25 May 2018

Data privacy practices

ST1 Nordic Oy’s Privacy Notice

This privacy notice provides information to registered customers, the employees of customers and the supervisory authority in accordance with the requirements of the European Union’s General Data Protection Regulation (hereinafter the “GDPR”) and the national data protection regulations in force.

This privacy notice describes how St1 Nordic Oy (hereinafter “St1”) collects, uses, retains and protects personal data. St1 Nordic Oy and/or the St1 company that is the counterparty in the matter in question acts as the controller. In addition to St1 Finance Oy (Ab, AS), St1 companies include all companies that belong to the St1 Nordic Oy group of undertakings (St1 Oy, St1 Lähienergia Oy, St1 Deep Heat Oy, Lämpöpuisto Oy). For the sake of clarity, it is herein stated that the terms ‘we’ and ‘St1’ as referred to in these data protection practices refer to any company belonging to the ST1 Group and which acts as a controller in any given circumstances.

1) What personal data does St1 Oy collect for its operations

  1. basic information on individual customers (name, date of birth or personal identification number and contact details such as address, phone number and email address etc.)
    Basic information on company customers (information required for identifying the customer and for clarifying the customer’s financial status and political influence) 
  2. information on the customer relationship (such as the duration and nature of the customer relationship)
  3. consent (the data subject’s consent and withdrawals of consent related to the processing of personal data)
  4. information on the agreements concluded between the customer and St1
  5. information on customer transactions
  6. background information on the customer (title or occupation, and other information regarding the activities and status of the data subject with respect to private or public-sector duties) 
  7. behavioural data (such as data collected with cookies and points of interest)
  8. information on the content of recordings and messages (such as recordings of phone calls)
  9. technical identification data (such as information used to identify mobile application users) 

Personal data is mainly collected from data subjects themselves. Personal data can be obtained from other file systems of the St1 companies as permitted by legislation.

To the extent permitted by law, personal data can be collected and updated from the file systems of third parties, such as the following:   

  1. public registers maintained by authorities, such as the Population Register Centre, execution authorities and the police, as well as tax administration registers, business register and registers of supervisory authorities
  2. sanction lists (e.g. lists maintained by the EU, UN and national organisations) and other reliable sources that provide information, for example, on beneficial owners and persons with political influence
  3. controllers of credit information  

2) Purposes and legal bases for processing personal data 

St1 processes personal data in order to fulfil contractual and legal obligations and in order to provide services and guidance to its customers. The information below provides more details on the processing of personal data and the legal basis for the processing.

a) Execution of contracts

The purpose of personal data processing is to collect, process and verify personal data before concluding a product and service agreement and to document and carry out contractual obligations. Examples of such actions taken by St1 include the following:

  • tasks related to opening a customer account and granting a payment card and other payment instrument 
  • customer service during the customer relationship 
  • tasks related to exercising legal claims
  • measures related to debt collection

b) Legal obligation

Laws, regulations and requirements of authorities impose obligations on St1 concerning the processing of personal data, for example:

  • risk management obligations (operational risks, credit risks, prudential requirements)
  • accounting regulations 
  • reporting to authorities (tax, police, enforcement and supervisory authorities) 
  • other product and service-specific legal obligations.

c) Legitimate interest of the controller or a third party

St1 processes personal data in order to carry out marketing, product and customer analyses. Data collected in this connection is used, for example, in product and service development. 

Where national regulations so require, we request the consent of the data subject to the transmission of electronic direct marketing (such as e-mail or direct marketing via text messages). You may withdraw your consent at any time.

d) Automated decision-making

St1 utilises automated decision-making in its credit granting process to the extent permitted by law. Customers can always request that a manual decision-making process is applied instead of the automated process, express their opinion or contest only the decision that was made based on automated processing. If the offered product or service includes automated decision-making, customers are provided with additional details on the processing logic applied to automated decision-making, its meaning and possible consequences.

  1. Disclosure of personal data

Personal data may be disclosed to companies belonging to the same group of companies as the Company, and to St1 Finance Oy and companies belonging to the same group of companies as St1 Finance Oy. Personal data may be transferred to the data processors of the Company and to the aforementioned group companies, in accordance with the obligation to maintain professional secrecy and with the binding data processing agreement required by law.

Personal data may also be disclosed to the extent permitted and as required by the legislation in force, to those parties which have right of access to personal data under law.

In principle, personal data will not be transferred outside the European Economic Area unless this is necessary for technical reasons pursuant to fulfilling the purposes of processing personal data, in which case the transfer of personal data will abide by the requirements of data protection legislation for the implementation of the appropriate or adequate safeguards. In accordance with section 9, the Company shall provide a copy of these protection measures at the request of the data subject.

  1. Protection of personal data

Manual data is stored in locked facilities. Such data may only be processed by persons who have a legitimate reason, related to their duties, for processing the data.

The information systems are protected by various organisational and technical methods from access by third parties. Each user has a personal user ID and password for logging into the system. Access to the data is restricted to persons who process the personal data in question as part of their duties.

  1. Rights of customers

Right of access to data (right to inspect data)

The data subject shall have the right to inspect personal data relating to him or her that has been stored on the register. The data subject is also entitled to receive a copy of the personal data being processed. A request for right of access must be made in accordance with the instructions given in section 10 of this privacy notice. Right of access may be refused on the grounds laid down by law. Exercising right of access is free-of-charge in principle.

The right to require rectification, erasure or restriction of processing

The data subject shall have the right to have any data on the register rectified or deleted if such data is contrary to the purpose of the register, incorrect, superfluous, incomplete or outdated. The data subject may submit a request for the rectification or deletion of data in accordance with section 9 of the privacy notice.

The data subject shall also be entitled to require the controller to restrict the processing of his or her personal data, for example if the data subject is awaiting a response to a request from the controller for the rectification or deletion of such data.

Right to object to the processing of personal data

With respect to his or her particular circumstances, the data subject has the right to object to the profiling of him or her and other processing activities to which the controller is subjecting the data subject’s personal data, to the extent that the grounds for data processing are based on the legitimate interests of the controller.

The data subject may submit its objection in accordance with section 9 of this privacy notice. With respect to the objection, the data subject must identify the specific situation with respect to which he or she objects to processing. The Company may refuse to execute the request on the grounds laid down by law.

Right to withdraw consent given

If personal data is processed on the basis of the data subject's consent, the data subject has the right to withdraw such consent by notifying the Company thereof in accordance with section 9.

Right to data portability

In so far as the data subject has provided the register with data which is being processed for the purpose of implementing the agreement between the Company and the data subject, or with the consent of the data subject, the data subject shall have the right to receive such data in a structured, commonly used and machine-readable format and have the right to transmit the data to another controller (where technically possible).

Right to lodge a complaint with a supervisory authority

Every data subject shall have the right to lodge a complaint with a supervisory authority, if the Company has not complied with the applicable data protection regulation.

  1. Use of cookies

On our website, we use cookies and other similar technology to collect information related to the user’s terminal device. Cookies are usually small text files that your Internet browser saves so that the device user can be identified and re-identified. Cookies are used to identify the user’s browser, and the collected information can be used, for example, to count the number of browsers used for visiting our website and for the purpose of analysing the use of our website, such as carrying out statistical monitoring. Our objective is to develop our service so that the service provided to users will constantly improve.

Cookies enable the collection of information such as the following:

the IP address of the user; time of day; pages visited and time spent on the site; browser type; operating system of the terminal device; the URL from where the visitor came to the site and the URL to which the user goes after using our website and the server and domain name from where the user came to the website.

The website may also contain cookies from third parties such as those providing measurement and monitoring services. Third parties may install cookies on the terminal device when customers visit the website.

Cookies on third-party websites

In addition to cookies used on the website, cookies are also utilised on third-party websites to target the advertising of St1. Information collected with the cookies of cooperation partners and by means of other techniques enables targeted advertising based on previous online behaviour and other factors, enabling targeting of ads to users who are likely to be the most interested in the advertisements. In that case, behavioural data collected through websites other than the St1 site can also be utilised for targeting purposes.

In addition, our cooperation partners and we can collect information on the efficiency of the advertising we create. For this purpose, we can collect information such as the following: information on how many times some specific ad has been displayed in a browser; information on whether the ad was clicked and information on whether clicking the ad resulted in purchasing the product in the online shop.

Disabling cookies and preventing targeted advertising

Customers can control the extent to which they consent to the use of cookies and targeted advertising. Browser settings can be modified to disable cookies. As a result of disabling cookies, some of the website’s functionalities may no longer be available.

If customers do not want advertising to be targeted based on areas of interest, they can prevent targeting. When you have prevented targeted advertising, you will still see as many ads as before, but the advertisements will not have been selected based on your areas of interest.

  1. Retaining personal data

Personal data shall be kept for as long as its processing is necessary with respect to the purpose for which the personal data was collected, unless the data subject has withdrawn their possible consent for such processing. The company shall maintain the personal data and delete or anonymize unnecessary data at regular intervals. Personal data shall be deleted from the register or anonymized as soon as there is no longer any need or grounds for its processing, or until such processing is no longer necessary for the Company in the fulfilment of a law, regulation or other official obligation.

  1. Contact information

If you would like to contact St1 or ask questions about the privacy notice, please use this form, contact us by e-mail at dataprivacy@st1.fi, or by post addressed to: 

St1 Nordic Oy
Customer Service
Purotie 1, 00380 Helsinki, Finland