1. POLICY STATEMENT
Everyone has rights with regard to the way in which their personal data in handled. During the course of our activities we will collect, store and process personal data about our customers, suppliers and other third parties, and we recognise that the correct and lawful treatment of this data will maintain confidence in the organisation and will provide for successful business operations.
2. ABOUT THIS POLICY
2.1 The types of personal data that Flogas may be required to handle include information about current, past and prospective customers and others that we communicate with. The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the relevant Data Protection and ePrivacy Laws and Regulations.
The data controller is Flogas of Knockbrack House, Matthews Lane, Donore Road, Drogheda, Co. Louth.
2.2 This policy and any other documents referred to in it sets out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.
2.3 The Data Protection Manager is responsible for ensuring compliance with the relevant Data Protection and ePrivacy Laws and Regulations and with this policy. That post is held by Hazel Byrne, ext. 805 email email@example.com. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the Data Protection Manager.
2.4 Data Protection concerns the protection of the personal data of living individuals. It safeguards the privacy rights of individuals in relation to the processing of personal data, in both paper and electronic format. Responsibility for ensuring personal data is processed in accordance with data protection legislation lies with the data controller and/or data processor.
2.5 Flogas is committed to protecting and respecting your privacy. This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
3. DEFINITIONS OF DATA PROTECTION TERMS
We have set out below some definitions contained:
Data is information which is stored electronically, on a computer or in certain paper-based filing systems.
Smart Data is data off your smart meter.
Data subjects for the purpose of this policy include all living individuals about whom we hold personal data. All data subjects have legal rights in relation to their personal information.
Data Controllers are the people or organisations who determine the purposes for which, and the manner in which any personal data is processed. They are responsible for establishing practices and policies in line with the relevant laws and regulations. Flogas is the data controller of all personal data used in our business for our own commercial purposes.
Data Processors include any person or organisation that processes personal data on our behalf and on our instructions. Employees of data controllers are excluded from this definition, but it could include suppliers which handle personal data on Flogas' behalf.
GDPR means the General Data Protection Regulations EU 2016/679.
Personal Data means data relating to a living individual who is or can be identified from the data or from the data in conjunction with other information that is in or is likely to come into Flogas possession. Examples of Personal Data include name, address, date of birth, telephone number, email address, account number etc.
Sensitive Personal Data relates to specific categories of data such as data relating to a person’s racial origin; political opinions or religious or other beliefs; physical or mental health; sexual life; criminal convictions or the alleged commission of an offence and trade union membership. Flogas may collect sensitive personal data, such as limited health data in the event that specialised services are required by our customers to meet their needs.
Processing of Personal Data means any activity that involves the use of the data. We require this information to understand your needs and provide you with a better service. In particular, we will use it for the following legitimate interests of our business:
- Internal record keeping and account management purposes (e.g. verifying your identity and fulfilling orders you place).
- Monitoring, recording and storing telephone or email communications for the purpose of internal training, to improve the quality of our customer service and in order to meet any legal and regulatory requirements.
- Improving our products and services. Contacting you by email, phone, SMS or mail for the purpose of account administration and/or processing and fulfilling orders.
- Customising our website according to your interests.
- We may periodically send you promotional mails, emails, SMS messages or social media communications about new products, special offers or other information which we think you may find interesting using the contact details which you have provided
- Use your information to contact you for market research purposes; and
- Contact you by phone in relation to the above.
4. OBLIGATIONS OF FLOGAS AS DATA CONTROLLER
Anyone processing personal data must comply with the six Data Protection principles of good practice. These provide that personal data must be:
A. Be obtained and processed lawfully and fairly;
B. Be collected and kept only for specified, explicit and legitimate purposes and not be used or disclosed in a manner incompatible with those purposes for which it was given to you initially
C. Be protected against unauthorised access, alteration, disclosure or destruction, or unlawful processing;
D. Be accurate, complete and where necessary, kept up to date;
E. Be adequate, relevant and not excessive in relation to the purpose for which they were collected;
F. Not be kept for longer than is necessary;
5. FAIR AND LAWFUL PROCESSING
5.1 These Data Protection and ePrivacy laws and Regulations are not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject.
5.2 For personal data to be processed lawfully, it must be processed on the basis of one of the legal grounds set out in the relevant laws and regulations. These include, among other things, the data subject's consent to the processing, or that the processing is necessary for the performance of a contract with the data subject, for the compliance with a legal obligation to which the data controller is subject, or for the legitimate interest of the data controller or the party to whom the data is disclosed. Flogas rely on legitimate interests as their basis for processing customer data under Article 6 1(f) of the GDPR. When sensitive personal data is being processed, additional conditions must be met. When processing personal data as data controllers in the course of our business, Flogas will ensure that those requirements are met.
6. PROCESSING FOR LIMITED PURPOSES
In the course of our business, Flogas may collect and process your personal data. This may include data we receive directly from you (for example, by completing forms or by corresponding with us by mail, phone, email or otherwise) and data we receive from other sources (including, for example, business partners, sub-contractors in technical, payment and delivery services, credit reference agencies and others).
7. NOTIFYING DATA SUBJECTS
7.1 If we collect personal data directly from Data Subjects, we will inform them about:
(a) The purpose or purposes for which we intend to process that personal data.
(b) The types of third parties, if any, with which we will share or to which we will disclose that personal data.
(c) The means, if any, with which Data Subjects can limit our use and disclosure of their personal data.
7.2 If we receive personal data about a Data Subject from other sources, we will provide the Data Subject with this information as soon as possible thereafter.
7.3 We will also inform Data Subjects whose personal data we process that we are the data controller with regard to that data, and who the Data Protection Manager is.
8. ADEQUATE, RELEVANT AND NON-EXCESSIVE PROCESSING
We will only collect personal data to the extent that it is required for the specific purpose notified to the Data Subject. The processing of the data would be strictly confined to the purposes notified to the Data Subject and or mentioned in this policy and shall not be further processed in any manner incompatible with that purpose(s).
9. ACCURATE DATA
We will ensure that personal data we hold is accurate and kept up to date. We will check the accuracy of any personal data at the point of collection and at regular intervals afterwards. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data as per this policy and in accordance with the relevant Data Protection laws and regulations.
10. TIMELY PROCESSING
We will not keep personal data longer than is necessary for the purpose or purposes for which they were collected. We will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required as per our Retention Policy.
11. PROCESSING IN LINE WITH DATA SUBJECT'S RIGHTS
We will process all personal data in line with data subjects' rights, in particular their right to:
(a) Request access to any data held about them by a data controller
(b) Prevent the processing of their data for direct-marketing purposes.
(c) Have inaccurate data amended (see also clause 9).
(d) Be forgotten – A customer has the right to have their personal data anonymised provided they are not a current customer and they fulfil the internal criteria for this i.e. your balance is zero and you have not had a transaction on your account in over 2 years etc.
(e) Data portability – a customer has the right to request the personal data that they provided to the Data controller in a downloaded readable format.
(f) Prevent processing that is likely to cause damage or distress to themselves or anyone else.
12. INFORMATION WE MAY COLLECT
12.1 Types of Personal Data which may be collected by Flogas include:
- Telephone number
- Email address
- Account No. / Name
- PPS number (provided by the DSFA) for receiving allowances
- Financial information e.g. bank details
- Smart meter read data
- Personal description
- Certain health data (where specialised services are required)
- Recording of telephone calls
- CCTV images
CCTV is in operation Flogas premises for security reasons and your image may be captured if you attend our premises in person.
Flogas Ireland is the data controller responsible for this data, with contact details as per point 2.
Should we capture your image, you are entitled to receive copies of any CCTV images under a data access request, see point 16.1. As per our current Retention policy, we only retain these images for one month.
You also have to right to lodge a complaint to the DPC, should you wish to do so, see point 20 for contact details.
12.2 Information you give us.
You may give us information by filling in forms on our website (our site) www.flogas.ie or by corresponding with us by phone, e-mail or otherwise. This includes information you provide when you register to use our website, switch your energy supply, subscribe to our service, place an order, enter a competition, promotion or survey and when you report a problem with our service.
12.3 Information we collect about you
We collect information to enable us to supply you with our services. This information may include details of your energy usage, credit history, allowances received from the government.
Where applicable, it is in our legitimate interest to obtain information about you from:
- Your previous supplier that will enable us to take over your supply safely and efficiently;
- The Network Operator, in the case of when a Smart Meter is installed, so we can obtain interval data (with your pre-consent) or non-interval data.
- Your current or former landlord or previous occupier for the purposes of establishing dates of occupation and Energy usage;
- Where applicable, we can obtain/provide information from/to Network Operators about you in order to service your account fully. This would be a legal obligation on both parties involved.
With regard to each of your visits to our website we may automatically collect the following information
- technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, operating system and platform;
- information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); pages/products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.
13. DISCLOSURE OF YOUR INFORMATION
13.1 We may share your information with selected third parties including:
- Members of the Flogas group, including our subsidiaries, holding companies and their subsidiaries.
- Business partners, suppliers and sub-contractors for the performance of any contract we enter into with you. See also clause 15 in relation to data transfers.
- Analytics and search engine providers that assist us in the improvement and optimisation of our site.
- Credit reference agencies for the purpose of assessing your credit score where this is a condition of us entering into a contract with you.
13.2 We may also disclose your personal information to third parties:
- In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
- If Flogas or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms and conditions of supply and other agreements; or to protect the rights, property, or safety of Flogas, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
- We may need to share your personal data with 3rd parties such as government bodies and/or Revenue. This could be to facilitate discounts or credits to be applied to your energy account and the data may consist of your meter point number, details of any payments made and data about your meter point including your billing cycle and how you pay your bill. The legal basis for processing these personal data is public task. Processing is necessary for the performance of a task carried out in the public interest, under Article 6(1)(e)) of GDPR. The specific public task is to allow for monitoring, assurance, fraud prevention and evaluation purposes of the schemes.
14. DATA SECURITY
We will process all personal data we hold in accordance with our Data Security Policy.
14.1 We will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if he agrees to comply with those procedures and policies, or if he puts in place adequate measures himself.
14.2 Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
14.3 Our website may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
14.4 We will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
Confidentiality means that only people who are authorised to use the data can access it.
Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on Flogas’ central computer system instead of individual PCs.
14.5 All information you provide to us is stored on our secure servers. Any payment transactions will be encrypted using SSL technology.
15. TRANSFERRING PERSONAL DATA TO A COUNTRY OUTSIDE THE EUROPEAN ECONOMIC AREA (“EEA”)
15.1 We may transfer any personal data we hold to a country outside the EEA, provided that one of the following conditions applies:
15.1.1 The country to which the personal data are transferred ensures an adequate level of protection and appropriate safeguards in place for the data subjects' rights and freedoms.
15.1.2 The data subject has given his/her consent.
15.1.3 The transfer is necessary for one of the reasons set out in the relevant Data Protection Laws and Regulations, including the performance of a contract between Flogas and the data subject, or to protect the vital interests of the data subject.
15.1.4 The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.
15.1.5 The transfer is authorised by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of the data subjects' privacy, their fundamental rights and freedoms, and the exercise of their rights.
15.2 Subject to the requirements in clause 15 above, personal data we hold may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. That staff maybe engaged in, among other things, the fulfilment of contracts with the data subject, the processing of payment details and the provision of support services.
15.3 We may transfer some personal data to the following 3rd parties outside of the EEA:
- Iron Mountain for offsite storage (IT servers are based in the UK)
For all transfers outside of the EEA, there may not be an adequacy decision in place to allow for this transfer to take place so we will put in place additional safeguards by way of a Standard Contractual Clause “SCC”. Each 3rd party applicable will enter into a SCC with us to ensure your data is protected at all times.
16. YOUR RIGHTS
The Acts lay down strict rules about the way in which personal data and sensitive personal data is collected, assessed, used and disclosed. Data Subjects have the following rights:
Data subjects can access their personal data on request in writing or verbally to the Data Protection Manager and, if they find that any data is incorrect, they have the right to have this data corrected, erased or restricted. Access requests must be carried out within one month from date of receipt. This can be extended by a further two months if it is a complex request.
For all data subject access requests made in writing, please address to the Data Protection Manager in Flogas. For your assistance, we include sample wording below:
I wish to make an access request under Section 4 of the relevant Data Protection Acts for a copy of my personal data held by you, in relation to.... (Fill in as much information as possible to assist Flogas to locate the data that you are interested in accessing e.g. customer account number etc.
In order to protect our customers’ personal data, we may ask you for information to enable us to correctly identify you.
Information you provide or that we hold about you, may be used by Flogas in connection with our legitimate interests in marketing about our products and services, that you have purchased from us and/or which may be of interest to you and for our legitimate interests in marketing about products and services in which we think you would be interested, but only from other members of the DCC group, who observe the same high levels of data protection as we do.
You have the right to opt-out so that we will not process your personal data for marketing purposes. You can also exercise the right at any time by writing to us at our address or email us at firstname.lastname@example.org or simply call us on 041 214 9500.
18. DATA RETENTION
We will retain your data on your account in order to be able to service your account. This data will be retained in line with our Data Retention policy and will not be kept for longer than is necessary.
Should you no longer be a customer of Flogas for a period of time and have zero balance on your account you may request for your data to be anonymised. This request can be put in writing to our Data Protection Manager at the details listed below.
Hazel Byrne at email@example.com
Should you be dissatisfied with our responses, you may contact the Irish Data Protection Commissioner. Contact details for the Irish Data Protection Commissioner, as well as information on the relevant Data Protection Laws and Regulations, may be found at the Data Protection Commissioner's web site www.dataprotection.ie.
Here are some FAQ’s that may help you with any query you may have in relation to Data Protection and the data we hold on you;
- What do you do with my data? The protection of your personal data is a priority for Flogas. We offer you a better standard of service by using your personal data for the following legitimate interests of our business:
(a) Contacting you by phone, mail, SMS and email about your account with invoices, balances and other important information;
(b) We may contact you by mail, email, SMS or social media about products and offers which we think will be relevant to you;
- How do you protect it? We look after your personal information at all times by using appropriate security and technical controls. Anyone who works with us handling your data has to comply with strict standards of European data protection law. All our people are trained to respect your data.
- How long will you hold it? Where we are using your data to send you marketing information, we will hold it for 6 years as we understand that we may not supply you with energy during this whole time period, but you may switch to a different supplier during this time and then switch back to us. By retaining this data this will enable a very smooth switch back to Flogas.
- What do you hold? You can ask us at any time what information we hold about you; just drop us a line at the address below.
- Who will you give it to? We will not sell or distribute your personal information to anyone else unless we have your permission or are required by law to a person authorised to obtain data under specific legislation. If you wish for us to transfer your personal information to a third party (e.g. another service provider), we will provide personal information held by us for you to pass to that third party.
- I don’t want any more marketing. If you do not want to receive any more marketing material from us by email, post, telephone or SMS, just contact us at the details below and we will stop immediately. We will still hold your information where we are legally obliged to do so. You can also ask us to stop using your information or erase your personal information from our systems as long as we do not have to keep it for legal reasons.
- I want to know more: Please contact us if you would like any of the following: what information is being processed; a copy of information that is being processed; correction of information being processed; deletion of information held on you (commonly known as the right to be forgotten); to restrict processing; to request your data be handed over to someone else; object to the processing of your information.
- How can I contact you? E-mail us at firstname.lastname@example.org; call us on 041-2149500 or write to us at Flogas, Knockbrack House, Matthews Lane, Donore Road, Drogheda. It is always good to hear from you.
- Still not happy? We will always try to resolve your concerns. In the unlikely event that you are still concerned, you can contact the Irish Data Protection Commissioner. Contact details for the Irish Data Protection Commissioner, as well as information on the relevant Data Protection Laws and Regulations, may be found at the Data Protection Commissioner's web site www.dataprotection.ie