Privacy Policy for customers

The purpose of this Privacy Policy is to explain why and how Syklo processes the personal data of its customers. In addition, we talk about the rights of the data subjects in this register. For the purposes of this Privacy Policy, a data subject means a customer who may be an individual, an entrepreneur, or a representative of a client company or other entity.

At Syklo, customer data can be processed by one or more data controllers belonging to the Oulun Energia Group, each of whom is independently responsible for the processing of personal data for its own purposes. The company acting as the data controller is determined on the basis of which Oulun Energia Group company the customer has entered into an agreement with, for example, for the delivery of products and services.

For more information on the processing of personal data for marketing purposes, please refer to the Syklo marketing Privacy Policy.

Data controller

The data controllers in accordance with the data protection legislation are:

  • Syklo, Business ID: 3275158-9, PL 116, 90101 Oulu
  • Oulun Energia Oy, Business ID: 0989376-5, PL 116, 90101 Oulu
  • Oulun Energia Sähköverkko Oy, Business ID: 2080002-1, PL 116, 90101 Oulu

(hereinafter referred to as “Syklo,” “the data controller”). Syklo is responsible for ensuring that the processing of personal data is carried out in accordance with this Privacy Policy and applicable data protection legislation.

What personal data do we collect?

We collect personal data about our customers primarily from the customer themselves in connection with requests for tender, contracts, orders, and other customer contacts.

In certain circumstances, the data controller may also collect information about its customers from other sources, such as energy meters installed at the customer’s sites, the population information system, or the register of Suomen Asiakastieto Oy.

Oulun Energia Sähköverkko Oy also collects information on the registrant from other energy companies operating in the electricity market from the centralised data exchange system (Fingrid Datahub Oy) on the basis of the exchange of data based on the applicable laws or official regulations.

We collect and process the following information about our customers:

  • basic information, such as name, age, year of birth/personal identification number;
  • contact information, such as postal address, email address, and telephone number;
  • customer service contacts, such as customer calls between the customer and the data controller;
  • information related to the use of the customer’s products and services, such as information on the place of energy use, equipment information located at the place of use, and energy consumption data;
  • the information necessary for invoicing;
  • customer credit information to the extent permitted and required by law

On what basis do we process your personal data, and what do we use it for?

Customer relationship management and offering products and services

We process our customers’ personal data primarily to provide our customers with the products and services they have ordered. In order to manage the customer relationship, personal data is also processed for invoicing and customer communications. In this case, the processing of personal data is based on an agreement between the data controller and the customer.

Product and service development

We also process personal data to a limited extent to improve our services and to develop new products and services. In this case, the processing of personal data is based on our legitimate interest in collecting sufficient and relevant information to develop and improve our operations.

Security

We process personal data (including camera surveillance recordings) to ensure the security of our customer service facilities, in order to prevent inappropriate access to our premises, to investigate abuses, and to increase the security of our personnel. In this case, the processing of personal data is based on our legitimate interest in ensuring the security of our premises and personnel, as well as the smooth operations of our personnel.

When the legal basis for the processing is the legitimate interest in the above-mentioned sections 2-3, Syklo has carried out an assessment of the processing of personal data using the so-called balance test, in accordance with data protection legislation. The customer has the right to object to the processing based on Syklo’s legitimate interest at any time. For further information, please contact the data protection officer whose contact details can be found at the beginning of this Privacy Policy.

To whom do we transfer or disclose your personal data?

We may transfer and disclose the personal data of our customers to third parties in the following situations:

  • when required or within the limits of legislation or a contractual relationship, for example, to the parties involved in the electricity market and to the centralized data exchange system (Fingrid Datahub Oy) within the limits permitted and required by electricity market and other legislation;
  •  
  • to the extent required by and within the limits of the law or contractual relationship;
  • to trusted external service providers (including outsourced customer service) who act on our behalf and who have no independent right of access to the information we transfer to them;
  • within the Oulun Energia Group, if it is appropriate, for example, to organise customer relationship management;
  • if our company is involved in a corporate transaction; and
  • when we believe in good faith that the disclosure of information is necessary to safeguard our rights, to protect you and others, to investigate fraud, or to respond to requests from the authorities

Do we transfer your personal data outside the EU or the EEA?

We may transfer personal data outside the EU or the European Economic Area (EEA) if our trusted service provider operates completely or partly outside these territories. In these cases, we will provide appropriate safeguards, in accordance with applicable data protection legislation.

How long do we retain your personal data?

Personal data shall be retained only for as long as it is necessary to fulfil the purposes specified in this Privacy Policy.

Examples of our usual storage times:

  • As a rule, we store customer information for the duration of the customer relationship; customer agreements are stored for up to 10 years from the end of the last agreement.
  • We retain phone records for 1 year.

Some personal data may also be stored after the end of the customer relationship, within the limits and in accordance with applicable data protection legislation. For example, the Accounting Act (1336/1997) requires us to keep some personal data as part of the invoicing records for six years from the end of the financial year.

How do we protect your personal data?

We have the necessary technical and organisational data security measures in place to protect personal data from elimination, destruction, misuse, and unauthorised access. Our security measures include data protection and security training for our staff, and management of access and access rights (firewalls, secure equipment facilities, facility access control, limited and personal role-based access rights), that we use to restrict access to your data only to personnel who need to process such data for their work. With regard to subcontractors, we have ensured the implementation of data protection legislation by means of a separate data protection agreement.

What rights do you have?

As a data subject, you have the right to be informed about how and for what purpose your personal data will be processed. Alternatively, you can submit a request directly to the Syklo customer service. When you request information, we will verify your identity. We will respond to requests within one (1) month of submitting the request, unless there are specific reasons to extend the response time. We may also refuse to comply with your request on the grounds provided by applicable law.

For more information on the processing of personal data for marketing purposes and your rights as a marketing data subject, such as prohibiting marketing, please refer to the Syklo marketing Privacy Policy.

As a data subject, the following rights are guaranteed to you under applicable data protection legislation:

Right of access

You have the right to request access to your personal data within the limits and in accordance with the applicable data protection laws. You have the right to be informed about how and for what purpose your personal data is processed.

Right to request rectification and erasure of data and to restrict the processing of personal data

You have the right to request rectification, erasure, or restriction of your data, within the limits and in accordance with applicable data protection legislation.

You have the right to demand that the data controller restrict the processing of your personal data, such as when you are waiting for the controller’s response to your request to rectify or erase your data.

When you, as a customer of Oulun Energia Sähköverkko Oy, request an update to your personal information (name, social security number, postal address, telephone number, and/or email address), we will forward the request to update your customer information to your provider, who is primarily in charge of maintaining your customer information.

Right to object to the processing of personal data

You have the right to object to the processing of personal data within the limits and in accordance with applicable data protection legislation. You have the right to object to the processing of your data based on a legitimate interest of the data controller. When you make the request, you must identify the situation on the basis of which you object to the processing.

You have the right to object to direct marketing. You can prohibit direct marketing at Syklo’s customer service.

Right to transfer data between systems

To the extent of the data you have provided to the controller yourself, you have the right to transfer data from one system to another, that is, to receive personal data relating to you in a structured and commonly used format, and to transfer it to another data controller, within the limits and in accordance with applicable data protection laws.

The right of the data subject to withdraw consent

If personal data is processed on the basis of the data subject’s consent, you have the right to withdraw your consent by requesting it from Syklo’s customer service.

You can also withdraw your consent to email marketing and targeted online marketing at any time by using the unsubscribe link at the end of each newsletter.

Marketing cookies are used on our website, and based on the information collected by them, you are provided with recommendations for content that may be of interest to you. The use of marketing cookies is based on your consent, which we request before storing any cookies. You can also withdraw your consent at any time from the cookie banner on our website. For more information, please see our Cookie Policy.

Right to lodge a complaint with the supervisory authority

You have the right to lodge a complaint with the national data protection authority (in Finland, the Data Protection Ombudsman) or another data protection authority of the European Union or the European Economic Area, if you think that your statutory rights have been violated.

Contact information

If you have any questions regarding the Privacy Policy or the processing of your personal data, you can contact us by email at: mira.juola@oulunenergia.fi.

Amendments to the Privacy Policy

We reserve the right to change and update this Privacy Policy. If we make changes to the Privacy Policy, we will add this information to our website, where you can also find the latest version of the Privacy Policy.

Last updated 17 May 2022.