CRU Privacy Notice

This notice is being provided to you in line with our obligations under the General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018. From that date, the GDPR, together with applicable Irish requirements, amends existing data protection law and places enhanced accountability and transparency obligations on organisations when using your information. It also gives you greater control over your personal information.

Please take time to read this notice carefully. If you have any questions about how we use your information, please contact our Data Protection Officer at the details below.

This notice relates to the CRU privacy practices and policies. The CRU is not responsible for the content or privacy practices and policies of other websites. Any external links to other websites are clearly identifiable as such.

Who we are

The Commission for Regulation of Utilities (CRU) is Ireland’s independent energy and water regulator and has a wide range of economic, customer protection and safety responsibilities. The CRU is also the economic regulator of the Irish public water and wastewater sector.

The CRU acts as data controller in relation to information held about you for the purposes of data protection law i.e. the General Data Protection Regulation (GDPR) and any applicable Irish implementation.

Why we collect information about you

In order to carry out its functions, the CRU needs to collect and use personal information about the individuals who come into contact with us in areas such as;

  • Complaint resolution (utility customers can contact CRU Customer Care to help resolve their complaints with suppliers or network operators);
  • Information requests or queries;
  • Public access to information under FOI / AIE / Data Protection legislation;
  • CRU Consultation process where members of the public are invited to respond;
  • Public procurement activities (tenderers, suppliers and service providers);
  • Licencing activities (in processing applications for Licensing, Consents, Certifications & Registrations);
  • Retail market monitoring and reporting activities;
  • Conducting audits on energy suppliers;
  • Energy Safety Supervisory Body (Safe Electric and RGII[1]) activities (appeals, complaints, illegal activity; disciplinary investigations and enforcement; monitoring and inspection of Inspectors);
  • Gas Safety Framework Incidents and Investigations and
  • Protected Disclosures to CRU Commissioners.

This information is collected when you contact us with a query or request; through forms you complete, when you give us information verbally or in writing, when you visit the CRU offices and from the entities that we regulate or designate.

The information we process about you

Categories of Personal Data Types of Personal Data
Identity Name, surname, title, and other identifying information provided by you (such as details left in voicemails)
Contact information Home address, email address, phone number.
Energy or Water Customer details Complaint Reference Number as assigned by Supplier or Network Operator, Account Number, MPRN / GPRN / WPRN, Nature of complaint and resolution steps.
Tenderer details Staff CV details such as qualifications and experience, photos if provided in tender documents
Supplier details Contact information, bank details, VAT details and tax clearance information
Stakeholder details Contact information, role, meeting minutes / notes
Licence & Authorisation Applicant details Contact information, Names of company directors, Person responsible for construction / Engineer.
Market data as shared by Utility Suppliers or Network Operators[2] for the purposes of market monitoring, conducting supplier audits or CRU decision making

 

Bulk energy retail market data regarding customer switching, renegotiations, prices, discount levels, disconnections, PAYG installations and debt flagging.

Energy customer MPRN / GPRN bulk meter details relating to disconnections.

Additional retail market data may be processed on a case by case basis in the context of conducting Energy Supplier Audits as required in the Energy Supplier Handbook.

Irish Water customer WPRN bulk meter details.

Members of or applicants to Safe Electric (RECI) or RGII details (where a complaint or an appeal has been received) Contact information, documents relating to educational and employment background including identification, professional qualifications, skills training undertaken and previous employment details
Unregistered gas installers and electrical contractors (where a complaint has been received) Investigation files and enforcement actions, contact information, identification, statements in relation to alleged illegal gas and electrical works, employment background and professional qualifications
Safe Electric or RGII Inspectors details (where inspected or audited) Name, contact information, registration number, employment background, professional qualifications
Personal details relating to Gas Safety Framework (GSF) Incidents &  Investigations[3] Contact information, nature of incident, injury information, health status of victim, investigation report
Protected Disclosure details Contact information, organisation, role
Other personal information Telephone recordings (made to our out-sourced customer care provider); CCTV images at our offices; Information in relation to FOI / AIE / Data Protection requests.

 

Please note: The CRU does not request or require personal data relating to your children, your health status, criminal convictions or any other special category / sensitive information in any of our public interactions, such as complaint resolution.

Why we use your information

We fully respect your right to privacy and will only collect or process your personal data, where required, for one or more of the following purposes (legal basis):

To comply with our legal obligations

  1. Resolving energy & water customer complaints with your energy supplier, network operator and Irish Water (As prescribed for under S.I. No. 463 of 2011 and the Water Services Acts 2013, 2014 & 2017).
  2. Providing you with information relating to the services provided by energy suppliers, network operators or Irish Water. (As prescribed for under S.I. No. 463 of 2011 and the Water Services Acts 2013, 2014 & 2017).
  3. Processing applications for a Licence to Generate Electricity or Authorisation to Construct or Reconstruct a Generating Station or Electricity Supply Licence (under the Electricity Regulation Act, 1999 Section 14 as amended); Natural Gas Shipping and Supply Licence (Under Section 16 of the Gas (Interim) (Regulation) Act 2002, as amended); Consents pursuant to Section 48 and Section 49 of the Electricity Regulation Act 1999; High Efficiency CHP Certification (as set out in SI 298, 299 and 499 of 2009);  LPG Safety Licences (in accordance with section 9JE (3) of the Electricity Regulation Act 1999, as amended by the Energy (Miscellaneous Provisions) Act 2012); Network Licences under section 14 (1) of the Electricity Regulation Act 1999  & section 16 (1) of the Gas Act 2002; and REMIT (Regulation on Energy Market Integrity and Transparency) Registration (SI 480 of 2014).
  4. Retail energy market monitoring measures, in compliance with requirements stemming from the 3rd Package of European energy legislation which was transposed into Irish law by S.I. No. 450 of 2010 and S.I. No. 630 of 2011 (the S.I.s covering electricity and gas, respectively).
  5. Conducting audits on energy suppliers to ensure compliance with the Electricity and Gas Supplier Handbook (the Supplier Handbook), as a Code of Practice prescribed for in S.I. No. 463 of 2011.
  6. Conducting investigations to ensure compliance with the conditions of a licence issued under sections (1) (b), (g)  or (h) of the Electricity Regulation Act 1999, or sections 16(1)(a) or (b) of the Gas (Interim) (Regulation) Act 2002.
  7. Conducting public hearings where the CRU is satisfied that sufficient grounds exist to warrant a public hearing (as prescribed under the Electricity Regulation Act, 1999 Section 20, as amended).
  8. Facilitating registration appeals, complaints and disciplinary relating to applicants to or members of Safe Electric and RGII Schemes and facilitating the sharing of information in relation to prosecutions against unregistered gas installers and electrical contractors. As prescribed for under Electricity Regulation Act 1999, as amended and the Criteria Document(s).
  9. Facilitating the monitoring and inspection of Safe Electric and RGII Inspectors (As prescribed for under Electricity Regulation Act 1999, as amended and the Criteria Document(s).
  10. Investigating natural gas or Liquefied Petroleum Gas (LPG) incidents to identify the cause and make recommendations on the prevention of future incidents as prescribed for by the Gas (Amendment) Act (Section 2) (Distribution) Order 2003 and Energy (Miscellaneous Provisions) Act 2012
  11. Establishing an Appeal Panel as defined in the Electricity Regulation Act 1999 as amended (revised and updated to 3 January 2018).
  12. Complying with your information rights.
  13. Preparing returns to relevant authorities including preparing income tax, PSWT, VAT3 and other revenue returns.
  14. Complying with binding requests from regulatory bodies, such as the Data Protection Commission and the Office of the Information Commissioner.
  15. Complying with court orders arising in civil or criminal proceedings.
  16. Facilitating the making of a Protected Disclosure to a Commissioner in the CRU as prescribed by The Protected Disclosures Act 2014.

To fulfil the terms of a contract

  1. Engaging service providers and suppliers and for the provision of and payment for goods and services.
  2. Filling vacant positions and for the engagement and payment of employees.
  3. Monitoring and recording the conversations when you speak on the telephone to our out-sourced customer contact provider (to analyse, assess and improve customer service experience and for quality and contract management purposes).

 

Performing a task carried out in the public interest

  1. Contacting you by post, phone and email.
  2. Facilitating public input and comment on CRU Consultations.
  3. Managing and responding to complaints about us.

 

Where you have given us permission (which you may withdraw at any time)

  1. Using cookies in accordance with our Cookie Policy.
  2. Using special categories of data, or sensitive data.

When we ask for your consent, we will provide you with more information on how we will use your data in reliance on that consent.

 

To protect your vital interests

Occasionally it may be necessary for the CRU to process personal data in order to protect a vital interest of an individual.

To run our organisation on a day to day basis including to

  • Contact stakeholders: Business contact information relating to stakeholders (personal information typically found on a business card used by you in the conduct of your employment) is processed for legitimate business-related purposes.
  • Compile and process your information for audit, statistical, reporting or research purposes (including, in some instances, making your data anonymous) in order to help us understand utility markets trends and to provide information to assist our regulatory functions.
  • Protect our business, reputation, resources and equipment and manage the CRU network systems, and information.
  • Provide security and prevent and detect crime including using CCTV at our premises.
  • Manage and administer our legal and compliance affairs.

The CRU will only process your personal data for the purposes for which they were originally collected and it will only be processed further for the following closely related business purposes:

  • transferring the personal data to an archive;
  • conducting internal audits or investigations;
  • implementing business controls;
  • conducting statistical analysis or research as required;
  • preparing for or engaging in dispute resolution;
  • using legal or business consulting services; or
  • managing insurance issues.

Who we share your information with

We only share your information where it’s necessary. Sharing can occur in the following circumstances and with the following organisations.

Consultation responses published on the CRU website

  • When you respond to a CRU Consultation Paper, your personal details will not be published unless you expressly request us to do so. Where requested, these details will be published on the CRU website as part of the transparent sharing of views informing the CRU decision making process.

Your authorised representatives

  • These include your attorney (under Power of Attorney) or any other party authorised by you to receive your personal data.

Third parties

  • Our customer contact service provider is currently A.R.I. Services Europe Ltd., (ARISE). ARISE is the first point of public contact for many queries and energy complaints and we share your personal information with them as our data processor so that they can effectively provide this service to you. In providing these services, ARISE may record call information and will hold this securely; all other data is held in systems of the CRU.
  • We may need to share your personal information with utility suppliers or network operators to aid the efficient processing of your query or compliant.
  • Tenderer or supplier details may be shared with the Northern Irish Authority for Utility Regulation (NIAUR) in cases where the CRU procures services or supplies on behalf of the Single Electricity Market Committee (SEMC) and NIAUR is a joint controller for the data.
  • Tenderer details are collected via www.etenders.gov.ie eTenders is the Irish Government’s electronic tendering platform administered by the Office of Government Procurement.
  • Business contact information relating to stakeholders may be shared with a relevant third party if it is reasonably expected that such information will only be used by the third party to contact you for legitimate business purposes related to your job responsibilities.
  • Where legally required to do so, we share details of members of or applicants to Safe Electric or RGII (or of unregistered gas installers and electrical contractors) with those Safety bodies in relation to registration appeals, complaints, illegal activity, disciplinary investigations and enforcement.
  • Where legally required to do so, we share details of Safe Electric or RGII Scheme members with those bodies and with other members of a disciplinary hearing.
  • We share details of natural gas or LPG Incidents & Investigations with GNI (Gas Networks Ireland), Flogas and Calor Gas (as part of our legal requirements) and with the RGI Scheme, Department of Communications, Climate Action and Communications, the Irish LPG Association, the Fire Services and the HSA to facilitate investigations /share learnings and to help facilitate the safe transmission, distribution and use of natural gas and LPG in Ireland.
  • The CRU engages service provides to provide operational and systems support and maintenance. These include ICT (including CRM) systems services, ICT (including CRM) maintenance, software development, document storage and destruction, printing, couriers, auditors and consultants including legal advisors. Your personal information remains protected when our service providers use it.

 

Statutory and regulatory bodies (including central and local government) and law enforcement authorities

  • These include the courts and those appointed by the courts, government departments, statutory and regulatory bodies including: the Data Protection Commission, the Office of the Information Commissioner, Office of the C&AG, An Garda Siochana and Revenue Commissioners.

We take our security responsibilities seriously when sharing your data, employing the most appropriate and commercially reasonable physical and technical measures. We review our security measures and procedures regularly.

Organisations who share your information with the CRU

In certain circumstance, utility suppliers or network operators are required share certain personal identifiers with the CRU in order to facilitate our role in monitoring customer protection issues and supplier compliance in the retail market. CRU is data controller for any such data when received from these organisations.

How long we hold your information

The length of time we hold your data depends on a number of factors such as:

  • The type of data we hold about you.
  • Whether there is a legal obligation to hold the data for a minimum specified period.
  • Whether there is a public interest basis to hold the data for a specified period.
  • Where there is a sound evidence-based reason to hold the data for a specified period.

As a general rule, we keep your information for a specified period after the date on which your interaction with us has completed.

This is for 12 months in the case of general queries / information requests / contacts or the resolution of simple customer complaints to 24 months in the case of complex customer complaints. Consultation responses published on the CRU will remain there indefinitely.

When you contact us with a query or complaint, you may receive a phone call and/or email in relation to that contact. If you would prefer not to receive such communications, please let us know.

Processing your information outside the EEA

Your information is stored on secure systems within the CRU premises and with providers of secure information storage. We may transfer or allow the transfer of information about you with us to our service providers and other organisations outside the European Economic Area (EEA), but only if they agree to act solely on our instructions and protect your information to the same standard that applies in the EEA.

Exercising your information rights

You have several rights in relation to how we use your information. If you make your request electronically, we will, where possible, provide the relevant information electronically unless you ask us otherwise.

You have the right to:

  • Find out if we use your information, to access your information and to receive copies of the information we have about you.
  • Request that inaccurate information is corrected and incomplete information updated.
  • Object to particular uses of your personal data which you believe is causing damage or distress and where the legal basis for our use of your data is the performance of a task in the public interest or our legitimate business interests or. However, doing so may have an impact on the services we can provide. If you wish to object to certain data processing operations, please state set out how the processing is causing you unwarranted and substantial damage and distress.
  • Have your data deleted or its use restricted – you have a right to this under certain circumstances. For example, where you withdraw consent you gave us previously and there is no other legal basis for us to retain it, or where you object to our use of your personal information for particular legitimate business interests.
  • Obtain a transferable copy of certain data to which can be transferred to another provider, known as “the right to data portability”. This right applies where personal information is being processed based on consent or for performance of a contract and the processing is carried out by automated means. You are not able to obtain through the data portability right all of the personal information that you can obtain through the right of access. The right also permits the transfer of data directly to another provider where technically feasible. Therefore, depending on the technology involved, we may not be able to receive personal data transferred to us and we will not be responsible for the accuracy of same.
  • Withdraw consent at any time, where any processing is based on consent. If you withdraw your consent, it will not affect the lawfulness of processing based on your consent before its withdrawal.

To facilitate your request, when contacting us, please specify the reasons why the personal data are incorrect, incomplete or not lawfully processed. Please note that in certain circumstances the CRU may not be able to fulfil your request as we may be legally required to keep such data.

We are obliged to respond without undue delay. In most instances, we will respond within one calendar month. If we are unable to deal with your request fully within a calendar month (due to the complexity or number of requests), we may extend this period by a further two calendar months. Should this be necessary, we will explain the reasons why. If you make your request electronically, we will, where possible, provide the relevant information electronically unless you ask us otherwise. In order to respond in writing, please provide us with your full name and home address (including your Eircode).

You can assist us in responding to your request by including any additional details that would help to locate your information – such as; the type of personal data involved, your customer account or reference number or the circumstances in which the CRU obtained your personal data. The CRU has templates available which may be issued to you to assist in responding to your request. You may also be asked for evidence of your identity to make sure that personal information is not given to the wrong person.

You have the right to complain to the Data Protection Commission or another supervisory authority.

You can contact the the Data Protection Commission at https://www.dataprotection.ie/docs/Contact-us/b/11.html

Telephone: +353 (0)761 104 800 or Lo Call Number 1890 252 231
Fax:     +353 57 868 4757
E-mail: info@dataprotection.ie
Postal Address: Data Protection Commission, Canal House, Station Road, Portarlington, Co. Laois R32 AP23 or 21 Fitzwilliam Square, Dublin 2, D02 RD28

How to contact us and our Data Protection Officer

If you have any questions about this notice or your personal information in the CRU generally, including questions about accessing your personal information or correcting it, please contact our Data Protection Officer at;

Online: https://www.cru.ie/home/about-cru/privacy/
Telephone: +353 (0)1 4000800
E-mail: dataprotection@cru.ie
Postal Address: The CRU, Grain House, The Exchange, Tallaght, Dublin 24, D24 PXW0, Ireland

 

Changes to this notice

We will update this Privacy Notice from time to time. Any changes will be communicated to you and made available on this page and, where appropriate, notified to you by e-mail or when you contact the CRU again.

[1] RGII (Register of Gas Installers of Ireland); Safe Electric - RECI (Register of Electrical Contractors of Ireland).

[2] Electricity: MRSO (Meter Registration System Operator), ESBN (ESB Networks)

Gas: GPRO (Gas Point Registration Operator), GNI (Gas Networks Ireland)

Water: Irish Water

Electricity & Gas Suppliers: BE Energy, Bord Gáis Energy, Electric Ireland, Energia, Flogas, Go Energy, Just Energy, Panda Power, Pinergy, PrePayPower, SSE Airtricity, Vayu.

[3] As provided by GNI (Gas Networks Ireland) or Calor Teoranta  or Flogas Ireland Limited depending on origin of incident