1. Gasum

Gasum Group’s Privacy Statement

Gasum Group has committed to secure its customers’, employees’ and stakeholders’ personal data and to comply with national data protection regulation and EU General Data Protection Regulation (GDPR).

In our group we, as a controller of personal data, process personal data for various purposes. This Privacy Statement describes those purposes, their lawfulness and informs data subjects of their rights. Our processing activities are transparent and we collect personal data only to the extent necessary for our lawful processing purpose.

Controller definition within Gasum Group

The responsible controller within Gasum Group concerning the processing of customer and marketing data is our Finnish parent company Gasum Oy. Main subsidiaries of Gasum Oy in Finland are Gasum LNG Oy and Gasum Portfolio Services Oy. Main subsidiaries of Gasum Oy in Finland are Gasum LNG Oy and Gasum Portfolio Services Oy, in Sweden Gasum AB and Gasum Clean Gas Solutions AB, in Norway Gasum AS and Gasum Clean Gas Solutions AS and in Estonia Gasum Oü. The Gasum AB German Branch operates in Germany.

Our group companies within Gasum Group act as joint controllers of data for customer and marketing data, except for Gasum Portfolio Services Oy, which holds authorization under the Finnish Act on Investment Services granted by the Finnish Financial Supervisory Authority.

As a data subject, you are either our customer, potential customer, their contact person, our potential employee or other stakeholder to Gasum Group. It is extremely important or mandatory for us to be able to contact the foregoing groups of individuals in our operation.

Responsible controller:
Gasum Oy
Business id: 0969819-3
Visiting address: Revontulenpuisto 2 C
Postal address: PL 21, 02151 Espoo, Finland
E-mail: customerservice@gasum.com
Tel: +358 20 4471

Contents

This Privacy Statement contains the following information:

  • What types of personal data we process

  • What are our purposes of processing and legal basis

  • How do we collect personal data

  • How long do we store personal data

  • To who do we transfer personal data – recipient groups

  • Transfer of personal data to recipients in third countries

  • How do we secure data protection

  • Your rights

  • Cookies

  • Amendments

  • Contact details

What types of personal data we process

Personal data we process can be divided into following data groups:

  • Given names and surname.

  • Contact details (phone number, address and e-mail address).

  • Employment information (your employer, profession, title, scope of your work, degrees, your representation rights at your organization).

  • Social security number and date of birth.

  • Copies of passport, driving license or other personal identification (only for know your customer purposes under finance regulation)

  • Allergies and diet information (for event organization).

  • Your user code and password when using our online services, such as Gasum Online.

  • Customer and marketing survey answers.

  • Credit information.

  • Technical information: Cookies, IP-addresses, and device information. (Technical information won’t be directly associated to you or your name.)

  • Information provided to us for contact requests such as the contents of your associated message.

  • Footage (if you visit our premises or filling stations or you have given your consent to publish video or still images for marketing and communication purposes).

  • Information concerning your work experience, education and other corresponding information you have provided to us in a recruitment process or when we are procuring goods or services.

  • Your location and driving habits information if we have provided a marketing passenger vehicle for your use (does not apply to winners of marketing draws and third party owned vehicles).

  • Your filling amounts at our refueling stations (if you are our GasCard customer)

Processing Purpose and Lawfullness

We process your personal data only when considered lawful under applicable regulation. Our processing purposes are mainly based on the following lawful processing criteria:

  • Performance of a contract

    • If you represent an organization to whom we are in a contractual relationship with we can collect your:

      • Name

      • Contact details

      • Employment information

    • We can process the data to:

      • Contact you to perform and fulfill a contract and to maintain the associated relationship.

      • Improve the customer relationship, customer communications and executing customer surveys.

    • If you are a consumer customer (applicant or owner of our GasCard payment card), we can collect your:

      • Name

      • Contact details

      • Social security number, personal ID and birth date

    • We can process the data to:

      • Maintain and improve the customer relationship, customer communications, executing customer surveys, invoice, collect debt (if required).

      • Review your credit information in the beginning of your customer relationship or upon ordering if payment for goods or services is due after our performance.

      • We use your personal ID only for debt collection, if any, and to check your credit information.

  • To comply with a legal obligation

    • We might be required to comply with a mandatory legal obligation to treat your personal data. For example, your personal data can be stored longer than necessary to fulfill the particular processing purpose if applicable accounting laws so require.

    • One of our group companies in Finland, Gasum Portfolio Services Oy, holds authorization under the Finnish Act on Investment Services granted by the Finnish Financial Supervisory Authority, and is required under a legal obligation to identify its customers and process names, social security numbers, addresses and copies of passports or other personal identification documentation.

  • Based on our legitimate interest

    • Based on our legitimate interest, we can process your data in the following events:

    • Direct marketing, such as:

      • Issuing our written stakeholder publications

      • Issuing newsletters via e-mail if the marketing is closely connected to good or services we have already provided to you under a contract so that we have received your contact details through an existing customer relationship.

      • Profiling. Strictly for the purpose of direct marketing of our goods and services, based on any data acquired from you or from public registers.

      • You have the right to object direct marketing and opt-out of which we inform you when we exercise such marketing.

    • To transfer data to other Gasum Group companies.

    • To protect our assets, operation and property when you visit our production plants, terminals, filling stations or office premises. We have adequate camera surveillance (CCTV) in place recording video footage.

    • During public or private procurement processes, prior to enforcing a contract, if your organization has been requested to supply information on your employment and educational background to verify your level of competence.

  • Your consent

    • If you give your voluntary consent for us to process your data, we will inform you when asking your consent, the specific purpose for data processing.

    • We will request your consent, inter alia, in the following situations:

      • For our marketing campaigns and draws and any following marketing and communications.

      • For event organization (including stakeholder events, trainings, rescue personnel operations and trainings, marketing events). To organize the events, we might ask you to provide your name, contact details, employment details, and dietary information.

      • In our recruitment processes.

      • When answering our marketing and customer surveys.

      • When we collect your information to contact you.

      • When we hand-out a passenger car for marketing purposes to your use, we collect information on your driving habits and location data to protect our property (does not concern third party owned vehicles).

    • You can withdraw your consent at any time by contacting us or following the instructions provided when you gave your consent for the specific processing activity.

How do we collect personal data

We mainly collect personal data directly from you.

If you are a contact person necessary for the performance of a contract, we might receive your data directly from the organization you are representing.

We may also collect data from third parties, such as private and public registers such as national trade registers, private companies providing contact detail information, and public civil registries.

How long do we store personal data

We have set time limitations for processing of personal data. After the expiry of such time limitations, we will destroy the data. Limitations in this respect are not fixed, but instead they are based on the existence of a lawful processing purpose (inter alia, for the duration of a marketing campaign, the validity of a contract or the remainder of a legal obligation), which we review in regular set intervals. For example, data received in a marketing draw is deleted after the draw has ended. CCTV footage at our premises is deleted at regular intervals. We might have to maintain data for longer periods of time in case of disputes, accidents or other liability events to protect our rights.

To whom we transfer your data to – recipient groups

We transfer your personal data within Gasum Group to our group companies if such transfer complies with our lawful processing purpose. Our customer and communication register is joint with all of our group companies as described in the beginning of this statement.

We can transfer data to third party data processors whom we have chosen as preferred partners (including, inter alia, IT- and cloud service companies, collection agencies and event organizers). When transferring data to third party processors, we will ensure data protection compliance with applicable regulation by executing a data protection agreement with the processor and giving adequate instructions. When required, we will ask your consent to transfer data.

We might be also required under a legal obligation to transfer data to authorities or officials such as police, customs or tax authorities.

Transfer of Personal Data to Third Countries

First and foremost, your data won’t be transferred to locations or to third party processors in third countries outside of EU or the European Economic Area. In some limited events, we may transfer your data to our selected processing partners or their sub-contractors storing data in such third countries. In these situations, we fully follow and comply with the requirements of the EU General Data Protection Regulation of transfer of data to third countries:

  • The European Commission has decided that a third country has adequate level of protection of personal data. No specific permit or authorization is required for such transfer to third countries.

  • We otherwise secure fully adequate level of protection of personal data by utilizing the model standard contractual clauses provided by the European Commission for the transfer of personal data to third countries.

  • We execute a data protection agreement with the third party processor and provide them with adequate instructions.

How Do We Secure Data Protection

Your data protection is of utmost importance to us. We have taken and have in use adequate technical and organizational measures to secure protection of data and to fully avoid data breaches. We have in place high industry standard security programs and have limited access to the data to our employees who are in their scope of work required to process the data (access control).

Servers of our systems are located in a dedicated, locked and well-protected and monitored data centers. Personal data is, inter alia, protected from the public internet with a firewall, and access to any personal data requires verification by a user ID and password. User IDs and access rights are managed by Gasum Group information management.

Your Rights

As a data subject, you have the following rights:

  • Access

    • You can access and review what data we process of you. After we have validated your identity, we will provide the data we process of you and other information of your rights as required under applicable regulation.

  • Rectification

    • You can have your data rectified if it contains errors or the data is incomplete. We kindly ask you to notify us if you notice that your data is erranous or incomplete.

  • Erasure (”right to be forgotten”)

    • You can request us to erase and delete your data with the condition that no lawful processing principle exists and the processing is not otherwise required under mandatory law or to resolve an ongoing dispute.

  • Restriction of processing

    • If there exists ambiguity regarding the validity of our lawful processing principles or the authenticity of your data, you can request us to restrict the processing of your data until the ambiguity is resolved.

  • Data portability

    • You can request us to transfer your data to other controllers if it is technically possible and safe.

  • Objection of our legitimate interest

    • You can for example opt-out from our direct marketing as we instruct you when we exercise such marketing.

  • Complaint to national supervisory authorities

    • You can lodge a complaint to national supervisory authorities in all of our countries of operation.

Requests concerning the utilization of your rights in respect to access and erasure, we kindly ask you to provide the request in writing and duly signed either via e-mail or post to our official addresses described here. All requests are to be made to the contact details defined below.

Cookies

We are using cookies at our websites. Cookies are text files which are located in the device used for browsing. Cookies are used to improve user experience at our websites and for marketing analysis. You can decline the use of cookies directly at our websites or remove the cookies which might to some extent restrict the use of our websites.

Amendments

We have the right to amend this Privacy Statement if our purposes for processing data or if the existing circumstances change. We will not, however, change the processing purpose of your data without you knowing it or without your consent when consent is our lawful purpose. We are always committed to comply with existing and in force regulation to fulfil your rights even though changes might be made to this Privacy Statement. Up to date Privacy Statement can be found at our group websites described below.

Contact

You can contact us:

customerservice@gasum.com
Tel. +358204471
www.gasum.com

You can also contact or lodge a complaint to the national supervisory authority.

In Finland: Tietosuojavaltuutettu (www.tietosuoja.fi)

In Sweden: Integritetsskyddsmyndigheten (https://www.imy.se/)

In Norway: Datatilsynet (www.datatilsynet.no)

In Estonia: Andmekaitse Inspektsioon (https://www.aki.ee/et)

16.4.2021