Privacy Policy for Contact Persons

Privacy statement for customer and partner register

Last updated: June 21, 2018

Your privacy is important to us and we work hard to protect your information. This privacy statement which is based on the General Data Protection Regulation (EU) 2016/679 (“GDPR“) describes what personal information is being processed by Enersense, how it is processed and for what purposes.

1. Controller of personal data

Enersense Oy
Business ID: 2442767-4
Konepajanranta 2
28100 Pori, FINLAND

hereinafter “Enersense”

2. Contact information for this Register

You may contact our Data Protection Officer, if you have any concerns related to the processing of personal data or the exercise of your rights under the EU Data Protection Regulation. Please contact our Data Protection Officer by email at dpo@enersense.com.

3. Name of the Register

Customer, Partner and Contact Person Register (“Register“). The register contains personal data of former, existing and potential customers’ and co-operation partners’ contact persons.

4. The nature, purposes and the legal basis for the processing

Processing of personal data is necessary for concluding and managing customer relationships or cooperation with Enersense or its affiliated companies.

The purpose of the processing of personal data is to maintain a customer relationship, to cooperate, to support sales, to develop business and services and to maintain customer communication in regards to contract compliance and marketing. Personal data is processed only to the extent necessary.

Based on data protection regulations, Enersense processes personal data on the following legal basis for processing:

Purpose of processing personal dataLegal basis for processing
Customer Relationship Management and Development

  • Customer service and communication
  • Communication related to a possible or terminated contract
  • Tasks related to customer relationship management, customer events and training
Marketing and Customer Acquisition

  • Finding potential customers as well as offering services to prospective customers
  • Target marketing and advertising
Business and Service Development

  • Monitoring and analysis of the service usage as well as e.g. customer segmentation to enable personalized service
  • Quality assurance
Risk Management

  • Ensuring the security of services
  • Preventing and investigating irregularities
Legitimate interest

Enersense considers that the purposes defined in this privacy statement are essential for its business and thus has a legitimate interest for processing personal data.

Enersense shall make sure that the processing of personal data is proportionate to the interests of the data subject and corresponds with his or her expectations.

The data subject has the right to object the processing of personal data according to the requirements of the EU Data Protection Regulation, insofar as the processing is based on the legitimate interest of Enersense.

Enersense has also conducted the balancing test as defined by the Data Protection Authority to ensure that the data subject’s interests are taken into account.
Performance of Contracts, Offering and Providing Services

  • Customer or co-operation contract compliance
  • Communication on compliance with contracts and the providing and production of services
Agreement

Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Processing of personal data is necessary to conclude an agreement and to fulfill the contractual obligations between the customer or partner and Enersense or its affiliated companies
Statutory Requirement

  • Fulfilment of requirements and obligationsstated in laws, regulations or decisions from authorities and supervisors (e.g. Accounting Act, Prepayment Act)
Legal obligation

Enersense is obliged to process personal data to comply with its legal obligations.

5. Categories of personal data contained in the Register

The Register consists of personal data related to the customers’ and partners’ contact persons in the following categories:

  • first name and surname
  • contact details (e.g. phone number, email address)
  • name of the company represented
  • customer and contract information (e.g. name of the contact person in orders and
    invoicing)
  • position and profession
  • information related to customer events (e.g. food restrictions and allergies upon
    the data subject’s consent)

6. Duration of processing

Personal data is processed at least for the duration of the customer and contractual relationship. Personal data will also be stored after the termination of the customer and contractual relationship for the period necessary to fulfill the purposes defined in this privacy statement.

Personal data is erased after the claim period related to a specific customer relationship or service has elapsed. This period is typically ten (10) years. The information of potential customers is stored as long as the storage is necessary for establishing a customer relationship.

Personal data processed for analytical or statistical purposes will be anonymised or erased securely at the end of a customer or contractual relationship unless there is a legal basis for the storage. Anonymization means that any identifying information that a person can or could be identified is erased so that data is no longer considered as personal data.

Enersense estimates regularly the need for data storage taking into account the applicable legislation.

7. Sources of personal data

Personal data is primarily collected directly from the customer or co-operation partner. In addition, personal data may be collected and updated from other Enersense Group’s companies registers. Personal data may also be collected from other sources upon the data subject’s consent.

When permitted by law, personal data may be collected from registers of third parties, such as:

  • The Population Register Centre
  • registers of other authorities, e.g. Trafi, Trade Register and Register of
    Foundations
  • contact service providers
  • credit information registers

8. Transfer of personal data and the categories of recipients of personal data

Personal data shall not be transferred to third parties without the consent of the data subject. Notwithstanding the above, personal data may be transferred to affiliates of the Enersense within the limits of the purposes of processing determined above.

Personal data shall not be transferred outside the European Union (“EU“) or the European Economic Area (“EEA“) unless it is necessary in regards to the purposes of processing determined above. In case personal data is transferred outside the EU or the EEA, Enersense shall implement suitable safeguards in order to comply with the requirements of applicable data protection legislation. Enersense may for instance conclude an agreement with a client operating outside the EU or the EEA in accordance with the standard data protection clauses adopted by the European Commission.

9. Security of processing

Enersense has appropriate technical and organisational means of data security in order to safeguard data subjects personal data from loss, misuse or other equivalent illegal access. Secure processing of personal data is ensured by providing instructions as well as implementing access management to provide access to designated employees of the Enersense or its affiliates. Personal data is only processed by employees who have the right to do so within the framework of their work duties.

Data security is a central part of the core values of the Controller. Therefore data security is evaluated and developed regularly.

10. Rights as a data subject

The data subject can exercise their rights by contacting the data protection officer using the information in section 2. The data subject has the following rights as defined by the GDPR:

  • The right to obtain confirmation as to whether or not personal data concerning him or her are being processed, and where that is the case, access to the personal data.
  • The right to have incorrect or incomplete information corrected or completed.
  • The right to request erasure of personal data concerning him or her.
  • The right to restrict processing of personal data, when applicable according to the GDPR.
  • The right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller.
  • The right to object processing of personal data according to the requirements of the GDPR
  • The right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the GDPR

11. Updates to this privacy statement

Enersense seeks to develop its services continuously and thus reserves the right to modify this privacy statement. This privacy statement may also be updated to reflect any changes in applicable laws. Enersense encourages data subjects to periodically review this privacy statement. Enersense may also notify data subjects directly by sending a notification about updates that have material effects to data subjects.