25 May 2018
Data privacy practices
St1 Nordic Oy’s Privacy Notice
This privacy notice provides information to registered customers, the employees of customers and the supervisory authority in accordance with the requirements of the European Union’s General Data Protection Regulation (hereinafter the “GDPR”) and the national data protection regulations in force.
This privacy notice describes how St1 Nordic Oy (hereinafter “St1”) collects, uses, retains and protects personal data. St1 Nordic Oy and/or the St1 company that is the counterparty in the matter in question acts as the controller. In addition to St1 Finance Oy (Ab, AS), St1 companies include all companies that belong to the St1 Nordic Oy group of undertakings (St1 Oy, St1 Lähienergia Oy, St1 Deep Heat Oy, Lämpöpuisto Oy). For the sake of clarity, it is herein stated that the terms ‘we’ and ‘St1’ as referred to in these data protection practices refer to any company that belongs to the St1 Group and acts as a controller in any given circumstances.
1) What personal data does St1 Oy collect for its operations
To the extent permitted by law, personal data can be collected and updated from the file systems of third parties, such as the following:
2) Purposes and legal bases for processing personal data
St1 processes personal data in order to fulfil contractual and legal obligations and in order to provide services and guidance to its customers. The information below provides more details on the processing of personal data and the legal basis for the processing.
The purpose of personal data processing is to collect, process and verify personal data before concluding a product and service agreement and to document and carry out contractual obligations. Examples of such actions taken by St1 include the following:
b) Legal obligation
Laws, regulations and requirements of authorities impose obligations on St1 concerning the processing of personal data, for example:
c) Legitimate interest of the controller or a third party
St1 processes personal data in order to carry out marketing, product and customer analyses. Data collected in this connection is used, for example, in product and service development.
Where national regulations so require, we request the consent of the data subject to the transmission of electronic direct marketing (such as e-mail or direct marketing via text messages). You may withdraw your consent at any time.
d) Automated decision-making
St1 utilises automated decision-making in its credit granting process to the extent permitted by law. Customers can always request that a manual decision-making process is applied instead of the automated process, express their opinion or contest only the decision that was made based on automated processing. If the offered product or service includes automated decision-making, customers are provided with additional details on the processing logic applied to automated decision-making, its meaning and possible consequences.
Personal data may be disclosed to companies belonging to the same group of companies as the Company, and to St1 Finance Oy and companies belonging to the same group of companies as St1 Finance Oy. Personal data may be transferred to the data processors of the Company and to the aforementioned group companies, in accordance with the obligation to maintain professional secrecy and with the binding data processing agreement required by law.
Personal data may also be disclosed to the extent permitted and as required by the legislation in force, to those parties which have right of access to personal data under law.
In principle, personal data will not be transferred outside the European Economic Area unless this is necessary for technical reasons pursuant to fulfilling the purposes of processing personal data, in which case the transfer of personal data will abide by the requirements of data protection legislation for the implementation of the appropriate or adequate safeguards. In accordance with section 9, the Company shall provide a copy of these protection measures at the request of the data subject.
Manual data is stored in locked facilities. Such data may only be processed by persons who have a legitimate reason, related to their duties, for processing the data.
The information systems are protected by various organisational and technical methods from access by third parties. Each user has a personal user ID and password for logging into the system. Access to the data is restricted to persons who process the personal data in question as part of their duties.
Right of access to data (right to inspect data)
The data subject shall have the right to inspect personal data relating to him or her that has been stored on the register. The data subject is also entitled to receive a copy of the personal data being processed. A request for right of access must be made in accordance with the instructions given in section 10 of this privacy notice. Right of access may be refused on the grounds laid down by law. Exercising right of access is free of charge in principle.
The right to require rectification, erasure or restriction of processing
The data subject shall have the right to have any data on the register rectified or deleted if such data is contrary to the purpose of the register, incorrect, superfluous, incomplete or outdated. The data subject may submit a request for the rectification or deletion of data in accordance with section 9 of the privacy notice.
The data subject shall also be entitled to require the controller to restrict the processing of his or her personal data, for example if the data subject is awaiting a response to a request from the controller for the rectification or deletion of such data.
Right to object to the processing of personal data
With respect to his or her particular circumstances, the data subject has the right to object to the profiling of him or her and other processing activities to which the controller is subjecting the data subject’s personal data, to the extent that the grounds for data processing are based on the legitimate interests of the controller.
The data subject may submit his or her objection in accordance with section 9 of this privacy notice. With respect to the objection, the data subject must identify the specific situation with respect to which he or she objects to processing. The Company may refuse to execute the request on the grounds laid down by law.
Right to withdraw consent given
If personal data is processed on the basis of the data subject's consent, the data subject has the right to withdraw such consent by notifying the Company thereof in accordance with section 9.
Right to data portability
In so far as the data subject has provided the register with data which is being processed for the purpose of implementing the agreement between the Company and the data subject, or with the consent of the data subject, the data subject shall have the right to receive such data in a structured, commonly used and machine-readable format and have the right to transmit the data to another controller (where technically possible).
Right to lodge a complaint with a supervisory authority
Every data subject shall have the right to lodge a complaint with a supervisory authority, if the Company has not complied with the applicable data protection regulation.
Cookies enable the collection of information such as the following:
the IP address of the user; time of day; pages visited and time spent on the site; browser type; operating system of the terminal device; the URL from where the visitor came to the site and the URL to which the user goes after using our website and the server and domain name from where the user came to the website.
The website may also contain cookies from third parties such as those providing measurement and monitoring services. Third parties may install cookies on the terminal device when customers visit the website.
Cookies on third-party websites
In addition to cookies used on the website, cookies are also utilised on third-party websites to target the advertising of St1. Information collected with the cookies of cooperation partners and by means of other techniques enables targeted advertising based on previous online behaviour and other factors, enabling targeting of ads to users who are likely to be the most interested in the advertisements. In that case, behavioural data collected through websites other than the St1 site can also be utilised for targeting purposes.
In addition, our cooperation partners and we can collect information on the efficiency of the advertising we create. For this purpose, we can collect information such as the following: information on how many times some specific ad has been displayed in a browser; information on whether the ad was clicked and information on whether clicking the ad resulted in purchasing the product in the online shop.
Disabling cookies and preventing targeted advertising
If customers do not want advertising to be targeted based on areas of interest, they can prevent targeting. When you have prevented targeted advertising, you will still see as many ads as before, but the advertisements will not have been selected based on your interest areas.
Personal data shall be kept for as long as its processing is necessary with respect to the purpose for which the personal data was collected, unless the data subject has withdrawn their possible consent for such processing. The company shall maintain the personal data and delete or anonymize unnecessary data at regular intervals. Personal data shall be deleted from the register or anonymized as soon as there is no longer any need or grounds for its processing, or until such processing is no longer necessary for the Company in the fulfilment of a law, regulation or other official obligation.
St1 Nordic Oy
Purotie 1, 00380 Helsinki, Finland