Privacy Information Notice

Last updated May 2018

This Privacy Information Notice (PIN) describes your rights under the General Data Protection Regulation and sets out how we will use and protect your personal information.

We publish the current version of our PIN on our website and we will update this from time to time.

We will contact you (by email or letter) to notify you of these updates where:

  • we are making substantial changes; or
  • we are doing something with your personal information which you might not expect based on what we have told you in this PIN.

Otherwise, any updates to this PIN will be notified on our website and through our other communications with you.

This PIN is effective from 25th May 2018.

Who are we?

Your information will be held by ScottishPower Energy Retail Ltd ("ScottishPower"), which is part of the ScottishPower Group.

More information on the ScottishPower Group can be found at scottishpower.com.

Contact Information

If you have a question on this PIN or how we use your personal information, please email dataprotection@scottishpower.com or write to us at ScottishPower Energy Retail, Data Protection, 320 St Vincent Street, Glasgow G2 5AD.

You have the right to lodge a complaint with our Data Protection Officer at dataprotection_corporate@scottishpower.com if you believe that your personal information is not being processed in line with this PIN.

If you are not satisfied with the response, you have the right to lodge a complaint with the Information Commissioner's Office. Find out on their website how to report a concern at ico.org.uk/concerns/.

What is Personal Information?

Personal information can cover a wide range of areas, but in general, it includes: information you tell us about you and your preferences; information provided by your connected devices such as mobile phones and SMART meters; information we learn from your custom; information we learn about you from our agents, contractors and industry; and information we obtain about you from public sources - please see section Data from third parties.

Personal information can include things that can allow someone to identify you either directly, through your name or national insurance number, or indirectly, through your address, phone number, date of birth, bank details or email address.

Personal information can also include other things such as your electricity consumption patterns, and locational data on mobile phones. Some of your personal information is treated as being sensitive under data protection legislation and therefore needs additional controls; this includes information regarding your health.

Where we collect your Personal Information from

In order to provide you with our energy services we need to collect and use your personal information. ScottishPower collects your personal information from a number of different sources, including:

Data you give to us:

  • When you apply for our products and services
  • When you talk to us on the phone
  • When you use our websites, mobile device apps, or web chat services
  • In emails and letters
  • In customer surveys
  • If you take part in our competitions or promotions

Data we collect when you use our services. This includes the amount, frequency, type, location, sales route and recipients:

  • Energy usage through SMART meters and other connected premises devices.
  • Online profile and usage data. This includes the profile you create to identify yourself with us when you connect to our internet, mobile and telephone services, e.g. through our mobile app. It also includes other data about how you use those services.

Data from third parties:

  • Other energy suppliers and OFGEM
  • Energy network operators
  • Credit Reference and Fraud Prevention Agencies
  • Government and local councils
  • Law enforcement agencies
  • Public information sources such as Companies House, and social networks
  • Companies that introduce you to us
  • Comparison websites
  • Land agents
  • Loyalty scheme operators
  • Market researchers
  • Agents and contractors working on our behalf

Who we share your Personal Information with

In order to provide our energy services to you, ScottishPower may share your personal information with other ScottishPower group companies and agents and contractors working on ScottishPower's behalf. This includes companies in the following categories:

  • Customer Service
  • Debt collection companies
  • Customer Research
  • Legal firms
  • Print and Design
  • Technology and IT
  • Digital and social media
  • Data analytics
  • Metering and Meter Reading Services
  • Sales and Marketing
  • Payment processing

We may also need to provide your personal information to other companies and agencies external to ScottishPower or its agents and contractors in connection with the provision of our energy services and to provide you with the product and service you have chosen. These companies include:

  • HM Revenue & Customs, and other authorities
  • Credit Reference and Fraud Prevention Agencies
  • Government agencies such as OFGEM
  • Energy Ombudsman
  • Information Commissioner
  • Energy Theft Risk Assessment Service
  • People whom you have authorised us to share your personal information
  • Joint venture companies
  • Other energy suppliers
  • Energy network operators
  • Prepayment processing firms
  • Metering agents
  • Audit firms
  • Locksmiths
  • The Principal insurer(s) of our products
  • Social service departments
  • Charities
  • Healthcare and other support organisations

We never share your personal details with external companies for the purposes of their marketing. We may need to share your personal information with other organisations to provide you with the product or service you have chosen, including:

  • If you have a debit, credit or charge card that you use with us we will share transaction details with companies which help us to provide this service (such as Visa and Mastercard).
  • If you pay us by direct debit we will share your data with the Direct Debit Scheme.
  • If you make an insurance claim, information you give to us or the insurer may be put on a register of claims. This will be shared with other insurers.

How we use your Personal Information

As well as this PIN, your privacy is protected by law. ScottishPower is allowed to use personal information only if we have a proper reason to do so.

There are six main ways that ScottishPower is permitted to use your personal information:

  • To manage your account and to fulfil our contractual commitments to you, or
  • To meet our legal obligations, or
  • To protect the vital interests of you or people in your household, or
  • To perform a task in the public interest, or
  • When you consent to us using your personal information for a purpose, or
  • When it is in ScottishPower's legitimate interests.

The majority of these uses are mandatory - in other words, where we need to use your personal information to meet our contractual obligations to you, to meet our legal obligations and to protect your vital interests. This also includes where you have provided us with your consent to use your personal information.

Here is a list of the ways that we may use your personal information for mandatory reasons:

Ways that we use your personal data:
  • To deliver our products and services to you.
  • To correctly bill you for the services you use.
  • To resolve your complaints.
  • To provide you with information required to ensure you are informed of your product and services.
  • To provide you with improved customer service.
  • To provide you with useful information on your online account.
  • To study how you use our products to help develop our marketing activities and improve our customer service.
Mandatory basis for using your personal information:
  • Fulfil our contractual commitments.
  • To meet legal obligations.
  • Where you consent.

Ways that we use your personal data:
  • To fulfil our obligations to you.
  • To fulfil our obligations to our regulators.
  • To assess if you have particular needs or health requirements.
  • To provide you with details of Government energy initiatives.
  • To run our business in an efficient manner.
Mandatory basis for using your personal information:
  • Fulfil our contractual commitments.
  • To meet legal obligations.
  • Protect your vital interests.
  • Where you consent.

Ways that we use your personal data:
  • To minimise the risk to your account.
  • To identify the theft of mains gas and/or electricity from your premises.
  • To detect, investigate, report and seek to prevent financial crime.
  • To recover money that is owed to us.
Mandatory basis for using your personal information:
  • Fulfil our contractual commitments.
  • To meet legal obligations.

Ways that we use your personal data:
  • To ensure that you are prioritised for re-connection should there be a power cut and you have a health condition that we know about.
Mandatory basis for using your personal information:
  • Protect your vital interests.
  • Where you consent.

Ways that we use your personal data:
  • To market products and services to you.
  • To test new products and services.
  • To assess if you have particular needs or health requirements and hold and share this data.
  • To obtain certain energy consumption details from you.
Mandatory basis for using your personal information:
  • Fulfil our contractual commitments.
  • To meet legal obligations.
  • Where you consent.

We may also use your personal information based on our legitimate interests. A legitimate interest is when we have a business or commercial reason to use your information (for instance to add value to our services or to improve our customer service). But even then, it must not unfairly go against what is right and best for you. To achieve this, we will ensure that the collection and processing of your personal information:

  • is kept to a minimum with regards to the amount of data collected and the extent of any processing;
  • will not be overly intrusive to you; and
  • will be proportionate in order to meet our legitimate interests, as described below.

Our legitimate interests are shown below.

Our legitimate interests
  • Predict and develop what products and services will suit you and the pricing of those products.
  • Analyse our interactions with you to improve our customer services for you.
  • When you visit your online account we display products and services that are suitable for your circumstances.
  • Assess your use of our connected premises products.
  • Use your personal data to replicate real circumstances when testing computer systems.
  • Use Credit Reference Agencies to help prevent over indebtedness and to assess your ability to pay us by credit.
  • To seek your consent when we need it to contact you.
  • Analyse your payment patterns and account activity (online and offline) to build a picture of your use of our services and products.
  • Report frauds to the credit reference agencies, fraud prevention agencies, police, and/or financial regulator.
  • To utilise existing methods and develop new techniques for identifying financial crime.
  • We may share your health data with electricity and gas transmission operators for the sole purpose of ensuring your wellbeing is prioritised during a power cut.
  • To market products and services to you.
  • Alert you to important information about your tariff and to help you manage your energy account more effectively.
  • Develop our products and our service to better meet customer needs.
  • Consider all aspects of the personal data we hold about you, to help us understand how you use our products and what products may suit you.

Using your information to make automated decisions

Many of our processes are automated to speed up our customer service and make our products and features more relevant to you. These processes do often lead to automated decisions being made; however, these automated decisions do not introduce legal (or other similarly significant) effects on you (unless this is a necessary step to take when entering into a contract with you). You have a right to object to these automated decisions (see section Rights related to automated decision making including profiling), and each objection will be reviewed.

Process Decision
Improving our customer services to you

We may carry out statistical analysis across our phone, online and mobile communications with you, to better understand how we can make things easier for customers, for example, by finding out how and when it suits you to interact with us.

We may also categorise your personal information so that when you call us or visit our online website or mobile app we can predict your most likely next request to improve our customer service to you. For example, if you have emailed a complaint to us then subsequently phone us, we may use the data we hold to direct you to the most likely appropriate team in the first instance.

Minimising risk to your account

We may use your personal information to undertake analysis of your payment patterns and account activity (online and offline) to build a picture of your use of our services and products. Where we detect unusual payment activity we may put a hold on your account with us to allow us to investigate. This hold will not impact our delivery of energy to your premises. However, we may conduct further investigations as to the nature of the payment activity and seek additional clarifications from you to ensure any transactions are legitimate.

Where we detect fraud, we may report this to the fraud prevention agencies, police, or financial regulator.

Tailoring products for you

We may consider all aspects of the personal information we hold about you, such as your demographic, product history, location, financial status, how frequently you change products, your preferred communication status, your age, your marital status, your premises type, the lifestyle and occupation details we hold about you, and your prior consumption patterns - including half hourly where we have your consent, to help us understand how you use our products. We do this so we can predict what products and services will suit you, and to offer you opportunities to act on these insights.

We may use this analysis to offer you personalised price quotations, for example, we may assess when you use your energy so we can offer you "time of day" tariffs that may be cheaper to you.

Online and connected premises products

When you visit your online account we may utilise your preferences and our analysis of you to provide you with products and services that are suitable for your circumstances. To do this we will utilise your log-in information, 'cookies' on your computer, and the current products you take from us, to provide you with products and services that may be of interest to you.

We will also assess your use of our connected premises products and services, such as SMART energy meters, to allow us to assess and predict your anticipated future energy demand. Improved forecasting of customers' energy usage will ultimately allow for cheaper 'balancing' of the energy grid by network operators, which may result in lower customer tariffs in the long run.

Credit assessment

We use Credit Reference Agencies to help prevent over indebtedness. Credit Reference Agencies generally do this by sharing personal information about borrowers and their financial history which helps lenders make responsible decisions about extending credit to borrowers. We will use Credit Reference Agencies to make automated decisions, for example, if you request a change from a prepayment meter to a credit meter.

We will also use Credit Reference Agencies to assess your ability to pay us by credit. We may automatically choose to offer you alternative products when you first contact us based on this assessment.

Health information

Where you have consented to us holding your health data we will use this to ensure that you are prioritised for the purpose of re-connecting your electricity or gas supply.

Credit Reference Agencies

When you are in the process of opening an account with us we can supply your personal information to credit reference agencies (CRAs) and they will give us information about you, such as your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity.

We will also continue to exchange information about you with CRAs on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.

Your personal information will also be linked to the data of your spouse, any joint applicants or other financial associates, so you should make sure you discuss and share this information with them, before opening your account with us.

The identities of the CRAs, their role as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in the Credit Reference Agency Information Notice (CRAIN). More detail of this notice is available at:

You can also obtain a copy of the CRAIN by contacting us.

Fraud Prevention Agencies and Energy Theft

We may need to confirm your identity before we provide products or services to you or your business. Once you have become a customer of ours, we will also share your personal information as needed to help detect fraud and money-laundering risks. We use Fraud Prevention Agencies (FPAs) to help us with this.

If you give us false or inaccurate information and/or we suspect fraud on your account, we will record this and may also pass this information to FPAs and other organisations involved in the prevention of crime, fraud and/or money laundering.

FPAs may send personal information to countries outside the European Economic Area ('EEA'). When they do, there will be a contract in place to make sure the recipient protects the data to the same standard as the EEA. This may include following international frameworks for making data sharing secure.

To help identify theft of mains gas and/or electricity from the property, we will share details of your account, which may include information about alleged criminal offences, with the Energy Theft Risk Assessment Service, the police, and/or other law enforcement bodies.

Sending data outside of the EEA (by us)

Your personal information will occasionally be transferred to third party organisations, some of whom may be located outside of the EEA, as part of the services that we offer to you. For example, this could happen if any of our servers that store your personal information are located in a country outside of the EEA, or when one of our service providers is located in a country outside of the EEA, such as India and Australia. Different countries have different data protection and security laws and some of these do not offer the same level of protection as you enjoy under UK data protection legislation.

The agreements that we have with these third party organisations are such that they will not use your personal information for any purposes other than what we have agreed with them. We explicitly request that any third party organisations with whom we share personal information implement adequate levels of protection to safeguard your personal information, in accordance with the GDPR and any other applicable data protection legislation. For example, we may put in place special contracts (which are approved by the European Commission and are known as "standard contractual clauses") with those service providers, or alternatively will ensure they have signed up to, and comply with, other approved mechanisms such as the EU-US Privacy Shield.

If you choose not to give Personal Information

We may need to collect personal information by law, or under the terms of a contract we have with you. If you choose not to give us this personal information, it may delay or prevent us from meeting our obligations. It may also mean that we cannot perform services needed to run your account. It could mean that we cancel a product or service you have with us.

Marketing

We believe it is important for ScottishPower, as a responsible energy supplier, to communicate with you to let you know of products, services, and other important information in relation to your energy supply and associated energy services, such as SMART meters and boiler care products. Communication with you allows us to understand your needs, so we can offer you the right products and services to help and support your personal circumstances.

We will contact you, or businesses associated with you, with marketing messages if you have consented to them. We may also contact you if you are a new or existing customer, or you are an existing customer and the marketing messages relate to similar products or services to those that you have currently (or have had in the past), and we have a legitimate interest in doing so.

We may also have regulatory or contractual reasons for sending you communications.

Our communications with you

Where you phone us to enquire about a new product, or you visit our website (or mobile app) to assess different products but do not complete a sale then we will record this. We will use this information to prioritise our communications with you and we may contact you to offer you the opportunity to assess whether other products are more suitable for you.

Where we rely on your consent, we may seek, or re-seek, your marketing consent any time there is a change in your relationship with us, including, where you investigate buying another product from us, move house, seek to add an additional person to your account, where you have objected to marketing communications, where there is a change in law, where there is a structural change in our business, or where your tariff changes.

Where we do not hear from you we will contact you no more frequently than every 12 months to ensure your consent preferences remain accurate. Of course, you are free to change your preferences at any time either online or by contacting us.

If you decide to leave us we may contact you to allow us to market our products and services to you after you have left for up to two years.

We will always need to send you information on the products and services that you use. However, you can ask us to stop sending you marketing messages by contacting us at any time - see section Withdrawing your consent.

How long we keep your Personal Information

We will keep your personal information for as long as you are a customer of ScottishPower.

After you stop being a customer, unless we explain otherwise to you, we'll hold your personal information based on the following criteria:

  • For as long as we have reasonable business needs, such as managing our relationship with you and managing our operations to allow us to respond to any questions or complaints you may have.
  • For as long as we provide goods and/or services to you and then for as long as someone could bring a claim against us; and/or
  • Retention periods in line with legal and regulatory requirements or guidance to show that we treated you fairly.

Appropriate safeguards will be implemented to protect your data, including where technical limitations restrict our ability to remove your personal information from our systems.

Obtaining your Personal Information

You have the right to obtain a copy of the personal data we hold about you:

  • Through your online account: find details of the personal data we hold about you online, including the postal and supply address that we hold, historic bills and energy usage readings, and your contact preferences.
  • By emailing us: dataprotection@scottishpower.com (subject heading: Subject Access Request - Your Name, your Account Number)
  • By writing to us: Data Protection Team, Subject Access Request, ScottishPower Energy Retail Ltd, 320 St Vincent Street, Glasgow G2 5AD.

You also have the right to get your personal information from us in a format that can be easily re-used. You can also ask us to pass on your personal information in this format to other organisations if this is technically feasible.

We are working within our industry to improve the way your data is shared.

Correcting your Personal Information

You have the right to question any information we have about you that you think is wrong or incomplete. Please contact us if you want to do this.

  • By emailing us: dataprotection@scottishpower.com (subject heading: Right to Rectification - Your Name, your Account Number)
  • By writing to us: Data Protection Team, Right to Rectification, ScottishPower Energy Retail Ltd, 320 St Vincent Street, Glasgow G2 5AD.

Controlling your Personal Information

Data Protection law provides you with a number of rights in relation to how we can use your personal information.

  • Right to erasure (Right to be forgotten) - you have the right to request the deletion or removal of your personal information where there is no compelling reason for its continued processing by us.
  • Right to restrict processing - you have the right to request that we block or suppress processing of your personal information.
  • Right to object - you have the right to object to the processing of your personal information by us where the processing is based on our legitimate interests, is processed for direct marketing purposes (including profiling) or for the purposes of statistics. If you wish to object to our use of legitimate interest for marketing please see section Withdrawing your consent below, for contact details.
  • Rights related to automated decision making including profiling - you have the right not to be subject to automated decision making, including profiling. We can only carry out these activities where the decision is necessary for entry into the performance of a contract, authorised by European Union or Member state law to which we are subject or based on your explicit consent.

There may be legal or other reasons why we need to use your data in the way that we do, but please contact us if you think otherwise.

  • By emailing us: dataprotection@scottishpower.com (subject heading: Data Subject Rights - Your Name, your Account Number)
  • By writing to us: Data Protection Team, Data Subject Rights, ScottishPower Energy Retail Ltd, 320 St Vincent Street, Glasgow G2 5AD.

Further information on your personal information rights is available on the Information Commissioner's website at ico.org.uk.

Withdrawing your consent

Where we process personal information based on your consent, you have the right to withdraw this consent at any time. If you withdraw your consent, and we rely on it to use your personal information, we may not be able to provide certain products or services to you. Please contact us if you want to do this.

  • Through your online account or mobile app: visit the Your Preferences section of your online account to change your consent preferences at any time.
  • By emailing us: contactus@scottishpower.co.uk
  • By writing to us: Customer Services, ScottishPower Energy Retail Ltd, 320 St Vincent Street, Glasgow G2 5AD.

Cookies and online security

Security

As you'd expect, we do everything we can to protect your personal data. That's why, whenever you input your details on this website, you do so via our secure servers. These use what's known as Secure Sockets Layer encryption (high-level 2048 bit) - a leading security standard in the e-commerce industry. The padlock symbol and, depending on your browser, the Extended Validation green bar are there for your peace of mind. You can also view this security certificate in the file/properties menu.

Most of this website isn't encrypted, because there's no need. However, the moment you submit any personal information as part of the quote and apply process or register to manage your account online, you're directed to secure pages.

Don't be surprised if you see a warning about non-secure pages while the secure pages are loading within the site. All of the information that's sent back and forth during secure processes goes via secure links - so it's encrypted, keeping your personal details safe.

Here are some of the other things we do to protect your personal data. When making a payment, your bank details are authorised in real time rather than being stored. For added security, the bank details that we do hold (for paying by direct debit) remain partially hidden when you access your online account. This way you can check which account you're using without letting anyone else see your full bank details, in the unlikely event of unauthorised access to your account.

We also train our staff to protect your personal details and check your identity whenever you contact us. You can do your bit too, of course. Keep your password and account details secure. And always remember to log out of your account and close your browser window when you've finished. This helps to ensure that no one else can access your personal data.

Cookies

To offer you a truly customised web service we need to use cookies. These remind us who you are and enable us to access your account information quickly and easily, leading to a superior, more personalised service. Cookies also help us to gauge the size of our audience and level of repeat usage. How do cookies work? In a nutshell, cookies are files that we send to your computer, which assign it a unique identification. We can then access these files whenever you visit our website. The cookie is set whenever you register or "log in" and modified whenever you "log out".

If you want to delete any cookies already on your computer, you will first need to find the file or directory that stores them - please refer to the instructions for your file management software. To stop cookies being stored on your computer in future, please refer to your internet browser's instructions by clicking 'Help' in its menu. Deleting our cookies or disabling future cookies won't stop our website from working, but it may mean that you won't be able to access certain areas of our site.

Want to know more about deleting or controlling cookies? Go to http://www.aboutcookies.org.

Download

You can download a PDF version of our PIN: Privacy Information Notice