The data protection laws (UK General Data Protection Regulation and Data Protection Act 2018) requires us to be transparent about how we process personal data. This layer of our Privacy Notice explains in more detail how Smart DCC (DCC) deals with personal data that it collects and processes, what we use it for and how you can exercise your rights under the data protection laws (if you are a data subject) or find out more information. We have a separate section of our website which explains the cookies we use on our website which can be accessed here.
To help you find the content which is most relevant to you, this Privacy Notice is divided into the following sections:
About DCC
DCC is a wholly owned subsidiary of Capita Plc.
As a licensee of the Department for Energy Security and Net Zero (DESNZ) we are regulated by the Smart Meter Communications Licence which is overseen by Ofgem. Under this Licence, we also abide by the Smart Energy Code, which is administered by the Smart Energy Code Administrator and Secretariat and the Retail Energy Code.
Under the above regulatory documentation, DCC is responsible for establishing and managing the data and communications network to connect smart meters to the business systems of energy suppliers, mobile telecommunication network operators and other authorised service users of the network. DCC is also responsible for developing key technology that will facilitate faster energy switching (further information about our switching service can be found here). Our address and contact details for data protection matters can be found near the end of this notice.
Why do we process your personal data?
We process your personal data for the following reasons:
Interoperability Checker (also known as Smart Mode Checker)
The Interoperability Checker Service is a tool which DCC is required by law to make available to energy consumers, via the Citizen’s Advice website. You can visit the Interoperability Checker service here (if you are located in Scotland, visit the Interoperability Checker service here).
The Interoperability Checker can tell you if DCC handles data and communication services for your smart meter and, if we do, it will be able to tell you:
- The name of your current energy supplier
- Whether your meter is a first generation smart meter (aka SMETS1 meter) or second generation smart meter (aka SMETS2 meter)
- If you have a SMETS1 meter you can opt to receive information about other energy suppliers that are capable of operating your meter in ‘smart mode’ (in case you are considering switching).
The Interoperability Checker Service is only meant to be used if you are resident in the same house as the electricity or gas meter for which you are searching.
To use this service, you will need to provide your personal data in the form of your post code and your meter’s unique identification number. For your electricity meter, this is the meter point administration number (MPAN); for your gas meter, this is the meter point reference number (MPRN).
Once you have submitted your personal data via the Citizens Advice website, it will be securely transmitted to DCC. DCC uses that data to find the information that we hold. We then send the relevant information to the Citizen’s Advice website for you to read. Once you leave the portal, your results will not be retained by Citizen’s Advice.
We will not share your personal data with anyone else, and we will not use it for any other purpose than to provide the Interoperability Checker Service.
DCC will retain your post code and a unique transaction ID for a period of six months, to allow for incident resolution and checking performance of the Interoperability Checker service and technology, after which time these will be securely deleted. Citizens Advice will not retain any of your personal data connected with the Interoperability Checker Service. Citizens Advice will process other data about you when you visit their website, which you can read about on their Privacy and Cookies webpages.
DCC is under a legal obligation through the Smart Meter Communications Licence, and under the Smart Meter Code, to deliver the Interoperability Checker Service. When we process your personal data to provide the Interoperability Checker Service, DCC will be acting in the capacity of a ‘controller’, with Citizens Advice acting as a ‘processor’.
We rely upon the lawful bases of legal obligation and legitimate interests under the data protection laws for the processing carried out in relation to the Interoperability Checker Service. (You can learn more about legal obligations and legitimate interest in the Glossary section).
To find out more about the Interoperability Checker Service, how your data is processed or exercise your data protection rights in connection with this service, you can contact our data protection team using the contact details near the end of this notice.
If you would like to know more about SMETS1 and SMETS2 meters and DCC’s wider role, please read the next section.
Personal data relating to your smart meter
DCC has been appointed by law to provide data and communication services for all smart meters in Great Britain. Our job, in a nutshell, is to make sure that messages and data get from your smart meter to your energy supplier safely and securely. When we do this, we are acting as a processor for your energy supplier, who is the controller for the data sent to and from your smart meter. If you would like more information regarding the personal data processed over our network, you can get in touch with us using the contact details near the end of this notice.
However, by law, when we are acting as processor, we will only be able to respond if your energy supplier (the controller) authorises us to do so (as an alternative, you can always contact your energy supplier directly).
If you would like more information about what DCC does and how we work hard to ensure your data remains secure when it passes over our networks, you are welcome to review our website generally, or by using the contact details near the end of this notice.
People working in the energy industry
If you work in the energy industry in relation to smart metering, such as for an energy supplier, or another business providing equipment or services in the smart metering eco-system, or a business involved in energy switching, then we will process your personal data from time-to-time. This can be to respond to communications which you send to us, to manage contract(s) and business relationship(s), to allow you to use DCC's systems (only certain authorised individuals are authorised to do this), or to provide you with information regarding our work and what is happening with the smart metering implementation programme, or to invite you to industry events where smart metering issues will be discussed.
We will receive your data either because you, your employer or work-colleagues have provided it, or because another body involved in smart metering (such as the Smart Energy Code Administrator) or energy switching has asked us to get in touch with you.
The data we collect will include your contact details and, if you are authorised to use DCC's systems, the information you provide at the point where you seek that authorisation via our registration forms. DCC is a controller in relation to this personal data.
Engaging with stakeholders, building and maintaining relationships with businesses involved in smart metering and ensuring people in industry can use our systems are all a crucial part of the Smart Metering Implementation Programme. Without this, we would not be able to perform our role effectively, or fulfil the obligations in our Licence or the Smart Energy Code. We therefore rely upon legal obligations and legitimate interest as a basis for processing your data (you can learn more about legal obligations and legitimate interest in the Glossary section).
That said, if you are receiving communications from us in relation to the Smart Metering Implementation Programme, the Switching Programme or our events and would like us to stop, please e-mail us and we will respond to your request promptly.
Further information relating to our marketing, events and communications activities can be found here.
Personal data collected via our website and Customer Portal
We receive your personal data when you fill in forms, click on links or receive Cookies from us. The purpose for which we process your personal data is the same as the reason you gave it to us. Meaning:
- If you give us your e-mail address to subscribe to our newsletter, we will only use your e-mail address for that purpose. We will always give you the option to opt-out of our newsletters when you receive them.
- If you contact us with a query, we will use your personal data to respond to your query.
- If you send us your CV or apply for a job, we will use your personal data in order to send you details of roles which could be of interest.
- Our Customer Portal will allow you to select certain contact preferences.
Please visit the Cookies section of our website for details of how they are used.
DCC is the controller for personal data received via our website and Customer Portal. The data we process will be that which you provide to us via the relevant form or link. We will either receive your personal data directly, or via processors who host and operate our website for us.
The lawful basis for processing your data is consent, where we ask for it. Otherwise, we rely upon our legitimate interest, namely responding to queries and communications from stakeholders and/or the public. Rest assured, we only use your data in ways that are necessary for the purposes for which you provided it.
Who receives your data from us
DCC shares personal data with third parties when necessary and subject to strict security and other safeguards to ensure that the privacy of your personal data and your rights as a data subject are protected.
The categories of recipients who will receive your personal data are as follows:
- If you are an energy consumer, and DCC processes your personal data, we will be required to share it with our Service Providers, your energy supplier, other companies licensed to operate in the energy industry, and their agents or sub-contractors, either in order to ensure that information passes to and from your smart metering devices in the proper way or for the purposes of developing systems to support faster energy switching. You should contact your energy supplier in the first instance if you wish to learn more or exercise your data subject rights.
- If you work in the energy industry, we will appoint processors and sub-processors who provide us with IT storage, hosting, application, communication, and/or administration services, through which your personal data is stored and processed.
- If you provide data via our website, we will receive your personal data via companies who provide services relating to our website and other companies who provide us with IT storage, hosting, application, communication, and/or administration services, through which your personal data is processed.
- If you accept Cookies from us, the data we receive will be used by us and our website provider to monitor traffic and usage of our site (as set out in the Cookie section of our website here).
Rest assured, DCC and anyone receiving your data from us is required to only use it for the purposes for which that data was originally provided. The security and integrity of your data will be protected.
Where your data is processed
All personal data processed will be transferred to, and processed in, countries other than the UK. These countries will have data protection laws that are different to the laws of the UK (and, in some cases, may not be as protective).
Specifically, our website servers are located in the UK, but our group companies and third party service providers and partners operate around the world. This means that when we collect your personal data it will processed in those other countries.
However, we have taken appropriate safeguards to ensure your personal data remains protected in accordance with this Privacy Notice. These includes implementing the European Commission’s Standard Contractual Clauses for transfers of personal data outside of the European Economic Area.
How long your data is stored
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements, including requirements under our Licence, the Smart Energy Code (for smart metering) and the Retail Energy Code (for faster energy switching).
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Your rights and how to exercise them
You have the following rights under the data protection laws in relation to your personal data:
Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data. This enables you to ask us to delete personal data where there is no good reason for us to continue to process it. You also have the right to ask us to delete your personal data when for example you have successfully exercised your right to object to processing (see below), where we have processed your personal data unlawfully or where we are required to delete your personal data to comply with local law. However, please note that this right is not automatic and there will be occasions when we can lawfully refuse your request, but we will explain the reasons why if we do.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which overrides your rights and freedoms.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we will not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of your rights please contact the data protection team using the details in the next section.
As set out previously, we are only required to respond to your requests where we are the controller of your personal data. If you are an energy consumer and want to exercise your data subject rights, you must contact your energy supplier to do this.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we can charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we can refuse to comply with your request in these circumstances or if we have another basis in law to refuse your request.
We will need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We can also contact you to ask you for further information in relation to your request if we need to.
We try to respond to all legitimate requests within one month. Occasionally it can take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Contact the Data Protection Team
If you wish to contact DCC regarding personal data which you have submitted via this website, or through industry events, or another reason unrelated to your Smart Meter devices, our contact details are as follows:
Smart DCC Limited
E-mail: dataprotection@smartdcc.co.uk
2nd Floor, Ibex House, 42-47 Minories, London, EC3N 1DY
0203 725 8656
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), which is the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
If you wish to learn more about how personal data is processed in connection with your Smart Meter devices, please contact your energy supplier.
Changes to the privacy notice
This notice will be reviewed annually but changes may be made before then. This version was last reviewed in September 2023 and historic versions can be obtained by contacting us. Please check back to our website from time to time to check for any changes.
Links to other websites
Our website will contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over the other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this Privacy Notice. You should exercise caution and look at the Privacy Notice applicable to the website in question.
Glossary
Below we set out some further guidance on terms which we use in this Privacy Notice.
Our legal grounds to process your personal data
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to work with the energy industry, suppliers and other people we interact with (e.g. via our website) to best support the Smart Metering Implementation Programme. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Legal obligation means processing your personal data where it is necessary for compliance with a non-contractual legal obligation that we are subject to.
Public task means that we need to process your personal data to perform a task which is either in the public interest or we have the legal authority to perform.
Consent means that you have provided your consent to us to process your personal data and that consent has been obtained in accordance with applicable laws. Where we rely upon your consent to process your data, you can withdraw it at any time (this will not affect the lawfulness of the processing prior to the date upon which you withdraw your consent).