Privacy Policy of Energy Solutions (ES) Ltd
1. Our Full Contact Details Are:
ENERGY SOLUTIONS (ES) LIMITED
UNIT 20, NEPTUNE COURT, VANGUARD WAY, CARDIFF CF24 5PJ
Alternatively you can email us at info@energysolutions.co.uk
Questions, comments and requests regarding this privacy notice are welcomed by using
the contact details above.
Please note that you have the right to make a complaint at any time to the ICO, the UK
supervisory authority for data protection issues (www.ico.org.uk). We would,
however, appreciate the chance to deal with your concerns before you approach the
ICO, so please contact us in the first instance.
2. Changes to Our Privacy Notice
We keep our privacy notice under regular review to ensure that it properly reflects our
use of your personal data. We may make periodic changes to our privacy notice in the
future, please check this page for any updates on your next visit to our website.
This privacy notice was last reviewed and updated on 01 November 2025.
It is important that the personal information we hold about you is accurate and current.
Please let us know if any personal information which we hold about you needs to be
corrected or updated at any time.
3. Personal Data
Principles relating to processing of personal data. Personal data shall be:
a) Lawful, fair, and transparent: Process data only with a valid legal basis (e.g.
consent, contract, legal obligation) and inform individuals how their data is used.
b) Purpose-limited: Collect data only for specified, explicit, and legitimate purposes.
c) Data minimisation: Collect only what is necessary for the intended purpose.
d) Accuracy: Keep data up-to-date and correct inaccuracies promptly.
e) Storage limitation: Keep data only as long as necessary for the purpose.
f) Integrity and confidentiality: Protect data with appropriate technical and
organisational measures (encryption, access controls, etc.).
g) Accountability: Be able to demonstrate compliance with these principles (records,
audits, policies).

4. Lawful Bases for Processing
The lawful bases for processing your (client/audience) personal data are as follows:
f)
a) Consent (freely given, specific, informed, unambiguous)
b) Contractual necessity
c) Legal obligation
d) Vital interests
e) Public task
Legitimate interests

 
5. How We Collect Personal Data
Personal data, or personal information, means any information about an individual from
which that person can be identified. It does not include data where the identity has been
removed (anonymous data).
We use different methods to collect personal data about you, and there are different
ways that we might do so. This privacy notice tells you what to expect when we collect
personal data about individuals in the following ways:
• visitors to our website;
• anyone who interacts with us or contacts us through social media;
• anyone who contacts us;
• anyone who uses our services;
• you when you are transferred by one of our third party partners to our website, or
one of our third party partners provides us with your personal data;
• from third party marketing partners; and
• from other energy brokers, where we have taken over the management and renewal
of your energy contract
This privacy notice also explains the types of personal information we collect from
you, and the lawful basis we rely on under data protection legislation to use your
personal data. Under data protection legislation, we are only permitted to use your
personal data if we have a lawful basis for doing so as set out in the data protection
legislation. Where we rely on our legitimate interests (or those of a third party) as the
lawful basis for processing, we have done so on the basis of balancing test which
means that our legitimate interests (or those of a third party) do not override your
interests and fundamental rights.

 
5.1 Visitors to our website
a. We develop our websites here in-house, at Energy Solutions (ES) Ltd, so
all personal data collected about your visit to our website is handled
internally by our employees. You can rest assured that all our employees


receive training on data security and that we take the protection of your
personal data seriously.
b. We also partner with other utility companies from time to time to provide
you with price comparison services. In this case, we operate the website and
this privacy notice applies to any personal data we collect about you when
providing this service.
c. End-User Analytics and Cookies
We will collect details of your visits to our websites, including traffic data,
location data, weblogs and other communication data and the resources you
access on our website. We also collect information about your device and your
visits to and use of our site, including, where available, your device’s IP address,
geographical location, operating system, referral source, browser type, length
of visit and number of page views. We will collect this information for the
purposes of system administration, optimising the use of our site and reporting
aggregate information to third party suppliers. This is statistical data about our
users’ browsing actions and patterns, and does not identify any individual.
In particular, we use an analytics service provider for website traffic analysis
and reporting and to track information such as which browser, screen resolution
and IP address you are using to access our website, in addition to tracking your
movements around our website. Please see section 3.4 for more details on how
we use this information.
Please note that we do use cookies on our website. More information on how
we use cookies can be found in our Cookies Policy.

 
5.2 Third parties
Our site contains links to and from the websites of our third party partner
networks, suppliers and affiliates. If you follow a link to any of these websites,
please note that these websites collect personal data for their own purposes and
have their own privacy notices. We do not accept any responsibility or liability
for these third parties or their data activities on such websites. Please check their
privacy notices before you submit any personal data to these websites.

 
5.3 Contacting us
Our website provides you with different ways to contact us. You may choose to
call us, or submit a query to us or request a call-back from us. All
communications are handled, reviewed and responded to internally by us, unless
we tell you otherwise.

As part of communicating with us, you will submit personal data about yourself
which includes your name, email address, telephone number and any other
additional information you choose to provide to us. We will use your personal
data for our legitimate interests (or those of a third party) where it is necessary
for any of the following:
• to contact you when you submit a query or complaint to our website or
request us to call you back;
• to administer caller information (so we know if you have called us
before);
• to investigate and follow up with you in regard to any query or complaint
you make to us (as applicable); and
• to deal with your query.
We will retain records of our correspondence with you, for a period of 5 years
from the date of last correspondence.
Please note that we record all telephone calls from our call centre, either when
we contact you or you contact us. We use a third party service provider to
provide call recording and other telecommunication services on our behalf. It is
in our legitimate interests to record these calls to:
• ensure we are providing you with excellent customer service;
• use for training purposes for our call centre staff; and
• assist us in the future, if we ever receive a complaint from you and to
enable us to investigate your complaint.
We will retain copies of call recordings for a period of 5 years from the date of
your call.

 
5.4 Using our services
Our website provides price comparison services for energy suppliers. We will
collect personal data from you when you complete a form on our website in
order to access our price comparison services or when you contact us by post,
telephone or email.
We also have partnerships with other companies, and therefore we (or they) are
able to provide you quote for water, telecoms, insurance, waste and other
services. We explain in section 5 below what personal data and the
circumstances where we will share your personal data with these companies.
The points below set out the categories of personal data we collect from you,
the purposes for which we use your personal data and the lawful basis we rely
upon for processing your personal data:


5.4.1 Providing Price Comparison Services (Energy)
5.4.1.1
5.4.1.2
5.4.1.3
Personal Data includes title, name, email, phone numbers,
address, and any other personal data you provide
Purpose of the data is to provide price comparison and account
services; to send your details to an energy partner
Lawful basis of the data are legitimate interests (to deliver
services and show realistic pricing) and contractual necessity
5.4.2 Utility Renewals
5.4.2.1
5.4.2.2
5.4.2.3
Personal Data includes same as 5.4.1.1
Purpose of the data is to contact you about utility contract
renewals
Legitimate interests is the legal basis of having, using the data
& consent of the individual
5.4.3 Meter Information
5.4.3.1
5.4.3.2
5.4.3.3
Personal Data includes Meter number, meter serial number,
business address
Purpose of the Meter information is to confirm meter data with
the suppliers or third parties like national grid etc.
Legal basis is legitimate interests (accuracy and service
delivery) & consent of the individual
5.4.4 Energy Consumption Verification
5.4.4.1
5.4.4.2
5.4.4.3
Data which we store are Meter number, annual consumption,
business address
The puspose is to confirm energy consumption with the
suppliers
Legal basis of the data is legitamate interest & consent of the
individual
5.4.5 Price Comparison (Water Services)
5.4.5.1
5.4.5.2
5.4.5.3
Personal Data includes Title, name, email, phone numbers,
address, and any other personal data
Purpose of the data is to provide price comparison and send
details to a water partner
Lawful Basis is Legitimate interests & consent of the
individual

 
5.4.6 Price Comparison (Telecoms Services)

5.4.6.1 Personal Data same as 5.4.5.1
5.4.6.2 Purpose is as 5.4.5.2
5.4.6.3 Lawful Basis as 5.4.5.3

5.4.7 Referrals to Waste, or Other Service Partners

5.4.7.1 Personal Data: Same as 5.4.5.1
5.4.7.2 Purpose: Same as 5.4.5.2
5.4.7.3 Lawful Basis: Consent (with right to withdraw)

5.4.8 Contractual Obligations

5.4.8.1 Personal Data: Same as 5.4.5.1 and bank accounts details
5.4.8.2 Purpose of the data is to fulfill obligations under any contracts
with you
5.4.8.3 Legal basis will be contractual necessity and the Letter of
Authority (Consent)

5.4.9 Service Notifications

5.4.9.1 Personal Data: Same as 5.4.5.1
5.4.9.2 Purpose: To notify you about additional services and any
service changes
5.4.9.3 Lawful Basis is contractual necessity and Letter of Authority
(Consent)

5.4.10 Website Content Presentation

5.4.10.1 Personal Data means the information relating to title, name,
contact info, address, IP address, other data
5.4.10.2 Purpose of the information is to tailor website content for your
device
5.4.10.3 Legal authority is the legitimate interests (user experience and
business growth)

5.4.11 Website Development and Support

5.4.11.1 Personal Data: Same as 5.4.10.1
5.4.11.2 Purpose of the data is to improve the website and verify
contact details
5.4.11.3 Legal authority is the legitimate interests

5.4.12 Interactive Website Features
5.4.12.1 Personal Data: Same as 5.4.10.1
5.4.12.2 The purpose of the data is to enable participation in interactive
services
5.4.12.3 Lawful Basis: Consent (with right to withdraw)
5.4.13 Customer Services and Complaints
5.4.13.1 Personal Data icludes title, name, contact info, address
5.4.13.2 Purpose of the data is to handle enquiries and complaints
5.4.13.3 Legal basis of the data is legitimate interests
5.4.14 Feedback Surveys
5.4.14.1 Personal Data: Same as 5.4.10.1
5.4.14.2 Purpose of the feedback survey is to improve services via
feedback
5.4.14.3 Lawful Basis of the data is legitimate interests
We may also use your personal data for analytical purposes. Where this takes
place, your personal data will be anonymised as far as we are able to do so for
this purpose, and we rely on our legitimate interests to tailor our service, grow
our business and to inform our marketing strategy.
In the course of using our services, whether you choose to switch utility
suppliers or not, we will retain your personal data for a period of five years from
the date you provide us with your personal data and/or express an interest in our
services, subscribe to our services, or re-subscribe to our services (whichever is
the later).
5.5 Our third party partners
We work with a number of third party partners to provide you with price
comparison services. When you access our services through our third party
partners, we will collect personal data about you in the following circumstances:
When you are transferred to our website from one of our third party partner
websites; and


Where third parties provide us with your personal data. We rely on our third
parties to notify you that they will be sharing your personal data with us or it is
mentioned in their data policy.
Please note that we will be the controller of your personal data from the stage
we are provided with your personal data (either directly from you or one of our
third party partners, whichever is the earlier). You should refer to this privacy
notice for details on how we will use and treat your personal data. Please refer
to sections 3.1, 3.3 and 3.4 for further information on how we will use your
personal data when we are providing you with our services.

 
5.6 Our third party marketing partners
From time to time, we will obtain personal data from our third party marketing
partners. This includes your name, email address, telephone number, home and
business address, business name, etc. In these circumstances, we will take
reasonable steps to ensure that such third party has collected your personal data
fairly and lawfully and, if applicable, has obtained all appropriate consents
required from you to allow us to market to you. We ensure that we use
experienced business database providers and we take reasonable steps to ensure
they take the protection of your personal data and compliance with data
protection legislation seriously.
If we have obtained your personal data from a third party source, we will inform
you of where we collected your personal data within a reasonable period of time
of having obtained your personal data and provide you with a copy of this
privacy notice.
We rely on our legitimate interests as a lawful basis for processing your personal
data, to offer and promote our products and services to you.

 
5.7 Subscribing to our marketing
If you are a customer, or have made an enquiry relating to our price comparison
services (or services offered by one of our other trading names), you have an
opportunity through the link in our Privacy Notice to object or opt-out of
receiving marketing communications at the time of collecting your personal
data. If you have not opted out of receiving the marketing communication, we
will contact you by email, SMS, telephone or via targeted social media adverts
in our legitimate interests to promote our products and services that are relevant
to your purchase or enquiry. We will also provide you with the option to
unsubscribe or object to continuing receiving marketing with each
communication. You have the right to object to receiving these
communications at any time by contacting us on the details above.

If you are not a customer but are interested in our products and services or you
are an existing customer but interested in other products and services we offer
(excluding our energy products and services you have an opportunity through
the link in our Privacy Notice to object or opt-out of receiving marketing
promotional material, updates, reminders and communications. If you have not
opted out, we will collect your contact details (name, postal address and email
address) to provide you with such communications.
You have the right to opt out at any time. For full details on how to opt out
please see above.
We use a third party email and SMS marketing platform service provider, to
manage our SMS and newsletter subscriptions. They will not use your personal
data for any other purpose other than as we instruct them to.
If you ever decide you no longer wish to receive our marketing communications,
you can opt out at any time by unsubscribing from the mailing list, using the
link provided in the marketing communications email, or by using the contact
details above. If you do unsubscribe, please note that we will still keep your
email in a separate secure list so that we can make sure that you do not receive
our marketing communications again in the future.

 
5.8 Third party energy brokers
If we take over the management of your contract from your existing energy
broker, your energy broker will provide us with certain information about you.
This will include your name, email address, contact number and meter number,
which we will use for the purposes set out in section 3.4 above (including
contacting you in relation to utility renewals).
Where we have received your personal data in these circumstances, we will
provide you with a copy of this privacy notice either at the time of first
communicating with you or at the latest, within one month of having received
your personal data, and we will also inform you of who provided us with your
personal data.

 
6. What happens if you do not provide the personal data that we request?
We will need some of your personal data as a contractual necessity in order to provide
you with our services or contact you and follow up with you in respect of any query or
complaint you have submitted on our website. For example, we need to know your
personal contact details in order to identify you and contact you.
Where information is needed for these purposes, if you do not provide it we will not be
able to provide you with our services, or contact you and follow up with you in respect


of the query or complaint you have submitted on our website. We explain this is the
case at the point where we collect this information from you.

 
7. Your data and third parties
We use third parties to provide services to us from time to time. We will share data with
them where it is in our legitimate interests for our business administrative needs. A list
of third parties that we use and how they process personal data is set out below. Please
note that these third parties are located within the UK or the European Economic Area,
unless otherwise stated below.

 
7.1
7.2
Energy Suppliers (Gas and Electric):
We share your title, first name, surname, email address, home number, mobile
number, and address with energy suppliers. This is done to help you switch
suppliers, determine your eligibility for services (ours or theirs), and fulfill any
subscriptions you have made, including processing payments, credit
referencing, and administering the site. These suppliers act as controllers of your
personal data. You’ll be notified which energy supplier receives your data, and
should refer to their privacy notice for details on data use and retention. For
rights related to your energy provider, contact them directly.
Water Partner and/or Telecoms Partners
We share your title, first name, surname, email address, home number, mobile
number, and address with water and/or telecoms partners. This allows for
switching services, determining eligibility, and managing subscriptions
(including contract fulfillment and administration). These third parties act as
data controllers. You will be notified which partner receives your data and
should check their privacy notice for more details.

 
7.3 Price Comparison Service Providers (Waste, Other Services)
Your title, first name, surname, email address, home number, mobile number,
and address may be shared with price comparison providers to deliver specific
services you request. They act as controllers of your data. Data is shared only
with your explicit consent, and you should consult their privacy notices for
information on usage and retention.

 
7.4 Third Party Data Providers
Your meter number, meter serial number, and business address are shared with
third-party data providers to confirm meter and consumption details. This
ensures pricing accuracy and address validation. These providers are controllers
of your data and their privacy notices provide further information.


7.5 Cloud Hosting Service Providers
We share your title, first name, surname, email address, home number, mobile
number, business postcode (if it’s your home address), and other personal data
you provide. These providers host our servers and data. We are responsible for
deleting your personal data from their servers in accordance with sections 3.3
and 3.4 of our policy.

 
7.6 Telecommunications Provider
Your title, first name, surname, email address, home number, mobile number,
business postcode (if it’s your home address), and other provided personal data
are shared with our telecommunications provider to manage our call system and
record calls. Generally, call recordings are retained for a period of one (1) year
where no contract or service agreement is established. If you enter into a contract
with us, call recordings relating to that contractual relationship may be retained
for the duration of the contract and for such additional period as is reasonably
necessary to establish, exercise, or defend any legal claims or disputes arising
from the agreement. The lawful bases for processing and retaining call
recordings may include legitimate interests (Article 6(1)(f) GDPR) and/or
contractual necessity (Article 6(1)(b) GDPR).
Under GDPR, you have the right to request a copy, ask for deletion, or object to
the processing of your call recordings. You can contact our Data Protection
Officer or use the contact details in this Privacy Notice to make such a request.

 
7.7 Email and SMS Platform Providers
We share your title, first name, surname, email address, home number, mobile
number, and business postcode (if also your home address) to send you
marketing and service messages. Refer to sections 3.3 and 3.4 of our policy for
more details.

 
7.8 Electronic Waste Recycling Service Providers
Your title, first name, surname, email address, home number, mobile number,
business postcode (if your home address), IP address, and any other personal
data you provide may be included on hardware we dispose of. These providers
securely wipe all data before recycling the hardware.

 
7.9 Energy Ombudsman
If you are an energy microbusiness customer with an unresolved complaint, your
title, name, contact information, meter number(s), and any other data related to
your complaint will be shared with the Energy Ombudsman. They require this
data to issue a decision and are controllers of your information. Refer to their
privacy notice for details.


7.10
Google, Facebook and Analytics Providers
We may share your name and email address with analytics providers like Google
and Facebook to analyze and improve our services, such as creating “Lookalike
Audiences” for marketing. Data is anonymized when possible and held as long
as we work with these partners.

 
8. Disclosure of your information
We will not usually disclose your personal data other than as already explained in
sections 3 and 5 above. However, there may be circumstances where we need to share
personal data other than as anticipated in sections 3 and 5 above. These include:
• where we are legally required to disclose the information. This includes sharing
the personal data with tax authorities and law enforcement agencies for the
purposes of the prevention and detection of crime;
• where we need to disclose the personal data for the purpose of or in connection
with any legal proceedings, or for the purpose of obtaining legal advice, or the
disclosure is otherwise necessary for the purposes of establishing, exercising or
defending legal rights;
• disclosure is required to protect our interests, or someone else’s interests (for
example, to prevent fraud or credit risk reduction);
• disclosure is necessary to protect your vital interests (for example if you are
unwell at our premises, we may need to seek medical assistance);
• it is to a third party for the purposes of providing administrative or processing
services on our behalf. If such disclosure is required we will take steps to ensure
that the third party protects the personal data in the same way that we do and
notify you of any changes to this privacy notice; and
• to any prospective purchaser of our business assets or organisation.

 
9. Keeping your personal information secure
We know that you provide your personal data in good faith and expect it to be looked
after. This is why we take the security of your personal data seriously. This means that
we have taken steps internally in order to ensure that our systems adequately protect
your personal data. This includes:
A. Technical Measures
i. Encryption and Pseudonymisation
Personal data is encrypted both at rest and in transit using recognised security
standards. Where possible, data is pseudonymised or anonymised to minimise
identification risks and ensure protection against unauthorised access.
12
ii.
iii.
iv.
v.
Access Control
Access to personal data is limited to authorised staff under the principle of least
privilege. Access rights are reviewed regularly and revoked when no longer
needed. Strong passwords and multi-factor authentication are required to
enhance account security.
Where we have given you (or where you have chosen) a password which
enables you to access certain parts of our site, you are responsible for keeping
this password confidential, together with any login details and/or user details.
We ask you not to share your password, login or user details with anyone.
System Security
Systems are protected with firewalls, anti-malware, and intrusion detection
tools that are monitored and updated regularly. Security patches and software
updates are applied promptly to reduce vulnerabilities.
Data Backup and Recovery
Regular encrypted backups of key systems and data are maintained and stored
securely. Recovery procedures are tested periodically to ensure data can be
restored in the event of system failure or data loss.
Regular Security Testing
Vulnerability assessments and penetration tests are conducted regularly to
identify and fix potential security issues. System logs and alerts are
continuously monitored for suspicious or unauthorised activity.

 
B. Organisational Measures
i.
ii.
iii.
Security Awareness and Training
All staff receive data protection and cybersecurity training on induction and at
least once a year. Training ensures employees understand their responsibilities
and know how to report incidents.
Confidentiality Obligations
Employees, contractors, and third parties with access to personal data must
sign confidentiality agreements. Breaches of confidentiality are taken
seriously and may result in disciplinary or legal action.
Policies and Procedures


Internal policies on data protection, IT security, and incident response are
reviewed annually. All third-party processors must follow equivalent security
standards under signed Data Processing Agreements (DPAs).
Unfortunately, the transmission of information via the internet is not completely secure.
Although we will do our best to protect your personal data, we cannot guarantee the
security of your data transmitted to our website and prior to us receiving it. Any
transmission is at your own risk. Once we have received your information, we will use
strict procedures and security features to try to prevent unauthorised access including
those measures set out above.

 
10. Transferring Your Personal Data Abroad
It is sometimes necessary for us to transfer your personal data to countries outside the
UK and EEA. This may include countries which do not provide the same level of
protection of personal data as the UK or EEA. We will transfer your personal data
outside the UK and EEA only where:
• the UK government has decided the recipient country ensures an adequate level of
protection of personal data (known as an adequacy decision); or
• there are appropriate safeguards in place (e.g., standard contractual data protection
clauses published or approved by the relevant data protection regulator), together
with enforceable rights and effective legal remedies for you; or
• a specific exception applies under data protection law.
You can contact us if you would like any other information about protection of
personal data when it is transferred abroad.

 
11. Data Breach Notification Policy
The purpose of this policy is to establish a clear framework for the identification,
management, and reporting of personal data breaches, ensuring compliance with
Articles 33 and 34 of the GDPR. It sets out the responsibilities of staff and procedures
to minimise risk to individuals’ rights and freedoms.

 
11.1 Definition of a Personal Data Breach
A personal data breach is any security incident that leads to the accidental or
unlawful destruction, loss, alteration, unauthorised disclosure or access to
personal data. This includes breaches affecting electronic systems, paper
records, or any other form of personal information.
11.2 Duties on the Company
a.
b.
All staff must immediately report any suspected or confirmed personal
data breach to the Compliance Officer or the IT Team.
The Compliance Offiicer is responsible for:
• Assessing the breach and its impact.


• Documenting all relevant details.
• Determining whether notification to the Supervisory Authority or
affected individuals is required.

 
11.3 Breach Management Procedure
a.
b.
c.
d.
e.
Identification and Containment
Upon discovering a personal data breach, affected systems must be
immediately isolated to prevent further unauthorised access, loss, or
damage. All relevant evidence, including system logs, emails, and
snapshots, must be preserved to support the investigation and any
regulatory reporting obligations. Prompt containment ensures that the
impact of the breach is minimised and critical information is retained for
analysis.
Assessment
The Compliance Officer (CO) or designated team will assess the breach
to determine its nature, scope, and severity. This assessment includes
identifying the categories and volume of personal data affected, the
number of individuals impacted, and the potential risk to their rights and
freedoms. The assessment guides subsequent decisions on notification and
remedial actions.
Notification
If the breach is likely to pose a risk to individuals’ rights and freedoms,
the Compliance Officier will notify the Supervisory Authority, such as the
ICO in the UK, within 72 hours of becoming aware of the incident. Where
the breach presents a high risk to affected individuals, they will be
informed without undue delay. Notifications will include clear
information about the nature of the breach, potential consequences, and
the measures taken or proposed to mitigate any adverse effects.
Documentation
All breaches, regardless of whether they require external notification,
must be documented internally. Records should include the facts of the
incident, an assessment of its impact and risk, the actions taken to contain
and remediate the breach, and any lessons learned. Proper documentation
ensures accountability and supports compliance with GDPR requirements.
Review and Improvement
Following any breach, a post-incident review will be conducted to identify
the root causes, evaluate the effectiveness of the response, and implement
improvements to prevent future occurrences. This may include updates to
internal policies, processes, or technical safeguards, ensuring continual
enhancement of the organisation’s data protection and incident
management practices.


12. Automated Decisions
We use automated decision making when you complete a form on our website and
submit it to access our price comparison services. This means we make decisions using
the personal data you provide using only technology and none of our employees or any
other individuals have been involved. You will receive quotes from suppliers, and these
quotes will vary in price depending on the information you provide us, including how
much your utility bill is usually (whether paid on a monthly, quarterly or yearly basis)
and where you are located in the UK. For example, if you usually pay a significant
utility bill each month, this indicates that you have a high utility usage and therefore
the quotes returned from our suppliers are likely to be higher as compared to someone
who has a low utility usage and month bill. You have a right to object to automated
decision-making – please see section 10.3(e) below.

 
13. Data Subject Rights
In accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR),
individuals whose personal data we process (known as data subjects) are entitled to
exercise certain rights regarding their personal information. We are committed to
ensuring that these rights are fully respected and can be exercised easily and without
undue delay.
The following rights apply to all data subjects whose personal data is processed by us:

 
13.1 Accessing your personal data (Article 15)
We want you to fully understand and be comfortable with how we use your
personal data. You can contact us at any time to ask whether we process any
personal data about you. If we do hold or use your personal data in any way,
you have the right to access that personal data. All we ask is that:
• you make your request to access in writing to the contact details above;
• you verify your identity; and
• you are fair and reasonable with how often you make this kind of request
(please note if you are unreasonable in the number and frequency of
requests you make, we may charge an administrative fee for processing
any further requests. We will notify you of this prior to incurring such
an administrative fee).
Please allow us up to one month from receipt of your request (or verification of
your identity, whichever is the later) in order to provide you with our response.

 
13.2 Requesting more information

We hope that you can understand that it is very difficult to cover all the possible
ways in which we collect and use personal data. We have tried to be as clear
and as open as we can and will continue to update this privacy notice as our use
of personal data develops. However, if you have any questions regarding our
use of your personal information, we will be happy to give you peace of mind
by answering any questions or providing any additional information that we can.
If you do have any specific questions, or need anything explaining, please get
in touch on the contact details above.

 
13.3 Additional rights
You also have some additional rights that you may exercise as set out here. We
may publish a policy, from time to time, to explain how we will handle such
requests and what you can expect from us when you make a request to exercise
your rights. If we do publish any such policy, we will provide a link to it here.
In each instance we may ask you to make your request in writing to the contact
addresses above and provide verification of your identity.
a. You have the right to request that we rectify any inaccuracy about you
that we may hold, in which case we may ask you to verify the corrected
information (for example, we may ask for a recent utility bill for proof
of change of address). (Article 16)
b. You have the right to request that we erase your personal data. Please be
aware that we can only comply with such a request if your personal data
is no longer required for the purposes it was collected for (for example,
we need your personal information to respond to a communication or
query); the collection, storage or use of the personal information by us
is prevented by law; your personal data is not required for the purposes
of establishing, exercising or defending a legal claim such as in the
conduct of legal proceedings. (Article 17)
c. You have the right to request that we restrict or refrain from processing
your personal data – for the time it takes us to verify the accuracy of your
personal data where you have disputed its accuracy; where the
collection, storage or use of the personal data by us is unlawful but you
decide not to ask for erasure; where, we no longer need your personal
data but you need them for the purposes of establishing, exercising or
defending a legal claim; for the time it takes to determine whether we
have an overriding legitimate ground to continue to process your
personal data, where you have exercised your right to object to
processing. (Article 18)
d. You have the right to data portability in respect of information we have
collected from you based on consent or for the reason of entering into a
contract (contractual necessity). If you exercise this right, we will

transfer a copy of the information that you have provided to us at your
request. (Article 20)
e. You have the right to object to our use of your personal data where we
are using that information based on our legitimate interests, and where
we do not have compelling overriding grounds to continue to use your
personal data; at any time, where we use your personal data to send you
the newsletter or any other type of direct marketing, in which case it will
no longer be used for that purpose, but we may use it for another lawful
purpose. (Article 21)
f.
You have the right to opt out where we have made a decision about you
using automated decision making. Don’t worry if you do not want us to
use our automated system to process your personal data you can object
to us using automated processing as we have another process in place
where you can access our price comparison services by speaking to one
of our advisors and contacting us at our call centre on the following
number: 0330 135 8266. (Article 22)
g. You have the right to withdraw your consent at any time where we have
collected your personal data based on your consent. Please note that this
will not affect the lawfulness of any processing based on your consent
prior to you making such withdrawal. (Article 7(3))
h. If you believe that we have processed your personal data in violation of
applicable data protection laws, you have the right to lodge a complaint
with your local Supervisory Authority. (Article 77)
In the UK, this is the Information Commissioner’s Office (ICO). We
encourage you, however, to contact us first so that we can address your
concerns directly and resolve any issues promptly.
To exercise any of these rights, please contact our Compliance Officer or Compliance
Team using the contact details provided in this Policy. We will respond to all legitimate
requests as required by applicable law and will explain if any exemptions apply.