Haven Power Broker Privacy Notice
This document (together with our contractual terms with you) sets out how Haven Power Limited “Haven Power” (“we”, “us” or “our”) uses personal information about our prospective, current and past brokers.
Haven Power Limited is primary designed to provide energy and related services to the business community. The collection of personal data is limited to personal information of individuals representing the commercial enterprise/business entity that will enable us to manage our commercial relationship with you, as explained further in this Privacy Notice (“Notice”).
This notice only applies to our use of “personal data” about “data subjects” (as defined by data protection law and called personal information in this notice) which includes personal information relating to our prospective, current and past brokers who are sole traders or non-limited partnerships, and contacts at corporate customers (“you” or “your”). This notice does not apply to information which you provide to us or which we collect about corporations (e.g. limited companies).
We will be the data controller of your personal information which you provide to us or which is collected by us from you or third parties. This means that we are responsible for deciding how we hold and use personal information about you and that we are required to notify you of the information contained in this notice. It is important that you read this notice so that you are aware of how and why we are using such information and how we will treat it.
The information which you provide to us may include information about other individuals who are associated with the management of your business, the administration of your account with us or, including contacts within your business. If you provide us with information about such individuals, it is important that you provide them with a copy of this notice prior to providing us with the information and that you provide them with any updated notices we provide from time to time.
Our Data Protection Manager is responsible for overseeing questions in relation to this notice and is contactable on [email protected] You can also contact us using the details provided at the end of this notice in the “Contacting Us” section.
LEGAL BASIS AND PURPOSE FOR PROCESSING
We will collect various types of personal information from you. Further details of how we use your personal information are set out below.
In the section below, we have indicated with asterisks whether we need to process your personal information:
- * to enter into and/or to perform a contract with you;
- ** to pursue our legitimate interests, provided that your interests and fundamental rights do not override those interests;
- *** to enable us to comply with our legal obligations
HOW WE WILL USE YOUR INFORMATION
Initial engagement with you
When you elect to introduce prospective energy customers to us, we will need to collect the following information about you */**:
- First and last name
- Business name
- Address of your business
- Date of birth (of sole traders and partners – for credit checking (see below) and other background checks / of directors – to carry out background checks);
- Domestic address(es) (of sole traders and partners – for credit checking (see below);
- Email address
- Telephone number(s)
This information will be used so we can carry out a number of background checks on you, including a credit check; to check sanctions lists, regulatory enforcement lists and various media services (for negative media alerts) via our due diligence system.
Managing your account
Whilst you are working with us, we will collect the following information to allow us to manage your account* and continue to provide the services you have requested from us*:
- Information about the operation of your account
- Your financial information so that we may pay you
- Usage of our websites and online portals
In order to process your application, we will supply your personal information to credit reference agencies (CRAs) and they will give us information about you, such as about your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity. CRAs will share your information with other organisations. The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at:
Credit Reference Agencies (“CRAs”) collect and maintain information about credit behaviour. This includes data sourced from the Electoral Register, fraud prevention, and credit information – including details of previous credit applications and your payment history – and public information such as County Court Judgements, and bankruptcies.
When a credit check is carried out on you, your credit records will be searched, along with any financially associated individuals such as your spouse or partner when you are a sole trader. The CRA will keep a record of this search and place a “footprint” on your credit file.
The information we provide to credit reference agencies about you, such as details of false or inaccurate information provided by you, or if we suspect fraud, may be provided to other organisations and used by them to:
- help make decisions, for example when managing credit and credit-related accounts or facilities;
- detect and prevent crime, fraud and money laundering;
- check your credit history;
- verify your identity;
- trace your whereabouts; and
- undertake research, statistical analysis and systems testing.
Recording and Monitoring
We will record and monitor communications with you by telephone for the purposes of quality assurance, our mutual protection, staff training, improving our customer service, fraud detection and compliance with our regulatory requirements*/**/***.
Other uses of your information
We may also use your personal information in the following ways:
- to carry out ongoing monitoring against sanctions lists, regulatory enforcement lists and various media services (for negative media alerts) via our due diligence system***
- to manage and provide any rewards and offers and administer any promotions, competitions and surveys**
- to invite you to re-join us as a broker**
- to provide you with information about other products and services that we offer or which we feel may be of interest to you from Haven Power where permitted by law, including via our social media and digital campaigns**
- to promote the uptake of smart meter installation**/***
- to investigate, detect and prevent fraud, energy theft and any other crimes**/***
- to create statistics, analyses and anonymous profiles to develop and improve our products and services**
- to carry out testing of our IT systems to develop and improve our systems**;
- to respond to consultations and requests for information from industry and government bodies, including the energy regulator**/***; and
- to carry out any work required by our regulators**/***.
We will not carry out any solely automated decision making using your personal information.
CHANGE OF PURPOSE
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will usually notify you and we will explain the legal basis which allows us to do so.
DISCLOSURE OF YOUR INFORMATION
We may share your personal information with the third parties set out below for the purposes described above:
- service providers (generally based in the UK) such as those who provide IT and system administration services or support us in the delivery of any of our marketing materials to you (marketing agencies) or provide us with market research services
- other companies in our Group of companies such as Drax Power Limited or Opus Energy Limited (based in the UK) who provide security, IT and system administration services and undertake management reporting and statistical analysis to improve our product and service offering
- if we are under a duty to disclose or share your personal information in order to comply with any legal obligation), requirement of our regulators (including Ofgem), industry code, or in order to enforce or apply our contract with you
- in the event that we sell or buy any business or assets, in which case we may (where relevant) disclose your personal information to the prospective seller or buyer
- if we, or substantially all of our assets, are acquired by a third party, in which case personal information held by us will be one of the transferred assets
- to protect the rights, property or safety of us, our customers and others. This includes exchanging information with other organisations such as fraud and theft prevention agencies for the purposes of reducing credit risk, fraud and energy theft.
We require all service providers and Group companies that we share your personal information with to respect the privacy and security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers, including Group companies, to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.
Most of the personal information we collect about you is based in the United Kingdom or in some cases, a service provider or their sub-processor may be based elsewhere in the European Union (EU) and so, they are required to comply with European data protection law. On occasion, we may appoint a third-party service provider whose operation or a server or sub-processor may be based outside of the EU. As part of our Vendor Management Policy, we carry out due diligence on our third-party providers and assess whether your personal information will be transferred to them or accessed by them from outside the EU. If that is the case, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- we will only transfer your personal information to countries that have been deemed to provide an adequate level of protection for personal information by the European Commission; or
- where we use providers based in the US, we may transfer personal information to them if they are part of the Privacy Shield which requires them to provide similar protection to personal information shared between the EU and the US. You can view certifications at www.privacyshield.gov; or
- where we use certain service providers who are not in a ‘adequate’ country or part of the Privacy Shield, we may use specific contracts approved by the European Commission which give personal information the same protection it has in the EU, called an EU Model Clause Agreement.
If you would like to know the specific mechanism used by us when transferring your personal information out of the EU, please contact us using the details set out in the “Contacting Us” section at the end of this Notice.
STORAGE OF YOUR PERSONAL INFORMATION
We will only keep your personal information for as long as necessary to fulfil the relevant purpose(s) we collected it for, as set out above in this notice, and for as long as we are required to keep it for legal purposes.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
For example, by law, we have to keep basic information about our customers (including contact, identity, financial and transactional data) for six years after they cease being customers for tax purposes.
In some circumstances:
- you can ask us to delete your personal information, see “Your Rights” below for further details; and
- we may anonymise your personal information (so that it can no-longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know that information. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal information breach and will notify you and any applicable regulator where appropriate.
Data protection laws provide you with the following rights where we are processing your personal information (but not in respect of information about a corporation); to:
- request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;
- request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;
- request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below);
- request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it; and
- request a copy of your personal information which you have provided to us, in a structured, commonly used and machine-readable format and the right to transfer it, or to require us to transfer it directly, to another controller.
You also have the “right to object” to the processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights above). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. The ICO can be contacted by telephone on 0303 123 1113 or by post as follows: Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or via email at [email protected] We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance using any of the details set out below in the “Contacting Us” section.
CHANGES TO OUR PRIVACY NOTICE
Any changes we make to our notice in the future will be posted on our website and, where appropriate, notified to you in writing.
If you wish to submit an individual rights request or complaint, or you are a law enforcement or government organisation wishing to make an enquiry, please visit our secure portal.
Updated: August 2020
 Article 45 of the GDPR
 Article 46 of the GDPR
 Article 46 of the GDPR