GRI 418: Customer privacy

GRI 103: Management approach (103-1, 103-2, 103-3)

Relevance

Since the entry into force of the General Data Protection Regulation (GDPR) in 2018, the processing of personal data has become even more important, both within the company as well as externally with regard to data flows.

As an international energy company, Alpiq operates in all important European markets, so the GDPR became a focus of our attention. Alpiq has introduced a data privacy management system and appointed a Data Privacy Officer (DPO) for the group. The Alpiq DPO is supported by local data privacy partners (coordinators), which ensures data privacy compliance in line with the GDPR and all other applicable local regulations. The data privacy expert community maintain a regular exchange and participate in further development activities. Due to its new strategic direction, Alpiq will primarily focus on B2B business activities.

Management approach

Trust is a fundamental requirement for the sustainable success of the Alpiq Group. As a result, Alpiq is committed to handling personal data with the utmost care. All employees receive training in the respectful handling of personal data in accordance with the applicable rules and regulations. Alpiq considers privacy to be much more than a regulatory requirement, it is an integral part of its business practices, as evidenced by our “privacy by design” and “privacy by default” concept. To emphasise this approach, the procedures were anchored in the internal rules for data privacy, which were approved by the Executive Board (2018). The Alpiq Group Data Privacy Officer (DPO) manages the privacy management system together with the local data privacy partners (coordinators) in our operating jurisdictions. The DPO is part of the Alpiq Compliance Team, which ensures that this topic is given prominence and attention. Alpiq has introduced standard procedures for handling data subject requests and data breaches as well as for recording complaints. Transparency and data protection play a key role in the relationships that Alpiq has with its customers and partners, and Alpiq ensures that it collaborates closely with these parties. Alpiq has introduced a state-of-the-art privacy management tool for the uniform management of all aspects of personal data, such as requests of data subjects, cookies and the record of processing activities.

Assessment

The DPO assessed the maturity of the data privacy programme at the start of 2020. The results were incorporated into the privacy roadmap. In addition, the implementation of the GDPR at the local level was externally assessed in the autumn of 2020. The results will have a significant influence on the further development of the data privacy management system.

GRI 418-1: Substantiated complaints concerning breaches of customer privacy and losses of customer data

In 2020, Alpiq recorded one substantiated complaint by a regulatory authority as a result of a technical error that occurred while migrating a customer record. The personal data disclosed was minor in scope and the disclosure posed a very low risk for the individuals concerned. However, Alpiq considered it its duty to notify the competent data protection authority. Together with the authority, Alpiq published a corresponding online notice on the respective website.