
Hi, newbie here. Didn’t read the Privacy Notice to begin with but when did, was utmost confused, as did not understand most of what was being said. Spent a few days on the ICO website guidance, and phoned them more than a few times to get some understanding. They basically said that anything, and mostly everything in an Account is personal data, not just your name and address, but everything in the Account, and calls, especially as they are recorded by OVO. They said because of that everyone answering the phone in OVO has to at the very least be a lawful representative under the GDPR. But all I ever do is get through to Philippines or South Africa and they do not seem to even know what a Controller is, let alone how or who to transfer a call to if you are exercising any of the rights in the GDPR. Did try using the email address in the Privacy Notice and just got a generic reply from someone, so no help there. Anyone know who in OVO you can talk to about GDPR? ICO say that you have to be able to speak to someone as OVO give a phone number, in the Privacy Notice for contacting the Data Controller, so have to make someone available for that purpose.

Anyone know a number that actually knows how to represent OVO lawfully under the GDPR, more than just security anyway as the ICO say that it is so very much more than that, and Accountability, not in the normal use of the word but as it is specifically set out in the GDPR.

Thanks

Hello,

This comment was left by a Forum Volunteer. It is NOT the official response of OVO.

Firstly, please try to format your posts properly into paragraphs. Giant walls of text are annoying and painful for others to read, so please try to make it easier for other folks in future.

I think you really, really need to lower and manage your own expectations here tbh. You’re asking too much of the wrong team to do the wrong thing.

If you actually read the Privacy Policy properly, you would have not only found an email address - dataprotection@ovoenergy.com - AND a postal address - OVO Energy, 1 Rivergate, Temple Quay, Bristol, BS1 6ED - AND two web links to a couple of forms. This one to request access to your data and this one to request erasure of your data. Everything else is either self-service or can be done via Support. FWIW, yes call recordings can be requested this way too.

Also, not everything in your account is personal data. OVO is allowed to withhold certain stuff from a GDPR request.

This isn’t the place to be going into details about Data Controllers and Data Processors acting on behalf of a Data Controller. I will refer you back to the ICO for that.

One merely needs to provide a way of getting in touch with the DPO, there’s nothing in the rules about how. And I’m sorry, but if your preferred way is by phone… Good luck with that. Most large companies don’t allow you to phone the DPO directly. And besides, 99% of the time they need to have a written record of the request - verbal often isn’t enough. This is exactly why there’s no phone number (other than the ICO one) in the “how to contact us” section of OVO’s Privacy Policy.

Sorry, but this feels like an issue with your expectations vs reality if I’m being honest.

In my personal view, I’d probably also advise against trying to tell others here on the Forum about how GDPR stuff works unless you fully understand it yourself. This is just a request from me, but it helps to prevent difficult situations from arising as a result of bad advice. Only the Forum Volunteers and Forum Moderators know the full story about how the SSE to OVO Migration worked and I can tell you now that OVO took a total backup of all the old systems before pulling the plug on them. In addition, wiping the old data off of SSE systems merely one month after migrating a customer would have caused its own problems, such as not being able to resolve read disputes or historical billing issues. That data needs to be held for up to six years post-migration. Only then can it be deleted - and most likely will.

Migrations never lose data when done correctly. Rather than move the original data, you make a copy of it, move that copy over, verify it and only after the migration has been totally verified as complete do you actually proceed to delete the old copy. If something went wrong, you can just go back and grab the missing stuff from the original copy.

One does not become a GDPR expert simply by reading the ICO website for a few days and calling the ICO once or twice. It took me several months of research to gain the knowledge I have. Given my IT and Cybersecurity backgrounds, I’m also trained on GDPR matters - I have to know it as part of my job.


Hello Blastoise 186

Sorry about the formatting. Nothing about that in the terms and conditions.

It is a Forum managed by OVO, so my expectations are realistic as OVO say that all posts are read by Moderators, and if no customer knows the answers, then a MOD will surely respond, as it seems that most of OVO Customer Services is unable to do what is required by the GDPR, and stated in the OVO Privacy Notice.

I thought I had said, my mistake that I had emailed, and had no response.

As OVO provide, in the Privacy Notice, a phone number it must be possible to speak to someone, who is what the ICO say, a lawful representative of that Data Controller. There cannot be a number as the contact details and then be required to use another format, that would not be in accord with the GDPR.

So while there is an email address for Subject Access Requests, and Erasures, because OVO give a phone number it has to also be possible to do that on the phone. 25% of customers according to studies, don’t even have email, so it has to be possible to do everything on the phone.

The rest of the Rights that customers have under the GDPR Restriction, Objection, Portability, (Articles 16-22) Rectification, or even how someone gets a demonstration of Accountability (Article 5) are not clear.

Customer Care, who I can only reach in the Philippines, or South Africa, do not seem to know even what the rest of the Rights a Customer has, let alone how to implement. So they cannot be the representative of the Data Controller. The ICO say that anyone that answers the phone is supposed to be fully trained and competent in the GDPR, if only because they have to be able to do Accountability and Rectification, on the fly, for what they say.

Everything in an Account is Personal Data, if it concerns or impacts, as that is the meaning of Personal Data.

I did not say anything about DPO. Tasks of DPO and Data Controller are different. If DPO had to do all the things set out in the GDPR, specifically for the Data Controller, it would have to say that clearly in the Privacy Notice, and the team would have to be huge to deal with all the formal Accountability and Rectifications.

The phone number, for the Data Controller is in the Privacy Notice so you have to be able to do that, OVO have to do that, as Article 30 requires a Controller to keep a record of any Processing, if it is done by phone, then OVO have to provide the written record, to the Customer, if only to confirm that what they have recorded is accurate.

As you know no Data Controller can use any data, unless it knows, and can demonstrate that the data it is holding is accurate, adequate and relevant (Article 5). If you contact OVO by phone, that record, of what is written in the Account has to be validated before anyone in OVO can investigate or act. That obviously includes complaints as well as direct GDPR. As that is not clear in the Privacy Notice, or the Complaints Procedure, and as it is a statutory requirement for OVO, as the Data Controller to provide that information, before it Processes any Data, you have to be able to speak to someone. And because everyone has to be a lawful representative of OVO, under the GDPR, everyone on the phone is supposed to know. 

But Customer Care, in both Philippines and South Africa, don’t seem to know anything, or do anything, apart from the security part of the GDPR, so according to the ICO they are limited to being nothing more than a Data Processor.

Only asking, as I cannot get any sense from Customer Care, it is not explained clearly and transparently in the Privacy Notice, if any customers had experience of who or how to contact, the Data Controller.

I was not telling anyone, just quoting what the ICO said, and clearly asking for a response from anyone that knew who or how one was able to speak to someone in OVO.

As you will know. As far as SSE was concerned they became a Data Processor in January 2020. OVO wrote to everyone under the SSE banner telling them about the changes, So it was clear. Most things had to be done by OVO from that point on, because OVO had stated it was now both the Data Controller, and the Licenced Supplier for SSE Domestic, and the Regulations are clear that the SSE part was extremely limited in what could do from that point onwards.

The Regulations stipulate that that data, that was on the SSE branded systems, had to be erased, within a Month, following a Migration.

OVO could only be allowed to do a full back up, because it was the Data Controller.

Any new “disputes” had to be dealt with, by OVO, directly, from Jan 2020 onwards, because that is what the Regulations say, and OVO became responsible, because that is the nature of a takeover, CAB told me about cases where OVO had been reprimanded for actions that SSE took before they bought them in Jan 2020.

Sorry if you misunderstood that it was not just a few days, and just a few calls to the ICO, it was several weeks, where for personal reasons there was little else I could do, and many, many calls to the ICO, and CAB. I am a quick learn so was able to understand most of how GDPR works in that time. ICO are even correcting something on the website because of one call, small, but they had not seen it, so I can’t be far off from being an expert in that sense. No one is perfect and knows everything.

 

My original question remains. Does anyone know how to contact a lawful representative of OVO under the GDPR, who can explain the rest of the information that is not in the Privacy Notice, but is required to be provided by requirement of the GDPR, before any Processing of any Data. ie, before anything relating to the customer and the account takes place.

 

Thanks


While it is true that Forum Moderators patrol the forum and read everything, they’re not obligated to reply to anything. The OVO Forum is volunteer led, and the vast majority of responses will come from a Forum Volunteer such as myself. The Forum Moderators can also respond too, but it’s purely at their discretion as to whether they will or not. The reason they read everything is mainly for moderation reasons and to keep the place tidy.

Likewise, Forum Volunteers are also involved in the moderation process. We patrol the forum constantly and respond to any incidents based on what’s agreed backstage between all of us. We do not have moderator powers ourselves, but we have easy access to OVO staff who do have those powers and we report directly to them.

As mentioned, the three primary ways are either by freeform email that you write yourself, via the Privacy Portal tool which formats the request automatically or by freeform letter that you send by post to OVO’s head office. There is no phone number - and this is in line with pretty much every company ever.

That caters for pretty much everyone. If you don’t have an email account even though it’s super easy to get one, you can just send a letter. Additionally, I’ve already said this, but to complain to OVO about GDPR issues, just email dataprotection@ovoenergy.com or just send a letter to OVO’s head office with ATTN: Data Protection Officer or something along those lines on it.

If you don’t like what OVO is doing, the policy is clear. Raise it with the ICO. But my view remains that I’m not sure you understand how it all works properly.

While I do agree that the Forum House Rules don’t mention about formatting, it is considered to be common sense and basic forum etiquette that applies globally that one should try to make an effort to make one’s posts readable. Just because a rule isn’t explicitly specified, doesn’t mean it doesn’t exist. Please bear this in mind for the future and across all forums you might contribute to. Likewise, the House Rules for this Forum don’t mention about not using garish and eye searing formatting, but we’ll still cringe if you did it and would probably either plead with you to reset the formatting, or call in a Forum Moderator to remove it.

Otherwise, we’ve already answered your question as best we can.


Sorry that doesn’t make sense

It’s an OVO Forum. I had to agree to OVO T&Cs. Someone in OVO, Moderators, has to read everything, even if they do not reply, just to make sure that the Regulations are being met, and any advice from fellow Customers is correct, as being an OVO Forum, OVO are responsible for any information disseminated under its name.

Part of the reason for posting is the hope that a MOD will recognise that there may be significant breaches of the GDPR with Customer Care in Philippines and South Africa.

For those reasons that it is an OVO Forum, volunteers cannot represent OVO, so cannot be involved in the official Moderation Process. I thought that was clear from the T&Cs.

Let’s be clear, whatever is in a Privacy Notice, has to be correct, that’s the law. So, as OVO provide a phone number it has to be possible to contact the Data Controller, by phone, and OVO have to provide that service, because it is in the Privacy Notice. It is irrelevant what other companies do, it is OVO that are Accountable, to the customer, for what they do.

There cannot be any “backstage” agreements, because, everything, being an OVO Forum, comes under the GDPR, so has to be clear and transparent.

You do not seem clear on why a company has to provide a postal address, when it must be used, what a company has to do if it directs anyone to use post, other than for certain reasons, or why it has to provide other ways to contact the Data Controller. Not least because if a GDPR problem is raised, in many cases that would involve restricting the Processing, either under the requirements of Article 18 or 21, which would mean no activity on that Account, and no Billing for that period. OVO would have to get a response, and allow for the customer’s Right of Rectification in regard to that response, and all within the statutory 1 Month. Hardly feasible by post unless OVO had huge numbers allocated to deal with 5 million customers posting everything in.

Afraid you are incorrect. The Regulations stipulate that you can only go to the ICO, for a complaint matter, after you have raised it with the Controller, and they have provided a response, and the response, is demonstrated to be fully compliant with the GDPR. Everything stated in the GDPR to be the responsibility of the Controller has to be dealt with by OVO, and as OVO give a phone number in the Privacy Notice for the official contact details of the Data Controller it has to be able to be done on the phone, because that is what the Regulations stipulate.

I do know how the GDPR works, but what I am trying to find out is how OVO do what the Regulations require them to do under the GDPR, beyond basic security. Principally Accountability and Rectification as the ICO say that those are key to everything relating to the GDPR, and every Controller, which OVO obviously is, must demonstrate compliance.

Which means that everyone answering the phone is supposed to do that, and because this is an OVO Forum, OVO have to monitor everything that happens on the Forum to make sure it doesn’t breach any of its statutory duties.

The thing about formatting simply makes no sense. It would have to be in the T&Cs to be applicable. It may be sensible to do so, but it cannot be required, and most certainly, as it is not in breach of the T&Cs be removed simply because someone struggled to read un-formatted text. All they had to do was not read it. Apart from the Moderators, they have to read everything.

I am sorry but I do not understand your use of “we”. You state you are a Volunteer, so do not represent OVO, I have not had a response from OVO, in fact I have not had a response from anyone else. 

Thank you for engaging, but as the question was I think simple, how does one contact the lawful representative of the Data Controller, by phone, as that is a stated requirement of the Privacy Notice. The info, re formatting is appreciated, and I will try. But the rest, regarding GDPR, can only be addressed by OVO directly, and all I needed from anyone in the Forum was if they had had experience, who and how they contacted to exercise any of their Rights under the GDPR, and who and how they contacted for a demonstration of Accountability under the GDPR seeing that no one in Philippines or South Africa, even though they should, to whatever extent they are permitted given their apparent role as Data Processors, be able to meet the basic requirements, which they don’t seem to be able to do.

As it is a statutory duty OVO must have the means to fulfil those duties, but it is not clear from the Privacy Notice, so has to be explained, and has to be able to be done on the phone, as not only does everyone answering the phone have to demonstrate the essential of compliance, but has to provide the information of who and how does things that they are unable to do.

 

I really don’t see the point of this. You haven’t addressed my question, you have gone off on tangents, most of which you have given inaccurate information on, and are not a representative of OVO, or you would have Rectified, and demonstrated Accountability, when I pointed out your errors.


Click Here to learn how to contact OVO about GDPR Matters

We’re done here.


You might be done. But I obviously am not as I still haven’t had a response. As you haven’t addressed the actual question, and only repeated what I have said, which says that you have to be able to do it by phone, because it’s in the Privacy Notice as the official contact details, then directing me to that document, which only proves what I have said anyway, really does not make much sense.

I do appreciate your efforts, certainly for pointing out that some may find reading if it is not in paragraphs difficult most useful, I do not have that problem so wouldn’t be aware of that.

But most of the rest that you have said is simply incorrect.

 


You can lead a horse to water, but you can’t make it drink.

I don’t want OVO’s lawyers throwing the book at me. So I’ll say this one last time.

THIS LINK

Is the place to ask the questions you seek answers to. The OVO Forum is not the place to ask.

If you won’t accept this as the final answer, then so be it.

Farewell.


That is not the answer to my question, that doesn’t explain anything. It obviously should, because the information is supposed to be in the Privacy Notice, but in the absence of that any of the contact details for the Controller have to be able to do that.

But the required information on who to phone, is not in the Privacy Notice. Have you actually read it? Do you actually know what the GDPR requires for a Privacy Notice?

I only asked if anyone had any experience that might shed light on it, as no one in Philippines or South Africa was able to assist, and from what they were saying must be Data Processors and not Controllers, so would not be permitted to provide that information of who and how to contact.

How on earth could OVO lawyers do anything, you are a volunteer, if whatever training you have is not up to scratch that would be the responsibility of whoever did your training, assuming you had some.

If you did have some then that would state that this is OVO’s Forum and it is responsible for its volunteers, so the MODS should be correcting your misinformation. Should you not be checking with the Mods, and then if you do, they would have to take over the chat, and great if they did because they would have to provide the correct information.

 

Bottom line is that the GDPR requires the information to be provided on how OVO implements the GDPR, to everyone, including those that don’t have internet or email, which is why the phone number, for the Data Controller is included in the Privacy Notice.

Anyone that answers the phone has to be able to be a lawful representative of OVO, in its capacity of Data Controller, but, that is obviously not happening in either South Africa or Philippines, and from what they say, they cannot be Controllers representatives, but Data Processors representatives, so could not provide that information, or act in that capacity anyway.

 

The question of who does, and how you contact them by phone is what I was hoping someone would have had experience of, and could say how that happens.

Because someone in OVO has to read all posts, my hope was, and is, that if no customer was able to provide that information, that they would intervene, given that they would know it was a legal requirement of OVO. As yet no one has done that, but obviously if no one does soon the Mods will have to intervene, or the T&Cs and OVO statements about who runs and controls the Forum would be contrary to the legislation.

Why you would respond, if you didn’t know the answer to the question is rather strange. Why you would suggest I read the Privacy Notice, when the required information is obviously not in there, and then repeat the statement as though that is going to change the facts.

 

I thank you for your advice about formatting, as even though it cannot be imposed, and is not a problem for me, I do appreciate that others may, even though no one else said so.

But the rest is opinion that is blatantly wrong, and does not even address my question. Have you got experience of trying to exercise any Rights, that are not clearly stated in the Privacy Notice, that do not require email, that can be done by phone. Obviously not, so why respond if you cannot address the question, and why throw in lots of incorrect information about the GDPR.

 

That does not make sense. Please let someone who has experience, or the Mods, step in to address the actual question.

Thanks


I did not see the insult about leading a horse to water, from the T&Cs that type of personal insult would not seem to be permitted. Perhaps the Mods would like to intervene to remind the person of behavioural matters for the Forum.

 


I’d like to give you some advice. No matter what Forum you are on, using Moderators as a Weapon won’t help you. In many cases, it can actually backfire and result in you getting banned instead.

The sword that a Moderator holds isn’t a toy and you can’t just swing it around mindlessly - it has to be used with extreme caution. It is one of the reasons why there are only three Forum Moderators here and why Forum Volunteers don’t have that power - it prevents us from making “deadly” mistakes.

In addition, I have Autism myself and with that, I also have the ability to detect an Autistic person in just about any environment - including online Forums. Whenever I pick up on those signals, I’m known to use that to my advantage by adapting how I respond to better match the other person and - on forums like this one - make their experience better by adjusting to their needs. It’s a powerful skill that is unique to myself on this Forum, but it comes in useful from time to time and can help explain unusual behaviours. However, in this case I do not believe you have Autism yourself as I would have noticed it by now.

The saying “You can lead a horse to water, but you can’t make it drink” is not an insult - it’s a well known proverb, which means I can try many times to give you an opportunity, but I can’t force you to take up the offer.

It appears you are not here to build a community and instead appear to just be trying to start a fight with us. We don’t bite easily and so this will be the last comment in this thread from any of the Forum Volunteers. I suspect you won’t get a response from a Forum Moderator either if I’m being brutally honest...


I have waited to respond so I could check the facts with the GDPR Regulator (ICO)

I have no idea what is going on?

Leading a Horse to water, may be a well known proverb, it is the context that declares it an insult - as though I am a horse and Blastoise has taken me to water, and I am too ignorant to drink.

I was not using Moderation as a weapon, simply stating what the T&Cs state, and as I felt it to be an insult and that is not acceptable behaviour, and, if no one has any actual experience in relation to my question, that hopefully, because I do feel insulted, they might step in to correct the mistakes, and because they represent OVO, that under the requirements of the GDPR that they might address the question.

How someone could get banned for asking a question, correcting a response as incorrect, and saying that they felt insulted, would be very strange.

Of course, as this is an OVO Forum, everything under it has to comply with the GDPR, as well as T&Cs and one could only be banned after an explanation had been provided, under the GDPR’s requirements.

I do not see how Blastoise being Autistic, is relevant to anything. The statement obviously shows an error. I am diagnosed as Autistic. The suggestion of being able to pick up on signals is wrong. It is hard enough to pick up on signals face to face, and as the Spectrum is so diverse impossible to pick up in a Forum.

But it is not relevant to anything anyway. There is no questionnaire that has to be filled in, no medical history.

I have asked a question, the only answer to date, from Blastoise has been completely incorrect as far as the GDPR is concerned. If only for the reason that I asked if anyone had any experience, the actual information has to, because of the GDPR, come from OVO, in its capacity as the Data Controller.

I am most certainly not here to start a fight. I am only here because I cannot seem to find the information, that is supposed to be in the Privacy Notice, and either is, and no one who answers the number in the Privacy Notice is properly trained, or the information in the Privacy Notice, is not accurate or transparent, as the GDPR requires.

Whatever the reason, I cannot seem to find a way to contact OVO, by phone, as I did not get a response from the email in the Privacy Notice, and, as the Privacy Notice gives a phone number for the contact details of the data Controller, that has to be possible to do, and, as anyone that answers a phone representing OVO, has to be able to demonstrate compliance with the GDPR, that person must be a representative of the Controller so according to the ICO, therefore has to either be able to be a lawful representative themselves, or declare that they are not and provide the information, of a different number, or transfer the call to a lawful representative.

As everyone that answers the calls seems to be either in South Africa or the Philippines, so must be declared under the GDPR to be Data Processors, and not Data Controllers, so cannot lawfully represent the Controller, they should be declaring, when you call for any stated GDPR matters, what their formal position is, and acting accordingly.

As they do not, I assumed that there would be many in the same position, and given that something like a quarter of people do not even have email, I assumed that a quarter of people would have had experience, given the wide ranging impact on everything OVO does, including complaints.

 

As I have no wish to get into a fight with anyone. Blastoise, could you please, unless you know the answer of who to direct me to, or have had the experience yourself, not respond. It doesn’t help to have inaccurate information, which does not address the question.

Thank you


I will spell out the answer one final time.

  1. Write a letter detailing your concerns. It can either be handwritten or done on a computer and printed out - either way works but make sure to include a return address and your account details, otherwise OVO can’t respond
  2. Go to a post office
  3. Buy an A4 envelope - they’re about £1 at most
  4. Buy a 1st Class Large Letter Stamp - £2.50 should be enough
  5. Put the letter in the envelope and write the address on it that’s at the bottom of this comment and attach the stamp in the top right corner on the same side as the address
  6. Hand it to the Post Office staff, they’ll do the rest
  7. OVO will get back to you once they’ve read it - using the exact address as written below will ensure it gets routed directly to the DPO who deals with GDPR matters, or at very least a member of the team who knows how to handle this stuff

The address is:

ATTN: Data Protection Officer

OVO Energy

1 Rivergate

Temple Quay

Bristol

BS1 6ED

If you are not willing to accept this answer, then I’m sorry but we will not assist you further via the OVO Forum. For your information, for the purposes of what you seek, the Data Protection Officer IS the Data Controller and/or an authorised representative of the Data Controller. They will assist you with your query.


Dear Blastoise. You clearly have not read my question.

Let me make it clear yet again. I know of the other ways to contact the Controller, it is however my given Right to contact the Data Controller by Phone. I need to know how to contact the Data Controller by Phone, not in any other way.

I asked if anyone had any experience of how to contact OVO -by Phone. 

Because OVO has a Customer Service, that you can contact by Phone, and states on the website, that is the Contact details for the Data Controller include a phone number, you have to be able to, by law, contact the Data Controller by Phone. 

The postal address, is by law required for formal documents that have to be formally submitted. OVO cannot require a person to use a method that would be financially detrimental to them for basic communications, such as contacting the Data Controller. 

It might only be a few pounds, but for those of us that do not have a few spare pounds kicking around it cannot be required. And you forgot to add on the cost of having it signed for, which would be required, or someone in OVO might just say they did not receive it.

And, you forgot the basics of the GDPR, that a Controller can only collect data, when it is necessary, for the specific purpose; which it clearly is not, because OVO provide a phone number, and, if I am required to give my name and address, that is personal data that the Controller is, by law, not allowed to collect, until after it has met the requirements of the GDPR, and provided the information on how it intends to Process any Data, and how one’s Rights are met. All of which has to be done before any data is collected, so cannot by law be done in the manner you suggest.

Your answer cannot be accepted, because it does not relate to the question. If you had addressed the actual question, and provided information that I did not already know, then of course I would accept it. It is only your, one person’s opinion, not that of the entire Forum, and isn’t even correct in most details relating to the GDPR, it certainly is not the answer to the question, nor an answer from someone that has had experience.

I need to know, as is my legal Right, who and how to contact the Data Controller by Phone.

It obviously cannot be the outsourced customer services in S Africa or Philippines, and they seemingly have no idea what a Data Controller is, let alone who to contact.

Which is why I asked if any Customer had experience, and had been able to contact the data Controller.

The DPO is not the Controller. The Controller appoints the DPO and the DPO is given specific tasks under the GDPR, which do not include the day to day tasks of the Controller. There is not a Phone number for the DPO, so that is not applicable anyway.

My question was not for you in particular, and why you would answer unless you had direct knowledge and experience of implementing your Rights of receiving a demonstration of Accountability, and so could answer the question of how to contact the Controller .

So once again, does anyone know, or had experience of how to contact the Data Controller -by Phone.

 

Thank you