What is Steinergy’ role in your privacy ?
The supply of energy includes additional energy related services like the access and management to the customer portal, the customer account, the organization of commercial and marketing operations and the management of Users’ and Customers’ feedback.
Our commitment to comply with data protection Law
Steinergy acknowledges and undertakes to comply with the national laws and regulations applicable to the protection of personal data (the “Law”), including but not limited to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”).
Your points of contact
As Data Controller, Steinergy considers the protection of your personal data to be of great importance and has appointed a data protection officer (hereafter the “DPO”) that you can contact for any questions you may have. The main role of our DPO is to ensure that personal data of our employees, Prospects, Customers and Users are processed by Steinergy or by our Data Processors in compliance with the Law and the GDPR.
For any questions about the processing of your personal data carried out by Steinergy, please feel free to contact our customer service centre or the DPO at the following addresses:
- by post:
4, Square Patton,
L-8443 Steinfort (Luxembourg)
- by phone : or by email : email@example.com
- DPO at the following email address : firstname.lastname@example.org
How to stay involved in the treatment of your personal data ?
Whatever is the method used to collect personal data, either directly from you or from third parties, please note that we will use these personal data only for the specific reason for which it was provided to us.
When and how we collect data ?
The Schedule below provides more details about the type of data we collect, for which purposes and the legal basis on which we process your personal data.
What are our “legal bases” for processing your data ?
In the framework of our activities, we collect and process several types of personal data depending on the offers and services you have subscribed to and the forms you have filled-in on our websites. This processing is based on one of the following legal bases:
We process your personal data within the extent it is necessary to execute the contract you have entered with us and/or for the needs of the pre-contractual relationships.
We process your data on the basis of a clear and explicit consent (by ticking the box or clicking) that you have given to us for a specific purpose.
You can change your mind! If you have previously given your consent to the processing of your personal data, you may freely withdraw this consent at any time by contacting us by e-mail at email@example.com.
If you withdraw your consent, and if we do not have another legal basis for processing your information, then we will stop processing your personal data. If we have another legal basis for processing your information, we will limit our processing to what is strictly necessary with regard to the purpose of the concerned treatment.
In the following cases, we process your data on the basis of our legitimate interests within the limits of what you can reasonably expect in the interactions with us and as long as there is no other legal basis for such processing. Our legitimate interests are:
- gaining insights from your energy needs and consumption,
- delivering, developing, and improving Steinergy’ products and services,
- enabling us to enhance, customise or improve the User’s experience,
- enhancing data security.
In each case, we ensure to find a balance between your rights and our legitimate interests. For more information about such balancing, you can contact us by email at the following address : firstname.lastname@example.org
We process your personal data in accordance with the Law, relevant government instructions and energy sector industry practices as applied by the Courts and supervisory authorities.
How and why we process your data?
In the schedule below, you will find the detail of (i) the categories of personal data that we collect, (ii) the purposes for which we process such data, (iii) the legal basis associated with each purpose.
When collecting information, we indicate which information is mandatory or necessary for the conclusion of the contract. Failure to provide such information will prevent us from entering into a contract with you. Optional information is indicated as “optional”.
|Type of personal data 1
|Purposes of the processing
|Browsing on our websites and using our digital spaces
|Request an offer/ Enter into an energy supply contract
|Execution of the energy supply contract
|Exchange and communication with our services
 The details of each category of data (Customer Name Data, Customer Communication Data, Point of Delivery Data, etc.) are defined by Encevo Group internal policies.
 According to the Electricity Law dated June 9th, 2023, an active client is an end-customer or a group of end-customers acting jointly, which consumes, or stores electricity produced on its/their premises, or which sells its/their self-produced electricity and/or participates in flexibility or energy efficiency programs provided such activities are not its main commercial or professional activity.
What about really sensitive data?
We don’t collect any sensitive data as defined by the RGPD (like racial or ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic data, biometric data, health data, data about your sexual life or orientation, and offences or alleged offences).
What are your privacy rights?
You have personal rights regarding your data that you can exercise in accordance with the Law and the GDPR, including a right of access, right to correct, right to erasure, a right to restrict a treatment, right to oppose (right to be forgotten), and a portability right.
If you want to exercise or get more explanation about any of these rights, please contact the Data Protection Officer at the following address: email@example.com. We will answer you within a reasonable delay, not exceeding one month as from the date of your request.
Such right can be exercised to the extent it does not adversely affect the rights and freedoms of others. Under certain circumstances, some rights such as the right to be forgotten or the portability right can be exercised subject to conditions, for example, they shall not prevent the execution of ongoing contracts or prevent us from complying with our obligations or obstructing any possible legal proceedings.
In such cases, we will provide you with any further explanation which might be relevant to you.
- You have the right to access to the information we hold about you. Please refer to the Schedule above. You can ask us whether your personal data is being processed or not and request further details about the processing of your data.
- You have the right to request an update, an addition or a correction of any personal data which is inaccurate, incomplete or wrong. Please inform us about any update or inaccuracy you may have noticed by sending an email at firstname.lastname@example.org.
- You can request the erasure of your personal data under certain circumstances. This right may be subject to limitations as mentioned above.
- You can ask the restriction of processing of your personal data under certain circumstances. This right means that the treatment we operate on your personal data is limited, so that we can retain some data, but we cannot not use or process them for any other purpose(s).
- You have the right to object to the processing of personal data (“right to be forgotten”). This means that you can request us to stop using your personal data, notably for direct marketing purposes. We will do so as long as such data are no longer necessary for the provisions of services.
- You have the right to ask for the portability of your personal data carried out by automated means. You can request to receive directly your personal data in a structured commonly used and machine-readable format. The data will be given in MS Excel format directly to you so that you can transmit it to another controller and/or where technically feasible, your personal data will be transmitted directly to another controller.
Such right can be exercised to the extent it does not adversely affect the rights and freedoms of others. In such case, we will provide you with any further explanation which might be relevant to you.
- You have the right to lodge a complaint with the relevant supervisory authority, i.e. the “Commission Nationale de Protection des Données (“CNPD”).
We provide several channels to exercise your rights so that you can choose the more convenient to you.
For any questions/concerns, please contact us at the following addresses so that you have a chance to address your request in the best delay :
- by post:
to the attention of the DPO,
4, Square Patton,
L-8443 Steinfort (Luxembourg)
How we secure the data we collect?
Steinergy has implemented appropriate physical, technical and organizational security measures to protect your personal data against unauthorised access, alteration, disclosure, theft, destruction or other accidental or unlawful forms of processing in accordance with the Law, GDPR and generally accepted standards of technology and operational security.
We have set-up internal security policies and we require our Data Processors to comply with the Law and GDPR. They are bound by contractual obligations related to confidentiality, processing and security measures to prevent unauthorised access, use, theft, destruction and disclosure of personal data.
Security issues being a general matter concerning everyone, we advise you to remain vigilant and take any useful or necessary precaution to guarantee the confidentiality of your password and your access code to the customer account.
How do we store and transfer your personal data?
Your personal data are stored with the European Union either by our organization or by our service providers (Data Processors).
In the event a transfer of personal data outside the European Union or outside the European Economic Area (EEA) is contemplated, such transfer will only take place provided the appropriate safeguards provided by articles 44 to 47 of the GDPR are in place, i.e. :
- If there is an adequacy decision issued by the European Commission recognizing that the country of the recipient presents an adequate level of protection for personal data, we can rely on such instrument. More information is available here : https://cnpd.public.lu/fr/dossiers-thematiques/transferts-internationaux-donnees-personnelles/Reglement-general-sur-la-protection-des-donnees.html ;
- By concluding a contract including the standard contractual clauses (SCCs) approved by the European Commission; More information is available here : [https://cnpd.public.lu/fr/dossiers-thematiques/transferts-internationaux-donnees-personnelles/Reglement-general-sur-la-protection-des-donnees11/clauses-contractuelles.html; or
- By using any other mechanism meeting the requirements of the GDPR.
How long do we retain your data?
- as long as we maintain a contractual relationship with you (e.g., where you are a beneficiary of our Services, or you are lawfully included in our mailing list and you have not unsubscribed);
- until the end of the calendar year following the end of the limitation period under applicable laws.
The main retention periods are the following (for Luxembourg):
- For prospects: up to 3 years from the date of collection or from our last contact,
- For clients of electricity/gas supply:
- contractual and commercial communications: 10 years form the end of the contract,
- Payment and invoicing information: 10 years from the closure of the relevant financial year to comply the laws and regulations,
- For Users of websites : up to 3 years from the data collection,
- For cookies, please consult our Cookies Policy.
Despite these retention periods, your data may be archived with restricted access for a further period for limited reasons as permitted by law (default payment, warranty, disputes, etc.). Steinergy undertakes to delete or to anonymise your personal data upon expiry of the retention period as described above.
To whom your data are shared ?
We communicate some data to our technical partners, such as the network operator and to authorized third parties like state authorities, including the authority responsible for regulating the energy markets (ILR), where necessary and in compliance with the Law.
We share personal data with Data Processors within the limit of what is necessary for the performance of the services entrusted to them. In accordance with the terms of the contracts, Data Processors process data in compliance with GDPR on the basis of our instructions in relation to defined purposes and ensure to implement appropriate technical and organisational security measures.
We use the following categories of recipients to provide Services (a list of contracting entities can be shared upon request) :
- affiliated companies within the Encevo Group for intra-group services (accounting, finance, legal, IT, etc.),
- Database, sales administration and market interaction software providers,
- Credit reference and fraud prevention agencies to assess your ability to make payments, credit decisions, identity checks, fraud and money laundering prevention and account management. Credit reference agencies will record the search on your credit file whether or not your application has been successful. (There is no automated decision making based on that research).
- Credit insurers,
- Survey provider and market research,
- IT/Cloud service providers,
- Payment/debt collection agencies,
- Regulated social office,
- Print service providers,
- Facilities’ service providers,
- Subsidies’ energy agencies,
- Third party auditors, where applicable, to meet legal and regulatory obligations.
The data may be transmitted to third parties where this is required or expressly authorised by the Law, to enforce a provision of the law, or further to a judicial/regulatory decision if such disclosure is necessary in the context of an investigation or a legal proceeding and to protect the rights and interests, properties, safety and security of Steinergy, our clients or other persons.
Version 2.0 of 12 October 2023