What is personal data?
Personal data may be collected when contacting the Vattenfall Group. Personal data may also be collected from other sources. “Personal data” means any information directly or indirectly attributable to a living, natural person.
Vattenfall is the data controller of the personal data we are provided with. Below follows a description of the guidelines applied by the Vattenfall Group in connection with our processing of personal data, how we process and store information and what your rights are. The guidelines never limit the rights under the GDPR or other legally binding provisions.
The contact information to the data controller and data protection officer can be found under “Contacts”.
Vattenfall’s general guidelines for personal data
The general provisions for processing of personal data is set out in Vattenfall’s group management system. The provisions therefore apply to the entire Vattenfall Group.
The Vattenfall Group always processes personal data in a manner respectful of the individual’s privacy. Personal data considered as sensitive is only processed when there are strong reasons to do so. The Vattenfall Group only shares personal data with third parties outside the Vattenfall Group if it is evident that the legal prerequisites are met.
The Vattenfall companies often have their own provisions supplementing the Group’s general guidelines. The national websites of the Vattenfall Group may also have supplementing provisions applicable for the respective countries.
See below for information regarding how personal data is processed for Applicants
Collection of personal data
Vattenfall collects personal data for example when you visit corporate.vattenfall.com, when data is provided to Vattenfall via regular mail, email, telephone, etc., or when Vattenfall collects data from public registers.
Corporate.vattenfall.com can normally be visited without personal data being collected. We only collect information used for statistical purposes and the visitor remains anonymous. Examples of such information is the time for the visit, how long the visit lasted and which websites are visited.
Vattenfall uses so called cookies to ensure that functions and services at corporate.vattenfall.com shall function properly.
Information when data is collected
When personal data is collected by the Vattenfall Group, the person providing his/her personal data will receive information about:
- Which Vattenfall company is responsible for the processing of personal data
- For what purpose and legal ground the personal data is collected, and what interest Vattenfall has in matters where the processing is based on legitimate interests
- Who is the recipient of the personal data and any transfers to third countries
- Contact information to the data controller and data protection officer
His/her rights in connection with the processing performed
- The right to withdraw consent and to file complaints to the supervisory authority
- Information required for the person providing his/her personal data to be able to exercise his/her rights
- How long the data is stored
If you consider the information to be unclear or incomplete, please contact Vattenfall for complete information.
Objectives and legal grounds for processing
Vattenfall only collects personal data for objectives supported by the applicable data protection regulation. The purpose can for example be to perform a service, such as mailing of newsletters requested or subscribed for by the person concerned, where the grounds for processing personal data is the fulfilment of an agreement. For other purposes Vattenfall may process personal data based on its legitimate interests. Such purposes can, for example, be to perform statistics and analysis.
It is also possible to actively consent to certain processing of personal data. A given consent can be withdrawn at any time. Vattenfall will then cease the processing of personal data encompassed by the withdrawn consent.
Vattenfall does not process personal data for reasons that are incompatible with the original purpose. Further information regarding the purposes for which the personal data is used is provided when the personal data is collected, such as when an email form is filled out.
Transfer of personal data to third party
Since Vattenfall has several group-wide functions, the personal data can be shared with other companies within the Group. When a transfer takes place, the company takes into consideration the special laws and other provisions that regulate the separation between electricity trading companies and electricity grid companies (so-called unbundling rules). This means that personal data cannot always be transferred to another Vattenfall company, even if the affected person so requests.
Under certain circumstances Vattenfall may also transfer personal data to data processors, collaboration partners, vendors or other third parties.
As a general rule personal data is not transferred to countries outside the EU or EEA. When a so called third country transfer nevertheless has to take place, a special assessment is made to ensure that the legal prerequisites are fulfilled and that technical and organisational measures are taken in order to ensure that the personal data is processed safely, with an adequate level of security equivalent to that within the EU/EEA.
Access to personal data
Only those who need access to the personal data in order to perform the agreed services are authorized to access and manage the personal data. Vattenfall has engaged several subcontractors who process personal data to various degrees and they apply the same requirements on the processing as Vattenfall applies internally.
Vattenfall does not store personal data longer than necessary. The personal data is permanently erased when it is no longer required. This applies, for example, when an issue has been resolved or when a contractual relationship has been terminated and the parties’ balances have been finalized. However, some data may need to be retained thereafter, such as data used for statistics or as required under the bookkeeping act.
Vattenfall undertakes specific physical, technical and organizational measures to protect the personal data being processed so that no data is lost, destroyed, manipulated or made available to unauthorized parties. The measures aim to achieve a sufficient level of security considering the technical capabilities available. Changes in personal data are recorded continuously in order to ensure that traceability exists in all changes of the data that occur.
Personal data breaches are always handled in accordance with an internal process and are, in relevant cases, reported to the Swedish Data Protection Authority (Sw. Datainspektionen) and to the individual in accordance with the rules set out in the GDPR. If you suspect a potential personal data breach, please contact Vattenfall’s customer service (see contact information below).
Right of access
Each user is entitled to receive information about and to what extent his/her personal data is being processed by Vattenfall. If such personal data is stored by Vattenfall, the affected person may request information of i.a. which category of personal data is being processed, from where the data was collected, for which purpose(s) the processing takes place, which legal ground the processing covers, storage time and with whom the data is shared. Vattenfall will send an answer to the address where the person is being registered within one month from having received the request.
Right to rectification
Each user is entitled to request rectification of his/her own personal data that is incorrect or being processed in violation of applicable law. Vattenfall is required to take such measures.
Right to erasure
Vattenfall erases personal data when there is no legal ground for keeping the data.
Your personal data can be erasure if any of the following is true:
- The processing is based solely on consent which is withdrawn
- The data is no longer required for the purposes for which they are being processed
- The processing is done for direct marketing and the person opposes the processing of the personal data
- The data is not processed in accordance with the GDPR
- The person opposes processing that takes place based on balance of interests, and Vattenfall’s legitimate interest does not outweigh the person’s own interest
- Erasure is required in order to comply with a legal obligation
If data is erased upon request, Vattenfall undertakes to inform any third party with whom Vattenfall has shared the personal data.
Right to portability
Each user who has his/her personal data stored by Vattenfall is entitled to request his/her data in a generally used and machine-readable format for transfer to another party, for example.
Right to restriction of processing
Processing of personal data may be restricted upon request by an affected person or upon initiative by the data controller. Restriction means that the personal data will be marked so that it, in the future, may only be processed for specific purposes. The right to restriction applies for example during the time when the processing of personal data is being investigated.
Right to object
If Vattenfall processes personal data based on balancing of interests as a ground, it is possible to object to the processing. In order to do so it must be specified which processing the objection regards. Vattenfall must show that there are legitimate interests outweighing the interest of the individual in order to continue processing his/her personal data.
In the event the personal data is being used for direct marketing (DM), this is stated in connection with the collection of the personal data. Individuals opposing to their personal data being used for DM are entitled to notify Vattenfall thereof after which marketing will cease. It is also possible to choose by which channels marketing shall take place.
In all DM, Vattenfall matches personal data with blocking registers for DM (via regular mail, email, telephone or the like). Marketing by email only takes place when the affected person has given prior consent. Emails include a link to unsubscribe from email marketing.
Right to compensation
It is possible to claim compensation, for example if Vattenfall’s processing of personal data violates the GDPR and has led to damages to the person in question. Claims can be made directly to Vattenfall.
The information on this page applies for Vattenfall and the website corporate.vattenfall.com, unless otherwise stated. For further information regarding Vattenfall’s policy for processing of personal data within other Vattenfall companies, please contact the respective companies and/or visit their potential websites (as listed above). Vattenfall is not responsible for the content of such websites.
Changes to the personal data provisions
If there are changes to the provisions of the Vattenfall Group regarding processing of personal data, it will be announced on this page. The policy may for example change if the law or the application thereof changes. If the processing of personal data has been regulated in an agreement with the customer, the provisions of the agreement apply until they are changed, unless this violates the rights as per the above or are incompatible with law or other legally binding provisions.
Reporting security vulnerabilities through responsible disclosure
Vattenfall pays much attention to the proper security of its information and communication systems. Despite this, a weak spot may exist or develop: a security vulnerability. Abusing a security vulnerability, or informing third parties about such a vulnerability which could lead to abuse, is illegal.
Vattenfall has adopted governmental recommendations and adheres to the following responsible disclosure rules.
Report a (possible) vulnerability to Vattenfall IT Security by completing the online form. Provide as much information as possible. A report can be made anonymously.
Do not use the security vulnerability (e.g. by copying or modifying data), do not make it known to third parties; any communication will be coordinated by Vattenfall.
If the above conditions have been met, Vattenfall will not report the intrusion of its systems to the respective authority.
In the event of a non-anonymous report, Vattenfall will inform the discloser about Vattenfall’s approach to resolve the vulnerability and will keep the discloser updated on progress.
Depending on the degree of seriousness of the security vulnerability and the quality of the report, Vattenfall may decide to express its appreciation and / or issue public credits to the discloser.
Vattenfall considers security, reliability and honesty as highly important. This applies to Vattenfall’s activities as an energy company as well as to its role in society. Your honest contribution to increasing safety and reliability is highly appreciated!
Vattenfall guarantees that it will not attempt to identify an anonymous discloser, provided that the discloser does not use his / her knowledge about the security leak and that the knowledge is not shared with third parties.
Contacts – data protection officers
The data controller is Vattenfall AB, 556036-2138. Queries regarding the Vattenfall Group’s processing of personal data can be made to any of our data protection officers, or via the general contact form.