CEER Privacy Policy

Effective since: 25 May 2018

One of CEER’s core values is respect and we will apply that principle to your rights, including your personal data rights, in accordance with the requirements of the EU General Data Protection Regulation (GDPR). We are very serious about our responsibility to ensure that your personal data is protected. This CEER privacy and cookies policy sets out what data we collect, why we collect this data and how we use it.

We are committed to safeguarding the privacy of our website visitors and other individuals with whom we deal, and to keeping your personal data safe and secure.

If you have any questions, do not hesitate to contact us at the following address: privacy@ceer.eu

Who is responsible for processing your data?

CEER is the data controller of your personal information and our contact details are:

Council of European Energy Regulators (CEER)

Cours Saint-Michel 30a, box F (5th floor) 1040 Brussels, Belgium

https://www.ceer.eu

Tel.: +32 (0) 2 788 73 30

Fax: +32 (0) 2 788 73 50

privacy@ceer.eu


What data do we collect?

We adopt a minimalist approach of collecting only the data that is necessary. Depending on the product or service, this may include some or all of the following: name, gender, email address, telephone number, member organisation, CV and photographs.

a) Website usage data: To ensure that our website is useful to all visitors and continues to improve, we may process data about your use of the site. This may include your geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your use. This data, obtained through Google Analytics, is aggregated and anonymised such that it contains no information pertaining to any identifiable individual; as such, it is not personal data per se, but we address it here for completeness’s sake.

b) Correspondence data: we may process information contained in or relating to any communication that you send to us, whether through the site, by email, through social media, responding to our public consultations or questionnaire or otherwise. This may include the communication content and metadata associated with the communication, as well as any contact details you provide to us, such as your name, email address, phone number, job title, address or social media username. We process correspondence data for the purposes of communicating with you and record-keeping.

c) Project/mission data: where we undertake a particular piece of work or project, we process information for the purposes of setting up that project in our systems, such as your name and contact details. We may also process personal information contained within project-related correspondence and documents, including in relation to your customers, whether created by us or provided to us. All such data is processed for the purposes of providing our professional services and for record-keeping purposes.

d) Transaction data: we may process information relating to transactions, such as bank account details, contact details, or transaction data in relation to payments made by us to you or by you to us. This may include your contact details, or any bank account or sort code information provided for the purposes of making payment, as well as transaction details (such as POs or invoices). The transaction data may be processed for the purpose of supplying or receiving and administering the relevant services and keeping proper records of those transactions, and for making and receiving payments.

e) Personal data we obtain from others: your personal data may be provided to us by someone other than you—for example, by your employer, by an organisation with whom you and we are both dealing, or by someone who wishes to refer you to us or vice versa. Normally this data will be correspondence data, enquiry data, or project data as described above, and will be processed by us for the purposes described above.
 

Why do we collect your data?

We process personal data on lawful bases only. In particular, we process personal data on the following lawful bases identified in Article 6 of the General Data Protection Regulation:

a) for the performance of a contract with you, or to take steps at your request prior to entering into a contract with you (Article 6(1) (b) GDPR). This may be our basis for processing correspondence data, enquiry data, matter data and transaction data;

b) for our legitimate interests (Article 6 (1) (f) GDPR). This may be our basis for processing:

i) correspondence and matter data (as we have an interest in properly administering our business and communications);

ii) enquiry data (as we have an interest in developing our business with interested parties);

iii) transaction data (as we have an interest in making and receiving payments promptly and in recovering debts);

iv) any personal data identified in the other provisions of this notice where necessary in connection with legal claims (as we have an interest in the protection and assertion of our legal rights, your legal rights and the legal rights of others);

v) any of the personal data identified in the other provisions of this notice in connection with backups of any element of our IT systems or databases containing that personal data (as we have an interest in ensuring the resilience of our IT systems and the integrity and recoverability of our data).

As a membership-based association, personal data is used to communicate with our members/observers about our activities (e.g. newsletters, policy positions, reports and initiatives) and meetings/events.

For our core products such as training courses, meetings and events (e.g. conferences, workshops) we share promotional materials to register interest in attendance or participation.

For interested individuals (members or non-members), we distribute an agenda and supporting documents (e.g. presentations and/or minutes) of the course/meeting/event or these documents can be downloaded from the event/meeting page.

We keep in touch with our subscribers (only those who have consented to receiving our news alerts) by issuing a free, electronic, monthly CEER newsletter and some news alerts (about 2/3 a month) about our activities, publications, events or training courses.


How do we collect your data?

Most personal data is provided by the individual when they register (typically online) to participate in a CEER event or initiative (e.g. a training course, conference or working group meeting) or request to be placed on a distribution list for CEER news alerts. Typically, only a name and email address is required. For members of the CEER General Assembly or Board or individuals who support the CEER training academy (lecturer) or missions (experts), the CEER Secretariat may also ask that additional contact details (email address, organisation, telephone number), and a CV and a photograph be provided.

Information you give to us

CEER Members and Observers:

CEER is the European association of energy national regulatory authorities (NRAs). The governance structure of CEER comprises a General Assembly (GA) and a Board of Directors. Board and GA members serve a defined term.

Each member/observer NRA nominates a CEER Liaison Officer for communication purposes.

NRAs who are CEER members/observers nominate experts to participate in CEER working groups or workstreams. Names and email addresses are held on a secure section of the CEER website and are used purely for the purposes of organising, planning and communicating activities and events. As membership of the workstreams or working groups changes, information is deleted and updated.

Contact details of GA, Board, Liaison Officers and working group/workstream members are securely held and are used to update members with regard to planned meetings and to share information that is required to discharge their responsibilities. Personal information (name, member organisation and a photograph) is published on the CEER website and is removed when their term of office expires.

Training Academy:

Lecturers provide their CV, which is shared with the course participants. This personal information is used and retained only while the lecturer remains part of the training academy.

Course participants provide their contact details and we advise them of similar activities only with their consent (i.e. when they have opted in to be informed of CEER training courses).

Experts Database:

Individuals from CEER’s membership/observership base (current and former regulatory staff) are invited to apply to be part of a pool of regulatory experts that can be drawn upon to participate in missions and projects. They provide a CV, contact details and a rating of their area of expertise, which is securely stored. This may be shared with a third party that sponsors the mission or project or the host, where the mission takes place.

CEER Employees and Job Applicants:

Personal information about the CEER Secretariat staff is contained in a secure location and used for the purposes directly relevant to their employment. This information may be shared with third parties for the purposes of administering salaries, benefits and pension payments. Files are retained for as long as necessary to comply with employment legislation. Personal information about unsuccessful job applicants will be retained, with their consent, for 6 months. This allows them to be considered for a vacancy that occurs within this timeframe. If there are no new positions within 6 months, their data will be destroyed.

Non-members (e.g. members of the public):

Access to the public section of the CEER website is freely available without providing personal information. Public documents (reports, policy papers, newsletters) can be downloaded free of charge.

Persons interested in being notified of CEER activities (events, training courses, news alerts) can subscribe online to receive news alerts of forthcoming activities. We require your e-mail address only. You can “unsubscribe” at any time if you no longer wish to be on CEER mailing lists.

All CEER events (conference, workshops, meetings) are free of charge. CEER training courses are fee-paying. For registering to participate in CEER events and training courses, CEER requests your name, organisation and your e-mail address. Registration for courses and events is typically online.

Personal data of event/course participants will be retained (for 12 months) and used, with the consent of the participants, to advise them of similar activities, after which time it will be deleted. Since 25 May 2018, when the GDPR took effect, the list of participants of a CEER event is no longer published.

With regard to our public consultations, we respect your preferences to publish (or not) the name of the organisation of the respondents and we will anonymise the personal data of any individual (such as members of the public) that has contributed.

We retain some personal contact data of our suppliers (e.g. caterers) for organisational, bill paying and accounting purposes.

Are your data protected?

We take appropriate measures to ensure that our server prevents unauthorised leaks, disclosure or destruction of personal data and have created a password protected members area.

All CEER computers are password protected and users are automatically required to change passwords regularly.

How long do we store your data?

Personal data for individuals who have requested to be placed on distribution lists is kept indefinitely or until they request removal (i.e. unsubscribe).

For GA/Board members or individuals who contribute to CEER working groups, work streams, the CEER training academy or capacity building missions, their personal data is kept only for as long as they wish to play an active role.

Who has access to your data and to whom are they communicated?

CEER employees access and share personal data only to the extent necessary to comply with requests concerning products, services and activities.

CEER stores personal data in as few locations as possible. CEER shares personal data only with colleagues who are directly involved. CEER does not leave personal data unattended.

CEER does not process data regarding race, religion, health, criminal records, etc. CEER removes personal data after expiration of the retention period.

CEER does not share the personal information of CEER event participants, news alert subscribers, members of our organisation, or staff members with any third parties for marketing purposes.


What are your rights and how can they be exercised?

Right of Access (Article 15 GDPR)

You have the right to obtain confirmation that we hold and process your personal information and to access these data. We will apply security checks to ensure that the request matches the identity of the user.

Right to Rectification (Article 16 GDPR)

You can have inaccurate personal data rectified without undue delay.

Right to Object (Article 21)

You can object to your personal data being processed, for example, in relation to direct marketing or publication on a website. This right will be communicated when the first initial contact is made.

Right to Restriction of Processing (Article 18 GDPR)

This applies when you contest the accuracy of your personal data or consider that the processing is illegal.

Right of Erasure (Article 17)

Also known as the right to be forgotten, you can request the erasure of your personal data without undue delay. This does not apply when we are required to comply with a legal obligation.

Right to data Portability (Article 20)

You have the right to receive your personal data in a user-friendly format and to transfer it to another organisation.

Right to lodge a Complaint (Article 77)

You have the right to lodge a complaint with a supervisory authority in the Member State where you live, work or in locations where the alleged infringements took place, if you believe we have not complied with the GDPR.

Do we share your personal data with others?

We generally do not share personal data. An exception is when CEER undertakes a capacity building mission and the CVs of the expert team are shared with the sponsor and the host organisation. This is made clear in advance to the individuals who request to be part of the expert pool.

We may disclose your personal data to our insurers and/or professional advisers as necessary for the purposes of obtaining and maintaining insurance coverage, managing risks, obtaining professional advice and managing legal disputes.

We may disclose personal data to our suppliers or subcontractors in connection with the uses described above. For example, we may disclose:

a) any personal data in our possession to suppliers that host the servers on which our data is stored. In our case, these suppliers are Microsoft Ireland Operations Ltd (who provide Microsoft 365, and who host all our emails, documents and contact information), Energie-Control (Austria), who host our website, and Berox (Belgium), who provide local IT support;

b) correspondence data to suppliers which host email campaigns or send or receive correspondence on our behalf (such as LimeSurvey in relation to online questionnaires/surveys);

c) transaction data and billing contact details to our accountants; and

d) transaction data and other relevant personal data to third parties for the purposes of fraud protection, credit risk reduction and debt recovery.

We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions and applicable law. In addition to the specific disclosures of personal data set out in this section, we may also disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another person.

How to receive our products?

With your consent, we only use your email address to offer you products similar to those that you have already expressed an interest in or ordered (e.g. CEER news alerts or CEER training course mailing lists).

You can request to be removed from promotions, direct marketing or mailing lists at any time.

What is our policy on data concerning minors?

Our website or products are not targeted to children under the age of 13. If you learn that we have the personal data of your child without your consent, please contact us at privacy@ceer.eu

What happens in the event of a change to the privacy policy?

Changes will be published on our website.

How to contact us or make a complaint to us?

Council of European Energy Regulators (CEER)

Cours Saint-Michel 30a, box F (5th floor), 1040 Brussels, Belgium

Tel.: +32 (0) 2 788 73 30 Fax: +32 (0) 2 788 73 50

privacy@ceer.eu

Complaints to the Data Protection Authority

You have a right to complain about how we have handled your information and you can report it directly to the Data Protection Authority, at the following address.

Data Protection Authority Rue de la Presse 35, 1000 Brussels

https://www.dataprotectionauthority.be

+32 (0)2 274 48 00 +32 (0)2 274 48 35

commission@privacycommission.be

The Data Protection Authority's offices are open to members of the public during office hours, but by appointment only. Please observe that the preferred languages for contacting the Privacy Commission are Dutch and French.

About cookies

A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server. A ‘persistent’ cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a ‘session’ cookie will expire at the end of the user session, when the web browser is closed.

Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies. Our site uses category one and category two cookies. Category one cookies are essential in order to enable you to move around the website and use its features. Category two cookies collect information about how visitors use our Site—for instance, which pages visitors go to most often. All information these cookies collect is aggregated and therefore anonymous. Category two cookies enable us to use Google Analytics for analysing the use of and improving the Site. Google Analytics gathers information about website use by means of cookies. The information gathered relating to the Site is used to create reports about the use of the Site. Google's privacy policy is available at: https://www.google.com/policies/privacy/.

Most browsers allow you to refuse and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can obtain up-to-date information about blocking and deleting cookies via the support pages made available by your browser operator.

Every time you access the member account or user account, the CEER website collects technical information relating to the devices that you use, such as the IP address, the resource you request, browser type and operating system.

Third Party websites and security

The CEER website (www.ceer.eu) contains links to third-party websites and refers to third-party service providers and other entities. If you follow a link to any third-party website or deal with any third party entity referred to on the site, then you should note that these third parties may have their own privacy and cookie policies, and that we are not responsible for their use of any personal data which you may provide to them. You should ensure that you have read and understood any relevant policies.

Although we do our best to ensure the security of personal data provided to us (and to use only reputable service providers), any transmission of data via the Internet is by its nature insecure and we cannot guarantee the security of any personal data you provide to us.