One year of DSGVO - what has changed in energy management?
On 25 May 2018, the European General Data Protection Regulation (DSGVO, known in English as the GDPR) came into effect. The high level of media interest has since subsided, apart from occasional reports of record fines.
But it was not only the media that had been dealing with the General Data Protection Regulation for more than a year; companies and other organisations also panicked: long contracts were sent to business partners, and online services were restricted or even discontinued altogether. There were three reasons for this:
- The General Data Protection Regulation leaves room for interpretation in many places
- Legal advisors and other companies sensed revenue opportunities and did not tire of pointing out liability risks
- A legally compliant implementation of the DSGVO means a considerable effort, which had to be handled alongside day-to-day business.
The scope for interpretation in the DSGVO leads to uncertainty until corresponding experience and court judgements are available. Article 40 of the DSGVO actually allows associations to submit so-called codes of conduct to the data protection authorities for approval. In this way, some of the uncertainties could have been dispelled; however, no such codes of conduct have become known so far.
Are personal data processed in energy management?
The first question to be clarified is whether personal data are processed in energy management at all - only then does the DSGVO apply. According to the DSGVO, personal data is "all information relating to an identified or identifiable natural person [...]".
So if names or contact details of persons appear in energy management (or, for example, in EDL-G audit reports), personal data is clearly present. For example:
- Paper files on the buildings of an organisation whose cover page contains the contact details of the person responsible for the building.
- An Excel list with the persons responsible for meter readings.
- The database of an energy management software in which the authorized users are stored.
In most cases, pseudonymisation does not change the classification as personal data. If, for example, an audit report names a "Mr. M." as responsible for Annex X, additional information can be used to find out who is behind the abbreviation "Mr. M." - Mr. Müller can therefore still be identified.
More interesting is the question of whether energy consumption data are personal. The quarter-hour consumption data of a one-person household are certainly personal if they can be assigned to a person via an address, meter number or customer number. The annual energy consumption of a large school or factory hall is certainly not personal. Between these two extremes, a case-by-case examination is necessary.
Ultimately, in most cases one will have to assume that energy management deals with personal data because of the contact details of the persons involved. Only very rarely, however, does this involve particularly sensitive personal data such as health data or religious or ideological convictions.
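The "Mr. M." case above, as an added illustration that is not part of the original article: an audit report that only carries an abbreviated name is linked against the organisation's own building file (the "additional information"), and the pseudonym is treated as personal data as soon as exactly one person fits. All names, annexes and records are constructed sample data.

```python
# Constructed sample data (not from the article): an audit report that names
# only "Mr. M." per annex, and the organisation's building file with real names.
AUDIT_REPORT = [
    {"annex": "Annex X", "responsible": "Mr. M."},
    {"annex": "Annex Y", "responsible": "Ms. S."},
]
BUILDING_FILE = [
    {"building": "Annex X", "manager": "Hans Müller"},
    {"building": "Annex Y", "manager": "Erika Schmidt"},
    {"building": "Annex Y", "manager": "Karl Steiner"},  # deputy, same initial
    {"building": "Annex Z", "manager": "Peter Meier"},
]


def surname_initial(pseudonym: str) -> str:
    """'Mr. M.' -> 'M': drop the title and the trailing dot."""
    return pseudonym.split()[-1].rstrip(".")


def candidates(audit_entry: dict, building_file: list) -> list:
    """Everyone in the building file who fits both the annex and the initial."""
    initial = surname_initial(audit_entry["responsible"])
    return [
        row["manager"]
        for row in building_file
        if row["building"] == audit_entry["annex"]
        and row["manager"].split()[-1].startswith(initial)
    ]


def identify(audit_report: list, building_file: list) -> dict:
    """Map each annex to the identified person, or None while still ambiguous.

    A single candidate means the pseudonym is identifiable with reasonable
    effort and therefore stays personal data; an ambiguous result still calls
    for the case-by-case examination described in the text.
    """
    result = {}
    for entry in audit_report:
        found = candidates(entry, building_file)
        result[entry["annex"]] = found[0] if len(found) == 1 else None
    return result


if __name__ == "__main__":
    print(identify(AUDIT_REPORT, BUILDING_FILE))
```

Note that the ambiguous Annex Y case only survives because the title ("Ms.") is ignored here; any further attribute in the building file would resolve it, which is why pseudonymisation alone rarely takes a record out of the DSGVO's scope.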
Lawfulness of the processing of personal data in energy management
If it can be assumed that personal data are processed in energy management and that the DSGVO therefore applies, there must be a legal basis for processing the data of a specific person. This can be, for example, the explicit consent of the data subject, a contract with the data subject, a legal obligation or the protection of vital interests. These bases are in most cases unsuitable for energy management. In particular, relying on explicit consent is not advisable, as consent must not only be obtained explicitly and in a legally valid form, but can also be revoked at any time.
Article 6 DSGVO paragraph 1 letter e becomes relevant in most cases: "Processing is lawful only if [...] the processing is necessary to safeguard the legitimate interests of the controller or of a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail ...".
The legitimate interest is energy saving. It can be assumed that the "interests or fundamental rights and freedoms of the data subject" do not prevail in the typical uses of personal data in energy management.
(New) obligations under the General Data Protection Regulation
According to the DSGVO, all persons whose data are processed (e.g. in energy management) must be informed about the fact and the scope of the processing. In addition, the DSGVO lists what this information must contain:
- Contact details of the controller and, if applicable, of the data protection officer
- Which data is collected and for what purpose
- Legal basis (in the case of legitimate interests, also these interests); here e.g. "Art. 6 DSGVO paragraph 1 letter e" and "energy saving", whereby of course the necessity of processing personal data for energy saving should be explained
- Recipients of the data, if applicable
- Intention, if any, to transfer the data to a third country outside the EU
- Duration of storage (period or criteria)
- Reference to the data subject's rights (access, erasure, restriction of processing or right to object, right to lodge a complaint with a data protection authority)
- Source of the data, if applicable
If the organisation entrusts a third party with the processing of personal data, further requirements apply. For example, the so-called "processor" must be selected "carefully", and the processor may only involve subcontractors in the processing of personal data if the original client agrees to this. In particular, a contract with specific mandatory content must be concluded between the organisation and the processor.
The rights of data subjects under the DSGVO naturally also apply to personal data in energy management. These rights include, among others, the right to obtain information about all data stored about them, to have the data corrected, or to have the data deleted for certain reasons.
Similarly, an organisation that processes personal data in energy management is obliged to report data breaches to the data protection supervisory authorities. A data breach can be, for example, a lost notebook on which personal data was stored.
In such a case at the latest, the technical and organisational measures (TOM) will be reviewed. The DSGVO requires the controller (here the organisation operating energy management) and any processor involved to take appropriate technical and organisational measures "to ensure and be able to demonstrate that processing is performed in accordance with this Regulation".
Last but not least, the DSGVO imposes the obligation to limit the processing of personal data as far as possible through "data protection by design" and "data protection by default". Specifically for energy management, this can mean, for example, limiting the data stored about a person to the absolute minimum (contact details).
In many cases, the DSGVO also affects energy management - even if the persons responsible for meter readings or measures merely appear on a list. If a cloud-based software solution is used for energy management, a contract that meets the requirements of the DSGVO must be concluded. Even if the data remains "in-house", the rules of the DSGVO must be observed. In particular, only those personal data may be processed that are necessary to achieve the objective. All persons concerned must be informed and must know, among other things, the scope of the data and the legal basis for processing the personal data - in energy management this is usually the "legitimate interests" basis pursuant to Art. 6 DSGVO paragraph 1 letter e.
For most persons and organisations involved in energy management, the substance of the work does not change - data security and economical handling of personal data have always been of great importance, at least for professional providers such as IngSoft. What is new is a bureaucratic overhead, which is not only implemented once but must be maintained permanently.
Note: This text is for general information only and does not replace any legal advice that IngSoft does not provide.