Principles of Enefit UAB customer data processing
1. General
1.1 The data controller is Enefit UAB (hereinafter referred to as the Company), legal entity code 300649187, registered address at Vito Gerulaičio str. 10-101, Vilnius, Lietuva.
1.2 The processing of the Company's customer personal data is based on Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 96/95/46/EC (General Data Protection Regulation or the GDPR), including the Law on Legal Protection of Personal Data of the Republic of Lithuania, and having regard to good business practices.
1.3 The Company also follows the guidelines and instructions of the Data Protection Inspectorate and the European Union data protection expert group WP29.
1.4 These conditions (principles) (hereinafter referred to as the Conditions) are general conditions, whereas other conditions related to personal data (hereinafter referred to as the Data) protection may also be included in respective agreements, documents, forms and made available on the Company's website www.enefit.lt. These Conditions are an integral part of these general conditions for the provision of services. The Company refers to the Conditions when concluding a contract (hereinafter referred to as the Contract) with the Customer, offering a service, goods and/or giving access to online account (hereinafter referred to as the e-environment) to the Customer and enables the Customer to get acquainted with the Conditions.
1.5 If the Customer finds that his/her Data is not processed in accordance with the applicable rules, he/she has the opportunity to contact the Company’s data protection specialist at [email protected]. This option does not affect the Customer's right to apply to respective data protection supervisory authority or to a court if necessary.
2. Aim of Conditions
2.1 The Conditions of the Company’s customer Data processing apply to the Company and its Customers.
2.2 The Conditions determine how the Company may use the Customer's Data in communication with the Customer and provide information on important issues related to the use of the Data.
2.3 The Conditions do not apply to the services or goods of other companies, even if they are available to the Customer via the Enefit UAB e-environment or the service (hereinafter referred to as the Services).
3. Definitions
3.1 The Company uses the terms in the sense defined in the General Data Protection Regulation.
3.2 A Customer is any natural person who has entered into a Contract with the Company or has provided his or her information and expressed a wish to register as a Customer or to receive an offer from the Company to enter into a Contract, but has not entered into a Contract. The Company also treats as a Customer natural persons who use the Company’s Services or the e-environment.
3.3 The Contract is the contract between the Customer and the Company for the provision of the Service, consisting of the Individual Terms and Conditions of the Contract, the General Terms and Conditions of the Contract, and the documents and/or annexes to which the Individual Terms and Conditions refer.
3.4 Data (personal data) is any data of the Company's customers that can be directly or indirectly identified, distinguished, linked or located. Processing of Customer Data is any operation performed on Customer Data.
3.5 Anonymous data is information that cannot be associated with a specific Customer, as the Customer's identifying information has been removed from the data.
3.6 By ensuring the secure processing of data, we mean the use of up-to-date physical, organizational and IT security measures. These measures include the protection of employees, IT infrastructure as well as office buildings and technical equipment. The purpose of the measures is, in particular, to control the risks and to mitigate the risks posed by both persons and technology. In order to ensure compliance with the measures, the company's and the Enefit group's internal procedures have been established for mandatory compliance. The Company's employees are subject to Data confidentiality and protection requirements and are responsible for fulfilling these obligations. The Data Processors authorized by the Company are obliged to ensure compliance with the same rules in respect of their employees and they are responsible for compliance with the requirements for the use of Data.
4. Conditions of Data protection of the Company
4.1 The Company uses the Data in the manner specified in the Conditions and only for the purpose for which the Company collected the Data and to the extent necessary to fulfil this purpose. The Company may combine Data collected in connection with different Services if such Data has been collected for the same purpose.
4.2 The Company considers the Customer's privacy and Data protection very important, using secure solutions for data processing.
5. The role of the Customer in ensuring Data security
5.1 The Customer must use the Services and e-environments safely and diligently and ensure that the devices (e.g. computer, smart phone, application, etc.) used by the Customer to use the Company's Services or e-environment are secure. The Customer is obliged to keep their Password, user IDs and passwords related to the Customer, their device, the Service or the e-environment or other information or information carriers (e.g. ID card or Mobile ID) related to himself/herself secret from other persons.
5.2 The Customer must be aware of and take into account the fact that the Company cannot guarantee the security of the Data and is not liable if the Data is not protected due to the Customer's breach of the obligation specified in clause 5.1 (incl. because the Customer has not changed the original PIN or other initial settings or the Customer's ID card, Mobile ID or their PIN codes have been used by unauthorized persons). In such case, the Customer is responsible for all consequences that may occur to them.
5.3 If the Customer allows the user (e.g. the Customer's family members, employees, etc.) to consume the Services or the e-environment on the basis of the Contract concluded between the Customer and the Company, the Customer is responsible for the user reading and agreeing with the Conditions.
6. Data collection and sharing
6.1 The Company offers Customers various Services and e-environments for use. The composition of the Data collected by the Company per Customer depends on which specific Services or e-environments the Customer uses, which Data is necessary to provide them; the extent to which the Customer transmits Data to the Company for this purpose (e.g. when ordering the Service, registering as a User, etc.) and the consents the Customer provides to the Company for data processing.
6.2 According to the nature and purposes of the data processing, the data collected is divided into three main categories:
6.2.1 Basic information, such as: first and last name, user name, personal identity number, date of birth, and other related information, age, address, other information about the object for which electricity supply contracts are concluded: object number, ESO user code, meter number in the object, e-mail address, services ordered or information about purchased products (e.g. service composition, additional services, parameters, service address, devices used, etc.) and related static IP address, domain name or device serial number, billing information (e.g. billing address, reference number, account number, etc.). Also data collected by Customers in the course of using the services in e-environments.
6.2.2 Specific types of personal data, such as racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data used for the unique identification of a natural person, health data or data on a person's sexual life and sexual orientation. The purpose of the Company is not to collect your specific personal data, but it may become known to us by chance, for example, through a letter or telephone call received by us as part of a Customer relationship, when you disclose it to us. In accordance with the Conditions of secure data processing, the processing of such data shall be in any event restricted (specific types of personal data, if possible, are deleted without delay).
6.2.3 Non-personalized data is data that is not attributable to any particular Customer, but which the Company must also process in order to provide services. Non-personalized data is, for example, data collected when using websites, which is collected by non-personalized customers for the Company in the course of using the services.
6.3 The Company collects Data in the following ways:
6.3.1 the Company receives Data from the Customer, for example, when ordering the Service, registering as a Customer, making an information request to the Company;
6.3.2 The Data is generated by the Customer when using the Services (e.g. when using the e-environment) and it is necessary for ensuring the performance of the Contract, such processing of the Data is prescribed by legislation or is based on the Customer's consent;
6.3.3 The Company receives Data related to the Customer from other sources (e.g. other service providers or public registers, etc.) if it is necessary for ensuring the performance of the Contract, such processing of the Data is prescribed by legislation or is based on the Customer's consent.
6.4 The Company may disclose the Data only on legitimate grounds (e.g. when required by law or contract concluded with you, or we have your individual consent) and in accordance with the applicable legal requirements.
6.5 The Company may share the Customer’s Data with:
6.5.1 service providers acting as personal data processors of the Company and providing services to the Company;
6.5.2 in the cases provided for by law, law enforcement and supervision, as well as other state and municipal authorities, when complying with the requirements of legal acts, including the State Tax Inspectorate;
6.5.3 for persons providing services related to the performance of a contract concluded with you or your representative;
6.5.4 bailiffs, courts, other dispute resolution bodies;
6.5.5 other business entities, the merger of the Company with another legal person or acquisition, including persons performing legal due diligence;
6.5.6 companies providing company auditing and related services, legal and financial advisory services providers.
7. Use of Data for ensuring the performance of the Contract
7.1 The Company may use the Data without the separate consent of the Customer for the performance of the Contract in the following cases:
7.1.1 to identify the Customer and their representative;
7.1.2 to perform activities necessary for the provision of Services or sale of goods to the Customer (incl. for sale and delivery of Services and/or goods and for forwarding information on Services and goods to the Customer);
7.1.3 Customer service and troubleshooting;
7.1.4 to provide and develop the e-environment, its services and functionalities and high quality personal user experience (e.g. recording of language preference, etc.) and to provide the Customer with information related to the possibilities and security of using the e-environment;
7.1.5 to calculate the service fees related to the Contract, to prepare and send notices and invoices to the Customer;
7.1.6 to send notices related to the Contract and/or the Service to the Customer by post;
7.1.7 for documenting business and service activities and exchanging business information (incl. for submission to auditors when auditing the Company);
7.1.8 to better serve customers, including measuring the quality, usage activity or Customer satisfaction of the e-environment and Services, and to develop the Services and business;
7.1.9 for the maintenance or repair of other Customer's equipment procured by the Company or on the Customer's order and for other after-sales activities related to the equipment;
7.1.10 to record and preserve telephone calls between the Company and the Customer, with the purpose of using these call recordings to prove the declarations of intent or transactions made by the Parties and to better serve the Customer;
7.1.11 to assess and prevent potential business risks or losses related to the provision of the Service;
7.1.12 to ensure the performance of the Contract (e.g. to establish guarantees, enter into surety contracts);
7.1.13 for the protection of violated or disputed rights of the Company and debt collection (incl. for the transmission of Data related to breach of the Contract and/or indebtedness to persons providing collection services, lawyers, etc. authorized by the Company for processing the respective Data on the basis of the Contract);
7.1.14 to assess the Customer's creditworthiness and reliability (payment behaviour) (incl. to decide on the provision of credit for services);
7.1.15 in case of breach of Contract, for transmitting the Customer's payment default (data related to overdue debt, including debtor's name, personal identification code, information on the amount of debt, time of occurrence of debt and type of debt-related transaction) to credit information companies authorized by the Company.
7.1.16 to provide customers with the option to monitor their electricity consumption (including individual electrical devices) via the ELIQ mobile or web app.
7.2 The overview of the use of the Data for the purpose of performing the Contract and ensuring the performance of the Contract provided in Clause 7.1 is not exhaustive. This means that the Company may, if necessary, use the Data for the performance of the Contract or to ensure the performance of the Contract for some purpose not highlighted in clause 7.1.
7.3 When using the Service or the e-environment, the Customer cannot refuse to use the Data for the purposes specified in clause 7.1, as this would make it impossible to offer the Service or the e-environment for the Customer.
7.4 The Company may use the following Data for the purposes specified in clause 7.1:
7.4.1 Basic Customer data;
7.4.2 Customer relationship information: Information concerning the use of the Company's Services, details of the Contracts entered into by the Customer, submitted orders and Customer contacts, invoices and related information (e.g. payment data, etc.), information entered by the Customer into the e-environment (incl. data entered during account registration), e-environment, its services and data on the use of functionalities and data collected with the help of cookies (see clause 14) and data related to the Customer's payment discipline/indebtedness, and data needed to perform electricity consumption analysis and to ensure the functionality of the mobile and web application ELIQ.
7.4.3 The list of data in Section 7.4 is not exhaustive. This means that, if reasonably necessary and to a reasonable extent, the Company may also process Data not specified in clause 7.4 for the purpose of ensuring the performance of the Contract.
8. Use of data subject to consent
8.1 In certain cases, the Company also requests separate consent from the Customer for the processing of the Data (hereinafter referred to as the Consent). When asking for consent, the Company explains the purpose of asking for consent and provides information on the planned processing.
8.2 The conditions of use of the Data set out in the Conditions apply to the consent. The Company refers to the Conditions when accepting the Consent from the Customer, and the Customer has the opportunity to get acquainted with the Conditions. The Customer has the right not to give the Consent or to withdraw the Consent later, notifying the Company via the e-environment or in writing or in a form that can be reproduced in writing. The consent is valid until it is revoked.
8.3 On the basis of the consent, the data will be processed for example as follows:
8.3.1 to prepare and send personal offers to the Customer electronically (e.g. via e-mail, SMS or social media). The preparation of personal offers may include a marketing analysis of the Customer's Services, e-environment, etc. usage preferences, with the aim of finding out the Customer's usage needs and preparing personal offers based on it.
8.3.2 For the transmission of data to companies belonging to the same group as the Company or to the Company's cooperation partners for the purpose of offering services to the Customer jointly or reciprocally, also, in order to transfer Data to other partners of the Company who can offer their services and/or goods to the Customer independently;
8.3.3 to find out the Customer's expectations, preferences and needs and to develop new and better services and possibilities of using the e-environment;
8.3.4 In the e-environment for delivering personalized content, offers and advertisements to the Customer.
8.4 Unless otherwise described in the specific consent, the Company may use the following Data on the basis of the Consent:
8.4.1 name, date of birth, personal identification code, language of communication, preferred contact information (e.g. telephone number, e-mail, regular mail) of the Customer and the person or contact person authorized by the Customer, information on the Customer's segmentation;
8.4.2 information concerning the use of services and the purchase of goods (e.g. type of goods, price class, delivery information, etc.);
8.4.3 Data related to the Customer's creditworthiness, payment discipline/indebtedness;
8.4.4 information on the details concerning the consumption of the Company's services by the Customer (incl. volume, quantity, method, time, etc. of use of the Services by type of services (e.g. used electricity or gas)) and information on additional services ordered by the Customer, as well as meter data;
8.4.5 Data transmitted by the Customer to the Company via the e-environment (incl. data entered upon account registration);
8.4.6 Data on the use of the e-environment or its services and functionalities by the Customer and information collected by means of cookies;
8.4.7 Data received from other persons on a lawful basis.
9. Processing of Data on the basis of a legitimate interest
9.1 In certain cases, the Company also processes the Data in its legitimate interests. For the Company, a legitimate interest is a commercial interest in which the processing of the Data is justified and necessary and which outweighs the possible infringement of the data protection rights of the Customer accompanying such data processing. Within the framework of a legitimate interest, the Company processes Customer data for the following purposes:
9.1.1 transmission of periodic news and information letters via e-mail, incl. to introduce additional services and offers to customers. The Customer can refuse getting news and information letters at any time without giving a reason.
9.1.2 improving the user experience by asking customers for feedback on services and processes and using it to compile statistics and surveys. Giving feedback is voluntary for the Customer.
9.1.3 improvement and further development of the Company's technical systems, self-service environment and IT systems, incl. security incident prevention and resolution.
9.1.4 analysis of breakdowns, sales, consumption and other statistics required to provide proactive Customer service;
9.1.5 general Customer group profiling;
9.1.6 settlement of claims and prevention of fraud.
10. Specific cases of Data processing arising from the legislation
10.1 Pursuant to legislation, the Company processes Customer data for the following purposes, for example:
10.1.1 transmission (and receipt from) of electricity seller data to transmission operator and receipt of relevant data in connection with concluding or terminating a Customer Contract.
10.1.2 to meet obligations under accounting or tax laws.
11. Data retention period
11.1 The Company will retain the Data for as long as is necessary to achieve the purpose of using the Data specified in the Conditions or until the term prescribed in the legislation.
11.2 When storing data, the Company follows the following main deadlines:
11.2.1 after 1 year, we will delete the Data of persons who have requested, for example, price offers or information on the existence of a technical possibility, but have not become a Customer of the Company, as well as call recordings of Customer service telephones or any other Customer service related recordings for that matter.
11.2.2 for direct marketing purposes, the Customer’s data shall be stored for no more than 2 years after the Customer’s consent to receive direct marketing communications;
11.2.3 10 years after the termination of the Contract, we will delete the basic data of the Contract and the data generated during the performance of the Contract if there is no ongoing collection procedure related to the performance of the Contract.
11.3 In some cases, the Company may also change the terms described in clause 11.2, if such a need is due to, for example, legislation or the Company’s legitimate interest.
12. Automatic decision making and profiling
12.1 The Company may also make automatic decisions when processing personal data, for example:
12.1.1 for background checks on the sale of goods and services on credit terms, in the framework of which we process relevant information about your payment behaviour and background from the Company's information systems as well as public databases (official notices, information disclosed by bailiffs and other official registers and publications, e.g. commercial register, population register);
12.1.2 to provide automatic notifications in the framework of debt proceedings and to limit the services provided in accordance with the provisions of the Contracts and the law.
12.2 The purpose of marketing profiling is to develop different Customer segments, types or profiles that allow us to offer each Customer offers and services that are just right for them. For profiling, we can analyse, for example, Customer demographics (age, gender), service usage data, location, and behavioural patterns using a variety of internationally recognized methods of statistical analysis appropriate to the particular case.
12.2.3 The Customer has the right to ask for additional explanations and submit objections regarding automatic decisions concerning the Customer at any time by notifying the Company. In any case, automated decision making and profiling does not have any legal effect on you.
13. Use of data by authorized processors
13.1 Pursuant to the legislation, the Company may also grant the right to use the Data to authorized processors. Authorized processors are the Company’s partners who, for example, deal with the organization of billing, answering Customer questions, marketing services, reselling services, etc. The authorized processor has the right to use the Data only for the performance of specific operations requested by the Company and on the basis of a Contract entered into with the Company containing a confidentiality obligation.
14. Direct marketing
14.1 The Customer’s Data may be processed for direct marketing purposes in case there is a legitimate interest in such processing (when the Company sends proposals for similar services and/or goods to the Customer) or when the Customer gives his explicit consent to such processing.
14.2 Consent to the processing of data for direct marketing purposes may be given in different ways: if you decide to subscribe to the Company’s newsletters; upon written request; to receive commercial and other offers of services and/or goods provided by the Company or its partners and other activities related to the Company or its partners by means of a contract, website or other medium expressing consent (signature, tick or otherwise).
14.3 Pursuant to the Consent and legislation, the Company may also forward offers addressed to the Customer to a user whom the Company has become aware of, who was enabled by the Customer to use the Customer's services under the Contract between the Customer and the Company and the representative or contact person of the Company's business Customer. These persons may prohibit the sending of offers to them by electronic means (e.g. by e-mail, SMS or MMS) in the e-environment or by following the instructions provided in the e-mail or message or in any other electronic way offered by the Company. Only the Customer has the right to withdraw the consent.
14.4 In any case, if the Customer expresses its objection, in a manner indicated by the Company, to the processing of data for direct marketing purposes, the Company shall immediately terminate the processing of the Customer’s Data for direct marketing purposes.
15. Customer rights in connection with the use of Data
15.1 Right of access to your data. The Customer can get acquainted with his/her Data that is processed by the Company.
15.2 Right to rectify personal data. The Customer has the right to correct their data if it is incorrect or incomplete. If the Customer's basic and contact information has changed or the Customer discovers that their data is incorrect, he/she always has the right, and in some cases also the obligation under the Contract, to correct it in self-service or to contact Customer service to correct the data.
15.3 The right to request the deletion of your data. In certain cases, the Customer has the right to have their personal data deleted. This right does not apply in a situation where the Company processes the Customer's personal data in order to fulfil obligations arising from applicable legal acts.
15.4 Right to object. The Customer has the right to object at any time to the processing of personal data concerning him or her, which the Company performs on the basis of a legitimate interest.
15.5 Right to restrict data processing. The Customer has the right to demand a restriction on the processing of their personal data if, in his or her opinion, the data is inaccurate or if the Customer did not give consent to its processing.
15.6 Right to data transfer. The Company's customers have the right to transfer their consumption data (portability).
16. Contacting details of the Company for Data processing related matters
16.1 The Customer can contact the Company for questions related to the Conditions or the processing of the Customer's Data at the following contacts: by phone at +370 52619141 and by e-mail at [email protected].
17. Use of cookies in e-environment of the Company
17.1 As with most websites, the Company's e-environments use cookie technology. Cookies are small text files that are downloaded to the user's computer via the e-environment server. As a result, the browser can transmit cookie information back to the e-environment each time the e-environment is used, with the aim of allowing the same user to be identified without identification (anonymously) and providing the user with a personal and more convenient e-environment experience (e.g. maintaining user preferences and interests, etc.) and analysing and developing the Services offered in the e-environment and directing offers and advertisements.
17.2 This version of the Conditions is valid for the Company and all Customers from 10-05-2022. The Company has the right to unilaterally amend and update the Conditions as necessary. We keep the Conditions up-to-date and available on the Company's website www.enefit.lt. We will notify you of significant changes to the Conditions via our website, e-mail or other reasonable means.