
Netherlands: Code of conduct for Smart Grid Management - What you need to know

On 3 May 2022, the Dutch data protection authority ('AP') approved the code of conduct for Smart Grid Management ('the code of conduct'). The approval of the code of conduct is conditional on the AP’s approval of a supervisory body for the code of conduct, to be established within the next two years.

In this Insight article, Chantal Van Dam and Fenneke Buskermolen, from Hogan Lovells, explore the different layers of the code of conduct, further highlighting the obligations, compliance, and supervision structure it sets out, as well as next steps in light of the code of conduct's approval.


What does the code of conduct entail?

A code of conduct can help organisations to ensure they follow best practice and rules tailored to their sector or processing operations, thus enhancing compliance with data protection law.

The code of conduct was created by Netbeheer Nederland (the Dutch branch organisation for electricity and gas network operators). It imposes a set of binding rules and good practices for the processing of personal data by electricity and gas network operators associated with Netbeheer Nederland ('the Network Operators'), for the purpose of network management conducted by those Network Operators. It is expected that the AP will assume that other electricity and gas network operators will also consider the rules and good practices set out in the code of conduct.

The code of conduct focuses on harmonising the way in which Network Operators inform customers in an understandable, unambiguous, and uniform manner about their processing of personal data in relation to network and smart grid management. The code of conduct further seeks to ensure the uniform assessment of data processing done by the Network Operators, by setting out a model Data Protection Impact Assessment ('DPIA'), as well as a joint data protection policy which provides a non-exhaustive list of frequently occurring network management purposes (e.g. firmware updates, capacity planning, and fraud detection) and any related details (e.g. type of data and frequency of data read-out).

Obligations for Network Operators

Transparency

In order to ensure a uniform, transparent, and harmonised provision of information towards customers, the code of conduct introduces a set of obligations to which the Network Operators have to adhere. The Network Operators should:

  • jointly inform customers in an understandable, unambiguous, and uniform manner about personal data processed in relation to network management objectives and smart grid management;
  • provide at least the following information to customers in relation to their processing of personal data for the purpose of network management:
    • the independent role of the Network Operator within the energy system;
    • the Network Operator's function in the energy system as a distribution system operator;
    • an explanation of the personal data (meter data) that the Network Operator processes for network management purposes; and
    • the manner in which the Network Operator has safeguarded the rights and freedoms of the customers; and
  • clearly inform customers of the right to object to the remote reading of meter data and to file a complaint regarding the processing of personal data for network management purposes.

DPIA

To ensure the uniform assessment of data processing by the Network Operators, the code of conduct sets out a model DPIA which the Network Operators jointly have to adhere to. This DPIA model requires the following sections to be included:

  • a description of the processing that will take place, including which personal data will be processed and a description of the implemented safeguards;
  • a Task Necessity Assessment ('TNA'), which assesses the scope, necessity, proportionality, and foreseeability of the envisioned processing, and whether the processing falls under the legal duties of the Network Operators;
  • a second review of the risk associated with the processing, which includes a determination of the risk level, as well as an assessment of any high-risk processing activities, the information provided to customers, and (additional) safeguards necessary to mitigate the risk to the rights and freedoms of customers;
  • a determination of the required time period for reassessment, at least once per five years for low-risk, and once per three years for high-risk processing; reassessment is also required when there is a change in the risk posed by the processing operations; when reassessing, the Network Operator should verify the implementation of mitigating measures and appropriate safeguards; and
  • if applicable: if the processing is determined to be high risk and no mitigating measures are implemented or available, then advice should be included in the DPIA, to either not carry out the intended processing, or to initiate a prior consultation procedure with the AP.

In addition, the Network Operators are required to keep a joint registry of the DPIAs carried out, including the respective levels of risk to the rights and freedoms of customers and the time period for reassessment. The Network Operators are also required to jointly prepare a uniform summary of the main results of DPIAs in understandable language, which can be published and made available upon request of customers or other interested parties. The code of conduct does not further define who qualifies as an interested party.

Compliance and supervision of the code of conduct

There are several mechanisms contained within the code of conduct which ensure the compliance with, and supervision of, the code of conduct.

Complaint handling procedure

The first compliance mechanism is the requirement for the Network Operators to implement an effective, transparent, and easily accessible complaint handling procedure for customers that provides for:

  • independence: the complaint is handled by a person who has not been involved in the processing to which the complaint relates;
  • transparency: the complainant is informed, in writing, of the findings in respect of the complaint, including the reasons for it, and the conclusions to be drawn from those findings; and
  • effectiveness: the complaint is handled as soon as possible, in principle within eight weeks following the complaint.

This complaint procedure is without prejudice to the rights of individuals under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

Supervisory body

The code of conduct provides that an independent supervisory body should be established by Netbeheer Nederland to oversee the processing of personal data by the Network Operators in relation to:

  • the provision of information by the Network Operators to customers;
  • the process of assessing the risks to the rights and freedoms of individuals involved;
  • the implementation of the complaint handling procedure by the Network Operators; and
  • compliance with the code of conduct by the Network Operators.

In the event of non-compliance with the code of conduct, the supervisory body holds various enforcement powers, including suspension, termination, or expulsion of the Network Operators from Netbeheer Nederland. Additional enforcement powers will be granted to the supervisory body in a governance and supervision regulation, which is yet to be drafted.

The supervisory body is to be established by Netbeheer Nederland within two years following the conditional approval of the code of conduct by the AP. Further information on the timeline for the creation of the supervisory body has not yet been published. Following establishment, the AP will assess, among other things, the independence and expertise of the supervisory body, accredit the supervisory body, and approve the code of conduct as a whole if this assessment is positive. Alternatively, the AP may suspend its conditional approval of the code of conduct.

Steps to be taken by Network Operators

After the conditional approval of the code of conduct by the AP, it is now up to the Network Operators to implement the rules and good practices as described in the code of conduct. The code of conduct may be used as an accountability tool to demonstrate the Network Operator's compliance with the GDPR for processing within the scope of the code of conduct, thereby potentially providing a consistent level of data protection in their sector.

The obligations, the DPIA template, the complaint mechanism, and the future establishment of a supervisory body introduced by the code of conduct will help the Network Operators in designing their processing activities in accordance with the principles laid down in the GDPR. The adoption of the code of conduct creates momentum for the Network Operators to review and revise their processing activities, internal policies, and procedures against the code of conduct and the GDPR in order to improve their level of compliance.

Chantal Van Dam, Senior Associate
Fenneke Buskermolen, Associate
Hogan Lovells, Amsterdam