PRIVACY NOTICE

This website (“the Website”) is provided by Smart Metering Systems plc (company number SC367563), having its registered office at Second Floor 48 St. Vincent Street, Glasgow, G2 5TS (“we, us, SMS”). Together with our group companies, we are the controller of personal data obtained via our website, meaning that we are the organisation legally responsible for deciding how and for what purposes it is used.

This privacy notice explains to individuals (“you/your”) how SMS and each of our group companies uses your personal information.

We collect, use and are responsible for certain personal data about you. When we do so, we are subject to the UK General Data Protection Regulation (UK GDPR).

Please read this privacy notice carefully as it contains important information. This notice covers: -

What personal data we process;
How your personal data is collected;
Keeping your personal data secure;
How and why, we use your personal data;
Sharing personal data with third parties;
How long your personal data will be kept;
Transferring your personal data out of the UK [and EEA]
Your rights under data protection legislation;
Changes to our privacy policy; and
How to contact us and the ICO.

Given the nature of the Website, we do not expect to collect the personal data of anyone under 13 years old. If you are aware that any personal data of anyone under 13 years old has been shared with our website, please let us know so that we can delete that data.

What personal data do we process?

The personal data we collect about you depends on the particular context in which it is processed. We may collect and use the following personal data about you:

• Details of any of your needs or the needs of others in your household such as, age, health, or vulnerability status to the extent it may be relevant for the carrying out of services and to ensure that the service we provide, and health and safety considerations are tailored to such vulnerability;

• Records of site visits by our field operations team;

• Date of birth;

• Information to enable us to undertake credit or other financial checks on you; and

• Contact details such as name, address, email address and telephone number;

• Meter reference numbers; meter readings and usage information;

• Energy consumption data;

• Device identifier numbers (such as IMEI numbers and IP address);

• Details relating to your property, such as access information;

• Information to check and verify your identity (e.g., your date of birth and details within your passport and signatures);

• Purchase and account history: records relating to the products and services which you have purchased or used from us;

• Records of your discussions with us, including customer support teams (such as call recordings and emails);

• Your gender if you choose to give this to us;

• Your billing information, transaction, and payment card information

• Job details, including job title and company;

• Your professional online presence (e.g., your LinkedIn profile); and

• Information about how you use our website, IT, communication, and other systems.

Certain personal data we collect is treated as a special category to which additional protections apply under data protection law, including data concerning health.

We collect and use this personal data for the purposes described in the section ‘How and why we use your personal data’ below.

Throughout our website, we may link to other websites owned and operated by certain trusted third parties to make additional products and services available to you. Those third-party websites may also gather information about you in accordance with their own separate privacy policies. For privacy information relating to those third-party websites, please consult their privacy policies as appropriate.]

Personal data may be held at our offices, our information processing centres and those of our third-party service providers, representatives, and agents.

Some of those third parties or their sub-processors may be based outside of the UK and/or European Economic Area (“EEA”). For more information, including on how we safeguard your personal data when this happens, see below “Transferring your personal data outside of the UK and EEA.”

How your personal data is collected.

We collect most of this personal data directly from you—in person, by telephone, text, or email, and/or via our website and apps. However, we may also collect information:

• From publicly accessible sources (e.g., LinkedIn or Companies House);

• Directly from a third party (e.g., credit reference agencies or customer due diligence providers);

• Business contacts with whom we have a relationship in common;

• From a third party with your consent (for example your bank, energy supplier or employer);

• From cookies on our website. A cookie is a small text file which is placed onto your device (e.g., computer, smartphone or other electronic device) when you use our website. for more information on our use of cookies, please see our cookie policy (Cookie Policy | SMS (sms-plc.com)); and/or

• Via our IT systems (e.g., through automated monitoring of our websites and other technical systems, such as our computer networks and connections, and email systems).

Keeping your personal data secure

We take all necessary steps to ensure that personal information is kept safe and confidential during storage, processing, and transit (where applicable).

We have appropriate security measures to prevent personal data from being accidentally lost, used, or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your personal data will do so only in an authorised manner and are subject to a duty of confidentiality. We continually test our systems and are ISO 27001 certified, which means we follow top industry standards for information security.

How and why, we use your personal data.

We process your personal information for multiple reasons, including the following:

Website use - We process your personal information because you are a visitor to the Website, and you have consented to us doing so. When contacting us via our “contact us” page or when downloading our materials, you may provide us with certain personal data directly. Specifically, we will ask for details including your name, email address, your company, and job role. Where that is the case, we require to process and retain personal information to allow us to allow us to contact you. In these cases, we are the data controller.
Direct customers - Because you are one of our customers and we provide services to you. These services are governed by a contract between us. In the context of these services, you may provide us with certain personal data directly. Where that is the case, we require to process and retain personal information to allow us to offer such services, to allow us to undertake and comply with our legal and regulatory obligations applicable to consumer services, and to allow us to contact you. In these cases, we are the data controller.
Asset ownership - We also may own assets (such as EV charging stations, meters, or battery storage systems) installed at your property. Where that is the case, we may require to retain personal information to allow us to maintain and manage the assets. In those cases, we are the data controller.

4. Third party services - We may process your personal data in connection with services which we provide on your behalf or in connection with services we provide to a third party (such as energy suppliers or registered social landlords). These services are governed by a contract between us and the third party. We require to process your personal information when these services are to be carried out at your property or in relation to your energy meters or other assets installed at your property or data relating to them (because you have a contract with, or are entering into a contract with, the energy supplier or other third party). Where we are providing services on behalf of a third party, we are acting as a data processor.

Other communications - We may also wish to make our services available, to customise them, to understand individuals’ needs, and to provide improved services, newsletters, and other communications. With your agreement, we may request to contact you about our or our business partners’ promotions, products and services or other information which we think you may find interesting, or for customer satisfaction purposes (including contact by email), and for market research, analysis, testing, monitoring, risk management and administrative purposes (including diagnosing technology problems which may be reported to us). In those cases, we are the data controller.

Legal basis for data processing

Under data protection law, we can only use your personal data if we have a legal basis to do so, for example:

• Where you have given your consent;

• To comply with our legal and regulatory obligations;

• In connection with a contract with you or a third party; or

• For our legitimate interests or those of a third party (which is when we have a business or commercial reason to use your personal data, so long as this is not overridden by your own rights and interests).

Where the processing is based on consent, you have the right to withdraw your consent at any time. This will not affect the validity of the processing of your data prior to the withdrawal of consent.

The table below explains why we use your personal in further detail.

What we use your personal data for	Legal basis
Providing products and/or services to you	To perform our contract with you or to take steps at your request before entering into a contract.
In connection with providing services to a third party (such as energy suppliers or registered social landlords)	Because you have a contract with, or are entering into a contract with, that third party
Conducting checks to identify our customers and verify their identity.	Depending on the circumstances: — to comply with our legal and regulatory obligations —for our legitimate interests
Other activities necessary to comply with professional, legal, and regulatory obligations that apply to our business, e.g., under health and safety law or rules issued by professional regulators	To comply with our legal and regulatory obligations
To enforce legal rights or defend or undertake legal proceedings	Depending on the circumstances: —to comply with our legal and regulatory obligations; —in other cases, for our legitimate interests (i.e., to protect our business, interests, and rights)
Gathering and providing information required by or relating to audits, enquiries, or investigations by regulatory bodies	To comply with our legal and regulatory obligations
Operational reasons, such as improving efficiency, training, and quality control	For our legitimate interests (i.e., to be as efficient as we can so we can deliver the best service to you at the best price)
Updating and enhancing customer records	Depending on the circumstances: —to perform our contract with you or to take steps at your request before entering into a contract; —to comply with our legal and regulatory obligations; —for our legitimate interests, e.g., making sure that we can stay connected with our customers about existing orders and new products
Marketing our services and those of selected third parties to: —existing and former customers; —third parties who have previously expressed an interest in our services; —third parties with whom we have had no previous dealings.	Depending on the circumstances: —for our legitimate interests, i.e., to promote our business to existing and former customers; or —with your consent
Credit reference checks via external credit reference agencies	For our legitimate interests (i.e., to ensure our customers are likely to be able to pay for our products and services)
To share your personal data with members of our group and third parties that will or may take control or ownership of some or all of our business (and professional advisors acting on our or their behalf) in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency In such cases information will only be shared where necessary	Depending on the circumstances: —to comply with our legal and regulatory obligations; —in other cases, for our legitimate interests, i.e., to protect, realise or grow the value in our business and assets
Customising our website and its content to your particular preferences based on a record of your selected preferences or on your use of our website	Depending on the circumstances: —your consent, as gathered via our website —where we are not required to obtain your consent and do not do so, for our legitimate interests, i.e., to be as efficient as we can so we can deliver the best service to you at the best price
Retaining and evaluating information on your recent visits to our website and how you move around different sections of our website for analytics purposes to understand how people use our website so that we can make it more intuitive or to check our website is working as intended	Depending on the circumstances: —your consent, as gathered via our website —where we are not required to obtain your consent and do not do so, for our legitimate interests, i.e., to be as efficient as we can so we can deliver the best service to you at the best price

Marketing

We may use your personal data to send you updates (by email, text message, telephone, or post) about our products a service, including exclusive offers, promotions or new products and services.

We have a legitimate interest in using your personal data for marketing purposes (see above ‘How and why we use your personal data’). This means we do not usually need your consent to send you marketing information. If we change our marketing approach in the future so that consent is needed, we will ask for this separately and clearly.

You have the right to opt out of receiving marketing communications at any time by:

• contacting us at hello@metischarge.co.uk

We may ask you to confirm or update your marketing preferences if you ask us to provide further products and services in the future, or if there are changes in the law, regulation, or the structure of our business.

Sharing personal information with third parties

Due to our corporate structure, our group companies will have access to your personal information. This privacy policy applies to all our group companies, including SMS Connections Limited, SMS Meter Assets Limited, SMS Data Management Limited, SMS Energy Services Limited, CH4 Gas Utility and Maintenance Services Limited, Qton Solutions Limited, Solo Energy Limited, SMS Data Services Limited, Metis Charge Limited, and Smart Home Systems Limited.

No energy consumption data of your end consumers shall be commercially exploited by our group companies.

Under certain circumstances, we also may be required to share your personal information with our third-party suppliers, partners and subcontractors who are assisting with the provision of the services and in connection with our business operations. These include:

Subcontractors (including our subcontracted engineering workforce);
Third parties we use to help deliver our products and services to you (e.g., suppliers, and payment service providers);

· Other third parties we use to help us run our business, e.g., marketing agencies or website hosts;

· Business partners;

· Third parties approved by you (e.g., social media sites you choose to link your account to or third-party providers);

Our external auditors (for example in relation to the audit of our accounts) in which case the recipient of the information will be bound by confidentiality obligations;
Outsourced service providers (e.g., call centre services);
The Financial Conduct Authority;
The Smart Energy Code (SEC) who may periodically audit the provision of the services we provide;
Financial services providers (e.g., credit reference agencies for the purposes of credit reference checks);
Insurers;
Professional advisors;
Logistics providers;
Security providers; and
Cloud service providers.

We may also be obliged to disclose personal information to any competent legal or regulatory authority conducting an investigation in relation to criminal activity.

We only allow those organisations to handle your personal data if we are satisfied, they take appropriate measures to protect your personal data.

The third parties mentioned above occasionally also share personal data with:

· Their external auditors;

· Their professional advisors (such as lawyers and other advisors); and

· Law enforcement agencies, courts, tribunals, and regulatory bodies to comply with our legal and regulatory obligations.

If you would like more information about who we share our data with and why, please contact us (see ‘How to contact us’ below).

How long your personal data will be kept.

Different retention periods apply for different types of personal data; however, we keep personal information only for so long as we need it. Once we no longer need it, we arrange for it to be deleted from our systems. Where we are required to retain personal information to allow us to maintain and manage the assets, we will do so only for so long as we have maintenance and/or management obligations. We may retain certain personal information for legal or regulatory purposes only.

In some circumstances, we might anonymise your data (so that it can no longer be associated with you) and use this indefinitely.

Transferring your personal data out of the UK [and EEA]

We (or a third party who we share personal data with) may process your personal data outside of the UK and EEA. In those cases, we will comply with applicable UK and EEA laws designed to ensure the privacy of your personal data.

When we send data outside of the UK/EEA, we will make sure that the correct safeguards have been put in place to protect your personal data, including:

ensuring that the country where any data will be transferred to is subject to an “adequacy decision” by the UK government and/or European Commission. This is to ensure that the particular country ensures an adequate level of protection of personal data under their domestic laws; or
ensuring that there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you; or
a specific exception applies under relevant data protection law; or
ensuring that standard, legally approved, data protection clauses recognised or issued further to Article 46(2) of the UK GDPR or EU GDPR (as applicable) are included in our contracts with those third parties.

In the event we cannot or choose not to continue to rely on either of those mechanisms at any time, we will not transfer your personal data outside the UK unless we can do so on the basis of an alternative mechanism or exception provided by UK data protection law and reflected in an update to this policy.

Your rights

As an individual, you have the following rights: -

Right to request a copy of your personal information that we process;
Right to request that your personal information is updated or removed;
Right to make a complaint to the Information Commissioner’s Office due to concerns about the way we are processing your personal information; and
Right to withdraw consent to us processing your personal information or require us to restrict processing of your personal data in certain circumstances.

For more information on each of those rights, including the circumstances in which they apply, please contact us (see ‘How to contact us’ below) or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights.

Changes to this privacy policy

We review this policy regularly. If there are any changes to the way we use personal information, we will update this policy on our website. This privacy policy was last updated on 14^th December 2023.

How to contact us

To get in touch with us about any of the above (including if you have any questions about this privacy policy or the information we hold about you, to exercise a right under data protection law or to make a complaint) please email or write to our data protection officer at: dpo@sms-plc.com / Data Protection Officer, SMS plc, 2nd Floor, 48 St Vincent Street, Glasgow, G2 5TS.

Information Commissioner’s Office

Please contact us if you have any queries or concerns about our use of your personal data (see above ‘How to contact us’). We hope we will be able to resolve any issues you may have.

If an individual is not happy with our reply to any complaint or thinks our processing of their personal data does not comply with data protection law, a complaint can be made to the Information Commissioner’s Office (ICO). Just use these details:

Address: Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF

Telephone number: 0303 123 1113

Web: Information Commissioner's Office (ICO)