Privacy Policy

This Privacy Policy describes how Gasgrid Finland Oy and its subsidiaries, Floating LNG Terminal Finland Oy and Gasgrid Vetyverkot Oy (later collectively referred to as ”Gasgrid group”, and later each jointly or separately, as the context requires, also “we”) processes your personal data.

Gasgrid Finland Oy, Floating LNG Terminal Finland Oy and Gasgrid Vetyverkot Oy basically each act as independent controllers for the processing of personal data related to their respective business activities. This means that each of the companies acts as an independent controller of, for example, the personal data of its own customers, the personal data of its suppliers’ representatives and the personal data of its job applicants. However, since the processing of personal data by the companies described in this Privacy Policy is consistent, this Privacy Policy describes the processing of personal data by all companies in Gasgrid group as described in this Privacy Policy.

As the controller, we are ultimately responsible for the processing of personal data that we carry out. Trust is key to privacy and data protection, and protecting your privacy and personal data is of paramount importance to us. This is why we will only process your personal data to the extent that we need it for the purposes described in this Privacy Policy. In all processing of personal data, we comply with applicable data protection legislation, including the European Union’s General Data Protection Regulation (EU) 2016/679 (GDPR) and the supplementary national Data Protection Act (1050/2018), and, where applicable, the Act on Electronic Communications Services (917/2014).

Gasgrid Finland Oy maintains the Gasgrid group website at https://gasgrid.fi/en/. Please note that our website contains links to third party websites or content provided by third parties, and some of the content on our website, as well as the media through which you can interact with us, such as social media channels, are services provided by third parties. Such links to third party websites or content and our presence on services provided by third parties do not imply that we are affiliated with or have any control over such third parties, and therefore, to the extent permitted by applicable law, we are not responsible for such content or services, their level of privacy protection or the actions of such third parties with regard to their processing of personal data.

Data controllers and content of privacy policy

Data controller

Gasgrid Finland Oy (Business ID 3007894-1)
Keilaranta 13-19 B, FI-02150 Espoo
info (at) gasgrid.fi

Floating LNG Terminal Finland Oy (Business ID 3285669-8)
Keilaranta 13-19 B, FI-02150 Espoo
info (at) gasgrid.fi

Gasgrid Vetyverkot Oy (Business ID 3331856-8)
Keilaranta 13-19 B, FI-02150 Espoo
info (at) gasgrid.fi

As a data subject, you may be either a contact person or other representative of one of our customers or potential customers, a job applicant, a natural gas end-user, a contact person or other representative of our service providers or partners, a sponsorship applicant, or any other member of our stakeholders (data subject) with whom it is important or necessary for us to communicate.

This Privacy Policy applies to the processing of personal data in the following contexts related to the activities of Gasgrid group:

Processing context	Data controller
Customer and potential customer relationships – representatives of registered customers and potential customers	The Gasgrid group company with which the company you represent has entered into a customer relationship agreement or whose potential customer is the company you represent.
Goods and services procurement procedures- registered representatives of service providers and other suppliers	The Gasgrid group company with which the company you represent has concluded an agreement or are involved in a procurement procedure.
Partners, media and public authority contacts and other stakeholders, including stakeholder surveys – registered representatives of partners, media and other stakeholders	The Gasgrid group company with which the company you represent has concluded an agreement or been in dialogue relating to cooperation or other stakeholder activity.
Specific features of our operations and our legal obligations as a transmission system operator (including the Gas Data Hub, Gasgrid portal, Guarantee of Origin scheme)	Gasgrid Finland Oy
Recruitment processes and open job applications	The Gasgrid group company whose job vacancy is concerned or with whom you have interacted in a recruitment matter. If the recruitment is carried out by our recruitment partner MPS-Yhtiöt Oy, the processing will also create a joint register between the Gasgrid group company and MPS-Yhtiöt Oy. In such cases the Privacy Policy of MPS-Yhtiöt also applies to personal data processing.
Reports via Gasgrid group’s Whistleblowing channel	The Gasgrid group company which the whistleblowing report concerns.
Gasgrid group’s recording video surveillance system and access control at our premises	Gasgrid Finland Oy
Sponsorship applications	Gasgrid Finland Oy
Gasgrid group’s website at https://gasgrid.fi/en/	Gasgrid Finland Oy maintains the website and acts primarily as an independent controller. To the extent that the personal data collected on the website is also used by other companies for their own business purposes, there is a joint controller relationship between them for that use. To the extent that a website visitor enters their personal data on the website (for example, by filling in a feedback form), the controller is the party whose activities the visitor has intended to be affected by their actions.

Purpose and legal basis for processing personal data

We process your personal data only for the purposes described in this Privacy Policy or for other purposes disclosed to you when we collected your personal data and only to the extent that the processing is necessary for each of the purposes of processing described in more detail in these contexts.

We process personal data primarily for purposes that enable our customers to use our products and ensure a first-class customer experience. In particular, we process personal data for the following purposes, based on the following processing criteria:

Representatives of customers and potential customers, service providers and other suppliers, partners, media and other stakeholders

Statutory duties: The provision of services covered by the TSO with system responsibility under the Natural Gas Market Act (587/2017) and the obligations of the operator of the Guarantee of Origin system under the Act on Guarantees of Origin for Energy (1050/2021) based on our legal obligation under legislation (Article 6(1)(c) of the GDPR)

Managing the customer, supplier or stakeholder relationship, such as entering into, implementing and potentially subsequently amending an agreement between us and the organisation you represent, managing and developing the relationship, and communications related to the relationship, such as providing customer service, sending communications and other content related to our business relationships or services, and otherwise responding to requests and enquiries from customer, supplier or other stakeholder representatives through various channels. The legal basis for this processing is our legitimate interest (GDPR Article 6(1)(f)) in conducting our business and your relationship with the organisation with which we have entered into a business relationship. Where the stakeholder is a natural person, the legal basis for the processing may also be an agreement between us and that person (GDPR Article 6(1)(b)).
Invoicing and other management of invoices and payments based on our legitimate interest (GDPR Article 6(1)(f)) to conduct our business and your relationship with the organisation with which we have entered into a business relationship.
The arrangement of events, including various seminars, trainings, stakeholder meetings, rescue exercises, webinars, info briefings, safety webinars and customer forums, where the processing is based on our legitimate interest (GDPR Article 6(1)(f)) to process personal data for the purposes of arranging the event. Where you provide us with special categories of personal data in this context, such as information about allergies or special dietary needs, from which information about your health can be inferred, the basis for the processing is your explicit consent (GDPR Article 9(2)(a)).
Marketing and similar communications to our existing or potential customers or other stakeholders, for example, to provide up-to-date information about our products or services and new features or other current issues that we believe may be of interest to the recipient. The legal basis for processing communications for marketing or similar purposes is our legitimate interest (GDPR Article 6(1)(f)), in particular to promote the sale of our products and services and to raise awareness of them and of our company. The processing of your personal data may also be based on your consent (GDPR Article 6(1)(a)), for example, if you have subscribed to the Gasgrid group newsletter, or, if you provide us with special categories of personal data, such as information about allergies or special dietary needs, from which information about your health can be inferred, the basis for the processing is your explicit consent (GDPR Article 9(2)(a)).
Sales: Promoting sales of our services and products, either on our initiative or on the initiative of the potential customer representative themself, based on our legitimate interest (GDPR Article 6(1)(f)) will promote our business. We also make additional sales to our existing customers, which we target to our customers’ representatives, also based on our legitimate interest (GDPR Article 6(1)(f)) to promote our business.
Product development: We develop our products and services based on feedback from our customers or other stakeholders. The collection of information for product development purposes may be anonymous or identifiable. To the extent that personal data is processed, the processing of personal data in these contexts is based on our legitimate interest (Article 6(1)(f) GDPR) or on the data subject’s consent (GDPR Article 6(1)(a)).
Compliance with obligations under other applicable legislation, such as tax obligations, EU and UN sanctions legislation and decisions, or responding to requests from public authorities, for example under tax or accounting legislation or other mandatory legislation. The processing basis is then the relevant provision of the applicable law (GDPR Article 6(1)(c)).
Ensuring agreement compliance and control of abuse: Ensuring and monitoring compliance with the agreement between us and the organisation you represent and investigating suspected abuses, where the processing is based on our legitimate interests (GDPR Article 6(1)(f)) to conduct our business and protect our legitimate interests in relation to it.

Natural gas end customers

Provision of services under the system responsibility of the transmission system operator under the Natural Gas Market Act, based on our legal obligation under the Natural Gas Market Act (GDPR Article 6(1)(c)).

Users of our website

Enabling use of our website: When you visit our website, we may process your personal data to provide you with access to our website and its functions and to ensure the security, functionality and stability of the website, such as processing to detect possible misuse and attacks that undermine the security of our website. The processing is based on our legitimate interests (GDPR Article 6(1)(f)) and the legitimate interests in question are the purposes of use mentioned above. The collection and further processing of your personal data on our website is generally carried out using automated technical means such as cookies and similar technologies. If you would like to know more about the use of cookies on our website, please refer to the additional information on the use of cookies on our website at https://gasgrid.fi/en/cookie-policy/.

Whistleblowing channel

Our obligation under applicable law to ensure that our operations comply with the law. The basis for processing personal data of the subjects reported is then our obligation to ensure compliance with legislation based on the Act on the Protection of Persons Reporting Infringements of European Union and National Law (1171/2022, Whistleblower Act) (GDPR Article 6(1)(c)). Reports can be made anonymously, but where you, as the whistleblower, submit your personal data when making the report, the processing will be based on your consent (GDPR Article 6(1)(a)). Processing may also be based on our legitimate interest, both in relation to the subject of the report and the whistleblower, in which case the legitimate interest is our right to ensure the lawful and ethical conduct of our employees, suppliers and business partners and to take action where we detect misconduct. Gasgrid group’s whistleblowing channel can be found at https://gasgrid.ilmoituskanava.fi/#/.

Sponsorship applicants

Signing and implementing a sponsorship agreement. If the sponsorship applicant is an organisation, the legal basis for the processing is our legitimate interest (GDPR Article 6(1)(f)) to conduct our business and your relationship with the organisation with which the sponsorship relationship is entered into. If the sponsorship applicant is a natural person, the processing is based on the sponsorship agreement or on the measures necessary for its conclusion at the request of the data subject (GDPR Article 6(1)(b)).

Jobseekers

Recruiting process: We process your personal data for the purposes of the recruitment process to the extent that the processing is necessary to take steps at your request prior to the conclusion of an employment contract between you and us, including assessing the qualifications and skills of job applicants; managing the recruitment process, such as organising and conducting interviews; providing information about the recruitment process and feedback to job applicants, and other communication with job applicants; conducting aptitude tests in accordance with the requirements of the role concerned and to the extent permitted by applicable law; checking information provided by the jobseeker, such as references and, where applicable, other requirements such as qualifications. The processing of personal data is therefore based on the measures necessary for the conclusion of an employment contract with the selected candidate (GDPR Article 6(1)(b)). We may use external service providers to carry out personality or aptitude assessments in the context of the recruitment process, and applicable legislation may require us to obtain the consent of the job applicant to carry out such assessments. The entire recruitment process may also be carried out by our recruitment partner, MPS-Yhtiöt Oy. In this case, the processing of your personal data also creates a joint controllership between the company belonging to the Gasgrid group and MPS-Yhtiöt Oy, and the Privacy Policy of MPS-Yhtiöt also applies to the processing of your personal data. If you are selected for a position, depending on the position you are applying for, we may also ask you to provide us with a drug test certificate, provided that applicable law allows it. Since some of our positions require accuracy, reliability, independent judgment or good reaction and performance skills, and the performance of the related duties may result in injury, we may use drug testing to determine the selected candidate’s work ability and capability for the position concerned.
Future recruiting needs: If you would like us to, we can store your personal data for our future recruiting needs. In this case, the processing is based on your consent (GDPR Article 6(1)(a)) and we will keep your personal data for future recruitment and vacancies after the recruitment process has ended. You have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of the processing carried out before withdrawal.

Visitors to our premises:

Video surveillance and access control at our premises for the purposes of ensuring the security of our employees and others on or visiting our premises, the protection of property, the prevention of incidents that may endanger the safety, security, property or supply of our products or services, the prevention of vandalism and crime, the detection of incidents that may jeopardise safety, security, property or supply chains, and the detection of crimes or offences. In such cases, the processing is based on our legitimate interests or those of a third party (such as other persons or organisations operating at the sites we control and which they represent) (Article 6(1)(f) GDPR), where the legitimate interest in question is one or more of the purposes listed above.

All data subject groups

Other legitimate interests related to our business: We may also process your personal data for certain other limited legitimate interests related to our business, such as developing and improving the quality, functionality or user experience of our products, services and website, for security purposes or to ensure and improve the operation and security of our premises, information network or natural gas or other infrastructure; to protect our property; to prevent abuses or to investigate suspected abuses; to prepare for any claims or litigation and to submit or defend claims: to organise our business through acquisitions or other similar arrangements; or for other similar justified purposes. The processing of personal data is based on our legitimate interest (GDPR Article 6(1)(f)) and the legitimate interest in question is the purposes of use relating to our business.

The processing of personal data as described in this Privacy Policy is based, for some purposes (customer relationship management and customer communication), on an agreement between us and the organisation you represent for the supply and use of our products. In these contexts, failure to provide personal information may prevent us from fulfilling our contractual or other obligations or commitments to the organisation you represent, which may result in the termination of our business relationship with you.

What personal data we process

Representatives of customers and potential customers, service providers and other suppliers, partners, media and other stakeholders

Statutory duties	Identification and contact details of the contracting party and contact person, the Gasgrid portal, the Guarantee of Origin system or the Gas Data Hub main user and the user’s user ID.
Management of customer, supplier or stakeholder relationship	Basic information (first name and last name of customer/supplier/other stakeholder representative, title/role, name of organisation); contact details (email address, telephone number, mobile phone number); information about your position (your employer, your occupation, your job title, your qualifications, your position in your entity and any rights of representation); information about the management of the relationship, such as language and communication and meeting information. In addition, regarding supplier representatives, information on work history and educational background that the data subject has provided to us in the context of our procurement procedures to assess the qualifications of our suppliers. We also carry out personal security clearance, as required by the Security Clearance Act (726/2024), for each supplier representative working on our premises or accessing our systems. In this context, we will receive information from the Finnish Security and Intelligence Service on whether the report has been approved. In addition, every person working for Gasgrid Finland also completes an online safety course. The course participant fills in the online course statistics with their name, email address, company and business ID, the validity period of the occupational safety & hot work card and the tax number.
Billing	Basic information (first name and last name); contact details (email address, postal address).
Event arrangement	Basic information (first name and last name, role, workplace of attendee); contact details (email address, phone number, mobile number), information about attendance, allergies, special diets, marketing permission.
Marketing and similar communication	Users of our website’s functionalities (such as forms): basic information (first name and last name); contact details (email address, phone number); any other information that the user may enter in the free text field of the form. Newsletter subscribers, participants in any competitions and content uploaders: Basic information (first name and last name); contact information (email address).
Sales	Basic information (first name and last name of the customer’s representatives, in some cases title); contact information (email address, phone number and workplace address), any information about right to sign.
Product development	Responses to customer satisfaction, stakeholder or marketing surveys.
Compliance with obligations under other applicable legislation	Basic information (first and last name, title/role of the customer representative, name of the organisation); contact details (email address, phone number, mobile phone number), information related to your position (your employer, occupation, job role, qualifications, position in your entity and any rights of representation); information related to the management of the relationship, the username or only some of these.
Ensuring agreement compliance and control of abuse	Basic information (first and last name, title/role of the customer representative, name of the organisation); contact details (email address, phone number, mobile number), information related to your position (your employer, occupation, job role, qualifications, position in your entity and any rights of representation); information related to the management of the relationship, the username or only some of these.

Natural gas end users

Responsibilities under the Natural Gas Market Act: The centralised information exchange systems for natural gas trading process the consumption data of natural persons covered by remote reading, as well as the location IDs of consumption points, which can be used to connect consumption data to customers in the customer registers of retailers and distribution network operators. Location information may include the end customer’s address and name.

Visitors to our website

Enabling use of our website: Technical information: cookies, IP addresses, device information, pages visited on our website and analytics based on them (technical information is not linked to your name or contact details). Read more about use of cookies on our website in our Cookie Policy at https://gasgrid.fi/en/cookie-policy/.

Whistleblowing channel

Our obligation under applicable law to ensure that our operations comply with the law: Information about abuse or other unethical conduct reported through Gasgrid group Whistleblowing Channel. The report may contain personal data concerning a third person (the subject of the report), e.g. name and contact information, as well as image files or other personal data related to the reported activity, depending on what information the person submitting the report provides on the report form. The report may also contain personal data concerning the person making the report, if the whistleblower voluntarily provides it (name and contact details), but reports can also be made anonymously.

Sponsorship applications

Signing and implementing a sponsorship agreement: The contact details provided in connection with the sponsorship application (contact person’s name and contact details, bank account number), as well as any additional information about the sponsorship target provided in connection with the sponsorship application.

Jobseekers

Recruiting process

Identification information (such as name, date of birth, personal identity code, age), contact details, information about suitability for the job, including education and course information, academic transcripts or certificates, information about previous work experience, and other information collected during the recruitment process, such as information about any aptitude assessments, job application and CV, salary requirement, information about the reference, and information about communication about the recruitment process.

Future recruiting needs

Visitors to our premises:

Video surveillance and access control at our premises: Data collected with the help of recording camera surveillance, i.e. video or other image material, including camera surveillance recordings in connection with which the date and time of filming are recorded, as well as data collected with access control.

All data subject groups

Other legitimate interests related to our business: All or only some of the above groups of personal data, depending on the necessary needs of the legitimate interest in concerned.

How we collect personal data

As a rule, we collect personal data directly from you, for example when you communicate with us by phone or email, when you visit our websites, when you fill in feedback or contact forms, when you meet our representatives at scheduled meetings, events arranged by us or otherwise, or when you provide us with documents.
If you are the contact person needed to implement an agreement, we may also obtain the data from the entity you represent.
In the case of reports made through the whistleblowing channel, we receive the personal data of the person subject of the report from the person who submitted the report
In addition, we may also collect personal data from third parties, such as through the whistleblowing channel, from persons taking tests related to recruitment processes, and from private and public registers, including the following:
- Suomen Asiakastieto Oy
- Suomen Tunnistetieto Oy
- Population Register
- Trade Register
- Fonecta Oy
For end customers using natural gas, data is received from other gas market participants, who also inform the data subjects of the processing.

How long we store personal data

We only retain personal data for as long as is necessary to achieve the purposes for which the personal data was collected, in accordance with applicable law. We have defined retention periods for personal data. The retention period is not always a pre-determined fixed period, but the defined period is based on the purpose of our processing and its lawful legal basis (including the duration of a marketing campaign or the validity of an agreement) or the fulfilment of a statutory obligation. When the retention period ends and we no longer need the personal data, we erase the data from our systems or anonymise it irreversibly.

We periodically evaluate the purposes for which personal data is processed and the legal bases for the processing of personal data, and we erase personal data for which the purpose or legal basis for processing has expired.

Below, we have listed the retention periods that we comply with for the different groups of data subjects according to the processing context.

Representatives of customers and potential customers, service providers and other suppliers, partners, media and other stakeholders

Statutory duties	The data collected in conjunction with entries related to the maintenance of the Guarantee of Origin Register is stored for 6 years from the end of the calendar year in which the data on the granting, transfer, cancellation and invalidation of the Guarantee of Origin was collected (section 35 of the Act on Guarantees of Origin for Energy). The data of the users of the Guarantee of Origin Register is stored for the duration of the user’s use of the register. The data stored in Data Hub is stored for 6 years from the event to which the data relates or, in the case of information concerning a contract, for 6 years from the termination of the contract; User management data is stored for 5 years from the end of the contract.
Management of customer, supplier or stakeholder relationship	The retention period for the personal data of customers, service providers and other suppliers, as well as representatives of partners, media and other stakeholders, is ultimately tied to the duration of the business relationship between us and the organisation you represent, and the general minimum retention period is 3 calendar years from the termination of the agreement between us and the organisation you represent. If the contact person changes, we will erase the previous contact person’s information from our information systems within a reasonable time after the change of contact person. However, personal data may also be stored for a longer period of time if retention is justified by the appropriate connection between us and the data subject, for example for marketing purposes, and the person has not prohibited the processing. Agreement documents themselves, which may also contain personal data, are stored for 10 years from the end of the calendar year during which the agreement ended. The above also applies to all communications that are part of the agreement or that clarify the content of the agreement. In addition, personal data recorded in documents that are considered part of accounting records, such as invoices, are stored for at least 6 years from the end of the calendar year in which the accounting period closed. We store the information obtained from personnel security clearance vetting only for as long as is necessary for the purpose of the vetting, however, for a maximum of 6 months from the date on which the information about the vetting has been received (section 45 of the Security Clearance Act).
Billing	Personal data stored in material that is considered part of accounting material, such as invoices, is stored as part of the accounting material in accordance with accounting legislation until the end of the calendar year in which the invoice was provided, and for 6 years thereafter (Accounting Act (1336/1997), chapter 2, section 10).
Event arrangement	Personal data collected and stored at events, including information about participants, is stored for as long as necessary for the arrangement of the event, and will be erased no later than 24 months after the event.
Marketing and similar communication	Personal data stored for marketing purposes will be erased no later than 24 months after the last registered activity.
Sales	After the conclusion of the agreement, personal data is erased from the sales information systems, and the customer relationship information, including the customer’s contact details, is transferred to customer relationship management, in which case the above-mentioned retention periods for customer relationship management apply. If the sales interaction with the data subject does not immediately lead to the conclusion of an agreement, the data subject’s personal data will be stored for 24 months in the sales information systems for any future contacts.
Product development	Personal data collected in conjunction with responses to customer satisfaction, stakeholder or marketing surveys are stored for a maximum of 2 years from the completion of the survey.
Compliance with obligations under other applicable legislation	Based on the requirements of applicable legislation.
Ensuring agreement compliance and control of abuse	As stated in the section Management of customer, supplier or stakeholder relationship.

Natural gas end customers

Responsibilities under the Natural Gas Market Act: Data stored in Data Hub is stored for 6 years from the event to which the data relates or, in the case of information concerning a contract, for 6 years from the termination of the contract.

Users of our website

Enabling use of our website: Please refer to the information on the use of cookies and their validity periods at https://gasgrid.fi/en/cookie-policy/.

Whistleblowing channel

Our obligation under applicable law to ensure that our operations comply with the law: Personal data is erased 5 years after the receipt of the report, unless its retention is necessary for the exercise of rights or obligations provided for by law or for the establishment, exercise or defence of a legal claim; personal data that is clearly not relevant to the processing of the report is erased without undue delay (section 29 of the Act on the Protection of Persons Reporting Infringements of European Union and National Law).

Sponsorship applications

Signing and implementing a sponsorship agreement: Regarding approved sponsorship applications, the retention period of the data subjects is ultimately tied to the duration of the sponsorship relationship between us and you or the organisation you represent, and the general minimum retention period for the data is 3 calendar years from the termination of the agreement between us and the organisation you represent. If the contact person changes, we will erase the previous contact person’s information from our information systems within a reasonable time after the change of contact person. However, personal data may also be stored for a longer period of time if retention is justified by the appropriate connection between us and the data subject, for example for marketing purposes, and the person has not prohibited the processing. Agreement documents themselves, which may also contain personal data, are stored for 10 years from the end of the calendar year during which the agreement ended. The above also applies to all communications that are part of the agreement or that clarify the content of the agreement. In addition, personal data recorded in documents that are considered part of accounting records, such as invoices, are stored for at least 6 years from the end of the calendar year in which the accounting period closed. If the sponsorship application is not approved, the data will be erased three years after the rejection decision was issued.

Jobseekers

Recruiting process

We generally store job applicants’ data for 12 months from the date of making the recruitment decision (section 12 of the Act on Equality between Women and Men (609/1986)).

We store the personal data of the person selected for the position in accordance with the internal HR Privacy Policy.

Future recruiting needs

Until consent has been withdrawn, subject, however, to a maximum of 3 years.

Visitors to our premises:

Video surveillance and access control at our premises: We store data for 30 days for a recording video system and 24 months for access control.

All data subject groups

Other legitimate interests related to our business: Time to be determined by the applicable legitimate interest at any given time.

With whom your personal data is shared

We may disclose personal data to third parties as described below.

When we disclose personal data to a service provider or other party that processes personal data on our behalf, i.e. to data processors, we have, among other things, made contractual arrangements to ensure that the service providers or other parties concerned process personal data in accordance with our instructions and solely for the purposes specified in this Privacy Policy. The processing carried out by the processors includes, for example, the provision of information systems and other IT and software services.

We may disclose personal information to the extent permitted or required by applicable laws, such as to government agencies, third-party advisors, or other third parties, as described below:

Our user community: If you post, comment or engage in other similar activities on our user communities or other platforms that allow public messages to be displayed, anyone with access to such platforms may read and use this information, and we are not responsible for the information you submit on such platforms nor for what third parties do with your information.
Our partners and service providers: We may share personal data with our partners and service providers if it is lawful from a business perspective and in accordance with applicable data protection legislation. If the service is provided by our partners in accordance with the agreement between us and the organisation you represent, we will provide them with the information required for the provision of the service, mainly the contact details of the contact person. We may also disclose personal data for marketing purposes to advertiser partners in order to carry out targeted advertising and online marketing, for example when targeting advertising on social media platforms to people who have responded to an awareness advertising campaign. We may also disclose personal data, for example, to a debt collection agency for debt collection purposes or to our other service providers or partners, but only to the extent that the performance of their duties requires the processing of the disclosed personal data. The recipients may act as independent controllers or joint controllers together with us.
Authorities: The police and other authorities may request us to grant them access to personal data. In these cases, we will only disclose the data if there is a legal obligation, court order or similar compelling obligation to do so. We may also disclose personal data if disclosure is necessary to present or defend legal claims, either in judicial or administrative proceedings.
M&A: If we are involved in a merger, business acquisition or other corporate restructuring, we will disclose personal data to the buyer once the transaction has been confirmed. We may also disclose limited amounts of personal data to potential buyers and their representatives in connection with the preparation of the transaction in accordance with applicable legislation.

In conjunction with events and webinars, we may disclose information on participants to event partners and co-organisers. Information on end customers in the natural gas market is disclosed in accordance with legislation. If necessary, we will ask for your consent to the disclosure of personal data. In addition, we may be required to disclose personal data concerning you to the authorities (e.g. customs, tax administration, Finnish Energy Authority or the police).

Disclosure of personal data to third countries

In our operations, we strive to avoid the disclosure of personal data outside of the EU or EEA and only use the services of service providers that do not transfer data. However, some of our service providers to whom we transfer personal data are located or may store personal data outside of the European Union or the European Economic Area, and therefore we may also, where necessary, transfer personal data outside the EU or EEA. In such cases, we will ensure an adequate level of protection for the personal data we disclose and, where necessary, apply appropriate additional safeguards to ensure the protection of personal data. Typically, personal data is transferred to countries or recipients that have been found by the European Commission to have an adequate level of data protection, or the transfer is based on standard contractual clauses approved by the European Commission, which you can read in the EU Legal Information Service at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914. If you would like more detailed information about transfers of your personal data outside the EU or EEA and the safeguards applicable to them at any given time, please contact us using the contact details provided above in this Privacy Policy.

Your rights

You have a number of different rights concerning your personal data. Below you can find a summary of these rights, as well as information on how you can exercise these rights and what restrictions apply. As a data subject, you have the following rights:

Access to your personal data
- You can check what personal data we process concerning you. Once we have verified your identity, we will provide you with the data we process and other information required by the EU General Data Protection Regulation, such as further information about your rights.
Correction of incorrect or incomplete personal data
- You can have your incorrect or incomplete data corrected.
Erasure of your personal data (“the right to be forgotten”)
- You can request the erasure of your personal data, provided that there is no legal basis for processing and the erasure of the personal data is not restricted by, for example, a statutory obligation or the resolution of a pending dispute.
Restrictions on the processing of your personal data
- If there is any doubt about the legal basis of our processing or the accuracy of your data, you can ask us to restrict the processing of your personal data while we investigate the matter.
Transfer of your personal data from one system to another
- If personal data about you, which you have provided yourself, is processed automatically with your consent or on the basis of an agreement between you and us, you can request that the data be provided in a structured, commonly used and machine-readable form, as well as request that the personal data be transferred to another controller, and we will transfer the data where technically feasible.
Objecting to the processing of personal data
- You can object to the processing of your personal data where the processing is based on our (or a third party’s) legitimate interest and you have a reason relating to your particular personal situation to object to the processing. For example, you can ban our direct marketing as instructed.
Right to withdraw your consent
- If the processing is based on your consent, you have the right to withdraw your consent to such processing at any time. However, the withdrawal of consent does not affect the lawfulness of the processing of personal data carried out on the basis of consent before the withdrawal of consent.
Complaint to a supervisory authority
- You also have the right to file a complaint with the national data protection authority. In Finland, you can file a complaint with the Office of the Data Protection Ombudsman at https://tietosuoja.fi/en/notification-to-the-data-protection-ombudsman.

Please note that some of the rights listed above only apply to certain bases for processing personal data and there may be other restrictions on their application. In these cases, we will provide you with details of the applicable exception or limitation and help you exercise your rights to the fullest extent possible in accordance with applicable law. You can read more about the different situations in which the rights of data subjects are applied on the website of the Office of the Data Protection Ombudsman at:https://tietosuoja.fi/en/what-rights-do-data-subjects-have-in-different-situations.

Requests regarding your right to erasure or access to your personal data should be addressed in writing by post or email, after which we will contact you to implement the request. Any requests based on your rights will be requested to be made using the contact details mentioned above.

In conclusion

We will revise this Privacy Policy if our information protection or other circumstances in effect at the time this Privacy Notice was prepared change. The latest version of our Privacy Policy can be found on our website. If we make material changes to the Privacy Policy that materially change our privacy practices, we may also notify you of the changes by other means, such as by email, or by posting a notice of the changes on our website or social media channels prior to the changes taking effect.

We value your opinion. If you have any comments or questions about our Privacy Policy, privacy protection, or potential violations of privacy or data protection, please send them to info (at) gasgrid.fi or via the feedback form at https://gasgrid.fi/yhteystiedot/#anna-palautetta. We will treat your message confidentially. Our representative will contact you to resolve any concerns and we will map out options to address them. We strive to ensure that comments, questions, and concerns are resolved in a timely and appropriate manner.

This Privacy Policy was updated on 12 February 2025.

Liitteet