Employee Privacy Statement

Employee Privacy Statement of the Swedish Vattenfall companies

Date: 25.05.2018

The protection of privacy is of very high importance to Vattenfall. Personal data is therefore processed and secured with the utmost care in accordance with the General Data Protection Regulation (EU) 2016/679 (the "GDPR"). This privacy statement informs you about how Vattenfall handles your personal data and how you can exercise your rights w.r.t. your personal data.

1. Definition of terms

2. Scope

3. Controller, Data Protection Officer, and the relevant data protection authority

4. Aim of the Privacy Statement and legal ground for the processing of personal data

5. Categories of personal data

6. Recipients of personal data

7. Data Retention

8. Data Minimization

9. Automated decision making

10. Rights of the Data Subject and Complaints Lodging

Up

1. Definition of terms

Data Subject: the natural person to whom the personal data relates
Vattenfall: All of the direct and indirect UK subsidiary companies of Vattenfall AB
Controller: The company that is responsible for and determines the purpose and the means of the processing of the personal data

Up

2. Scope

This statement covers the processing of personal data of

- Employees of Vattenfall

- Staff contracted through a temporary-employment agency

- Former employees of Vattenfall and former staff contracted through a temporary-employment agency, to the extent a reason for processing exists

- Retired employees of Vattenfall and their beneficiaries

Up

3. Controller, Data Protection Officer, and the relevant data protection authority

The Controller is your contractual partner within Vattenfall. The responsible Data Protection Officer can be contacted through
Vattenfall AB
Data Protection Officer
Evenemangsgatan 13
S-169 56 Solna
e-mail: dpo.nordics@vattenfall.com

The responsible data protection authority is the Swedish Data Protection Authority.

Up

4. Aim of the Privacy Statement and legal ground for the processing of personal data

This statement informs you about the processing of your personal data. The processing takes place:

i. on the grounds of contractual fulfilment (Article 6 Subparagraph 1 Point (b) GDPR)

The data processing is necessary for the initiation, execution, and settlement of the employment contract. The data collection takes place in the context of contract initiation and during the period of the contract. The information collected is needed for the fulfilment of the following contractual obligations (amongst others):

  • determining, calculating and paying salaries, bonuses and other compensation;
  • determining, calculating and paying compensation to family members or next of kin of the Data Subject;
  • arranging benefit claims due to the termination of employment;
  • implementing pension schemes and insurance policies;
  • for company medical care provided to the Data Subject, absenteeism, special allowances, re-integration and company welfare;
  • executing and planning business trips.

Up

ii. based on a legitimate interest (Article 6 Subparagraph 1 Point (f) GDPR)

We are processing your personal data in order to fulfil our legitimate interest regarding the execution and improvement of our work processes and of our individual employee development. This usage includes the following purposes:

  • Internal communication (intranet, internal telephone book, etc.)
  • performance management and training, development, review and career guidance of the Data Subject;
  • management information;
  • internal control and company security, including access control;
  • supporting and improving business processes and determining potential changes to the organisational structure;
  • execution of business processes.

The data processing legitimately takes place under consideration of the reciprocal legitimate interests. The legitimate interest of Vattenfall is to optimize the internal business processes in order to use the potential of the Vattenfall employees to the most optimal extent, which contributes to the overall success of the company. In order to protect the legitimate interest of the Data Subject, the processing of the personal data is strictly bound by purpose and minimized.

Up

iii. due to legal obligations (Article 6 Subparagraph 1 Point (c) GDPR)

As a company, we are obliged to fulfil certain legal obligations (e.g. tax law, social security law, Employment Law, etc.), which require the processing of your personal data, e.g.

  • informing and consulting with the trade unions;
  • for company medical care provided to the Data Subject, absenteeism, special allowances, re-integration and company welfare;
  • calculating, determining, and paying tax and contributions for the Data Subject;

Up

5. Categories of personal data

The following categories of personal data are being processed by the Controller:

a) Personnel Management data

- Personnel master data
- Billing and time writing data
- Data for preventive occupational medical care
- Personnel and salary files

b) Internal Recruitment data

- Application documents
- Results from selection procedures
- Talent Management data (for participants only)
- Internal Placement data (for participants only)

 Up

c) Vattenfall Group identification card data
- Access authorization
- Access data and time recording
- Canteen usage

d) Identity Management data
- IT user master data and authorizations
- Log data regarding the usage of IT systems and the internet

e) Video Surveillance data
- Video recordings (without reference to persons)
- In exceptional cases: Reports with reference to persons as agreed in the corresponding labor agreement

Up 

f) Usage of company resources such as
- Rooms- Company cars
- Other tools and utilities

g) Voice recordings (only in defined, openly announced, and with codetermination agreed upon environments)
The personal data processed is directly obtained from the Data Subject.

Up

6. Recipients of personal data

Reciptients of the the processed personal data are

a) public authorities, if required by law

b) internal and external service providers

c) employees and authorized persons of the Controller

In the context of provision of services by external service providers, the personal data category listed under Section 5 Point d) are partly processed in countries outside the European Union, for which no adequacy decision has been taken by the European Union. These countries are the USA and India. It is planned to process personal data from categories Section 5 Points d) and f) through an external service provider in the USA, Australia, and India.

Next to technical and organizational measures in order to provide appropriate protection of the affected personal data, EU model clauses have been or will be agreed upon with the respective service providers. Access to these clauses can be obtained from your Data Protection Officer.

Up

7. Data Retention

We process your personal data as long as it is necessary to fulfil the processing purpose or to fulfil our contractual and legal obligations. The legislator has issued various retention obligations and retention periods. After fulfilment of the processing purpose and, should the data in question be subject to any of such retention periods, after expiry of the retention period the data in question is routinely deleted.

Up

8. Data Minimization

We only collect and process personal data that is minimally required to fulfil the aforementioned processing purposes or obligations.

Up

9. Automated decision making

Within the processing of the personal data in scope of the privacy statement, no automated decision making incl. profiling takes place.

Up

10. Rights of the Data Subject and Complaints Lodging

Should you have questions w.r.t. the processing of your personal data, you can turn to the Data Protection Officers (see Section 3). The Data Protection Officers and their teams are also available in case of requests for access or in case of complaints.

Please direct all requests regarding your personal data as defined in Article 15 of the GDPR to
Vattenfall AB
Data Protection Officer
Evenemangsgatan 13
S-169 56 Solna
e-mail: dpo.nordics@vattenfall.com

Up

The Data Protection Officers of Vattenfall are also your contact persons for the execution of your right to rectification in case of errors while storing or processing your personal data (Article 16 GDPR), erasure of your personal data e.g. in case of expiry of the processing purpose (Article 17 GDPR), restriction of processing e.g. in case of disputes regarding the correctness of personal data or for the protection of possible claims (Article 18 GDPR), objection against processing based on legitimate interest (Article 21 GDPR), and data portability (Article 20 GDPR).

Should the processing of personal data be based on legitimate interest (Article 6 Subpara-graph 1 Point (f) GDPR), you have, at any time, the right to object to the processing based on reasons arising from your particular situation. Please direct your objection to
Vattenfall AB
Data Protection Officer
Evenemangsgatan 13
S-169 56 Solna
e-mail: dpo.nordics@vattenfall.com

In addition, you can also contact the Information Commissioner's Office, ico.org.uk, in case of complaints (Article 77 GDPR).

Up

Last updated: 2018-09-20 16:05