Sainsbury’s Energy considers the protection and security of your data to be of paramount importance. We never sell personal data and we carry out all processing operations in strict compliance with the EU General Data Protection Regulation (“GDPR”).
So what information do we collect about you?
Whenever you visit our site we collect anonymous data about the way you use our website. We also collect personal data if you decide to apply for any products, services or a quote, or contact us through our ‘contact us’ forms. The data we collect falls into the following categories:
- Information you give us.
- Information we collect about you.
Information you give us and how we use it
We will process your personal information under the legal ground ‘performance of a contract’ for supply of your energy and will take the necessary pre-contractual steps requested by you prior to entering into that Contract.
We won’t disclose your personal data to anyone else, unless we’re required to do so by law to bodies such as the police. Even then, we would only disclose the minimum personal data required, in accordance with the data protection laws.
- Sainsbury’s Energy sign up process
When you begin the quote process on our website we ask for your postcode, full address and energy consumption data. We store this information for two years in line with energy industry licence requirements. If you proceed to sign-up, then we collect the information we ask you to input (e.g. name, email address etc). If you do not complete the sign-up process within 1 hour we will delete this data from our records.
- Email quote
You may opt to receive your online energy quote in your email inbox; you will need to provide your email address for this to happen. This data is used solely to generate and send your quote information directly to your email inbox and is stored for 30 days. Your email address will not be used for any other purpose.
- Information via the contact forms
You may wish to contact us on our website to ask us questions, for example via the ‘contact us’ form, where we ask you for your contact information (e.g. name, email address, contact phone number and postcode). We use this data solely in connection with answering the queries we receive and store this information in accordance with the Privacy Notice.
Information we collect about you and how we use it
We process your information for our own legitimate interests. This is where we use your personal information for our normal business purposes where the benefits of doing so are not outweighed by your fundamental rights or freedoms. You have a right to object to this type of processing. See ‘What rights do you have over your personal information?’.
- Website usage data
When you visit our website we store the name of your internet service provider, the website from which you visited us, the parts of our site you visit, the date and duration of your visit, and information from the device (device type, operating system, screen resolution, language, country you are located in, and web browser type) you used during your visit.
We process this usage data to facilitate your access to our services (e.g. to adjust our services to the device you are using), and to recognize and stop any misuse. We also process usage data in an anonymized form for statistical purposes and to improve our site.
- Website Analytics
We use programs such as Google Analytics and Lotame to help us find out:
• How many people visit our websites
• Which pages and parts are most popular
• How long people spend in each area
• What information people are searching for
These insights help us understand how to improve our website.
• Browser types
• Operating systems
• Referring sites that sent you to us
• The date and time of a visit
We also use third party analytics services like Hotjar, which is similar to Google Analytics. Where Google Analytics identifies overall trends in people’s browsing habits, Hotjar helps us work out why those trends exist, for example, why everybody is suddenly visiting a certain page. It allows us to:
• See where people click on a webpage
• Follow mouse patterns
• And track non-sensitive text that people might type into the site
The cookies collect information such as the number of visitors to the site, which pages they visited and whereabouts they came to the site from. This information is anonymous and cannot be used to identify you personally.
Cookies are stored on your individual device and you have full control over their use. You can deactivate or restrict the transmission of cookies by changing the settings of your web browser. Should you visit our site with cookies deactivated, you may not be able to use all of the functions on our site to the full extent.
We use tools such as Doubleclick to place ads on other websites you may visit. These tools may set cookies to track the performance of our advertising campaigns and allow us to tailor the advertising you might be interested in.
We also use products like Google Analytics Advertising, including remarketing with Google Analytics and Google Display Network Impression Reporting. These products help us understand what ads work best so we can more effectively promote our products and services to you.
We also use Google Adometry to track the way you interact with our ads before you come to our website. This helps us to work out which ads are relevant to you and which ones aren’t. We use a unique identifier to track how successful our advertising is, and this is done on an anonymous basis. We do not use your personal information.
Information we collect from third parties about you
We collect personal information about you from third parties such as energy comparison websites or brokers where you sign up to our products or services through their website or contact centres. They will be governed by their own privacy policies and we recommend you review them.
Where you have chosen to contact us via social media such as Facebook or Twitter we will use the contact information you have provided to answer your questions and the information will continue to be stored on Facebook or Twitter in line with their deletion periods. You should review Facebook and Twitter’s privacy policies to find out more.
We use a third party provider to supply and support our webchat service which we use to handle customer queries in real time. If you use the webchat service we will collect details such as your name, address, and the contents of your webchat session. The third party provider will delete this information after two years.
Who we share your personal information with
We may pass information about you to our agents and service providers for the following purposes set out in this privacy notice:
- Agents acting on our behalf to carry out profiling, modelling and analysis, market and customer research, statistical analysis to help improve the way we provide our services and the products that we are able to make available to you. These agents include creative agencies, professional user experience testing agencies and search engine optimisation agents. We do not provide personal information to these agents.
- Our processors and sub-processors for the development and testing of our IT systems, diagnosing and implementing bug fixes, and diagnosing and dealing with incidents.
Whenever your personal data is passed to an external data processor, your information is managed to the same high standard as it is by us.
In accordance with the data protection laws, we only work with data processors that offer security guarantees and we take reasonable measures to ensure their compliance. The data processor is only allowed to process personal data in line with our specific instructions and for no other purpose than it was originally intended.
Third party websites
We take your privacy seriously and do everything we can to protect your personal data. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data being transmitted to the website and app; however, once we have received the information, we will do all we can to keep your data secure.
Whenever you input your details on this website you do so via our secure servers. These use what’s known as Secure Socket Layer encryption – a leading security standard in the e-commerce industry.
Most of this website isn’t encrypted, because there’s no need. However, the moment you submit any personal information as part of the quote and apply process or register to manage your account online, you’re directed to secure pages.
We also train our staff to protect your personal details and check your identity whenever you contact us. You should always keep your password and account details secure and always remember to log out of your account and close your browser window when you’ve finished. This helps to ensure that no one else can access your personal data.
When do we pass your information outside the EEA?
There are a number of instances where we may pass your personal information outside of the European Economic Area (EEA) to countries that do not have the same data protection standards as we do in the UK. Firstly, we and our processors make sure that it happens with the relevant legal protection in place. Secondly, we always know when this occurs and make sure relevant security and contractual protections are in place. The countries we pass such information to are:
- New Zealand. One of our sub-processors which undertakes development of our IT systems is based in New Zealand, along with other sub-processors they use. New Zealand holds an adequacy decision from the European Commission. This is authorised under Article 45 of the GDPR;
- United States. We primarily rely on Privacy Shield certification to ensure these data transfers are legal, and also EU model clauses. This is authorised under Article 46 of the GDPR;
- Australia. We use a US based sub-processor with infrastructure in Australia who has entered into a data processing addendum including model clauses.
What rights do you have over your personal information?
- Access: You are entitled to know what personal information we hold about you at any time. (If you write to, email or phone us and ask to see this information, it is known as a ‘Subject Access Request’ or ‘SAR’ for short). When we receive your request, we will send you a form to fill in, along with identity checks. If you do not return the form and/or answer our phone calls to verify you have made this request, we will not be able to deal with your request.
- Data Portability: You can request the personal information you provide to us in a commonly used and machine-readable format. We already allow you to access your information online (including the ability to export your meter reads), but if you need other information or you don’t want to access it online you can contact us.
- Accuracy/ Rectification: You can check that the personal information that we hold is accurate, or let us know of any changes to your personal information. We always try to ensure that the information that we hold is accurate, up to date and relevant. We’ll be more than happy to make changes or to correct any inaccuracies.
- Deleting/ Erasure: You can ask us to delete some or all of your personal information in certain circumstances (e.g. we no longer need it), and we are obliged to delete it. We can refuse to delete that information if those circumstances don’t apply.
- Restriction on use: You can ask us to temporarily stop using the personal information in the following circumstances:
  - where you think your personal information is not accurate, we will temporarily stop using it until we have verified the accuracy of it, if we cannot resolve the accuracy of it straight away;
  - where you have objected to our use of the personal information (in circumstances where it was necessary for the performance of a public interest task or for our legitimate interests as a business), and we are considering whether our legitimate interests as a business override your rights to object to our use of it;
  - when processing is unlawful, and you don’t want us to erase it, and request restriction instead; or
  - if we no longer need the personal information but you want it to establish, exercise or defend a legal claim.
If we have shared the personal information in question to third parties, we must inform them about the restriction on the processing of the personal information, unless it is impossible or involves disproportionate effort to do so. We must also inform them when we decide to lift a restriction on processing.
- Right to object to processing based on our ‘legitimate interests’ as a business: If we rely on the legal grounds that we have a legitimate right as a business to use your personal information (as opposed to any other legal ground) then you have a right to object to us using your personal information for these purposes. You can exercise your right to object by emailing or calling our call centre (see below). If you do not want us to use Google Analytics in respect of your use of the mobile app then you can turn this off in the mobile app on each device by going to the main menu of the app then: >Settings> Google Analytics.
- Right not to be subjected to automated decision-making: You have the right not to be subject to a decision based solely on automated processing which produces legal effects or similarly significantly affects you, except where we do so for the purposes of your energy supply, it is authorised by law, or you consent to it. In those circumstances you are entitled to at least contest any such decision and obtain a review. Our systems do not have automated processing that fulfils these criteria.
- Complain: If you think we are using or processing your personal information in a way that is not consistent with this privacy notice or with the law, you can lodge a complaint with the Information Commissioner’s Office. Contact details are available at https://ico.org.uk/concerns/. We would always prefer you to contact us first though, to see if we can answer your concerns.
You can exercise any of these rights by contacting us as set out below under ‘Who is your data controller?’.
Who is your data controller?
- Emailing firstname.lastname@example.org
- Contacting us using the “Contact Us” form on our website www.sainsburysenergy.com/ or our mobile app
- Calling our call centre on 0800 088 4127 (should be free from all mobiles and generally free from all landlines);
- Logging on, going to the Settings, then Privacy & Data then turning off the direct marketing option;
- Writing to us at Data Protection Officer, Sainsbury’s Energy, 5th Floor, 125 Colmore Row, Birmingham B3 3SD.
You also have the right to ask us to delete or correct any information we hold about you that is inaccurate.
Duration of Processing
We will store your data for the time periods listed in the table below.
All other data as specified above will be retained for as long as is necessary for the purpose(s) for which we originally collected it. We may also retain information as required by law.
Personal information processed
Incomplete account sign up by site visitor
Updated: March 2019