Last updated September 2019
Processing of Personal Data
We, npower Limited, have access to some of your personal data. We are considered to be the data controller of such personal data as we determine the purposes and means of processing that personal data.
Where this Policy refers to processing this includes collecting and storing personal data.
This Policy explains how we use your personal data, our legal basis for such use and your rights in relation to our processing of your personal data.
We would encourage you to read this Policy thoroughly so you know how we use your personal data, who we share it with and so that you understand your rights. We are committed to processing your personal data fairly and in accordance with the requirements of data protection law.
Should you have any queries about our processing of your personal data please contact our Data Protection Officer at npower Limited, Windmill Hill Business Park, Whitehill Way, Swindon, SN5 6PB.
Our group and your products and services
Our products and services may be provided to you by different companies within our Company Group. In order to enable such products and services to be provided we may need to share your personal data within our Company Group. The following companies within our Company Group may have access to your personal data. Where the term Company Group is used within this Policy we are referring to this list of companies and Company Group is any one of the companies on this list. You can find out more about npower on our website at www.npower.com.
Npower Limited (company number 3653277)
Npower Commercial Gas Limited (company number 03768856)
RWE Supply and Trading GmbH
Innogy SE Limited
Npower Northern Limited (company number 3432100)
Npower Yorkshire Limited (company number 3937808)
The address of Innogy SE is Opernplatz 1, 45128 Essen, Germany. The headquarters of RWE Supply and Trading GmbH is Altenessener Str. 27, 45141 Essen.
The address of all other Group Companies is Windmill Hill Business Park, Whitehill Way, Swindon SN5 6PB.
What personal data do we hold on you?
Whether or not you enter into a contract with us we will collect personal data from you.
We may receive personal data directly from you or we may receive your personal data indirectly from a third party. Please refer to the What sources of data do we use? section for further details.
Reference to your personal data means any data which, by itself or with other data we may hold, can be used to identify you. If you are a limited company this may only include your employees’ personal business contact details such as business email addresses and phone numbers. If you are a sole trader or partnership more of the data we hold on your business will be classified as personal data such as financial information and bank account details, MPANs and automated meter data.
The personal data we may hold will include the following.
Business name and address (including previous business addresses if you have been in your current premises for less than 2 years)*.
Home address (including previous home addresses if you have been in your current home for less than 2 years) (obtained for sole traders and partnerships only)*.
Names and contact details of key contacts (office/site address, email address, landline and mobile phone numbers).
Date of birth (obtained for sole traders and partnerships only)*.
Bank account and credit card details*.
Information from credit reference or fraud prevention agencies*.
MPANs and/or MPRNs*.
Meter Data (including data from automated meters which will include energy usage)**.
*this information will only constitute personal data where you are a sole trader or a partnership.
** this information will only constitute personal data where you are a sole trader or a partnership or where the meter is associated with premises occupied by a sole trader, partnership or domestic customer. See section on Automated Meter Data below.
If you provide information on behalf of anyone else then in doing so you are confirming that you have explained how their information may be used by us and they have given you permission to do so.
You must let us know if any of your contact details change so that we can update our records.
What sources of data do we use?
Most of the personal data we hold on you is collected as we set up your account with us and will be used to manage your contract with us and the services we provide to you.
Most of the personal data we hold on you is collected directly by us but we will also collect information from third parties and industry sources. Third parties will include other industry organisations who are involved in the services we provide to you such as your distributor or shipper, meter equipment owners and meter readers and your previous energy supplier. We may obtain personal data from brokers or consultants where you are using them to help you find energy products and services. We will also use third parties who can augment and/or verify information you have provided to us such as Companies House, your bank when verifying bank account and direct debit information and credit reference and fraud prevention agencies which we may use to obtain information about your repayment history or your credit rating or where we need to trace you for debt repayment purposes. Where you are a tenant we may obtain information from your landlord or letting agent to help us set up your account. We may also use other external data sources and other companies where you have given them your consent to share your personal data with us to enable us to market our products and services to you.
Using your personal data
We may only process personal data if we have a legal basis for doing so. The legal bases we rely on to process personal data are as follows:
- Processing is necessary for the performance of a contract or to take steps to enter into a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary for the purposes of legitimate interests
This section explains the reasons we will process your personal data and the legal basis we use to do so.
We will carry out the following processing to take steps to enter into a contract with you and/or to perform our contract with you:
- Providing you with a quote
- Taking steps to verify your identity (which may include use of Companies House information) and the data you have provided to us
- Setting up and managing your account and its interaction with each service area of our business
- Preparing invoices and processing billing/tax information
- Collecting debts
- Sharing personal data with industry participants such as metering agents
- Sharing data within the Company Group where necessary to provide services
- Receiving and actioning calls, letters and emails in relation to your account
- Sending service messages in relation to your account
- Updating records
- Obtaining credit reference decisions (see Carrying out Credit Checks section for further information)
- Complying with any other bespoke contractual requirements (for example bespoke reporting arrangements)
We will carry out the following processing as necessary for our own legitimate interests:
- Recording calls to monitor activities on your account and for internal training purposes
- Preparing internal reports and forecasting to analyse and share data for good governance and improving customer service
- Transferring data between teams within Npower Limited to ensure that accounts are managed appropriately.
- Responding to and addressing complaints and/or claims.
- Sharing personal data with third party metering agents in order to manage your account
- Analysing of data for auditing purposes
- Searching credit reference agencies
- Reviewing payment plans for good governance and management of our business
- Recovering debt
- Obtaining feedback for market research and analysis for business improvement
- Carrying out data enrichment and ensuring the information we hold is accurate and up to date
- Reporting to and paying referral partners such as brokers
- Using Web analytics to analyse and better configure our website
- If you have a display unit with your automated meter we may send messages to its display unit. See Automated Meter Data section for further information.
- If you have an automated meter to record your energy use. See Automated Meter Data section for further information
- Colleting and used half hourly data from an automated meter where we do not have a legal or regulatory obligation to do so (see Automated Meter Data section for further information).
We will carry out processing where required to comply with a legal obligation. As an energy supplier we are subject to licence conditions and energy-specific law and regulations as well as general law. Some examples of the obligations we have as an energy supplier are as follows:
- Sending data to Ofgem and Elexon (or other relevant law enforcement or government agencies) to comply with our industry reporting obligations
- Sending data to comply with data protection obligations (for example to respond to a data subject access request)
- Preventing and detecting fraud and other criminal activity by alerting fraud prevention and credit reference agencies and law enforcement agencies such as the police and HMRC where we suspect fraud
- Helping to prevent and detect theft, fraud or loss of gas or electricity by preparing and sending reports to the entity contracted to run the Theft Risk Assessment Service (TRAS) on behalf of all electricity retailers. See Theft and Fraud Prevention section for further information
- Settling supply customers on a half hourly basis where applicable
- For the establishment and defence of legal rights
- Sending information to relevant law enforcement agencies or government agencies where we have been asked to provide the information for legal or regulatory reasons
- Holding and using emergency contact details
We will only carry out the following activities where we have your consent to do so:
- Setting up direct debits with your bank (this will require the transfer of bank account information to our bank, Natwest)
- Contacting you to offer additional services and products (known as direct marketing)
You can change your direct marketing consent preferences at any time using this link npower.com/consent-preference-nBS.
We may share your personal data with third parties:
Some of the personal data we hold we may share with third parties such as agents and other service providers. We may do so for the following reasons:
- To enable us to assess your credit position we may share your data with credit reference agencies. See Carrying out Credit Checks section below
- Where there is debt on your account we may use debt recovery agents to pursue that debt on our behalf or we may use a credit reference agency or fraud prevention agency to trace you if necessary to recover your debt
- We may need to share your personal data with entities providing us with credit insurance and credit insurance brokers
- Where necessary to pass information to relevant industry participants based on agreed industry processes which may include distributors/shippers, metering agents and other energy suppliers
- In order to provide your services we may share personal data with other companies in our Company Group and third parties acting as our subcontractors. This may also mean that your personal data is accessed for support and administration purposes
- Where we suspect someone has committed fraud or stolen energy by tampering with a meter associated with your account or by diverting supply we will record such details on your account and share such information with Ofgem and other energy suppliers as required to comply with our legal obligations. See Theft and Fraud Prevention section for further information
- Where necessary to comply with our regulatory or legal responsibilities we may share personal data with regulatory and other government agencies.
- Where developing and testing our IT systems or diagnosing and dealing with IT incidents our IT subcontractors may require access to your personal data
- To agents and service providers (including IT service providers who host our databases) to support our business who may have access to our systems and data in order to provide services to us
- In order to carry out profiling and other market and statistical analysis to help improve the way we provide our services and the products that we are able to make available to you marketing agencies such as Google Analytics will have access to your personal data. Personal data is not shared with these agencies without your consent. See further details about profiling in the Automated decision-making and profiling section below
- If an organisation takes over our business or assets we will pass your personal data on to them
- To obtain professional advice our legal and professional advisers including our auditors may have access to your personal data
- If you have asked the Energy Ombudsman to assist you in dealing with a complaint, we may transfer personal data to them
Carrying out Credit Checks
We will use information from credit reference agencies and fraud prevention agencies together with data we hold on you for internal credit risk and debt management purposes in order to help us make decisions about your ability and that of your business to make payments for the goods and services we offer, to make decisions about the payment arrangements that are most suitable for you and the products and services that we can offer to you. We may use information provided by credit reference and fraud prevention agencies to verify your identity and to assist in the prevention of crime.
When credit reference agencies receive a search from us such request will be noted on your credit file. This may be seen by other organisations.
We may also send information about your account and how you manage your account to credit reference, regulatory and/or fraud prevention agencies and they may record this information (this may include sharing your account details including information about your payment history and any late or non-payment of bills which may be recorded by credit reference agencies as a debt).
If you set up an instalment plan or some other form of payment arrangement with us to repay a debt then a payment arrangement flag may be recorded on your credit file. We may record such a flag whether you are a current customer with us or one who has left us to go to another supplier and had their account closed with an outstanding debt that remains to be paid. This information may be supplied to other organisations (as described above) by credit reference agencies and may affect your ability to obtain credit.
If you give us false or inaccurate information or we suspect fraud, we will pass your details to credit reference, regulatory, fraud prevention and/or law enforcement agencies (such as the police and HM Revenue & Customs) who will receive and use this information.
The information we share may be supplied to other organisations (such as banks, other utility companies who offer you credit to purchase goods and services by credit reference agencies and fraud prevention agencies) to perform similar checks to those set out above and to trace your whereabouts if you have moved the location of your business without providing a forwarding address so that we/they can recover the debt on your account. The credit reference agencies keep records for 6 years after your account has been closed, you have paid off your debt or action has been taken against you to recover the debt.
We currently only use Experian as a credit reference agency. Experian’s role as a fraud prevention agency, the data it holds, the ways in which it uses and shares personal data, data retention periods and your data protection rights with Experian are explained in more details in the Credit Reference Agency Information Notice which is available from Experian at www.experian.couk/crain.
We and other organisations may access and use information recorded by fraud prevention agencies from other countries. See further information in the How we keep your personal data safe section below.
Automated decision-making and profiling
There are a number of processes we carry out which constitute profiling. Profiling includes automated processing of personal data which is used to analyse or predict an individual’s economic situation, personal preferences or behaviour. We may use profiling to analyse your credit position. This activity is carried out on the basis of our legitimate interests. Note that you have the right to object to us processing your personal data in this way however please be aware that if we are not able to complete credit checks we may be unable to offer you a contract or may need to adjust the terms of your contract in order to provide us with appropriate payment protection.
We have a legal requirement to notify you if our systems conduct any processing including profiling which produces a decision that is completely automated and produces legal effects concerning you or similarly significantly affects you. An automated decision is one which is made without input from a living individual. The outcome of the profiling we carry out during our credit vetting process is an automated decision with regard to your credit risk to us which falls within this category. This automated decision is performed on the basis of it being necessary in order for us to enter into a contract with you or perform our contract with you. However, if, following receipt of an automated decision you wish the decision to be reviewed by our staff please contact us at email@example.com and this review can be arranged for you.
Theft and Fraud Prevention (applicable to supply customers only)
If we suspect that someone has committed fraud or stolen energy by tampering with the meter or interfering with the supply at one of your sites we will record this information on your account and we may share this information (for a long as you have an account with us) on a regular basis (including occupier details, property type and consumption data) with the industry appointed TRAS Fraud Prevention Agency (including their sub-contractors (if any)) who will use that information and that of other customers (whether or not supplied by us) to check public and other databases they hold or have access to so that they can profile geographical, behavioural and other similar trends for the purpose of theft and fraud risk assessment and to generate leads based on that analysis which they will pass on to us for the purpose of preventing and detecting the theft of energy and the prosecution of offenders.
The TRAS Fraud Prevention Agency will hold this information and may provide it to other energy suppliers (where you have an energy account with them) or to Ofgem and other industry bodies in accordance with agreed industry processes and the information may continue to be used even following termination of your contract with us where you are supplied by a different energy supplier.
We may use any information we have collected as well as any leads passed to us by third parties including the TRAS Fraud Prevention Agency to (where relevant and appropriate) detect, investigate, pursue, prosecute and prevent (in so far as possible) theft and fraud.
If we suspect or confirm that you have committed energy theft a record of this will be kept by us and the TRAS Fraud Prevention Agency. We may use this information to assist us in making decisions about your payment arrangements and the products and services we offer you in the future.
Automated Meter Data
We receive information about your energy use from your meter equipment owners and meter readers through a secure method. This is the Metering Point Administration Number (MPAN) or Meter Point Reference Number (MPRN), the meter serial numbers and the meter reads. We receive this information from all meters. We get meter reads for each of the different registers you have if you have a meter configuration with more than one continuous time period.
If you have an Automated Meter (being a smart meter, an advanced meter or any other remote access meter) we receive this information more frequently in respect of each period of time for which we have permission to obtain data (monthly or half hourly). We refer to this as Automated Meter Data in this section.
We can use your Automated Meter Data to:
- produce your bills (including to produce a final bill);
- calculate any debts on your account;
- provide energy information for industry purposes in line with regulations; and
- predict the amount of energy you and other customers will need
We may also collect more frequent information, up to half hourly, for the following extra purposes:
- To send you more accurate bills, so that we do not need to estimate your bill if you move site or change your energy plan. (We may still need to use estimated readings if there is a problem with your meter or we are unable to communicate with it.
- To help us predict how much energy you will need and identify patterns in your energy use, so that we can make sure we are developing the right energy plans and services for our customers.
- To give us more detailed information about your usage, so that we can respond to your questions or complaints more easily.
- To help us identify if your meter has been damaged or isn’t working properly – so that we can be sure you are paying the right amount for the energy you have used.
- To give you feedback about your energy use – so that we can help you manage it better. (This will not include using your information for marketing purposes unless you have agreed that we can.)
The greater the detail of Automated Meter Data we can obtain the more tailored our analysis and feedback will become which will help us understand our customer needs better to help improve the way we provide our services and the types of services we offer.
Monthly is the minimum level of data we are allowed to take for billing and regulatory purposes. We are also allowed to take ad hoc meter reads to maintain accurate billing where we need to send you a bill after changes to your account, if we need to use the data to resolve a query from you or if we think your automated meter has been damaged or been compromised in any way.
We will only collect your energy data on a half hourly basis from your automated meter if:
- we are under a legal or regulatory obligation to do so or
- where we do not have a legal or regulatory obligation to do so, we have a legitimate interest to do so unless you contact us by the methods set out below to request that we do not collect your energy data on a half hourly basis.
The data will only be collected by us once a day (during a daily download of Automated Meter Data).
We will discuss the purposes for which your Automated Meter Data may be used in greater detail with you either when you contact us, or we will get in touch with you prior to your automated meter being installed, or when you transfer your energy supply over to us. If you request us not to, your half hourly Automated Meter Data will not be collected by us.
To discuss your options, request that we do not collect and use your energy data on a half hourly basis or otherwise change the level of Automated Meter Data we collect please contact us on 0800 138 2322 or put your request in writing to npower Business Solutions Customer Service, npower Ltd, Birch House, Joseph Street, Oldbury, B69 2AQ. You can change your mind about the use of your data whenever you like – but we are allowed to take monthly energy usage for the purposes set out above so that we can service your account.
If you decide that you want to change the level of Automated Meter Data that you want us to collect that change will not be reflected at a meter level for up to 2-3 days from the date that you contact us and the Automated Meter Data for that period either may still be available to us and to you or may not be available to us or to you until you meter is updated depending on whether you were increasing or decreasing the level of energy data you want to have access to.
If you have an automated meter at a Premises and you move out of those Premises
It is essential that you tell us in advance of that move taking place so that we can arrange for your Automated Meter Data to no longer be available to any new occupier via your automated meter energy display (if you have opted to have such a display). If you fail to let us know then we may be unable to prevent your Automated Meter Data being available to the incoming owner/occupier of the premises. This may also have an impact on the availability of the new occupier’s data to them as we will only be able to prevent access to your data from the date that you let us know that you have moved and that may include some data for the new customer if you have moved out and they are already occupying the premises.
If you are a landlord you must notify us when your tenants move in or out.
It is essential that you tell us in advance of that move taking place so that we can arrange for the previous tenants’ Automated Meter Data to no longer be available to any new occupier via the automated meter energy display(if you have opted to have such a display) in the premises. If you fail to let us know then we may be unable to prevent the previous tenants’ energy data being available to the incoming owner/occupier of the premises. This may also have an impact on the availability of the new occupier’s Automated Meter Data to them as we will only be able to prevent access to the previous tenants’ data from the date that you or the new occupier let us know that the previous tenants have moved and that may include some data for the new tenant if the previous tenants have moved out and the new tenant is already occupying the premises.
We are able to provide you with up to 24 months’ (or the period we have been your supplier whichever is the shorter) of Automated Meter Data as long as it is available from your automated meter. An automated meter is only able to store a limited amount of data so if you, for example, change your level of consent to enable us to collect more than monthly energy data then we will only be able to provide you with any retrospective information at that new level of energy data use if it is still available from your Automated Meter.
It may not be possible to remove all your Automated Meter Data from the systems once it has been collected. If requested we will stop processing that Automated Meter Data unless we have a legal or regulatory right to continue to use the data to deal with your account.
If you are the landlord or owner of premises we supply and are also the bill payer but you do not occupy the premises, we may only be able to share Automated Meter Data that is necessary to enable us to meet our contractual and legitimate responsibilities/functions to be carried out (such as billing) with you. We may be able to provide you with more Automated Meter Data if you provide us with your tenants details so that we can contact them, provide them with the purposes for which we will use their Automated Meter Data and seek their consent to provide you with more granular Automated Meter Data.
If you are the account holder for electricity, and not the account holder for gas (or vice versa) at a premise we supply, both of you will have access to the Automated Meter Data and will be able to see how much energy you are using.
How we keep your personal data safe
Any personal data you send via the post or email is at your own risk but once we receive it we use strict procedural and electronic safeguards to protect it.
Personal data is only shared with those individuals (either our staff or third parties) who need access to such information in order to manage your account and carry out the processing set out in this Policy.
Where it is necessary to transfer information to other industry participants we will put measures in place to ensure (insofar as reasonably possible) that the information is secure in transit.
Some categories of personal data we deem to be particularly sensitive and as such we have put additional protections in place for processing such data. Where this sensitive data is processed by us, access to such data within our databases is password protected and emails containing such information are encrypted and require authorised access. This sensitive data will include your bank account details and financial information.
We may also pass personal data outside of the European Economic Area (EEA) to countries that do not have the same data protection standards as we have in the UK. If we, or any of our processors do this, we will always know when any such transfer occurs and will make sure that it happens with the relevant legal protection in place. We will only transfer your personal data:
- to countries approved by the European Commission as having appropriate data protection laws to ensure an adequate level of protection for your personal data such as Canada, New Zealand; or
- where we have put in place our own measures to ensure an adequate level security as required by data protection law. These measures include ensuring that your personal data is kept safe by carrying out strict security checks on our overseas agents, service providers etc. backed by strong contractual undertakings approved by the relevant regulators for example the EU style Model Clauses. Visit the ICO website www.ico.org.uk and search for “international transfers” for more information; or
- to a member organisation approved by the European Commission as having a suitable level of data protection for example the EU-US Privacy Shield which covers transfers to the US. Visit www.privacyshield.gov for more information.
If we exit the European Union without a withdrawal agreement (a “No-Deal Brexit”) we will continue to transfer personal data to countries within the EEA and to those countries that the European Commission has already deemed to provide an adequate level of protection for your personal data on the basis that they are also deemed to provide adequate levels of protection for personal data by the British government.
How long do we keep your personal data for?
We will keep your personal data for as long as we need it to provide you with the products and services we are contracted to provide you and to comply with our legal obligations, to enable us to resolve any disputes and to enforce our legal rights. This may vary depending on the type of personal data we hold but our policy is to not retain any data for longer than we need to.
Your rights under data protection law
You have the following rights in relation to the personal data we hold on you:
- The right to be informed about our processing - the information in this Policy is intended to inform you about the processing we carry out together with “just in time” notices when we collect additional information at different points during your relationship with us
- The right to have personal data corrected if it is inaccurate or incomplete – you can ask us to change or complete any inaccurate or incomplete or incorrect personal data that we hold about you
- The right to withdraw consent – if you have given us consent to process your personal data you have the right to withdraw that consent at any time by contacting us on 0800 138 2322 or by updating your direct marketing preferences at npower.com/consent-preference-nBS
- The right to object to processing based on it being in our legitimate interests – where we rely on the legitimate interests legal basis to process your personal data you have the right to object to us using your personal data for those purposes. We do not have to stop processing your personal data if we can show that it is in our overriding interests to carry on processing your personal data and it will not cause you unjustified harm.
- The right to restrict processing - you can ask us to restrict the personal data we use about you where you have asked for it to be erased or you have objected to our use of it
- The right to have personal data erased – you have the right to have personal data deleted where it is no longer necessary for us to use it, you have withdrawn consent or we have no lawful basis to keep it
- The right to request access to your personal data and information about how we process it - this is known as a subject access request and can be made in writing, by email or by phone. We will not charge a fee unless your request is manifestly unfounded or excessive (particularly if it is repetitive) when we may charge you a reasonable fee based on our administrative costs
- The right to move, copy or transfer personal data – you can ask us to provide you or a third party with some of the personal data we hold about you in a structured, commonly used electronic form so it can be easily transferred
- Rights in relation to automated decision making and profiling (for further information see the Automated decision-making and profiling section above)
You also have the right to raise a complaint with the Information Commissioner’s Office if you have concerns about how we process your personal data.
Use of our Website
External links from our website
From time to time we may include hypertext links to sites which are created by individuals and companies outside of our Company Group. We do this when there is a particular relevance to the topic you are reading about. Whilst we endeavour to check that the content of these sites is suitable, we unfortunately cannot take any responsibility for the practices of the companies who publish the sites that we link to, nor the integrity of the content contained within them.
This policy does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
Our website search and decision notice search is powered by Funnelback. Search queries and results are logged anonymously to help us improve our website search functionality. No user-specific data is collected by us or any third party.
People who contact us via social media
We deal with all our social media interactions internally. If you send us a direct message via social media the message will be stored by us in accordance with our policy of not retaining data for longer than is necessary (see How long do we keep your Personal Data for? section for further information). It will not be shared with any other organisations.
Visitors to our website
When someone visits our website we use a third party service provider, to collect standard internet log information and details of visitor behaviour patterns. Our third party service provider is currently Webtrends but this service will shortly be transferring to Google Analytics. These analytics enable us to see how people use our website and give us the information needed to make improvements and make our website easier to use. We also do this to find out things such as the number of visitors to the various parts of the website. This information is only processed in a way which does not identify anyone. We do not make, and do not allow our third party service provider to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
Like most websites, we use "cookies" - small text files that are saved to your device. We test different versions of the website before we finalise changes to ensure that any improvements make it easier to use. Cookies help us to track how a user progresses through sections of our website that we are testing.
More details about cookies, how we use them and how you can disable them can be found at https://www.npower.com/about-npower/cookies/.
Data retention and managing your information on our website
We will retain data you have provided to us, including journey information and device models, to monitor the performance of our website and identify any problems. All data is completely anonymous and can’t be used to identify the user in any way.
Changes to this Policy
We may update this Policy from time to time and therefore advise you to check it regularly to ensure that you are aware of any updates. Significant changes to the personal data we hold on you or the way in which we use your personal data will always be highlighted to you.