GDPR - General Data Protection Regulation: general information notice

It is of the utmost importance to us to respect the rights of individuals when it comes to processing personal data, hereinafter referred to as "data". This statement explains what kind of personal data we collect, how we use it and how we ensure to guarantee its security (integrity, confidentiality and availability). It also aims to inform you about your rights and how to exercise these with Creos.

As part of its public service obligations as a Grid Operator (GRD), Creos carries out numerous activities in partnership with its customers and partners. These activities are referenced as “services” in this document.

Next to its role as a network operator, Creos also provides provision of services and offers, which are described as “offers” in the context of this document.

This notice applies to the services and offers provided by Creos Luxembourg.

1. What is the new regulation on personal data protection?

As of 25 May 2018, the General Data Protection Regulation (GDPR) is applicable in all member countries of the European Union. This text aims to protect individuals and, more specifically, the processing along with the free flow of personal data.

The above mentioned regulation aims to give European citizens more control over their personal data, make companies more accountable and reinforce the role of the local data protection authorities (CNPD - Commission Nationale de la Protection des Données in Luxembourg).

2. To whom is this notice intended for?

The GDPR applies to the processing of personal data of living natural persons, i.e. our customers and ex-customers, prospects, suppliers, employees, etc. Further information in terms of the personal data process for any other person, whose personal data is being processed by Creos Luxembourg S.A., is available in this notice.

What is meant by "personal data" and "processing"?
 
"Personal data":

  • any information relating to an individual who can be identified or an identifiable natural person ("data subject");
  • an identifiable natural person is one who can, whether directly or indirectly, be identified, in particular based to an identifier such as a name, an identification number, a location data, an online identifier or to specific factors related to the physical, physiological, genetic, mental, economic, cultural or social identity of an individual person;

"Processing":

  • any action or set of operations performed on personal data, whether by collection, recording, organization, structuring, storage, adaptation, modification, retrieval, consultation, use, disclosure by transmission, sharing, availability, alignment, combination, restriction, deletion or destruction;

3. How do we collect your data?

a. Personal data transmitted directly by the data subject

We process personal data that you provide to us, or to our partners on our behalf, personally or through a representative.

This can be done:

  • by phone (for example, when you call the Customer Service Center to ask a question or report an issue),
  • in writing (for example, when you send us a letter or sign a document),
  • electronically (for example, when you send us an e-mail, register for a contest or download an application),
  • by your presence at one of our receptions. 

 b. Personal data collected through automated procedures

We collect personal data via the exchange of computer systems.

We exchange information:

  • within the framework related to the organization of the energy markets, mainly with the energy supplier of your choice,
  • with financial institutions to pay your invoices.

We collect data from the network's technical installations with the purpose of managing this in connection with the services / offers requested, or as part of our obligations.

4. The personal data we collect

In order to provide high quality services and offers, we only collect the minimum of data required for the implementation.

All this data is collected in compliance with the law or with the aim to best meet our commitments.

The data we collect may include the following:

Name and contact details: We collect your first and last name, your e-mail address, your postal address, your landline or cell phone number, the language in which you communicate and other similar contact data.

Identifiers: In very specific cases (public contracts, etc.), we collect passwords and similar security information used for the authentication and the access to your account.

Financial data: We collect the data required to process your payments, in particular via SEPA mandates.

Contractual data: We collect the necessary data for the completion and the accurate execution of the contract (orders).

Customer’s consumption data: As part of the network usage, we collect the information related to the consumption of a customer per ¼ hour (electricity) / per hour (gas) or the annual consumption. For forecasting purposes of the network management, we also collect your standard type of consumption profile.

Technical data: We collect technical data relating to the characteristics of technical installations, which are used to manage the installations themselves as well as the network, in order to define and control the conditions of a contract in terms of the fees.

5. How do we use the data?

We use the data to carry out our public service missions in accordance with the amended law of 1 August 2007 on the organization of the electricity and natural gas markets, and to provide you with the services and offers we have.

Data may be passed on to third parties within the framework as defined above.

For example, you move into an apartment and sign a supply contract with the supplier of your choice. In accordance with the amended law of 1 August 2007 on the organization of the electricity market, you also sign a usage contract with Creos: this is what the law describes as "integrated supply". In this case, Creos will receive your name and contact details from the supplier of your choice. This data may be used:

  • to warn you in the event of a power shutdown (action aligned with the network operator's public service obligation under the above mentioned law),
  • for billing purposes of Creos’ used distribution network to your chosen supplier.

Data may also be shared with official statistic or control agencies, taking into account the national or European legislation.

We pay extra attention that our subcontractors, who may be required to process personal data, do comply with the principles of the General Data Protection Regulation (hereinafter GDPR). These subcontractors are selected based on the criteria to be met, who are tied to contractual clauses and are being monitored to ensure that they are compliant with these rules.

We also make sure that your data is stored in countries which meet the GDPR requirements and are also recognized as compliant by the European Commission.

6. Our process in detail:

A. Processing of personal data for which Creos is the data controller

1) Network maintenance and construction

Legitimate interest

  • Amended law of 1 August 2007 on the organization of the electricity and natural gas markets
  • GDPR Article 6, 1.c and e

Possible recipients of personal data

  • Creos subcontractors
  • Luxembourg authorities (1)
  • Other third parties (2) (in Europe)

Retention period of personal data

30 years and 12 years for financial data

Type of personal data processed

  • Name and contact data
  • Financial data
  • Technical data
2) Connection management

Legitimate interest

  • Amended law of 1 August 2007 on the organization of the electricity and natural gas markets
  • GDPR Article 6, 1.b, c and e

Possible recipients of personal data

  • Creos subcontractors
  • Luxembourg authorities (1)
  • Other third parties (2) (in Europe)

Retention period of personal data

30 years and 12 years for financial data

Type of personal data processed

  • Name and contact data
  • Financial data
  • Customer consumption data
  • Technical data
3) Metering installation management

Legitimate interest

  • Amended law of 1 August 2007 on the organization of the electricity and natural gas markets
  • GDPR Article 6, 1.b, c and e

Possible recipients of personal data

  • Creos subcontractors
  • Luxembourg authorities (1)
  • Other third parties (2) (in Europe)

Retention period of personal data

15 years and 12 years for financial data

Type of personal data processed

  • Name and contact data
  • Financial data
  • Customer consumption data
  • Technical data
4) Network usage management

Legitimate interest

  • Amended law of 1 August2007 on the organization of the electricity and natural gas markets
  • GDPR Article 6 b, c and e

Possible recipients of personal data

  • Creos subcontractors
  • Luxembourg authorities (1)
  • Other third parties (2) (in Europe)

Retention period of personal data

30 years and 12 years for financial data

Type of personal data processed

  • Name and contact data
  • Financial data
  • Customer consumption data
  • Technical data
5) Third-party service management (non-regulated)

Legitimate interest

  • Delivery of contractual services
  • GDPR Article 6, 1.b

Possible recipients of personal data

Subcontractors Creos

Retention period of personal data

12 years

Type of personal data processed

  • Name and contact data
  • Financial data
  • Technical data
6) Management of disputes relating to our assets

Legitimate interest

GDPR Article 6, 1.c

Possible recipients of personal data

  • Creos subcontractors
  • Luxembourg authorities (1)
  • Other third parties (2) (in Europe)

Retention period of personal data

Varies from 30 to 12 years depending on the type of dispute

Type of personal data processed

  • Name and contact data
  • Financial data
  • Customer consumption data
  • Technical data
7) Customer relationship management

Purpose

Handle requests for information, data access, complaints, etc.

Legitimate interest

  • Responding to customer requests
  • GDPR Article 6, 1.b and c

Possible recipients of personal data

  • Creos subcontractors
  • Luxembourg authorities (1)
  • Other third parties (2) (in Europe)

Retention period of personal data

Varies from 30 to 12 years depending on the type of treatment involved

Type of personal data processed

  • Name and contact data
  • Financial data
  • Customer consumption data
  • Technical data


(1) Luxembourg authorities: Ministries, Institut Luxembourgeois de Régulation (ILR), Administration du cadastre, Administrations communales, etc.
(2) Other third parties: notaries, lawyers, auditors, installers, energy suppliers, Luxmetering, architects, design offices, promoters, Chambre des métiers, etc

B. Processing by type of relationship between a person and Creos

Depending on the relationship we have with our customers / partners, the processing of personal data may vary.

As a network user (consumer):

  • We use your data for network and construction maintenance (troubleshooting) to contact you in case your installations might be impacted by some works (1);
  • We use your data as part of the metering installation management to contact you in the event of an impact of work on your installations, such as the replacement of meters (3);
  • We manage and use your data for billing purposes of the network usage (via your supplier in the case of an integrated supply) (4).

As a contractor within the framework of a connection (connection taker), we manage and use your data for drafting, following-up and billing purposes (2), (1).

As the owner of an installation managed by the Grid Operator:

  • We manage and use your data to draft the offer, to track and invoice the services for third parties (regulated) (1), (2), (3);
  • We use your data for invoicing purposes of the network maintenance and the construction work in connection with the installation as part of the Grid Operator’s public service obligations (1).

As a customer for offers not covered by the public service (unregulated offer), we manage and use your data to draft, follow-up and invoice the offers/orders as well as for the execution of services (5).

As a customer's agent (electrician,...), we manage your data in order to keep the database of the mandates up to date in the context of a connection, a construction project of installation,... and to enable you to act within the scope of your mandate (1), (2), (3), (5), (7).

As an electrician/gas fitter, we manage your data for contacting purposes in the context of our various processes and as the responsible person (signatory) for the appropriate execution of work (2), (3), (5).

As a building professional, we manage your data for contacting purposes in order to coordinate or provide information in the context of carrying out work (1), (2), (5).

As the contact person for a company, we register the data we receive in order to improve our communication with our partners, no matter which processing is involved.

As an individual (customer or not), we register your data solely for the purpose of responding to your request (7) (request for information, announcement of a problem, etc.) or in the context of managing a dispute (6).

7. How do we ensure the security of your data?

We do our utmost to protect your personal data and its confidentiality, whether on our IT network, our natural gas and electricity networks, in our offices or in our regional centers.

Our employees have been specifically trained to handle confidential data, including your data, in the most appropriate way possible.

For every project involving the processing of personal data, we first carry out an assessment of the risks and security requirements, safeguarding, above all, your interests. Our information protection policy, requirement and management standards are based on ISO 27000 international standards.

Specialists ensure that the security of our IT network, infrastructure and information systems meet the highest standards.

In addition, we take all the necessary technical measures to protect your personal data against unauthorized access or use, as well as against loss or theft. If, despite the many protective measures in place, your personal data should be lost or stolen, you, as our customer, will be personally notified in the circumstances provided for by law.

8. Do we sell your data to third parties or pass it on?

We do not sell your data to third parties.

We do not share your credit card or other financial information for marketing purposes.

We may provide your personal information to third parties for legitimate processing purposes. In such cases, we require that any third parties involved in the procedure do agree to process the information in accordance with our instructions and requirements.

9. What are your rights?

The Data Protection Regulation grants certain rights to users or data subjects. These rights are:

a. The right to be informed - Data controllers must be totally transparent as to how they use personal data.

b. The right of access - Individuals will have the right to know exactly what information is retained about them and how it is processed.

c. The right of rectification - Individuals will have the right to rectify personal data if it is inaccurate or incomplete.

d. The right of erasure - Also known as the "right to be forgotten". This refers to an individual's right to have their personal data deleted or erased without providing a specific or reasonable explanation as to why they wish to do so.

e. The right of restricting the processing – This refers to an individual's right to block or suppress the processing of their personal data.

f. The right of data portability - This enables individuals to retain and re-use their personal data for their own intentions.

g. The right to object - In certain circumstances, individuals have the right to object their personal data being used. This includes for instance if a company uses personal data for direct marketing, scientific and historical research purposes, or for the performance of a task in the public interest.

h. Automated decision-making and profiling rights - The GDPR has put in place safety measures to protect individuals against the risk of a potentially harmful decision being made without a human intervention. For example, individuals can choose not to be the subject of a decision where the consequence has a legal impact on them or is based on an automated processing.

10. Who are your contact persons at Creos for your personal data?

You can contact our Customer Service Department if you have any queries:

Tel.: 2624-2624
e-mail: info@creos.net

The Creos Data Protection Officer, Mr Bernard Motro, can be contacted at dpo@creos.net. He will deal with your request as quickly as possible.

For any complaints about the processing of your personal data, you can contact the Luxembourg Data Protection Authority:

Commission Nationale pour la Protection des Données (CNPD)
15, boulevard du Jazz
L-4370 Esch-sur-Alzette
Tel.: 2610 60 1
Fax: 2610 60 29
e-mail: info@cnpd.lu
Web: www.cnpd.lu