Privacy notice

In this privacy notice, we aim to tell as openly as possible how we process your data. We treat the data as if it was our own: we want to be worthy of your trust.

It is important for us to be able to give our users information that is as clear as possible with respect to the way we process personal data and the data derived from the use of our services. Trust, safety and transparency are the key words. On this website we explain the kind of data we collect, the purpose of use of the data we collect, the way we process data, and your rights according to the EU and national legislation in Finland concerning personal data.

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data when we process your data for the purposes of legitimate interests pursued by us. Further information is available in sections 3 and 6 of this notice.

1. Controller

Each of our following companies applies the practices described in this privacy notice when it processes your personal data as a controller. For example, when you are a customer of EPV Energia Oy, EPV Energia Oy will process your customer data as a controller. If you are a customer of Seinäjoen Voima Oy, the company in question will act as the controller of your personal data. When applying for a job, for example, at Suomen Merituuli Oy, the company will act as the controller of your job application and other data you have provided in connection with your application. However, if you are interested in career opportunities in the EPV Group in general and you have not addressed your job application to just one of our companies, the personal data you have submitted to us may be processed by several EPV Group companies, each of them acting as the controller.

If you are not sure which company or companies are acting as the controller of your personal data, please contact us by email at tietosuoja@epv.fi.

NameBusiness IDAddressEmail address
EPV Energia Oy0216734-9Kirkkopuistikko 0, 65100 Vaasatietosuoja@epv.fi
EPV Alueverkot Oy0944372-1Kirkkopuistikko 0, 65100 Vaasatietosuoja@epv.fi
EPV Bioturve Oy2185077-6Kirkkopuistikko 0, 65100 Vaasatietosuoja@epv.fi
EPV Tase Oy2558846-1Kirkkopuistikko 0, 65100 Vaasatietosuoja@epv.fi
EPV Teollisuusverkot Oy2592125-2Kirkkopuistikko 0, 65100 Vaasatietosuoja@epv.fi
EPV Tuotantoverkot Oy2002112-4Kirkkopuistikko 0, 65100 Vaasatietosuoja@epv.fi
Suomen Energiavarat Oy2270826-1Kirkkopuistikko 0, 65100 Vaasatietosuoja@epv.fi
Vaasan Voima Oy2990528-4Kirkkopuistikko 0, 65100 Vaasatietosuoja@epv.fi
Vaskiluodon teollisuuskiinteistöt0779122-0Kirkkopuistikko 0, 65100 Vaasatietosuoja@epv.fi
Seinäjoen Voima Oy2887036-6Kirkkopuistikko 0, 65100 Vaasatietosuoja@epv.fi
Tornion Voima Oy1958842-2Kirkkopuistikko 0, 65100 Vaasatietosuoja@epv.fi
EPV Tuulivoima Oy2152955-2Kirkkopuistikko 0, 65100 Vaasatietosuoja@epv.fi
Rajakiiri Oy2113785-8Kirkkopuistikko 0, 65100 Vaasatietosuoja@epv.fi
Suomen Merituuli Oy2205820-3Kirkkopuistikko 0, 65100 Vaasatietosuoja@epv.fi

2. Personal data collected by us, and its storage periods

In this section you will find a list of the data we collect of our customers, stakeholders, suppliers, job applicants, and via camera surveillance on our premises.

This section also provides information about the storage periods we have specified for personal data. When we determine the appropriate storage periods for personal data, we take into account not only the legal requirements, but also the amount, nature and sensitivity of the data, possible risk of damage caused by unauthorised use or sharing of your data, the purposes for which we process your personal data, and whether we can fulfil these purposes in other ways. Please note that we shall store your personal data only for as long as is necessary for fulfilling the purposes for which we collected the data – including implementing our legal obligations or obligations related to accounting or reporting.

In some situations, we may anonymise your personal data so that it can no longer be connected to you. We may use this kind of anonymised data without notifying you of it and store it for a longer period than specified in the following.

We may also be obliged to store the data for longer than is described in the following if it is necessary for scientific research purposes, for the purpose of an ongoing legal process or for compliance with a decision of a court or authority.

Customer register

We may collect the following personal data of our customers (the set of data is referred to as the “customer register”):

  • consumer customer
    • name of the person
    • contact details (telephone number, email address, address)
    • personal identity code (account holders)
    • contract number
    • payment details and history
    • contact requests and claims
    • copy of a passport or other identity document for the purpose of identifying the person
  • business customer
    • name, position and email address of contact person
    • contact requests and claims
    • photograph.

The data in the customer register shall be stored for 10 years calculated from the last contact related to the customer relationship. However, a copy of a passport or other identity document shall be destroyed immediately after the person has been identified.

Camera surveillance register 

We take care of the safety of our premises, for example, with camera surveillance. The material recorded by cameras is referred to as the “camera surveillance register”. This register includes the following data:

  • Video surveillance material

The material is stored for a maximum of one year, however, the storage period may be longer if it is necessary for scientific research purposes, for the purpose of an ongoing legal process or for compliance with a decision of a court or authority.

Recruitment register 

We may collect the following personal data on our job applicants (the set of data is referred to as the “recruitment register”):

  • Name of applicant and referee
  • Contact details of the applicant and referee (telephone number, email address, address)
  • Applicant’s date of birth
  • Job application and CV
  • A photo or video of the applicant
  • Results of the applicant’s aptitude tests
  • Applicant’s criminal record data
  • Applicant’s credit data
  • Copy of the applicant’s or referee’s passport or other identity document for the purpose of identifying the person.

Please note that we will not necessarily collect all of the above information about you.

The name and contact details of the applicant and the referee, the applicant’s date of birth, the application, CV, photo and video and the results of the aptitude tests will be erased two years after notifying the applicants of the recruitment decision. Criminal record and credit data will be erased immediately after the applicant’s reliability has been assessed. Any copies of a passport or other identity document will be destroyed immediately after the person has been identified.

Stakeholder register 

Our operations also involve stakeholders, by which we refer to landowners and our shareholders. We may collect the following personal data of our stakeholders (the set of data is referred to as the “stakeholder register”:

  • Name and contact details (telephone number, email address, address) of the person or company belonging to a stakeholder group
  • Property identifier
  • Copy of a passport or other identity document for the purpose of identifying the person.

The data will be erased after 10 years, where applicable, either from the last contact related to the stakeholder relationship or from the termination of the land tenancy agreement.

Any copies of a passport or other identity document will be destroyed immediately after the person has been identified.

Supplier register 

We may collect the following personal data of our suppliers (the set of data is referred to as the “supplier register”):

  • The name, contact details and bank account details of the supplier’s contact person
  • The supplier’s name and contact details on the service providers’ reserve lists
  • Copy of a passport or other identity document for the purpose of identifying the person.

The data will be deleted after 10 years, where applicable, either from the last contact related to the supplier relationship or from the termination of the supplier agreement.

Any copies of a passport or other identity document will be destroyed immediately after the person has been identified.

Website register 

We collect the following data of the visitors to our website (the set of data is referred to as the “website register”):

Our website can be browsed anonymously. However, like many other websites, we use cookies in order to develop our website. When a customer accesses the service for the first time, a cookie defines a random value for the browser, which, however, does not reveal the user’s identity. Cookies help us to find out the most popular sections of the website, how the visitors move on the website and how long they stay there. This information is used, for example, to develop the user-friendliness of the website. It is not possible to identify individual users from the data collected with cookies.

The data will be erased two years after it has been collected.

3. Purposes and legal bases of processing personal data

The purposes for which we collect and process your personal data are listed in the following. The legal basis we have for processing the data in question is found next to each purpose. Please note that, as a rule, we apply one lawful basis for processing personal data, but there may be more than one basis for the processing measures depending on the situation.

Customer register

Purposes of processingProcessing bases
• Management of customer relationship
• Provision of services
• Compliance with contractual obligations
• Delivery and invoicing of products
•The processing is necessary in order to implement the contract we have signed with you or the company you represent or to be able to carry out the necessary measures for entering into the contract
• The processing is also necessary for the purposes of our legitimate interests. In this case, our legitimate interests include management of customer accounts, management and development of customer services, implementing the services we provide, and the development of our business operations
Customer communications, including crisis communications• Processing is necessary for the purposes of our legitimate interests, which in this case include management of customer account, management and development of customer services, and customising our services and communications
• In terms of crisis communications, processing is necessary for compliance with a legal requirement (for example, reporting of a data breach)

• Management and planning of the company
• Analysis of sales indicators
• Processing is necessary for the purposes of pursuing our legitimate interests. In this case, our legitimate interests include processing of complaints and other demands, resolving disputes and carrying out strategic planning and resource analyses, developing our business operations and improving their efficiency, carrying out risk analyses, customising our services and communications, and updating customer data and preferences
• Compliance with the Accounting Act and other legal requirements • Processing is necessary for compliance with a legal requirement (for example, due to correct and accurate accounting)
• Management of legal processes, compliance with court rulings and safeguarding of our rights• Processing is necessary in order to comply with a legal requirement
• Processing is also necessary for the purpose of our legitimate interests, which in this case are protecting our immaterial and other rights or responding to the demands of the authorities
• Implementing restructuring measures • Processing is necessary for the purpose of our legitimate interests, which are the development of our company and business operations and the management of the company
• Historical research• Processing is necessary for the realisation of public interest
• Processing is necessary for the purpose of our legitimate interests, which are drawing up historical reviews and collecting past events to record our development over time, and to respond to general need for information
• Identification purpose• Processing is necessary for legal requirements (for example, so that personal data is not revealed to a wrong person)

 

Camera surveillance register

Purposes of processingProcessing bases
• Ensuring the personal safety of our employees and other people present on our premises
• Protecting our property
• Supervising the appropriate operation of our production processes
• Preventing and investigating situations that pose a risk to safety, property or the production process
• Scientific research
• Processing is necessary for the purposes of pursuing our legitimate interests. In this case, our legitimate interests are promoting the safety of the areas and facilities in our use and that of our employees, as well as monitoring and assessing the operation of the equipment and machinery, and their development
• Crisis communications• Processing is necessary for compliance with a legal requirement (for example, reporting of a data security breach)
• Managing legal processes, complying with court rulings and safeguarding our rights• Processing is necessary in order to comply with a legal requirement
• Processing is also necessary for the purpose of our legitimate interests, which in this case are protecting our rights or responding to the demands of the authorities
• Identification purpose• Processing is necessary for legal requirements (for example, so that personal data is not revealed to a wrong person)

 

Recruitment register

Purposes of processingProcessing bases
• Remuneration and selection of new employees
• Organising meetings and events
• In certain cases, processing can only be possible on the basis of your consent. In such a case, we will ask for your consent and tell you the purposes for which your consent is requested.
• Processing may also be necessary for the purposes of pursuing our legitimate interests. In this case, our legitimate interests are the remuneration of new employees, establishing the reliability of job applicants, and communication to job applicants.
• Processing may also be necessary to implement measures prior to drawing up a contract of employment.
• Recruitment communications and crisis communications• Processing is necessary for compliance with a legal requirement (for example, reporting of a data security breach)
• Managing legal processes, complying with court rulings and safeguarding our rights• Processing is necessary in order to comply with a legal requirement
• Processing is also necessary for the purpose of our legitimate interests, which in this case are defending against claims related to an employee’s recruitment process or responding to the requirements of the authorities
• Identification purpose• Processing is necessary for legal requirements (for example, so that personal data is not revealed to a wrong person)

 

Stakeholder register

Purposes of processingProcessing bases
• Handling of land tenancy matters
• Managing environmental permit matters
• Energy invoicing to shareholders
• Processing is necessary in order to implement the contract we have signed with you or the company you represent
• Processing is also necessary for the purposes of pursuing our legitimate interests. In this case, our legitimate interests include performance of measures necessary in order to offer our services and the management of stakeholders
• Stakeholder communications, including crisis communications• Processing is necessary for the purposes of our legitimate interests, which in this case include management of stakeholders, management of customer services, and customising our services and communications
• In terms of crisis communications, processing is necessary for compliance with a legal requirement (for example, reporting of a data breach)
• Management and planning of the company• Processing is necessary for the purposes of pursuing our legitimate interests. In this case, our legitimate interests include processing of complaints and other demands, resolving disputes, strategic planning, carrying out risk analyses, and updating stakeholder data
• Compliance with the Accounting Act and other legal requirements • Processing is necessary for compliance with a legal requirement (for example, due to correct and accurate accounting)
• Management of legal processes, compliance with court rulings and safeguarding of our rights• Processing is necessary in order to comply with a legal requirement
• Processing is also necessary for the purpose of our legitimate interests, which in this case include protecting our rights with respect to land ownership and other rights, or responding to the demands of the authorities
• Implementing restructuring measures • Processing is necessary for the purpose of our legitimate interests, which are the development of our company and business operations and the management of the company
• Identification purpose• Processing is necessary for legal requirements (for example, so that personal data is not revealed to a wrong person)

 

Supplier register

Purposes of processingProcessing bases
• Establishing service providers on the reserve list• Processing is necessary in order to implement the contract or to carry out the necessary measures before concluding the contract
• Supplier communications, including crisis communications• Processing is necessary for the purposes of our legitimate interests, which in this case are managing and informing suppliers, and customising our communications
• In terms of crisis communications, processing is necessary for compliance with a legal requirement (for example, reporting of a data security breach)
• Implementing restructuring measures • Processing is necessary for the purpose of our legitimate interests, which are the development of our company and business operations and the management of the company
• Identification purpose• Processing is necessary for legal requirements (for example, so that personal data is not revealed to a wrong person)

 

Website register

Purposes of processingProcessing bases
• Website analytics• Processing is necessary in terms of our legitimate rights, which include the development of our business operations, and the development and customisation of our services and communications
• Support for the network and system security• Processing is necessary in terms of our legitimate interests, which include supervision of data traffic and network security

4. Regular information sources

The information recorded in the register is obtained mainly from the person themselves, but we also collect information from our other group companies, from public sources such as registers maintained by the authorities, the LinkedIn service, and with cookies and other similar technologies.

It is not compulsory to provide personal data, but it may be needed in order to provide our services to you, to draw up a contract and for communication purposes. When you draw up a contract with us, it may also be an obligation arising from the contract to provide your personal data so that we can comply with our own contractual obligations. If you do not provide us with the personal data we have requested, we may be unable to conduct a business relationship with you, to offer you our services or to contact you, and we may have to terminate our contractual or other relationship.

5. Recipients of personal data

As a rule, the data is not disclosed outside the company or group. However, depending on the situation and where applicable, we may have to disclose your personal data to the following:

  • service providers (e.g. accountant, IT service providers, security services)
  • tax and other authorities
  • insurance companies
  • auditor
  • recruitment and temporary employment agencies, and aptitude test providers
  • third parties as part of a corporate transaction
  • advisors (e.g. external legal advisors).

We always make sure that we have a clear basis in law to share the data.

Your data shall not be transferred outside the EU or the European Economic Area. We have also ensured that our service providers comply with the data protection legislation. We have selected secure data centres located in Finland or in the EU/EEA countries for storing your data.

6. Rights of the data subject

If you have any questions concerning this notice, or if you are concerned about protecting your privacy or the use of your data or you suspect that your data protection has been breached, please contact us by email at tietosuoja@epv.fi.

In addition, you will always have the following rights, and requests with respect to exercising these rights must be made in person at the controller’s place of business or by sending an email to tietosuoja@epv.fi. We will handle your request in confidence without undue delay, and we will contact you if necessary.

Before responding to your request, we may have to ask you for information in order to confirm your identity. This is a safety measure by which we aim to make sure that your personal data will not be disclosed to anyone who has no right to receive it.

Right of access

You have the right to verify whether we process your personal data, and if we do, you have the right to access your own personal data and to obtain the following information:

  • the categories of personal data concerned
  • the recipients or categories of recipient
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
  • the existence of the right to request rectification or erasure of your personal data and the option of restricting the processing of your personal data or of objecting to such processing
  • the right to lodge a complaint with a supervisory authority
  • if the personal data has not been collected from you, information as to its source
  • information whether automated decision-making is used, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you
  • appropriate safeguards applied to the transfer of personal data to countries outside the EU and the EEA.

You have the right to receive a copy of the processed personal data as long as the copy shall not adversely affect the rights or freedoms of others. We may charge a reasonable fee based on administrative costs for the provision of any extra copies.

Right of rectification

If you detect inaccurate or insufficient information about yourself, you can ask us to rectify or complete the information.

We will notify the rectified personal data to all recipients to whom we have disclosed your personal data unless this proves to be impossible or would involve a disproportionate effort. We will inform you of these recipients at your request.

Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data if we process your personal data on grounds of our legitimate interests. After the objection we will no longer process your data unless (i) we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or (ii) the processing is necessary for the establishment, exercise or defence of legal claims.

Right of restriction

You have the right to restrict the processing of your data in each of the following situations:

  • you contest the accuracy of your personal data, in which case we will restrict the processing of your data until the accuracy of the data has been verified
  • the processing is unlawful, but you oppose the erasure of the personal data and request the restriction of its use instead
  • we no longer need the personal data for the purposes referred to in this document, but the data is required by you for the establishment, exercise or defence of legal claims
  • you have objected to processing pursuant to your rights, and the processing is based on our legitimate interest referred to in this document, and the processing is restricted pending the verification whether the legitimate grounds of the controller override those of the data subject.

If the processing of your data has been restricted, we will notify you before we lift the restriction.

We will communicate any restriction of processing of your personal data to all recipients to whom we have disclosed your personal data unless this proves to be impossible or involves a disproportionate effort. We will inform you of these recipients at your request.

Direct marketing restriction

We shall not approach you via direct marketing. We shall never sell or otherwise hand over your personal data to others so that they could send you direct marketing. In any event, you have the right at any time to prohibit us from using your data for direct marketing purposes.

Withdrawal of consent

If we process your personal data on the basis of your consent, you have at any time the right to withdraw your consent. Once we have received your communication about the withdrawal of your consent, we will no longer process your data for the purpose or purposes to which you originally consented unless we have some other legal basis for the processing.

Right of transfer

You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format (such as in XML format with the relevant metadata) and to transmit the data in question to another controller, if:

  • we process your personal data on the basis of your consent; or
  • we process your personal data because it is necessary for implementing a contract concluded between us; and
  • the processing is carried out by automated means; and
  • this right does not adversely affect the rights and freedoms of others.

In the above-mentioned cases, you have the right to have your personal data transmitted directly from us to another controller, where technically feasible.

Right of erasure

You have the right to require us to erase your personal data without undue delay where one of the following grounds applies:

  • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed
  • you withdraw your consent on which the processing has been based, and there is no other legal ground for the processing
  • you object to the processing, and there is no justifiable reason for the processing
  • you object to the processing of your data for the purposes of direct marketing
  • your personal data has been unlawfully processed
  • the personal data has to be erased for compliance with a legal obligation to which we are subject.

Please note that the data protection legislation recognises situations where processing may be necessary despite the application of the above grounds for erasure. We shall always notify you separately of these conditions and the grounds for processing.

We shall notify of the erasure of your personal data to all recipients to whom we have disclosed your personal data unless this proves to be impossible or involves a disproportionate effort. We shall inform you of these recipients at your request.

Right of appeal

We hope that you will contact us if you have any questions in relation to the processing of your personal data. You shall at all times have the right to lodge a complaint with an appropriate supervisory authority if you believe that we do not comply with the applicable data protection legislation. In Finland, the supervisory authority in data protection matters is the Data Protection Ombudsman. Please note that, in principle, the Data Protection Ombudsman will not take a position in cases where the data subject has not contacted the controller themselves in the first instance.

7. Protection of the register

Safe processing of your personal data is important to us. We use the following protection measures to ensure the safety of your data:

  • The data is stored in systems, which require a valid username and password to access them. The systems are also protected with firewalls and appropriate security solutions.
  • Only specific, predefined persons have access to and are entitled to use the data contained in registers stored in the systems.
  • The servers containing the data in the registers are located in data centres, the unauthorised access to which is prevented.
  • Backup copies are made of the registers on a regular basis.
  • The data contained in manual registers is located in locked and guarded facilities.

We shall notify the authorities or the data subjects of any data security breaches in accordance with the applicable legislation. If necessary, we may close the system that is causing the threat in order to protect personal data.

8. Amendments to the notice

We constantly develop our services and reserve the right to amend this privacy notice. The amendments may also be based on a change in legislation. We will publish the amended notice on our website and, if the amendments are substantial and will considerably change this privacy policy, we will also notify you of the matter by email or by other means before the amendments enter into force. We recommend to always familiarise yourself with the most up-to-date privacy notice.

This privacy notice was last updated on 26 September 2018.