Denmark: Datatilsynet finds processing activities in connection to remote electricity meter readings in line with GDPR
On May 17, 2023, the Danish data protection authority (Datatilsynet) announced its decision in which it found Radius Elnet A/S's processing of personal data to be in accordance with the General Data Protection Regulation (GDPR) and national data protection rules, following complaints from individuals.
Background to the decision
The complaints against Radius, a company that operates distribution networks for electricity in Denmark, concerned its processing of personal data, whereby it collected personal data about the complainants' electricity consumption in kilowatt hour (kWh) on an hourly basis via remotely read electricity meters, and then reported the information to the energy company, Energinet.
Findings of the Datatilsynet
Notably, the Datatilsynet found that Radius' processing activities were in accordance with the GDPR, specifically noting that:
- Radius' processing of personal data for the purpose of billing and ensuring the security of supply, as well as sufficient quality and capacity in the electricity network, was necessary to comply with a legal obligation under the Electricity Supply Act, in line with Article 6(1)(c) of the GDPR;
- Article 25(1) of the GDPR does not apply to the processing activity in question since the activity was initiated before May 25, 2018 (when the GDPR came into effect), and Article 25(1) does not entail a requirement for older systems to be redesigned if, for example, sufficient organizational security solutions already exist; and
- there was no basis for concluding that Radius' processing activities on the basis of its legal obligation were in breach of the principle of proportionality under Article 5(1)(c) of the GDPR.
Ultimately, the Datatilsynet found that Radius had not breached the aforementioned article of the GDPR, finding no violations of the same.