Privacy policy

Updated 4.2.2022

1 Name of the register

The customer, subcontractor, and marketing directory of Keravan Energia concern.

2 Register controller

Keravan Energia Oy (0891026-0) and Sipoon Energia Oy (1030712-9)
Street address: Tervahaudankatu 6, 04200 Kerava
Mail address: PL 37, 04201 Kerava
Telephone: 09-584 9550

3 Contact information on issues regarding the register

info@keoy.fi
Tervahaudankatu 6, 04200 Kerava
Tel. 09-5849 550

4 The data content of the register

In our directory we handle personal data regarding our private customers, representatives of company customers and potential customers of all groups. In addition we handle data regarding our suppliers and subcontractors and our employees.

We collect and handle the following data:

• • person’s basic information, such as name, age, birth year, social security number
  • person’s contact details, such as address, email address and telephone number
  • all contacts such as emails and calls between customers and directory controller’s customer service
  • details regarding the use of products and services, such as energy consumption data, information on the place of use and information on equipment at the place of use
  • all information needed for invoicing
  • the customer’s credit information within the limits permitted and required by legislation
  • basic information of the subcontractor’s employee, such as name and date of birth
  • contact information of the subcontractor’s employee, such as postal address, email address and telephone number
  • information related to the employment relationship of the subcontractor’s employee, such as tax number, employer, employer’s social security number and country of residence
  • education, qualification and course information of the subcontractor’s employee, as well as information about a possible A1 certificate

Kerava Energia companies also process personal data collected through the Whistleblowing channel. You can find out more about the processing of personal data collected through the channel here.

You can find out more about the processing of the personal data of our subcontractors’ employees in the Ilmoita service.

5 The purpose of use and reason for personal data

The controller or a partner authorized by it (acting on behalf of the controller) uses the personal data of customers, potential customers and subcontractors in accordance with personal data legislation for the following purposes:

• managing and developing customer relations
• offering, delivery and production of products and services
• contract management and invoicing
• payment, payment monitoring and collection
• development of business, services and customer service
• marketing, advertising and sales of products and services,
• segmentation for marketing. The categories used in segmentation can be based on, for example, electricity consumption and
• handling the obligations according to the Act on the Contractor’s Obligations and Liability when Work is Contracted Out and reporting obligations in construction.

The directory controller has the right to handle personal data based on the following:

• The processing of personal data is necessary for the implementation of the contract between the controller and the customer or for the implementation of measures prior to the conclusion of the contract.

• The processing of personal data is necessary to comply with the legal obligation of the controller, such as to fulfill the obligations arising from the Act on the Contractor’s Obligations and Liability.

• The controller has a legitimate interest based on the customer relationship to use customer data for the development of services and for the marketing of products and services under the conditions and restrictions defined in legislation.

• On the basis of registered consent, when the data subject has given his consent to electronic marketing or another purpose expressly defined by the controller.

6 Regular sources of information

Information about customers is obtained from customers, e.g. in connection with requests for offers, orders, contracts and other contacts, as well as the information that is or will be saved from the use of the customer’s products or services. Information is also collected with the help of cookies and similar technologies in accordance with the procedures allowed by the regulations in force at any given time. The information of potential customers can be obtained in connection with possible raffles.

All customer contacts can be recorded and saved. The recordings are used e.g. in the authentication of business transactions and in the development of customer service.

Personal data can also be collected and updated from the registers of the Population Register Center, Suomen Asiakastieto Oy and other similar service providers.

The information is also updated based on the rules for exchanging information on the electricity market published by Energiateollisyys ry.

In the case of the employees of our subcontractors, personal data is collected directly from the registrants or their employers.

7 Data processors and other recipients

In principle, personal data is not disclosed to outside parties. Information may be disclosed to the authorities as required by the legislation in force.

In accordance with the electricity market legislation and the supplemental application instructions of the industry, information is disclosed to other parties in the electricity trade (electricity seller, distribution network operator) and to the data controller responsible for the electricity market data exchange solution (Fingrid Datahub Oy) via electronic message traffic.

Information can also be transferred for processing to Keravan Energia Oy’s partners, subsidiaries, service providers or subcontractors for the purposes specified in section five.

Our partners and subcontractors can process personal data only for tasks related to customer relationship management or maintenance performed on our behalf. We always ensure that our partners do not process transferred personal data for any other purposes.

8 Data transfer outside the EU or EEA

Data will not be transferred outside the EU or EEA, unless it is necessary for the technical implementation of the service or data processing. In this case, data protection and information security requirements set by data protection legislation are followed in the transfer of data.

9 Principles of personal data retention

Personal data according to this privacy statement will be stored as long as the data controller uses the data for the purposes described in section five. Personal data stored in the register are deleted when there is no longer a legal basis for their processing.

In the customer information system, personal data is stored for a maximum of ten years from the end of the customer relationship or until the customer requests the deletion of the data.

Personal data may also have to be stored longer than this, if the applicable legislation or our contractual obligations towards third parties require a longer storage period.

Subcontractors’ personal data is stored for six years after the end of the year in which the construction site was completed.

If we process personal data based on consent, the given consent can be revoked at any time.

Personal data processed on the basis of consent will be deleted immediately after withdrawal of consent, if there is no other legal basis for the processing.

10 Principles of registry protection

The data security of the register and the confidentiality, integrity and usability of personal data are ensured by appropriate technical and organizational measures.

Only persons employed by the Keravan Energia Group or its authorized operators, whose job duties require the processing of personal data, have access to the information.

Register data is protected with personal usernames and passwords. Viewing and editing rights are limited by user rights. We require staff and partners to commit to keeping customer information confidential.

11 Rights of the registrant

The registered person has rights according to data protection legislation. Please note that the more precise application of the rights in each individual situation depends on the purpose and situation of personal data processing.

The registered person must send requests regarding his rights in writing and signed to the address:

Keravan Energia Oy
PL 37
04201 Kerava

or via email to info@keoy.fi.

Requests regarding your rights can also be submitted personally on location to the controller’s representative.

As a general rule, the data controller does not charge the data subject a fee for processing the request.

However, if the data subject’s requests are obviously unfounded or unreasonable, such as if they are presented repeatedly, the data controller may charge the data subject a reasonable fee based on the administrative costs of processing the request.

The right to get access to personal data and to receive a copy of personal data

The registrant has the right to receive confirmation as to whether the registrant’s personal data is being processed, as well as the information defined in the data protection legislation about the processing of personal data. In addition, the data subject has the right to receive a copy of the personal data being processed.

The right to check and correct data

The registered person has the right to check what information about him is stored in the register. The registered person has the right to demand the correction of incorrect or inaccurate personal data.

The right to data removal

The registered person has the right to have his personal data deleted without undue delay, provided that

• personal data is no longer needed for the purposes for which it was collected or for which it was otherwise processed;
• the data subject withdraws the consent on which the processing was based, and there is no other legal basis for the processing;
• personal data has been processed illegally; or
• personal data must be deleted in order to comply with a statutory obligation based on Union law or national legislation.

The right to restrict processing

The registered person has the right to have the controller limit the processing if

• the data subject disputes the accuracy of the personal data;
• the processing is against the law and the data subject opposes the deletion of personal data and instead demands the restriction of their use;
• the controller no longer needs the personal data in question for the purposes of processing, but the data subject needs them to prepare, present or defend a legal claim.

The right to withdraw consent

If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw his consent to the processing at any time without affecting the legality of the processing carried out prior to this consent. However, the registered person’s personal data can be stored if compliance with the legal obligation of the controller requires the storage of personal data.

The right to transfer data from one system to another

The registered person has the right to receive the personal data concerning them, which they have provided to the data controller, in a structured, commonly used and machine-readable format, and the right to transfer the data in question to another data controller, if it is technically possible.

The right to file a complaint with the supervisory authority

The data subject has the right to file a complaint with the supervisory authority if the data subject considers that the processing of personal data concerning him/her violates applicable data protection regulations.

12 User tracking

We use Leadoo’s tracking service to follow what users are doing on the site and combine this behavioral data with other data we can gather from e.g. chat interactions. Leadoo uses etag tracking in order to hook together the same user’s behavior over several sessions – in practice this works similarly to cookie-based tracking. Please check out Leadoo Marketing Technologies Ltd’s Privacy Policy (https://leadoo.com/privacy-policy/) for more information on what is tracked and what your rights are. Leadoo works as the Processor, and we work as the Controller for the data in terms of GDPR. You can stop the tracking by emptying your browser’s cache after the visit. For more on how Leadoo works as a GDPR compliant processor, see https://leadoo.com/privacy-policy-processor.