4.6.2020 - Data privacy practices
St1 Nordic Oy’s Privacy Notice
This privacy notice provides information to registered customers, the employees of customers and the supervisory authority in accordance with the requirements of the European Union’s General Data Protection Regulation (hereinafter the “GDPR”) and the national data protection regulations in force.
This privacy notice describes how St1 Nordic Oy (St1) collects, uses, retains and protects personal data. St1 as a counterparty in the matter in question acts as the controller. St1 companies include all companies that belong to the St1 Nordic Oy group of undertakings (St1 Finance Oy, St1 Oy, St1 Sverige AB, St1 Norge AS, St1 Refinery AB, St1 Norge Marine AS, St1 Lähienergia Oy, St1 Deep Heat Oy, Lämpöpuisto Oy). For the sake of clarity, it is herein stated that, if not explicitly stated otherwise, the terms ‘we’, ‘the Company’ and ‘St1’ as used in these data protection practices refer to any company belonging to the St1 Nordic Group which acts as a controller in any given circumstances.
1) What personal data does St1 collect for its operations
a.) basic information on individual customers (name, date of birth or personal identification number and contact details such as address, phone number and email address etc.)
b.) basic information on Company customers (information required for identifying the customer and for clarifying the customer’s financial status and political influence)
c.) information on the customer relationship (such as the duration and nature of the customer relationship)
d.) consent (the data subject’s consent and withdrawals of consent related to the processing of personal data)
e.) information on the agreements concluded between the customer and St1
f.) information on customer transactions
g.) background information on the customer (title or occupation, and other information regarding the activities and status of the data subject with respect to private or public-sector duties)
h.) behavioural data (such as data collected with cookies and points of interest)
i.) information on the content of recordings and messages (such as recordings of phone calls)
j.) technical identification data (such as information used to identify mobile application users)
For the sake of clarity, the following information is collected only from our customers located in Norway:
a.) information about your device and internet connection
b.) information about your use of our services
c.) information about your location (geoinformation)
d.) information from co-operation partners for customers also taking part in our payment app solution (e.g. Trumf)
Personal data is mainly collected from data subjects themselves. Personal data can be obtained from other IT systems of the St1 companies as permitted by legislation.
To the extent permitted by law, personal data can be collected and updated from the IT systems of third parties, such as the following:
a.) public registers maintained by authorities, such as the Population Register Centre, execution authorities and the police, as well as tax administration registers, business register and registers of supervisory authorities
b.) sanction lists (e.g. lists maintained by the EU, UN and national organisations) and other reliable sources that provide information, for example, on beneficial owners and persons with political influence
c.) controllers of credit information
2) Purposes and legal bases for processing personal data
St1 processes personal data in order to fulfil contractual and legal obligations and in order to provide services and guidance to its customers. The information below provides more details on the processing of personal data and the legal basis for the processing.
a.) Execution of contracts
The purpose of personal data processing is to collect, process and verify personal data before concluding a product and service agreement and to document and carry out contractual obligations. Examples of such actions taken by St1 include the following:
b.) Legal obligation
Laws, regulations and requirements of authorities impose obligations on St1 concerning the processing of personal data, for example:
c.) Legitimate interest of the controller or a third party
St1 processes personal data in order to carry out marketing, product and customer analyses. Data collected in this connection is used, for example, in product and service development. In addition, in order to defend against or mitigate claims, St1 can process (store) personal data based on legitimate interest.
Where national regulations so require, we request the consent of the data subject to the transmission of electronic direct marketing (such as e-mail or direct marketing via text messages). You may withdraw your consent at any time.
At gas stations or retail sites with specified, clearly marked signs, St1 uses recording CCTV cameras to ensure the safety of visitors at the site, to protect St1 assets by enabling investigations of fraud and criminal activity (for which the legal basis of processing might change to fulfilment of a legal obligation towards authorities) and to support the handling of customer service disputes. St1 does not disclose information in the recordings to any parties outside the St1 Group and its chosen data processors.
d.) Targeted marketing
St1 processes customer data to connect customer-specific purchases, purchase categories and locations (from St1 gas stations or retail sites) so that St1 can target marketing based on customer preferences and behaviour. These actions do not cause any legal effects towards the customer as such.
e.) Automated decision-making
St1 Sverige AB and St1 Finance Oy utilise automated decision-making in their credit granting process, to the extent permitted by law, in relation to the St1 Mastercard, St1 Privatkort and Shell Card Private products. Customers can always request that a manual decision-making process is applied instead of the automated process, express their opinion or contest only the decision that was made based on automated processing. If the offered product or service includes automated decision-making, customers are provided with additional details on the processing logic applied to automated decision-making, its meaning and possible consequences.
3) Disclosure of personal data
Personal data may be disclosed to companies belonging to the St1 Nordic Oy group of undertakings. Personal data may be transferred to the data processors of the Company and to the aforementioned group companies, in accordance with the obligation to maintain professional secrecy and with the binding data processing agreement required by law.
In addition to the aforesaid, St1 discloses data subject’s contact details to chosen partners who may offer services directly to the data subject, provided that St1 has received an explicit consent to this disclosure from the data subject. St1 has binding data processing agreements required by law with such chosen partners.
Personal data may also be disclosed to the extent permitted and as required by the legislation in force, to those parties which have right of access to personal data under law.
In principle, personal data will not be transferred outside the European Economic Area unless this is necessary for technical reasons pursuant to fulfilling the purposes of processing personal data, in which case the transfer of personal data will abide by the requirements of data protection legislation for the implementation of the appropriate or adequate safeguards. By submitting a request in accordance with section 8, the Company shall provide a copy of these protection measures.
4) Protection of personal data
Physical data is stored in locked facilities. Such data may only be processed by persons who have a legitimate reason, related to their duties, for processing the data.
The information systems are protected by various organisational and technical methods from access by third parties. Each user has a personal user ID and password for logging into the system. Access to the data is restricted to persons who process the personal data in question as part of their duties.
5) Rights of customers
Right of access to data (right to inspect data)
The data subject shall have the right to inspect personal data relating to him or her that has been stored in the register. The data subject is also entitled to receive a copy of the personal data being processed. A request for right of access must be made in accordance with the instructions given in section 8 of this privacy notice. Right of access may be refused on the grounds laid down by law.
Exercising the right of access is free of charge in principle. We may charge a reasonable fee corresponding to the administrative costs of fulfilling the request if the data subject requests several copies of the data or if the requests are made repeatedly or are otherwise found manifestly excessive or unfounded.
The right to require rectification, erasure or restriction of processing
The data subject shall have the right to have any data on the register rectified or deleted if such data is contrary to the purpose of the register, incorrect, superfluous, incomplete or outdated. The data subject may submit a request for the rectification or deletion of data by contacting the Company in accordance with section 8 of the privacy notice.
The data subject shall also be entitled to require the Company to restrict the processing of his or her personal data, for example if the data subject is awaiting a response to a request from the Company for the rectification or deletion of such data.
Right to object to the processing of personal data
With respect to his or her particular circumstances, the data subject has the right to object to the profiling of him or her and other processing activities to which St1 is subjecting the data subject’s personal data. Upon the objection St1 shall no longer process the personal data unless the grounds for data processing are based on the legitimate interests of the Company which override the interests, rights and freedoms of the data subject. If the personal data is processed for direct marketing, the data subject has the right to object to the processing without any specific grounds, after which the Company will no longer process the data for purposes of direct marketing.
The data subject may submit his or her objection by contacting the Company in accordance with section 8 of this privacy notice. With respect to the objection, the data subject must identify the specific situation with respect to which he or she objects to processing. The Company may refuse to execute the request on the grounds laid down by law.
Right to withdraw consent given
If personal data is processed on the basis of the data subject's consent, the data subject has the right to withdraw such consent by notifying the Company thereof in accordance with section 8.
Right to data portability
The data subject shall have the right to receive his or her personal data which the data subject has provided to the Company and the processing of which is automated and based on an execution of a contract or on data subject’s consent, in a structured, commonly used and machine-readable format and have the right to transmit the data to another controller (where technically possible).
Right to lodge a complaint with a supervisory authority
Every data subject shall have the right to lodge a complaint with a supervisory authority, if the Company has not complied with the applicable data protection regulation.
The complaint shall be lodged with the supervisory authority in the Member State of his or her habitual residence, place of work or place of the alleged infringement of data protection regulation. A complaint concerning St1’s actions in relation to data protection regulation can be lodged with the supervisory authority of the data subject’s habitual residence or alternatively with the Finnish Data Protection Ombudsman. Further information about your right to data protection is available on the website of the Data Protection Ombudsman at: tietosuoja.fi.
Cookies enable the collection of information such as the following:
the IP address of the user; time of day; pages visited and time spent on the site; browser type; operating system of the terminal device; the URL from where the visitor came to the site and the URL to which the user goes after using our website and the server and domain name from where the user came to the website.
The website may also contain cookies from third parties such as those providing measurement and monitoring services. Third parties may install cookies on the terminal device when customers visit the website.
Cookies on third-party websites
In addition to cookies used on the website, cookies are also utilised on third-party websites to target the advertising of St1. Information collected with the cookies of cooperation partners and by means of other techniques enables targeted advertising based on previous online behaviour and other factors, enabling targeting of ads to users who are likely to be the most interested in the advertisements. In that case, behavioural data collected through websites other than the St1 site can also be utilised for targeting purposes.
In addition, our cooperation partners and we can collect information on the efficiency of the advertising we create. For this purpose, we can collect information such as the following: information on how many times some specific ad has been displayed in a browser; information on whether the ad was clicked and information on whether clicking the ad resulted in purchasing the product in the online shop.
Disabling cookies and preventing targeted advertising
If customers do not want advertising to be targeted based on areas of interest, they can prevent targeting. When you have prevented targeted advertising, you will still see as many ads as before, but the advertisements will not have been selected based on your areas of interest.
7) Retaining personal data
Personal data shall be kept for as long as its processing is necessary with respect to the purpose for which the personal data was collected. Upon a withdrawal of data subject’s consent to process his or her personal data for direct marketing purposes, the Company shall only delete such data if there are no other legitimate grounds for processing the data.
The Company shall delete or anonymize unnecessary data at regular intervals. Personal data shall be deleted from the register or anonymized as soon as there is no longer any need or grounds for its processing, or once such processing is no longer necessary for the Company in the fulfilment of a law, regulation or other official obligation.
8) Contact information
Data subjects can contact the data protection officer in all matters related to the processing of their personal data or the exercise of rights based on the GDPR. You can contact our data protection officer on any questions about the privacy notice by e-mail at email@example.com, or by post addressed to:
St1 Nordic Oy
Tripla Workery West, Firdonkatu 2, 00521 Helsinki, Finland