Vatenfall Europe Sales GmbH fined for not fulfilling transparency obligations Summary Our remarks Vattenfall Europe Sales GmbH offered its customers • When processing personal data, make sure to especially beneficial contracts that involved a payout inform your data subjects of their rights under the to customers. To avoid making these deals unprofitable, GDPR, including: the company conducted routine reviews of contract ° The right to be informed, inquiries for ”behavior conspicuous for switching”. To do so, Vattenfall utilized invoices from around 500,000 ° The right to access, previous customers, effectively cross-referencing this information with the data obtained from the inquiries. ° The right to rectification and erasure, However, the company did not inform new or existing ° The right to restriction of processing, customers about this data reconciliation process or its purpose. ° The right to data portability, The company cooperated extensively with the DPA ° The right to object, throughout the investigation process. ° The right to not be subject to automated decision- The Decision of the DPA making, including profiling. The DPA’s investigation focused solely on the matter of • In accordance with the right to be informed, data information obligations and did not assess whether the controllers should inform the data subject about data reconciliation itself was permissible. the data processing itself, including: The DPA fined Vattenfall Europe 900,000 EUR for the ° The identity and contact details of the data controller following violations: and the DPO (if applicable), • Not providing data subjects information about ° The purpose of the processing and the legal basis for their rights as data subjects in relation to the data the processing, processing (GDPR, Article 12). ° The categories of data being processed, as well as the purposes of the processing, • Not providing data subjects with information about the nature of the processing of their personal data ° The recipients or categories of recipients who will or the purpose of the processing (GDPR, Article 13). have access to the personal data, The fine was significantly reduced due to Vattenfall’s ° Where processing is based on consent, the right to extensive and immediate cooperation with the DPA. withdraw the consent. • When the data is collected from the data subject, the data subject should, when possible, be informed at the time of the collection. Published: 28-07-2022 Journal number: N/A Tags: 01 Legal basis and principles of processingPublished: 24-09-2021 Journal number: N/A Tags: 02 Right to access and obligation to provide information. 51