The data controllers, in accordance with data protection legislation, are Syklo, Oulun Energia Oy, Oulun Energia Sähköverkko Oy, and Turveruukki Oy (hereinafter referred to as the “group member” or “data controller” or “Syklo”).
- Syklo, Business ID: 3275158-9, PL 116, 90101 Oulu
- Oulun Energia Oy, Business ID: 0989376-5, PL 116, 90101 Oulu
- Oulun Energia Sähköverkko Oy, Business ID: 2080002-1, PL 116, 90101 Oulu
- Turveruukki Oy, Business ID: 0210307-0, PL 116, 90101 Oulu
What personal data do we collect?
We primarily collect information about our stakeholders from the representative of the stakeholders themselves. In certain circumstances, the data controller may also collect information about stakeholders from other sources, such as the contact details provided by stakeholders themselves on their websites.
We collect and process the following information about stakeholders:
- basic information such as name, designation, professional title, position or function in the company, company name;
- contact information, such as postal address, email address, and telephone number;
- information related to the cooperation, such as the project, initiative, or customer relationship;
- information related to the use of the systems, such as user IDs for the information systems;
- video recordings of the surveillance camera (if the stakeholders do business at the site);
- information collected through cookies.
On what basis do we process your personal data, and what do we use it for?
We may process personal data for the following purposes and on the following grounds:
Management of cooperation under the Agreement
Personal data is processed for the purposes of organising and managing the business cooperation of the data controller, such as communication, organisation, maintenance, and development of cooperation between the data controller and stakeholder. Where an agreement on cooperation (e.g., a cooperation agreement or subcontracting agreement) has been made between the parties, the processing is based on the agreement between the data controller and the stakeholder.
Other cooperation with stakeholders
The data controller works together with a number of stakeholders, such as public authorities (e.g., the Energy Authority), interest groups (e.g., Finnish Energy) and other companies, for example in connection with the development of the energy sector. However, not all cooperation is necessarily based on a contractual relationship, but generally on maintaining good working relationships in the energy sector. Cooperation may include, for example, communication and organising events. In this respect, the processing is based on the legitimate interest of the data controller in maintaining appropriate cooperative relations with stakeholders in the energy sector.
Purposes required by legislation
Personal data may also be collected and processed on the basis of legislation, if required by the legislation applicable to the data controller, for example, for accounting purposes.
To whom do we transfer or disclose your personal data?
We may transfer and disclose the personal data of our customers to third parties in the following situations:
- to the extent required by and within the limits of the law or contractual relationship;
- to trusted external service providers acting on our behalf who do not have independent access to the information we transfer to them;
- within the Oulun Energia Group, if it is relevant, for example, to organising the customer relationship with the stakeholder;
- if our company is involved in a corporate transaction; and
- when we believe in good faith that the disclosure of information is necessary to safeguard our rights, to protect the rights of you and others, to investigate fraud, or to respond to requests from the authorities.
Do we transfer your personal data outside the EU or the EEA?
We may transfer personal data outside the EU or the European Economic Area (EEA) if our trusted service provider operates completely or partly outside these territories. In these cases, we will ensure appropriate safeguards are in place in accordance with the applicable data protection legislation, for example by using the European Commission’s standard contractual clauses.
How long do we retain your personal data?
What rights do you have?
An individualised request to exercise your rights as a data subject or a request for information on the processing of personal data should be sent to: email@example.com. When you request the information, we will verify your identity. We respond to requests within one (1) month of submitting the request, unless there are special circumstances that extend the response time. We may also refuse to comply with your request on the grounds provided by applicable laws.
As a data subject, the following rights are guaranteed to you under applicable data protection legislation:
Right of access:
You have the right to request access to your personal data, within the limits and in accordance with applicable data protection legislation. You have the right to be informed about how and for what purpose your personal data is processed.
Right to request rectification and erasure of data and to restrict the processing of personal data:
You have the right to request rectification or erasure of your data within the limits and in accordance with the applicable data protection laws.
You have the right to demand that the data controller restrict the processing of your personal data, such as when you are waiting for the controller’s response to your request to rectify or erase your data.
Right to object to the processing of personal data:
You have the right to object to the processing of personal data within the limits and in accordance with applicable data protection legislation. For example, you always have the right to prohibit direct marketing to you.
Right to transfer data between systems:
You have the right to transfer data from one system to another, that is, to receive personal data relating to you in a structured and commonly used format, and to transfer them to another data controller, within the limits and in accordance with applicable data protection laws;
The right of the data subject to withdraw consent:
If personal data is processed on the basis of the data subject’s consent, you have the right to withdraw your consent.
Right to lodge a complaint with the supervisory authority:
You have the right to lodge a complaint with the national data protection authority (in Finland, the Data Protection Ombudsman) or another data protection authority of the European Union or the European Economic Area, if you think that your statutory rights have been violated;
How do we protect your personal data?
We have the necessary technical and organisational data security measures in place to protect personal data from elimination, destruction, misuse, and unauthorised access. Our security measures include data protection and security training for our staff, and management of access and access rights (firewalls, secure equipment facilities, facility access control, limited and personal role-based access rights), which we use to restrict access to your data only to personnel who need to process such data for their work. With regard to subcontractors, we have ensured the implementation of data protection legislation by means of a separate data protection agreement.