Politique de confidentialité

GDPR - General Data Protection Regulation: General Information Notice

It is of the utmost importance to us to respect the rights of individuals when it comes to processing personal data, hereinafter referred to as “data”. This statement explains what kind of personal data we collect, how we use it and how we ensure to guarantee its security (integrity, confidentiality, and availability). It also aims to inform you about your rights and how to exercise these.

1. What is the Regulation on personal data protection?

As of 25 May 2018, the General Data Protection Regulation (“GDPR”) is applicable in all member countries of the European Union. This text aims to protect individuals and, more specifically, the processing along with the free flow of personal data.

The above-mentioned Regulation aims to give European citizens more control over their personal data, make companies more accountable and reinforce the role of the local data protection authorities (CNPD - Commission Nationale de la Protection des Données in Luxembourg).

2. To whom is this notice intended for?

The GDPR applies to the processing of personal data of living natural persons, including individuals whose data is processed within Leneda i.e. Leneda end‑users, former end‑users, Creos customers and ex-customers, prospects, suppliers, employees, etc. Further information in terms of the personal data process for any other person, whose personal data is being processed by Leneda, is available in this notice.

What is meant by “personal data” and “processing”?

Personal data:

  • any information relating to an individual who can be identified or an identifiable natural person (“data subject”);
  • an identifiable natural person is one who can, whether directly or indirectly, be identified, in particular based to an identifier such as a name, an identification number, a location data, an online identifier or to specific factors related to the physical, physiological, genetic, mental, economic, cultural or social identity of an individual person;

Processing:

  • any action or set of operations performed on personal data, whether by collection, recording, organization, structuring, storage, adaptation, modification, retrieval, consultation, use, disclosure by transmission, sharing, availability, alignment, combination, restriction, deletion, or destruction;

3. How do we collect your data?

a. Personal data transmitted directly by the data subject

You directly provide Leneda with most of the data we collect. We collect data and process data when you:

  • Register online
  • Voluntarily consent to have your Delivery Service Operator share your data with Leneda.

b. Personal data collected through automated procedures

We collect personal data via the exchange of computer systems.

We exchange information:

  • within the framework related to the organization of the energy markets, mainly with the energy supplier of your choice,
  • with financial institutions to pay your invoices.

We collect data from the network’s technical installations with the purpose of managing this in connection with the services / offers requested, or as part of our obligations.

4. The personal data we collect

In order to provide high quality services and offers, we only collect the minimum of data required for the implementation.

All this data is collected in compliance with the law or with the aim to best meet our commitments.

The data we collect may include the following:

  • Identification information: We collect your first, last name and birthdate.
  • Contact details: We collect your e-mail address, your postal address, your landline or cell phone number, the language in which you communicate and honorific title and other similar contact data.
  • Identifiers: In specific cases (public contracts, etc.), we collect hashed (non-reversible encryption) passwords and similar security information used for the authentication and the access to your account.
  • Financial data: We collect the data required to process your payments, in particular via SEPA mandates. (future storage and usage as per October 2024). We can collect VAT numbers.
  • Contractual data: We collect the necessary data for the completion and the accurate execution of the contract (orders).
  • Customer’s consumption data: As part of the network usage, we collect the information related to the consumption of a customer per ¼ hour (electricity) / per hour (gas) or the annual consumption. For forecasting purposes of the network management, we also collect your standard type of consumption profile.
  • Technical data: We collect technical data relating to the characteristics of technical installations, which are used to manage the installations themselves as well as the network, in order to define and control the conditions of a contract in terms of the fees.
  • Company mandates data: in case of company mandating a professional we collect information on function, company, work mail and other similar information.

We collect energy measurement data including load curves and meter reads.

  • Cookies/Connection data: Leneda uses cookies to ensure the proper functioning and security of its website, and to improve your browsing experience. For more details about the cookies we use, please consult our Cookie Policy.

5. How will we use your data?

Our Company collects your data so that we can:

  • Manage your account.
  • Pursue its legal obligations, especially the amended Law of August 1, 2007, related to the organisation of the electricity market.
  • Provide reporting to the authorities in application of national or European legislation.
  • Provide your supplier with the data necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.

6. Our process in detail

Processing of personal data for which Leneda is the data controller

CategoryDetails
1) Business Partner and Market Actors Onboarding

Legal Basis:

  • Article 6 (1)(c) GDPR - processing is necessary for compliance with a legal obligation to which the controller is subject
  • Amended law of August 1, 2007: Related to the organization of electricity markets

Possible recipients of personal data:

  • Subcontractors of Leneda
  • Luxembourg Authorities (1) (Anonymized consumption data only)
  • Other Third Parties (2) (in European Union) (Anonymized consumption data only)

Retention period of personal data: Data collected will be kept for fifteen (15) years after the last contract expiration

Type of personal data processed:

  • Identification information and contact details
2) Delegation and Mandate of Access Rights

Legal Basis:

  • Article 6(1)(a) GDPR - Data subject consent

Possible recipients of personal data:

  • Subcontractors of Leneda
  • Designated recipient by the customer
  • Luxembourg Authorities (1)
  • Other Third Parties (2) (in European Union)

Retention period of personal data: Data collected will be kept for fifteen (15) years after the last contract expiration

Type of personal data processed:

  • Identification information and contact details
  • Consumption data
  • Technical data of network installations
3) Access to Metering Point

Legal Basis:

  • Article 6 (1)(c) GDPR - processing is necessary for compliance with a legal obligation to which the controller is subject
  • Amended law of August 1, 2007: Related to the organization of electricity markets

Possible recipients of personal data:

  • Subcontractors of Leneda
  • Market actors that have an active contract with the customer
  • Luxembourg Authorities (1)
  • Other Third Parties (2) (in European Union)

Retention period of personal data: Data collected will be kept for fifteen (15) years after the last contract expiration

Type of personal data processed:

  • Technical data of network installations
4) Platform Operational and Security Management

Legal Basis:

  • Article 6 (1)(c) GDPR - processing is necessary for compliance with a legal obligation to which the controller is subject
  • Amended law of August 1, 2007: Related to the organization of electricity markets

Possible recipients of personal data:

  • Subcontractors of Leneda
  • Leneda agents intervening for remediations
  • Luxembourg Authorities (1)
  • Other Third Parties (2) (in European Union)

Retention period of personal data: Data collected will be kept for fifteen (15) years after the last contract expiration

Type of personal data processed:

  • Identification information and contact details
  • Financial data
  • Consumption data
  • Technical data
5) Business Partner Operations Read

Legal Basis:

  • Article 6 (1)(c) GDPR - processing is necessary for compliance with a legal obligation to which the controller is subject
  • Amended law of August 1, 2007: Related to the organization of electricity markets

Possible recipients of personal data:

  • Subcontractors of Leneda
  • Market actors that have an active contract with the customer
  • Luxembourg Authorities (1)
  • Other Third Parties (2) (in European Union)

Retention period of personal data: Data collected will be kept for fifteen (15) years after the last contract expiration

Type of personal data processed:

  • Identification information and contact details
  • Financial data
  • Consumption data
  • Technical data of network installations
6) Business Partner Operations Update

Legal Basis:

  • Article 6 (1)(c) GDPR - processing is necessary for compliance with a legal obligation to which the controller is subject
  • Amended law of August 1, 2007: Related to the organization of electricity markets

Possible recipients of personal data:

  • Subcontractors of Leneda
  • Market actors that have an active contract with the customer
  • Luxembourg Authorities (1)
  • Other Third Parties (2) (in European Union)

Retention period of personal data: Data collected will be kept for fifteen (15) years after the last contract expiration

Type of personal data processed:

  • Identification information and contact details
  • Financial data
7) Archiving and Deletion of Personal Data

Legal Basis:

  • Article 6 (1)(c) GDPR - processing is necessary for compliance with a legal obligation to which the controller is subject
  • Amended law of August 1, 2007: Related to the organization of electricity markets

Possible recipients of personal data:

  • Subcontractors of Leneda
  • Luxembourg Authorities (1)
  • Other Third Parties (2) (in European Union)

Retention period of personal data: Data collected will be kept for fifteen (15) years after the last contract expiration

Type of personal data processed:

  • Identification information and contact details
  • Financial data
  • Consumption data
8) BPSA analysis (Business Staging Area)

Legal Basis:

  • Article 6 (1)(c) GDPR - processing is necessary for compliance with a legal obligation to which the controller is subject
  • Amended law of August 1, 2007: Related to the organization of electricity markets

Possible recipients of personal data:

  • Subcontractors of Leneda
  • Luxembourg Authorities (1)
  • Other Third Parties (2) (in European Union)

Retention period of personal data: Data collected will be kept for fifteen (15) years after the last contract expiration

Type of personal data processed:

  • Identification information and contact details
9) Sharing Group Management

Legal Basis:

  • Article 6 (1)(c) GDPR - processing is necessary for compliance with a legal obligation to which the controller is subject
  • Amended law of August 1, 2007: Related to the organization of electricity markets

Possible recipients of personal data:

  • Subcontractors of Leneda
  • Luxembourg Authorities (1)
  • Other Third Parties (2) (in European Union)

Retention period of personal data: Data collected will be kept for fifteen (15) years after the last contract expiration

Type of personal data processed:

  • Identification information and contact details
  • Technical data of network installations
10) Cookie management

Legal Basis:

For the avoidance of doubt, Leneda website only uses cookies necessary for its functioning. More details can be found in our Cookie Policy.

  • Article 6 (1)(c) GDPR - processing is necessary for compliance with a legal obligation to which the controller is subject
  • Amended law of August 1, 2007: Related to the organization of electricity markets

Possible recipients of personal data:

  • Subcontractors of Leneda

Retention period of personal data:

  • Session cookies: one (1) day
  • Cookie consent data: twelve (12) months
  • Interface setting: Persistent

Type of personal data processed:

  • Connection data (logs, traces, cookies)

(1) Luxembourg authorities: Ministries, Institut Luxembourgeois de Régulation (ILR), Administration du cadastre, Administrations communales, etc.

(2) Other third parties: notaries, lawyers, auditors, installers, energy suppliers, Luxmetering, architects, design offices, promoters, Chambre des métiers, etc.

7. How do we ensure the security of your data?

We do our utmost to protect your personal data and its confidentiality, whether on our IT network, our natural gas and electricity networks, in our offices or in our regional centers.

All Creos employees have been specifically trained to handle confidential data, including your data, in the most appropriate way possible.

For every project involving the processing of personal data, we first carry out an assessment of the risks and security requirements, safeguarding, above all, your interests. Our information protection policy, requirement and management standards are based on ISO 27000 international standards.

Specialists ensure that the security of our IT network, infrastructure and information systems meet the highest standards.

In addition, we take all the necessary technical measures to protect your personal data against unauthorized access or use, as well as against loss or theft. If, despite the many protective measures in place, your personal data should be lost or stolen, you will be personally notified in the circumstances provided for by law.

8. Do we sell your data to third parties or pass it on?

We may share your data with trusted service providers or partners only when this is necessary to deliver our services, comply with legal obligations, or when you have given your explicit consent. When third parties are involved in the processing of data, we require them to process the data in accordance with our instructions and requirements and in full compliance with applicable data protection laws.

We do not transfer your data, nor do we make it available to recipients in countries outside the European Economic Area (EEA). If an exceptional transfer outside the EEA were ever required, it would take place only in accordance with GDPR requirements and with appropriate safeguards in place.

We do not share your credit card or other financial information for marketing purposes.

We do not sell your data to third parties.

9. What are your rights?

The Data Protection Regulation grants certain rights to users or data subjects. These rights are:

  • The right to be informed: Data controllers must be transparent as to how they use personal data.
  • The right of access: Individuals will have the right to know exactly what information is retained about them and how it is processed. Any information request is free of charge.
  • The right of rectification: Individuals will have the right to rectify personal data if it is inaccurate or incomplete.
  • The right of erasure: Also known as the “right to be forgotten”. This refers to an individual’s right to have their personal data deleted or erased without providing a specific or reasonable explanation as to why they wish to do so.
  • The right of restricting the processing: This refers to an individual’s right to block or suppress the processing of their personal data.
  • The right of data portability: This enables individuals to retain and re-use their personal data for their own intentions.
  • The right to object: In certain circumstances, individuals have the right to object their personal data being used. This includes for instance if a company uses personal data for direct marketing, scientific and historical research purposes, or for the performance of a task in the public interest.
  • Automated decision-making and profiling rights: The GDPR has put in place safety measures to protect individuals against the risk of a potentially harmful decision being made without a human intervention. For example, individuals can choose not to be the subject of a decision where the consequence has a legal impact on them or is based on an automated processing.

To ensure we can handle your request efficiently, when making an inquiry or exercising your data subject rights, please include the following information:

  • Identification: Provide information that allows us to find your data, such as your full name, email address, or account number.
  • Clear Statement of Request: Clearly state the purpose of your communication, whether it is a general inquiry or an exercise of a specific right (e.g., right to access, right to erasure, right to object).
  • Reason for Request (if applicable): If your request is based on your particular situation (e.g., an objection to processing based on legitimate interests), please provide the specific grounds.
  • Scope of the Request: Be specific about the data or processing activities your request concerns. For example, “I want to exercise my right to erasure for all data associated with my account.”

You can send your request to dpo@creos.net.

10. Changes to our privacy policy

Leneda keeps its privacy policy under regular review to reflect changes in our practices, legal requirements or service offerings. We encourage you to review this page periodically to stay informed about how we protect your personal data.

11. Who are your contact persons at Leneda for your personal data?

The Creos Data Protection Officer can be contacted at dpo@creos.net. He will deal with your request as quickly as possible.

You can contact our Customer Service Department if you have any queries related to the Leneda platform:

For any complaints about the processing of your personal data, you can contact the Luxembourg Data Protection Authority:

  • Commission Nationale pour la Protection des Données (CNPD)

15, boulevard du Jazz

L-4370 Esch-sur-Alzette

Tel.: 2610 60 1

Fax: 2610 60 29

e-mail: info@cnpd.lu

Web: www.cnpd.lu