This privacy statement describes the processing of Gasgrid Finland Oy’s personal data and informs data subjects of their rights.
Gasgrid Finland Oy is committed to ensuring the confidentiality and privacy of the personal data in its possession and to complying with national data protection legislation and the EU General Data Protection Regulation as amended.
Gasgrid Finland Oy processes personal data for various purposes. This privacy statement describes Gasgrid Finland Oy’s data protection practices and purposes of personal data processing, as well as provides data subjects with information about their rights. Gasgrid Finland Oy processes personal data confidentially and collects data only to the extent necessary for the lawful purpose of processing.
Data controller and content of the privacy statement
Gasgrid Finland Oy (Keilaranta 19 D, FI-02150 Espoo, business ID 3007894-1) acts as the data controller for the processing of personal data described in this statement.
As a data subject, you may be either our customer, a potential customer or a contact person for such a customer; a job seeker, an end customer of natural gas, a representative of a partner, an applicant for sponsorship or another person belonging to our stakeholders (“Data Subject”) with whom it is important or necessary for us to communicate.
This privacy statement applies to the processing of personal data mainly in the following situations:
- Managing our customer relationship (including processing our customer’s contact person data);
- Processing of data of partner, media and official contacts and other stakeholders, including stakeholder surveys;
- Procurement procedures
- The special features of our operations and our statutory obligations as a transmission system operator (including Gas data hub, Gasgrid portal, guarantee of origin system);
- Cooperation with authorities, crisis communication;
- Subscriptions to our newsletters and sending our other communications to stakeholders;
- Implementing competitions and campaigns and interacting on social media channels;
- Visits to our premises and locations;
- Invitations to and participation in our events and seminars;
- Recruitment processes;
- Contacts and feedback through our website and email addresses;
- Reports through our whistleblowing channel;
- Video surveillance and access control;
- Sponsorship applications;
- Cookies used on our websites and website analytics.
What personal data do we process
The personal data we process can be mainly divided into the following groups:
Customers, suppliers, partners and other stakeholders
- First and last name
- Contact details (phone number, address and email address)
- Information related to your position (your employer, occupation, job title, degree, position in your community and any rights of representation)
- Allergy and special diet information when organising events
- Username and password when using Gasgrid portal or Gas data hub
- Responses to customer satisfaction, stakeholder or marketing surveys
- Information on employment history and educational background provided by the Data Subject in connection with our procurement procedures when assessing the qualifications of our suppliers.
End customers of natural gas
- The centralised information exchange systems for natural gas trading process the consumption data of natural persons covered by remote reading, as well as the location IDs of consumption points, which can be used to connect consumption data to customers in the customer registers of retailers and distribution network operators. Location information may include the end customer’s address and name.
Users of the whistleblowing channel
- Information about abuse or other unethical conduct reported through Gasgrid’s whistleblowing channel. The report may contain personal data concerning a third party, such as name, contact details, image files or other personal data related to the reported conduct.
- The report may also contain personal data concerning the reporting person, if provided voluntarily by the person (name and contact details).
- Name, contact details, and information on work history and educational background.
- Other information that the Data Subject has provided to us in connection with the job application, such as a picture and other information contained in the job application and resumé.
- Any information related to personal and aptitude assessments, as well as information related to personnel security clearance and drug testing, in accordance with the rules of applicable employment data protection legislation.
Applicants for sponsorship
- Contact details provided in connection with a sponsorship application (name and contact details of contact person, account number).
- Any additional information about the target of sponsorship provided in connection with sponsorship applications.
- Information provided in connection with a contact request or feedback, such as contact details and information contained in any message.
- Footage of the Data Subject (if you visit our premises with camera surveillance or if you have given your consent to the processing and publication of your footage for our marketing).
Online safety course
- Everyone who works for Gasgrid completes an online safety course. Course participants fill in the online course statistics their name, email address, company and business ID, safety & hot work card validity period and tax number.
- Technical information: cookies, IP addresses, device information, pages visited on our website and analytics based on them (technical information is not linked to your name or contact details)
We do not make decisions based solely on automated processing, such as profiling, which have legal effects on the data subject.
Purpose and legal basis of personal data processing
We will only process your personal data for the purpose for which the lawfulness of the processing is met. Our purposes of processing are mainly based on the following legal bases:
- To implement an agreement
- Sponsorship agreements (if sponsorship is applied for by a natural person).
- To fulfil our statutory obligation
- Provision of services within the system responsibility of the transmission system operator under the Natural Gas Market Act.
- Responsibilities of the administrator of the guarantee of origin system under the Guarantee of Origin Act.
- Processing of reports received through the whistleblowing channel based on the European Union Directive on the protection of whistleblowers and the national legislation implementing it.
- Processing of data from recruitment processes in accordance with employment data protection and equality legislation.
- Your personal data may also be retained for a longer period of time under mandatory law than for the sole purpose of implementing an agreement, if this is required by, for example, accounting legislation.
- Based on our legitimate interest
- Processing of data concerning contact persons of customers, suppliers and partners to maintain contacts and maintain and manage the relationship.
- Sending customer and stakeholder bulletins.
- Sponsorship applications, sponsorship agreements (if the applicant for sponsorship is a community).
- Newsletters sent by email, in which we market items closely related to the ordered service or product and we have received your contact details, for example through a form on the website, as well as other communications to stakeholders.
- Direct marketing based on profiling. You have the right to opt-out of direct marketing, of which we will duly inform you in connection with our direct marketing.
- Securing our property and operations when you visit our premises and alongside our infrastructure. Some of our premises have camera surveillance.
- In connection with our procurement procedures, if your community has been required to provide information about your employment history and educational background to demonstrate your expertise.
- Customer satisfaction and stakeholder surveys.
- When we organise various events (including stakeholder meetings, trainings, rescue drills, webinars, information sessions and customer forums).
- Implementation of the online safety course.
- When we collect your contact details for our other contacting.
- Cookies and analytics used on our websites.
- Based on your consent
- If you give your voluntary consent to the processing of your personal data, we will tell you, when giving your consent, for what purpose we are collecting your personal data at any given time and what you are giving your consent to. You can withdraw your consent at any time by following the instructions provided in connection with your consent or by contacting us.
How do we collect personal data
- In principle, we always collect the personal data from you.
- If you are the contact person needed to implement an agreement, we may also obtain the data from the community you represent.
- In addition, we may also collect personal data from third parties, such as through the whistleblowing channel, from persons taking tests related to recruitment processes, and from private and public registers, such as the following:
- Suomen Asiakastieto Oy
- Population Register
- Trade Register
- Fonecta Oy
- For end customers using natural gas, data is received from other gas market participants, who also inform the Data Subjects of the processing.
How long do we store personal data
We have defined retention periods for personal data. At the end of the retention period, the data will be deleted. The retention period is not always a pre-determined fixed period, but the defined period is based on the purpose of our processing and its lawful legal basis (including the duration of a marketing campaign or the validity of an agreement) or the fulfilment of a statutory obligation.
We periodically evaluate the purposes for which personal data is processed and the legal bases for the processing of personal data, and we delete personal data for which the purpose or legal basis for processing has expired. For example, we will delete the data that we collected to organise a competition related to our marketing campaign after the competition, and we will delete the recordings of our camera surveillance at regular intervals unless we have to retain them in the event of an incident to protect our rights.
To whom do we disclose personal data – groups of recipients of personal data
We may disclose your personal data to our selected partners who process personal data on our behalf (e.g. IT and cloud services, collection companies, senders of event invitations, communication partners, printing houses, event and invitation platforms). We ensure through the agreement and the instructions given to the processor that the processor’s data security and data protection are at the level required by law.
In connection with events and webinars, we may disclose information on participants to event partners and co-organisers. Information on end customers in the natural gas market is disclosed in accordance with legislation. If necessary, we will ask for your consent to the disclosure of personal data. In addition, we may be required to disclose personal data concerning you to the authorities (e.g. customs, tax administration, Finnish Energy Authority or the police).
Disclosure of personal data to third countries
Your personal data will not, in principle, be disclosed outside the EU or the European Economic Area. In some cases, we may disclose and transfer your personal data to our selected partners in third countries who process personal data on our behalf. In these situations, we comply with the requirements of the EU General Data Protection Regulation for the transfer of data to third countries:
- The Commission has decided that the third country in question has provided for an adequate level of data protection. No special permit is required for this transfer.
- We will otherwise ensure an adequate level of data protection by using, for example, standard contractual clauses drawn up by the European Commission in connection with the transfer of data and any other safeguards required by data protection regulations.
- We will enter into a personal data processing agreement for the transfer and provide the necessary instructions to the processor.
How do we safeguard the privacy of personal data
Your privacy is a priority. The personal data is stored as confidential. Given the nature of our business, we have the appropriate technical and organisational means in place to safeguard privacy and prevent personal data breaches. We use high-standard security software and restrict access to the processing of personal data in our organisation and systems to those individuals for whom it is necessary to process your personal data in their work duties (access control).
The servers are located in a separate locked equipment space and the service provider’s servers in well-secured and controlled data centres. The data is e.g. protected by a firewall, and access to the personal data requires the use of a username and password. Usernames and access rights are managed by our company’s IT function.
As a data subject, you have the following rights:
- Access to your personal data
- You can check what personal data we process concerning you. Once we have verified your identity, we will provide you with the data we process and other information required by the EU General Data Protection Regulation, such as further information about your rights.
- Correction of incorrect or incomplete personal data
- You can have your incorrect or incomplete data corrected. Please let us know if you find your data to be incomplete or incorrect and we will correct it.
- Erasure of your personal data (“the right to be forgotten”)
- You can request the erasure of your personal data if, for example, the personal data is no longer needed for the purposes for which it was collected, if the processing is unlawful or if the personal data must be erased in order for us to comply with a statutory requirement. You can request the erasure of your personal data, provided that the erasure of the personal data is not restricted by, for example, a statutory obligation or the resolution of a pending dispute.
- Restrictions on the processing of your personal data
- If there is any doubt about the legal basis of our processing or the accuracy of your data, you can ask us to restrict the processing of your personal data while we investigate the matter.
- Transfer of your personal data from one system to another
- If personal data concerning you that you have provided is automatically processed with your consent or by agreement between you and us, you may request that the data be provided in a structured, commonly used and machine-readable form, and you may also request that the personal data be transferred to another data controller if it is technically possible.
- Objecting to the processing of personal data
- You have the right to object to certain processing of personal data, including the processing of your personal data for marketing purposes or when we otherwise use our legitimate interest as a basis for processing. For example, you can ban our direct marketing as instructed.
- Right to withdraw your consent
- If the processing is based on your consent, you have the right to withdraw your consent to such processing at any time.
- Complaint to a supervisory authority
- You also have the right to lodge a complaint with the national data protection authority. If you wish to lodge a complaint with the national supervisory authority about the processing of your personal data, you can do so by contacting your local data protection authority. In Finland, the relevant authority is the Data Protection Ombudsman (www.tietosuoja.fi).
Requests regarding your right to erase or access your personal data are requested to be addressed in writing and signed by mail or email, after which we will contact you to process the request. All requests based on your rights are requested to be addressed in accordance with the Contact Us section.
Changes to this privacy statement
We will amend this privacy statement if our basis for processing personal data or other circumstances in effect at the time of preparing this privacy statement change. However, we will not change the purpose of the processing of your personal data without your consent, if the basis for the processing is consent. We undertake to comply with the implementation of your statutory rights described above, regardless of any changes to this privacy statement. The latest version of our privacy statement can be found on our website (www.gasgrid.fi).
You can contact us by email: email@example.com. or via the feedback form: https://gasgrid.fi/en/contact-details/#give-us-feedback
You can also contact or lodge a complaint with the national data protection authority, which is Finland is the Data Protection Ombudsman (www.tietosuoja.fi).
This privacy statement was last updated on 19 August 2021. Gasgrid Finland Oy may update this privacy statement and strives to use reasonable means to notify the data subject in good time of any changes and their effects. Gasgrid Finland Oy urges the data subject to review this privacy statement after receiving information about any changes.