It is of the utmost importance to us to respect the rights of individuals when processing personal data, hereinafter referred to as "data". This statement explains what kind of personal data we collect, how we use it and how we ensure its security (integrity, confidentiality and availability). It also aims to inform you about your rights and how to exercise them with Creos.
As part of its public service obligations as a Grid Operator (GRD), Creos carries out numerous activities in partnership with its customers and partners. These activities are referenced as “services” in this document.
In addition to its role as a network operator, Creos also provides services and offers, which are referred to as “offers” in this document.
This notice applies to the services and offers provided by Creos Luxembourg.
As of 25 May 2018, the General Data Protection Regulation (GDPR) is applicable in all member countries of the European Union. This text aims to protect individuals with regard to the processing of personal data and the free flow of such data.
The above-mentioned regulation aims to give European citizens more control over their personal data, make companies more accountable and reinforce the role of the local data protection authorities (CNPD - Commission Nationale pour la Protection des Données in Luxembourg).
The GDPR applies to the processing of personal data of living natural persons, i.e. our customers and ex-customers, prospects, suppliers, employees, etc. Further information on the processing of personal data of any other person whose personal data is processed by Creos Luxembourg S.A. is available in this notice.
What is meant by "personal data" and "processing"?
"Personal data":
"Processing":
a. Personal data transmitted directly by the data subject
We process personal data that you provide to us, or to our partners on our behalf, personally or through a representative.
This can be done:
b. Personal data collected through automated procedures
We collect personal data via exchanges between computer systems.
We exchange information:
We collect data from the network's technical installations with the purpose of managing this in connection with the services / offers requested, or as part of our obligations.
In order to provide high-quality services and offers, we collect only the minimum data required for their implementation.
All this data is collected in compliance with the law or with the aim of best meeting our commitments.
The data we collect may include the following:
Name and contact details: We collect your first and last name, your e-mail address, your postal address, your landline or cell phone number, the language in which you communicate and other similar contact data.
Identifiers: In very specific cases (public contracts, etc.), we collect passwords and similar security information used for authentication and access to your account.
Financial data: We collect the data required to process your payments, in particular via SEPA mandates.
Contractual data: We collect the necessary data for the completion and the accurate execution of the contract (orders).
Customer’s consumption data: As part of the network usage, we collect the information related to the consumption of a customer per ¼ hour (electricity) / per hour (gas) or the annual consumption. For network management forecasting purposes, we also collect your standard type of consumption profile.
Technical data: We collect technical data relating to the characteristics of technical installations, which are used to manage the installations themselves as well as the network, in order to define and control the conditions of a contract in terms of the fees.
We use the data to carry out our public service missions in accordance with the amended law of 1 August 2007 on the organization of the electricity and natural gas markets, and to provide you with the services and offers we have.
Data may be passed on to third parties within the framework as defined above.
For example, you move into an apartment and sign a supply contract with the supplier of your choice. In accordance with the amended law of 1 August 2007 on the organization of the electricity market, you also sign a usage contract with Creos: this is what the law describes as "integrated supply". In this case, Creos will receive your name and contact details from the supplier of your choice. This data may be used:
Data may also be shared with official statistic or control agencies, taking into account the national or European legislation.
We take particular care to ensure that our subcontractors, who may be required to process personal data, comply with the principles of the General Data Protection Regulation (hereinafter GDPR). These subcontractors are selected on the basis of criteria they must meet, are bound by contractual clauses and are monitored to ensure that they comply with these rules.
We also make sure that your data is stored in countries which meet the GDPR requirements and are also recognized as compliant by the European Commission.
Legitimate interest
Possible recipients of personal data
Retention period of personal data
30 years and 12 years for financial data
Type of personal data processed
Legitimate interest
Possible recipients of personal data
Retention period of personal data
30 years and 12 years for financial data
Type of personal data processed
Legitimate interest
Possible recipients of personal data
Retention period of personal data
15 years and 12 years for financial data
Type of personal data processed
Legitimate interest
Possible recipients of personal data
Retention period of personal data
30 years and 12 years for financial data
Type of personal data processed
Legitimate interest
Possible recipients of personal data
Subcontractors Creos
Retention period of personal data
12 years
Type of personal data processed
Legitimate interest
GDPR Article 6, 1.c
Possible recipients of personal data
Retention period of personal data
Varies from 30 to 12 years depending on the type of dispute
Type of personal data processed
Purpose
Handle requests for information, data access, complaints, etc.
Legitimate interest
Possible recipients of personal data
Retention period of personal data
Varies from 30 to 12 years depending on the type of treatment involved
Type of personal data processed
(1) Luxembourg authorities: Ministries, Institut Luxembourgeois de Régulation (ILR), Administration du cadastre, Administrations communales, etc.
(2) Other third parties: notaries, lawyers, auditors, installers, energy suppliers, Luxmetering, architects, design offices, promoters, Chambre des métiers, etc.
Depending on the relationship we have with our customers / partners, the processing of personal data may vary.
As a network user (consumer):
As a contractor within the framework of a connection (connection taker), we manage and use your data for drafting, following-up and billing purposes (2), (1).
As the owner of an installation managed by the Grid Operator:
As a customer for offers not covered by the public service (unregulated offer), we manage and use your data to draft, follow-up and invoice the offers/orders as well as for the execution of services (5).
As a customer's agent (electrician, etc.), we manage your data in order to keep the database of the mandates up to date in the context of a connection, an installation construction project, etc., and to enable you to act within the scope of your mandate (1), (2), (3), (5), (7).
As an electrician/gas fitter, we manage your data for contacting purposes in the context of our various processes and as the responsible person (signatory) for the appropriate execution of work (2), (3), (5).
As a building professional, we manage your data for contacting purposes in order to coordinate or provide information in the context of carrying out work (1), (2), (5).
As the contact person for a company, we register the data we receive in order to improve our communication with our partners, no matter which processing is involved.
As an individual (customer or not), we register your data solely for the purpose of responding to your request (7) (request for information, announcement of a problem, etc.) or in the context of managing a dispute (6).
We do our utmost to protect your personal data and its confidentiality, whether on our IT network, our natural gas and electricity networks, in our offices or in our regional centers.
Our employees have been specifically trained to handle confidential data, including your data, in the most appropriate way possible.
For every project involving the processing of personal data, we first carry out an assessment of the risks and security requirements, safeguarding, above all, your interests. Our information protection policy, requirements and management standards are based on ISO 27000 international standards.
Specialists ensure that the security of our IT network, infrastructure and information systems meets the highest standards.
In addition, we take all the necessary technical measures to protect your personal data against unauthorized access or use, as well as against loss or theft. If, despite the many protective measures in place, your personal data should be lost or stolen, you, as our customer, will be personally notified in the circumstances provided for by law.
We do not sell your data to third parties.
We do not share your credit card or other financial information for marketing purposes.
We may provide your personal information to third parties for legitimate processing purposes. In such cases, we require that any third parties involved in the procedure agree to process the information in accordance with our instructions and requirements.
The Data Protection Regulation grants certain rights to users or data subjects. These rights are:
a. The right to be informed - Data controllers must be totally transparent as to how they use personal data.
b. The right of access - Individuals will have the right to know exactly what information is retained about them and how it is processed.
c. The right of rectification - Individuals will have the right to rectify personal data if it is inaccurate or incomplete.
d. The right of erasure - Also known as the "right to be forgotten". This refers to an individual's right to have their personal data deleted or erased without providing a specific or reasonable explanation as to why they wish to do so.
e. The right of restricting the processing - This refers to an individual's right to block or suppress the processing of their personal data.
f. The right of data portability - This enables individuals to retain and re-use their personal data for their own purposes.
g. The right to object - In certain circumstances, individuals have the right to object to their personal data being used. This includes, for instance, cases where a company uses personal data for direct marketing, scientific and historical research purposes, or for the performance of a task in the public interest.
h. Automated decision-making and profiling rights - The GDPR has put in place safety measures to protect individuals against the risk of a potentially harmful decision being made without human intervention. For example, individuals can choose not to be the subject of a decision where the consequence has a legal impact on them or is based on automated processing.
You can contact our Customer Service Department if you have any queries:
Tel.: 2624-2624
e-mail: info@creos.net
The Creos Data Protection Officer, Mr Bernard Motro, can be contacted at dpo@creos.net. He will deal with your request as quickly as possible.
For any complaints about the processing of your personal data, you can contact the Luxembourg Data Protection Authority:
Commission Nationale pour la Protection des Données (CNPD)
15, boulevard du Jazz
L-4370 Esch-sur-Alzette
Tel.: 2610 60 1
Fax: 2610 60 29
e-mail: info@cnpd.lu
Web: www.cnpd.lu