CRU Privacy Notice
This privacy notice tells you what to expect us to do with your personal information when you make contact with us or use our services. The notice will tell you:
- why we are able to process your information;
- what purpose we are processing it for;
- whether you have to provide it to us;
- how long we store it for;
- whether there are other recipients of your personal information; and
- whether we intend to transfer it to another country.
Please take time to read this notice carefully. If you have any questions about how we use your information, please contact our Data Protection Officer at the details below.
Who we are
The Commission for Regulation of Utilities (CRU) is Ireland’s independent energy & water regulator with a range of economic, customer care and energy safety functions.
The CRU acts as data controller in relation to information held about you for the purposes of data protection law i.e. applicable national and EU data protection laws, regulations and guidelines including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
For the purposes of data protection law, the Commission for Regulation of Utilities (CRU) is a joint data controller with respect to the processing of Scheme Data for the Safe Electric and RGI (Register of Gas Installers) schemes (see below for further information).
Why we collect information about you
In order to carry out its functions, the CRU needs to collect and use personal information about the individuals who come into contact with us.
Most of the personal information we process is provided to us directly by you for one of the following reasons;
- Complaint resolution (utility customers can contact CRU Customer Care to help resolve their complaints with suppliers or network operators);
- Information requests or queries;
- Subscribing to CRU publication updates on our website;
- Public access to information under FOI / AIE / Data Protection legislation;
- Responding to CRU Consultations;
- Attendance at a public hearing which we have conducted,
- Safety–related complaints received in relation to Compressed Natural Gas (CNG);
- Certain activities related to the operation of the Safe Electric and RGI schemes by the designated Safety Supervisory Body (SSB) (including information queries from the public; appeals; complaints; illegal activity and enforcement; audit and inspection of Safety Supervisory Body (SSB) inspectors);
- Public procurement activities (tenderers, suppliers and service providers);
- Licencing activities (processing applications for Licensing, Consents, Certifications & Registrations); and
- Protected Disclosures to CRU Commissioners.
This information is collected when you contact us with a query or request; through forms you complete, when you give us information verbally or in writing or when you visit the CRU offices.
We also receive personal information indirectly. This information is usually received from the entities that we regulate or designate and may happen in the following scenarios:
- CRU Customer Care contact an energy supplier or network operator on your behalf and it gives us your personal information in its response;
- Retail market monitoring and reporting activities;
- Conducting audits on energy suppliers or Irish Water;
- Assessment of applications for Recognition of EU Professional Qualifications (Gas Installers & Electrical Contractors);
- Certain activities related to the operation of the Safe Electric and RGI schemes by the designated Safety Supervisory Body (SSB). This includes applications, management of registration, certificates of completion, Notices of Hazard and Notices of Potential Hazard, Emergency Notices, audit and inspection of RECs/RGIs, complaints, investigations, changes of contractor or installer, disciplinary proceedings and information queries from the public;
- Gas Safety Framework (Natural Gas and LPG) incidents and investigations; or
- An employee of ours gives your contact details as an emergency contact or a referee.
The information we process about you
|Categories of Personal Data||Types of Personal Data|
|Identity||Name, surname, title, and other identifying information provided by you
Details left in voicemails or in call recordings to CRU Customer Care and records of these discussions
Details provided when you sign in at CRU offices
|Contact information||Address, email address, phone number.|
|Authorised representatives||Details of nominees, executors, those with power of authority or other authorised representatives|
|Energy or Water Customer details||Complaint Reference Number as assigned by Supplier or Network Operator, Account Number and History, Meter Number (MPRN / GPRN / WPRN) and energy / water consumption details, Nature of complaint and resolution steps, Details in call records to CRU Customer Care, Vulnerable customer status.|
|Tenderer details||Staff CV details such as qualifications and experience; photos if provided in tender documents|
|Supplier details||Contact information, bank details, VAT details and tax clearance information|
|Stakeholder details||Contact information, role, meeting minutes / notes|
|Licence & Authorisation Applicant details||Contact information, Names of company directors, Person responsible for Construction / Engineer.|
|Market data as shared by Utility Suppliers or Network Operators** for the purposes of market monitoring, conducting supplier audits or CRU decision making
|Bulk energy retail market data regarding customer switching, renegotiations, prices, discount levels, disconnections, vulnerable customers, PAYG installations and debt flagging.
Energy customer MPRN / GPRN bulk meter details relating to disconnections.
Additional retail market data may be processed on a case by case basis in the context of auditing compliance with Codes of Practice for the bodies we regulate.
Irish Water customer WPRN bulk meter details for analysis.
|Members of or applicants to Safe Electric or RGI Schemes||Contact information, documents relating to educational and employment background including identification, professional qualifications, insurance details, skills / training undertaken and previous employment details.
Details of audit and inspections, complaints, investigations, changes of contractor or installer, disciplinary proceedings and certificates of completion.
|Application for Recognition of EU Professional Qualifications (Gas Installers & Electrical Contractors)||Nationality, Proof of eligibility to work in country of qualification(s), Details of registration / licence including certified documentary evidence from regulatory body/ competent authority; Details of relevant professional qualification(s) including transcripts / certificates; Details of professional experience including proof of the relevant learning outcomes; References from employers and supervisors and certification / proof of completed works.|
|Unregistered gas installers and electrical contractors (where a complaint has been received)||Investigation files and enforcement actions, contact information, identification, statements in relation to alleged illegal gas and electrical works, employment background and professional qualifications|
|Safe Electric or RGII Inspectors schemes (where inspected or audited)||Name, contact information, registration number, employment background, professional qualifications|
|Personal details relating to Gas Safety Framework (GSF) Incidents & Investigations***||Contact information, nature of incident, injury information, health status of victim, investigation report|
|Protected Disclosure details||Contact information, organisation, role|
|Website user statistics (Google Analytics)||Location, time, date and details of your visit to our website (as anonymous statistics)|
|Other personal information||Telephone recordings (made to our out-sourced customer care provider); CCTV images at our offices; Information in relation to FOI / AIE / Data Protection requests (including proof of identity if required); Responses to CRU surveys|
 Electricity: MRSO (Meter Registration System Operator) - ESBN (ESB Networks)
Gas: GPRO (Gas Point Registration Operator) - GNI (Gas Networks Ireland)
Water: Irish Water
Electricity / Gas Suppliers: For current list of energy suppliers see https://www.cru.ie/home/customer-care/energy/communication/
Please note: The CRU does not request or require personal data relating to children, health status, criminal convictions or any other special category / sensitive information in our engagement with the public, such as for the purposes of energy complaint resolution.
Why we use your information
Safe Electric and RGI Schemes
The Electricity Regulation Act (ERA), 1999, as amended by various pieces of legislation, gives the CRU statutory responsibilities in the areas of electrical and gas safety. This includes the following functions:
- Regulate the activities of electrical contractors with respect to safety (ERA Sections 9C, 9D, 9E); and
- Regulate the activities of natural gas and LPG installers with respect to safety (ERA Sections 9F, 9G, 9H, 9I, 9J).
Electrical Safety - Safe Electric Scheme:
Safe Electric is a statutory regulatory scheme for Registered Electrical Contractors and regulated electrical works. Its national safety supervisory function aims to give assurance that not only are Registered Electrical Contractors qualified and competent in working with electricity safely, but that the regulated works they have completed have been done in accordance with National Safety standards.
From 3 January 2023, the CRU has designated Walk Meadow Limited t/a Safe Energy Ireland as the Electrical Safety Supervisory Body (ESSB).
The CRU is a Joint Data Controller with Walk Meadow Limited t/a Safe Energy Ireland in connection with delivery of services and in relation to information held about you in the context of the Safe Electric Scheme. Please also refer to the Safe Electric Privacy Notice
Gas Safety - RGI Scheme:
The RGI Scheme is a statutory regulatory scheme for Registered Gas Installers and regulated gas works. Its national safety supervisory function aims to give assurance that not only are Registered Gas Installers qualified and competent in working with gas safely, but that the regulated works they have completed have been done in accordance with National Safety standards.
From 3 January 2023, the CRU has designated Walk Meadow Limited t/a Safe Energy Ireland as the Gas Safety Supervisory Body (GSSB).
The CRU is a Joint Data Controller with Walk Meadow Limited t/a Safe Energy Ireland in connection with delivery of services and in relation to information held about you in the context of the RGI Scheme. Please also refer to the RGI Privacy Notice
We fully respect your right to privacy and will only collect or process your personal data, where required, for one or more of the following purposes (lawful basis):
Performing our public task as a regulator including:
- Contacting you by post, phone and email.
- Facilitating public input and comment on CRU Consultations.
- Responding to queries to the CRU Press Office.
- Responding to customer service quality complaints in accordance with our Customer Charter.
- Resolving energy & water customer complaints with your energy supplier, network operator and Irish Water (As prescribed for under S.I. No. 463 of 2011 and the Water Services Acts 2013, 2014 & 2017).
- Providing you with information or responding to an enquiry relating to the services provided by energy suppliers, network operators or Irish Water. (As prescribed for under S.I. No. 463 of 2011 and the Water Services Acts 2013, 2014 & 2017).
- Processing applications for a Licence to Generate Electricity or Authorisation to Construct or Reconstruct a Generating Station or Electricity Supply Licence (under the Electricity Regulation Act, 1999 Section 14 as amended); Natural Gas Shipping and Supply Licence (Under Section 16 of the Gas (Interim) (Regulation) Act 2002, as amended); Consents pursuant to Section 48 and Section 49 of the Electricity Regulation Act 1999; High Efficiency CHP Certification (as set out in SI 298, 299 and 499 of 2009); LPG Safety Licences (in accordance with section 9JE (3) of the Electricity Regulation Act 1999, as amended by the Energy (Miscellaneous Provisions) Act 2012); Network Licences under section 14 (1) of the Electricity Regulation Act 1999 & section 16 (1) of the Gas Act 2002; and REMIT (Regulation on Energy Market Integrity and Transparency) Registration (SI 480 of 2014).
- Retail energy market monitoring measures, in compliance with requirements stemming from the 3rd Package of European energy legislation which was transposed into Irish law by S.I. No. 450 of 2010 and S.I. No. 630 of 2011 (the S.I.s covering electricity and gas, respectively).
- Conducting audits on energy suppliers to ensure compliance with the Electricity and Gas Supplier Handbook (the Supplier Handbook), as a Code of Practice prescribed for in S.I. No. 463 of 2011.
- Conducting investigations to ensure compliance with the conditions of a licence issued under sections (1) (b), (g) or (h) of the Electricity Regulation Act 1999, or sections 16(1)(a) or (b) of the Gas (Interim) (Regulation) Act 2002.
- Conducting public hearings where the CRU is satisfied that sufficient grounds exist to warrant a public hearing (as prescribed under the Electricity Regulation Act, 1999 Section 20, as amended).
- Facilitating registration appeals, complaints and disciplinary actions relating to applicants to or members of Safe Electric and RGI Schemes and facilitating the sharing of information in relation to prosecutions against unregistered gas installers and electrical contractors. (As prescribed for by the Electricity Regulation Act 1999, as amended and the Criteria Document(s).)
- Processing applications for the Recognition of EU Professional Qualifications for Gas Installers & Electrical Contractors as prescribed for by EU Directive 2013/55/EU and S.I. No. 8 of 2017.
- Facilitating the monitoring and inspection of Safe Electric and RGI Inspectors (As prescribed for under Electricity Regulation Act 1999, as amended and the Criteria Document(s).)
- Investigating natural gas or Liquefied Petroleum Gas (LPG) incidents to identify the cause and make recommendations on the prevention of future incidents as required by the Gas (Amendment) Act (Section 2) (Distribution) Order 2003 and Energy (Miscellaneous Provisions) Act 2012.
- Establishing an Appeal Panel as defined in the Electricity Regulation Act 1999 as amended.
- Responding to safety complaints regarding Compressed Natural Gas (CNG) in accordance with S.I. No. 647/2018 - European Union (Deployment of Alternative Fuels Infrastructure) (No. 2) Regulations 2018.
How long we hold your information and how it’s secured
We will keep your personal data for as long as it is necessary to fulfil the purposes for which it was collected as described above and in accordance with our legal and regulatory obligations. The length of time we hold your personal data depends on a number of factors such as:
- The type of data we hold about you.
- Whether there is a legal obligation to hold the data for a minimum specified period.
- Whether there is a public interest basis to hold the data for a specified period.
- Where there is a sound evidence-based reason to hold the data for a specified period.
As a general rule, we keep your information for a specified period after the date on which your interaction with us has completed. This may mean that some information is held for longer than other information. For example:
- Contact with CRU Customer Care: Records are held for 12 months in the case of general queries / information requests / contacts or regarding the resolution of simple customer complaints and 24 months in the case of complex customer complaints.
- Recordings of calls to CRU Customer Care will be held for 3 months.
- Consultation responses published on the CRU website will remain there indefinitely.
- Personal data processed by the CRU for the purpose of supervising the operation of the Safe Electric and RGI Schemes is retained for a maximum of two Safety Supervisory Body designation periods (currently set at an aggregate maximum term of 7 years).
When you contact us with a query or complaint, you may receive a phone call and/or email in relation to that contact. If you would prefer not to receive such communications, please let us know.
The CRU operates and uses appropriate technical and physical security measures to protect your personal data. We have taken appropriate security measures to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Access is only granted on a need-to-know basis on a least privilege basis to staff members whose roles require them to process your personal data and, in certain circumstances, to third party service providers. In addition, our service providers are selected carefully to ensure they have an appropriate level of technical, organisational and security measures in place.
Processing your information outside the EEA
Your information is stored on secure systems within the CRU premises and with providers of secure information storage. We may transfer or allow the transfer of information about you to our service providers and other organisations outside the European Economic Area (EEA), but only if they agree to act solely on our instructions and protect your information to the same standard that applies in the EEA.
For transfers of your personal data to third parties outside of the EEA, we take additional steps in line with Data Protection Law. We will put in place adequate safeguards with respect to the protection of your privacy, fundamental rights and freedoms, and the exercise of your rights, e.g. we will establish an adequate level of data protection through EU Standard Contractual Clauses based on the EU Commission’s model clauses.
Exercising your information rights
Your rights under data protection law may include the following (where applicable):
|What does it mean?||How do I execute this right?||Conditions to exercise?|
|You may challenge the accuracy or completeness of personal data which we process about you. If it is found that personal data is inaccurate or incomplete, you are entitled to have the inaccurate data removed, corrected or completed, as appropriate.||Requests should be made in writing to the CRU’s Data Protection Officer at email@example.com
If possible, you should specify the reasons why the personal data are incorrect or incomplete
|This right only applies to your own personal data.
When exercising this right, please be as specific as possible.
|Right of access||Subject to certain conditions, you are entitled to have access to your personal data which we hold (this is more commonly known as submitting a “data subject access request”).||Requests should be made in writing to the CRU’s Data Protection Officer at firstname.lastname@example.org
If possible, you should specify the type of information you would like to see to ensure that the information that we disclose to you meets your expectations.
|We must be able to verify your identity. Your request may not affect the rights and freedoms of others, e.g. privacy and confidentiality rights of other employees.
Your request may be subject to certain exemptions; e.g. legal professional privilege.
|Right to object to or restrict our data processing||Subject to certain conditions, you have the right to object to or ask us to restrict the processing of your personal data.||Requests should be made in writing to the CRU’s Data Protection Officer at email@example.com||This right applies only if the processing of your personal data is necessary for a public or legitimate interest basis. Objections must be based on grounds relating to your particular situation (e.g. causing damage or distress) and must not be generic so that we can demonstrate that there are still lawful grounds for us to process your personal data.|
|Right to have personal data erased||
|Requests should be made in writing to the CRU’s Data Protection Officer at firstname.lastname@example.org||There are various lawful reasons why we may not be in a position to erase your personal data. This may apply (i) where we have to comply with a legal obligation, (ii) in case of exercising or defending legal claims, or (iii) where retention periods apply by law (i.e. as set out in legislation) or by virtue of the CRU’s data retention policies|
|Right to withdraw consent||You have the right to withdraw your consent to any processing for which you have previously given that consent.||Requests should be made in writing to the CRU’s Data Protection Officer at email@example.com||If you withdraw your consent, this will only take effect for the future. It will not affect the lawfulness of processing based on your consent before its withdrawal.|
|Right of data portability||Subject to certain conditions, you are entitled to receive the data which you have provided to us and which is processed by us by automated means, in a commonly-used machine readable format.||Requests should be made in writing to the CRU’s Data Protection Officer at firstname.lastname@example.org
If possible, you should specify the type of information you would like to receive to ensure that the information that we disclose to you meets your expectations.
|This right only applies if the processing is based on your consent or contract basis and when the processing is carried out by automated means (e.g. not for paper records). It affects only personal data that was “provided” by you. It does not, as a rule, apply to personal data that was created by CRU.|
If you make your request electronically (such as by email), we will, where possible, provide the relevant information electronically unless you ask us otherwise.
We are obliged to respond without undue delay. In most instances, we will respond within one calendar month unless we are unable to deal with your request fully within a calendar month due to the complexity or number of requests You can assist us in responding to your request by including any additional details that would help to locate your information – such as; the type of personal data involved, relevant dates or appropriate reference number or the circumstances in which the CRU obtained your personal data.
Please note: In certain circumstances, your information rights may be restricted in accordance with GDPR Article 23 as transposed by Section 60 of the Data Protection Act 2018.
Completion of this form will assist in responding to your request to access your personal data held by CRU. You may also be asked for evidence of your identity to make sure that personal information is not given to the wrong person.
You have the right to complain to the Data Protection Commission or another supervisory authority.
You can contact the Data Protection Commission at https://www.dataprotection.ie/docs/Contact-us/b/11.html
|Telephone:||+353 (0)761 104 800 or Lo Call Number 1890 252 231|
|Fax:||+353 57 868 4757|
|Postal Address:||Data Protection Commission, 21 Fitzwilliam Square
Dublin 2, D02 RD28 or
Canal House, Station Road, Portarlington, Co. Laois R32 AP23.
How to contact us and our Data Protection Officer
If you have any questions about this notice or your personal information in the CRU generally, including questions about accessing your personal information or correcting it, please contact our Data Protection Officer at
|Telephone:||+353 (0)1 4000800|
|Postal Address:||The CRU, Grain House, The Exchange, Tallaght, Dublin 24, D24 PXW0, Ireland|
Changes to this notice
We will update this Privacy Notice from time to time. Any changes will be made available on this web page and, where appropriate, notified to you by e-mail or when you contact the CRU again.