information is held for longer than other information. For example:
- Contact with CRU Customer Care: Records are held for 12 months in the case of general queries / information requests / contacts or regarding the resolution of simple customer complaints and 24 months in the case of complex customer complaints.
- Recordings of calls to CRU Customer Care will be held for 6 months.
- Consultation responses published on the CRU website will remain there indefinitely.
- Personal data processed for the purpose of carrying out activities under the Safe Electric and RGII Schemes is retained for a maximum of two Safety Supervisory Scheme designation periods (currently set at 7 years).
When you contact us with a query or complaint, you may receive a phone call and/or email in relation to that contact. If you would prefer not to receive such communications, please let us know.
The CRU operates and uses appropriate technical and physical security measures to protect your personal data. We have taken appropriate security measures to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Access is only granted on a need-to-know basis on a least privilege basis to staff members whose roles require them to process your personal data and, in certain circumstances, to third party service providers. In addition, our service providers are selected carefully to ensure they have an appropriate level of technical, organisational and security measures in place.
Processing your information outside the EEA
Your information is stored on secure systems within the CRU premises and with providers of secure information storage. We may transfer or allow the transfer of information about you to our service providers and other organisations outside the European Economic Area (EEA), but only if they agree to act solely on our instructions and protect your information to the same standard that applies in the EEA.
For transfers of your personal data to third parties outside of the EEA, we take additional steps in line with Data Protection Law. We will put in place adequate safeguards with respect to the protection of your privacy, fundamental rights and freedoms, and the exercise of your rights, e.g. we will establish an adequate level of data protection through EU Standard Contractual Clauses based on the EU Commission’s model clauses.
Exercising your information rights
Your rights under data protection law may include the following (where applicable):
|What does it mean?||How do I execute this right?||Conditions to exercise?|
|You may challenge the accuracy or completeness of personal data which we process about you. If it is found that personal data is inaccurate or incomplete, you are entitled to have the inaccurate data removed, corrected or completed, as appropriate.||Requests should be made in writing to the CRU’s Data Protection Officer at firstname.lastname@example.org
If possible, you should specify the reasons why the personal data are incorrect or incomplete
|This right only applies to your own personal data.
When exercising this right, please be as specific as possible.
|Right of access||Subject to certain conditions, you are entitled to have access to your personal data which we hold (this is more commonly known as submitting a “data subject access request”).||Requests should be made in writing to the CRU’s Data Protection Officer at email@example.com
If possible, you should specify the type of information you would like to see to ensure that the information that we disclose to you meets your expectations.
|We must be able to verify your identity. Your request may not affect the rights and freedoms of others, e.g. privacy and confidentiality rights of other employees.
Your request may be subject to certain exemptions; e.g. legal professional privilege.
|Right to object to or restrict our data processing||Subject to certain conditions, you have the right to object to or ask us to restrict the processing of your personal data.||Requests should be made in writing to the CRU’s Data Protection Officer at firstname.lastname@example.org||This right applies only if the processing of your personal data is necessary for a public or legitimate interest basis. Objections must be based on grounds relating to your particular situation (e.g. causing damage or distress) and must not be generic so that we can demonstrate that there are still lawful grounds for us to process your personal data.|
|Right to have personal data erased||
|Requests should be made in writing to the CRU’s Data Protection Officer at email@example.com||There are various lawful reasons why we may not be in a position to erase your personal data. This may apply (i) where we have to comply with a legal obligation, (ii) in case of exercising or defending legal claims, or (iii) where retention periods apply by law (i.e. as set out in legislation) or by virtue of the CRU’s data retention policies|
|Right to withdraw consent||You have the right to withdraw your consent to any processing for which you have previously given that consent.||Requests should be made in writing to the CRU’s Data Protection Officer at firstname.lastname@example.org||If you withdraw your consent, this will only take effect for the future. It will not affect the lawfulness of processing based on your consent before its withdrawal.|
|Right of data portability||Subject to certain conditions, you are entitled to receive the data which you have provided to us and which is processed by us by automated means, in a commonly-used machine readable format.||Requests should be made in writing to the CRU’s Data Protection Officer at email@example.com
If possible, you should specify the type of information you would like to receive to ensure that the information that we disclose to you meets your expectations.
|This right only applies if the processing is based on your consent or contract basis and when the processing is carried out by automated means (e.g. not for paper records). It affects only personal data that was “provided” by you. It does not, as a rule, apply to personal data that was created by CRU.|
If you make your request electronically (such as by email), we will, where possible, provide the relevant information electronically unless you ask us otherwise.
We are obliged to respond without undue delay. In most instances, we will respond within one calendar month unless we are unable to deal with your request fully within a calendar month due to the complexity or number of requests You can assist us in responding to your request by including any additional details that would help to locate your information – such as; the type of personal data involved, relevant dates or appropriate reference number or the circumstances in which the CRU obtained your personal data.
Please note: In certain circumstances, your information rights may be restricted in accordance with GDPR Article 23 as transposed by Section 60 of the Data Protection Act 2018.
Completion of this form will assist in responding to your request to access your personal data held by CRU. You may also be asked for evidence of your identity to make sure that personal information is not given to the wrong person.
You have the right to complain to the Data Protection Commission or another supervisory authority.
You can contact the Data Protection Commission at https://www.dataprotection.ie/docs/Contact-us/b/11.html
|Telephone:||+353 (0)761 104 800 or Lo Call Number 1890 252 231|
|Fax:||+353 57 868 4757|
|Postal Address:||Data Protection Commission, 21 Fitzwilliam Square
Dublin 2, D02 RD28 or
Canal House, Station Road, Portarlington, Co. Laois R32 AP23.
How to contact us and our Data Protection Officer
If you have any questions about this notice or your personal information in the CRU generally, including questions about accessing your personal information or correcting it, please contact our Data Protection Officer at
|Telephone:||+353 (0)1 4000800|
|Postal Address:||The CRU, Grain House, The Exchange, Tallaght, Dublin 24, D24 PXW0, Ireland|
Changes to this notice
We will update this Privacy Notice from time to time. Any changes will be made available on this web page and, where appropriate, notified to you by e-mail or when you contact the CRU again.