Last Modified: 11th May 2018 PN 1.0
About this Privacy Notice
Exchange Utility Limited is committed to protecting your personal data when you are using our services. Personal data is any information relating to an identifiable living person who can be directly or indirectly identified in particular by reference to an identifier such as a name, postal, email and ISP addresses and cookies.
This privacy notice relates to our use of any personal data that we collect from you whether in the course of the supply of products and services, the provision of access to our online services or recruitment.
We will comply with data protection law which requires that personal data we hold about you is:
- Used lawfully, fairly and in a transparent way;
- Collected only for valid purposes that we have clearly explained to you and not used in any way incompatible with those purposes;
- Relevant to the purposes we have told you about and limited only to those purposes;
- Accurate and kept up to date;
- Kept only as long as necessary for the purposes we have told you about; and
- Kept securely.
This privacy notice will, therefore, inform you as to who we are, what personal data we collect, the purposes for which we use it, for how long we retain it and how we keep it secure, your rights in relation to your personal data and how you can contact us to discuss, query or obtain details of the personal data we hold about you.
1. Who we are
2. Whose personal data we process
3. Why we process your personal data
4. Personal data sources
5. How we will inform you about our privacy notice
6. The purposes for which your personal data is collected and processed
7. Who we will share your personal data with
8. Transferring your data outside of the European Economic Area
9. Safeguarding your personal data
10. How long we retain your personal data
11. Your rights as a data subject
12. Reporting a concern to us or to the Information Commissioner’s Office
13. Your right to lodge a complaint with a supervisory authority
14. The automated decision-making processes we operate
15. Other Websites
16. Getting in touch with us
Exchange Utility Limited is registered in England and Wales with company number 10255652 and has its registered office at Athenaeum House, Market Street, Bury, Lancashire BL9 0BL.
Exchange Utility Limited is a data controller and is registered with the Information Commissioner's Office (ZA264637).
We provide utilities brokerage services to commercial customers throughout the country.
How to Contact Us
We are based in Bury, Lancashire and we can be contacted directly about your personal data on the details below:
The Data Protection Manager
Exchange Utility Limited
Telephone Number: 0800 9777 000 (Monday to Friday 08:30 to 17:30)
We collect and process personal data about our:
- suppliers and service providers;
- advisers, consultants and other professional experts;
- employees and prospective employees; and
- enquirers and complainants.
We collect and process personal data:
- with your consent; and/or
- to perform the contract we have entered with you (or discharge other contractual obligations); and/or
- to comply with our legal obligations; and/or
- to pursue our legitimate interests (and your rights do not override our interests).
We can collect personal data from any number of sources including:
- Information you provide by visiting our website (exchangeutility.co.uk), filling in forms online requesting our products and/or services, contacting us, contracting with us and responding to surveys and/or prize draws;
- Publicly available information such as Companies House, LinkedIn and search engines such as Google; and
- Third party providers such as debt recovery agencies, contractors and business introducers.
You can request a free hard copy of this privacy notice by contacting us using the details set out above.
Where we obtain your personal data indirectly, for example from a business contact or website, we will inform you where you can access this privacy notice within one month of obtaining that data.
We will not use your personal data for any purposes other than those set out below without first informing you. Changes made to this privacy notice will be updated on our website and clearly signposted on our key documents.
We collect personal data with the overall aim of providing a better service to all of our customers and industry partners.
We will not collect sensitive personal data from you. For example, we will never ask for or process data relating to race, religion or ethnicity.
The personal data categories identified below are relevant and specific for the products and services that we offer or obtain. The listing also describes how and why we process them.
6.1. Name, address and contact details (including company details, contact names, telephone numbers and email addresses)
This data allows us:
- To carry out our obligations arising from any contracts entered into between you and us including delivery of product and services (in particular obtaining quotations and arranging supply contracts), invoicing and reporting; and
- To provide you with information on products and/or services you specifically request from us or which we believe may be of interest to you.
If you are an existing customer we will only contact you by email and/or SMS with information about products and/or services similar to those which we have previously supplied to you.
If you are a new customer, and where we permit selected third parties to use your data, we (or they) will contact you by email and/or SMS only with your consent.
If you do not want us to use your personal data to market to you by email and/or SMS or pass on your details to third parties for marketing purposes, please unsubscribe by using the link in the relevant email. Please note it might take up to 30 days for us to update our records.
On occasions we will share your contact details with our agents (such as third party suppliers) who may need to contact you to arrange the supply of products and services on our behalf.
Most contact details will be provided by you at the point that you make an online enquiry or request or provide a quotation. In some cases, we may need to obtain alternative contacts (for example a facilities manager) who may be best suited to assist us should we have a specific query. Where we have no contact details, we may sometimes take proactive steps to collect data using desktop research (such as internet searches).
There may be an impact on the level of service we provide should we have only limited or inaccurate contact details.
6.2. Meter point details (including meter point reference number, meter serial number, address and meter readings)
Premises which are connected to the utility network typically have a unique identification such as a meter point reference number which can be linked to a meter serial number and/or other apparatus such as an automated meter reader (AMR). These reference/serial numbers are linked to your address and are stored on a central database.
We collect meter point details directly from customers, from introducers and suppliers. This data enables us to obtain quotations for customers from suppliers.
This data allows us to carry out recruitment. We will dispose of all unsuccessful candidates' data securely unless we are asked to retain the CV on file.
This data may be provided to us at the start of or at any time during our business relationship with you. Such data can relate to the setting up of a direct debit, which we will process in accordance with the direct debit guarantee scheme.
We also take credit and debit card payments over the telephone and may ask you to confirm your bank details by email and over the telephone should we need to make any payments to you.
These processing activities allow us to charge you for our products and services and make payments to you.
External telephone calls are recorded for training, security and auditing purposes.
We may collect and process electronic and hardcopy correspondence and other documentation (such as emails, invoices, contracts, tenders and letters) as part of either a contractual obligation or a wider legitimate interest.
When you contact us for any reason, we may keep a record of our communication to help us deal with any queries and/or to support our customer service delivery operation.
When you access our website and web portal we may collect data relating to your computer including its IP address. Such data is anonymous in its form and allows us to carry out statistical analysis of browsing behaviour.
The cookies provide us with anonymous information showing us the number of visitors to our website, the device used to access it and which web browser they are viewing it on. This data allows for statistical analysis and helps us understand our customer behaviour better and optimise your online experience. Cookies also provide a convenience feature to save you time. For example if you personalise a web page or navigate within a site, a cookie helps the site to recall your specific information on subsequent visits. This simplifies the process of delivering relevant content and eases site navigation.
You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. However, in a few cases some of our website features may not function as a result.
Our website also uses the Lucky Orange analytics system to help improve usability. Lucky Orange may record mouse clicks, mouse movements and scrolling activity. Lucky Orange may record keystroke information that you voluntarily enter on this website. Lucky Orange does not track this activity on any site that does not use the Lucky Orange system.
You can choose to disable the Lucky Orange service at http://www.luckyorange.com/disable.php. Please note that doing so will disable other features of the Lucky Orange system.
We may share your personal data with:
- Regulatory authorities (such as Trading Standards), Government departments (such as HMRC) or the police in order to comply with any legal obligations or to assist in fraud prevention and detection;
- Credit agencies (for the purpose of credit risk management), and professional advisors to enforce or apply the terms of any contracts between us and you;
- Third party suppliers where we have subcontracted to them the performance of any or all of our obligations under our contract with you;
- Utility suppliers as part of securing a quotation and/or arranging a supply contract;
- The buyer and its professional advisors should we wish to sell any or all of our business and/or our assets in which case personal data we hold about our customers will potentially be one of the assets we sell; and
- Other third parties where we reasonably believe that such action is necessary to comply with a legal obligation, or to protect our rights and property, or act in urgent circumstances to protect the personal safety of our staff or agents, users of our products or services or members of the public.
Some of our processing activities may involve your personal data being transferred to a third party agency who may in turn process your data outside of the European Economic Area (EEA). In such instances the transfer of data outside of the EEA is necessary for the performance of a contract between ourselves and our processing partner.
We take all reasonable steps to ensure that appropriate safeguards are in place to protect your personal data. We have policies in place dealing with information security (both physical and digital) and data breaches. We ensure that our staff are properly trained so that they can process your data securely and safely.
Safeguards are regularly reviewed by senior management as part of our wider data protection policy which sets out how we aim to preserve the confidentiality, integrity and availability of personal data we hold.
Your personal data will be retained by us for as long as there remains a valid lawful basis for retaining it. We will keep data retention under regular review.
Accounting information (such as invoices) will be retained for at least 6 years in line with current tax legislation. Contractual documentation will be held for at least 6 years.
To ensure fair and transparent processing it is important that we inform you of your rights with regards to how your personal data is processed. Where you wish to exercise a right, we have signposted the best contact details for you to get in touch with us. Naturally we will need to confirm your identity before your request can be processed.
This is our privacy notice which informs you of who we are, why we are processing your personal data, with whom we share your personal data and how we have collected it. These details are set out above.
Our privacy notice can be found on our website and is signposted on our web portals and other key business documentation (such as on contracts and invoices). Our staff are trained to provide this notice in hard copy, soft copy or orally on request.
If you would like to discuss this privacy notice or suggest ways which we could improve the content or its communication then please contact a member of staff on 0800 9777 000 who will put you in contact with the data protection manager or email firstname.lastname@example.org.
As a data subject you have the right to access the personal data we hold about you and check that we are lawfully processing it.
Making a data subject access request (DSAR) is free and can be done in writing by emailing us at email@example.com or alternatively by writing to us at:
The Data Protection Manager
Exchange Utility Limited
Further details of how to make a DSAR can be found at https://www.exchangeutility.co.uk/data-subject-access-request-process/.
You can also speak to a member of staff on 0800 9777 000 who will put you in contact with the data manager should you have any questions or queries relating to a DSAR.
In line with legal requirements we do not have a data protection officer due to the nature and volume of our processing activities. However, we have appointed a data protection manager who will act in an equivalent capacity.
Once we receive your request we will ask you to verify your identity and ask you to specify the data or processing activity that you require so that we can confirm your expectations and respond within one month.
We do have the right to refuse a DSAR should it be manifestly unfounded or excessive and we can apply a reasonable fee and/or extend the time to respond should the request be complex (in which case you would be informed within 1 month). We do have the right to charge a reasonable fee if you make numerous requests for the same information.
Where personal data is inaccurate or incomplete you have the right for it to be rectified on our systems. In such cases we will act promptly to put things right.
So that we can quickly resolve your query we may ask you to provide some supporting evidence to show that the data needs to be altered.
If you require your personal data to be rectified you can speak to a member of staff on 0800 9777 000 who will put you in contact with the data protection manager or email firstname.lastname@example.org.
This enables you to ask us to delete or remove personal data where there is no good reason for us to continue to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to withdraw consent (see below).
Sometimes, however, we may refuse a request to erase such data in order, for example, to comply with a legal obligation.
If you require your personal data to be erased you can speak to a member of staff on 0800 9777 000 who will put you in contact with the data protection manager or email email@example.com.
This enables you to ask us to restrict the processing of your personal data. For example, if you do not want us to erase your data you may ask us to restrict our processing activities instead. A good example would be electronic invoicing.
If you wish for restricted processing to be applied to your personal data you can speak to a member of staff on 0800 9777 000 who will put you in contact with the data manager or email firstname.lastname@example.org.
To help strengthen your control over your data, you have the right, in certain circumstances, to receive personal data from us in a format which allows you to easily access it. For example, you may want your invoicing data in an Excel format.
We may ask you to specify what data you wish us to provide to you, or we may direct you to an existing service that we already provide where you can freely obtain the information. Where we can we will try and provide you the data in a common format which is transferable with other data controllers.
Should you wish to exercise your right to data portability you can speak to a member of staff on 0800 9777 000 who will put you in contact with the data protection manager or email email@example.com.
In circumstances where you may have provided your consent to the processing of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing activity at any time. To withdraw your consent you can speak to a member of staff on 0800 9777 000 who will put you in contact with the data protection manager or email firstname.lastname@example.org.
Once we have received notification that you have withdrawn your consent, we will no longer process your data for the purpose or purposes you originally agreed to, unless we have another lawful basis for doing so such as a contractual or legal reason.
Details of what automated decision-making activities we carry out are described below in paragraph 14. If you wish to speak to a member of our team to understand the decision made, obtain an explanation of the decision and challenge it you can speak to a member of staff on 0800 9777 000 who will put you in contact with the data protection manager or email email@example.com.
We may reject your request not to be subject to automated decision making where such activity is a necessary step in our contracting process or is required in the performance of a contract between us.
If you have a concern regarding how we handle your personal data then we kindly request that you inform us about it first so that we can work with you in an effort to resolve it.
You can report a concern or raise a complaint with us initially by contacting your usual contact or speaking to a member of staff on 0800 9777 000 who will put you in contact with the data protection manager or email firstname.lastname@example.org.
Alternatively, you can write to us by sending your letter to:
Data Protection Manager
Exchange Utility Limited
We aim to acknowledge your complaint within two business days and provide a resolution within 28 days. If we are unable to meet this timescale we will write to notify you in advance.
If you are not satisfied with our proposed resolution to your complaint you can raise the matter directly with the Information Commissioner’s Office (ICO). The ICO will take steps to address your concern and provide guidance and support to us so that we can put things right.
Exchange Utility Limited is a data controller and is registered with the ICO (ID ZA264637).
Details as to how to get in touch with the ICO or report a concern can be found on their webpage https://ico.org.uk/concerns/
If you consider that the processing of personal data infringes any of your rights set out in paragraph 11, you have the right to lodge a complaint with the relevant supervisory authority in the European State in which you reside or work, or in the place of the alleged infringement; the relevant supervisory authority for the UK is the Information Commissioner's Office.
The supervisory authority with which the complaint has been lodged shall inform you of its progress and the outcome of the complaint including the possibility of a judicial remedy.
There are some automatic decision processes that we operate to which we should draw your attention. This automation is necessary for us to agree a contract with you or to allow us to meet a contractual obligation.
Automated decision making can include credit checks. Where we process your data for the purposes of a contract we are not compelled to explain the decision made. However, to show good customer service we will try and provide you with an explanation where we can within a reasonable time.
If you would like to discuss this privacy notice or suggest ways in which we could improve the content or its communication then please contact us on 0161 762 1838 or email@example.com.