Skip to content

Privacy policy: Vantaa Energy Group, stakeholder register

Privacy policy: Stakeholder register of the Vantaa Energy Group

This privacy policy provides information to the data subject and to the supervisory authority as required by the data protection legislation.

1 Controller

Vantaa Energy Ltd
Business ID: 0124461-3
Postal address: P.O. Box 95, 01301 Vantaa, Finland
Telephone: 09 829 01

2 Persons responsible for register matters and their contact details

Person responsible for the register
Thomas Souranto
Postal address: P.O. Box 95, 01301 Vantaa, Finland
Street address: Peltolantie 27, 01300 Vantaa, Finland

Data Protection Officer
Heidi Itkonen
Postal address: P.O. Box 95, 01301 Vantaa, Finland
Street address: Peltolantie 27, 01300 Vantaa, Finland

Data protection enquiries

3 Name of register

Stakeholder register of the Vantaa Energy Group.

The data subjects of the register are the suppliers of the Vantaa Energy Group, employees of the suppliers, customers visiting the offices of Vantaa Energy, decision-makers, the media, the authorities, partners, and influencers. The data subject may be a private person, an entrepreneur or an organisation.

4 Purpose and legal basis of the processing of personal data

The purpose of processing the personal data contained in the stakeholder register is to manage the cooperation relationships and tasks related to the business operations of the Vantaa Energy Group.

Vantaa Energy complies with the applicable legislation in the processing of personal data, such as the Electricity Market Act and the Data Protection Act, as well as the EU’s General Data Protection Regulation. Personal data may be processed in order to comply with the obligations related to the applicable laws, and official regulations and guidelines.

The legal basis for the processing of personal data is an agreement, consent, legal requirement or the legitimate interest of the controller. Legitimate interests include the implementation and maintenance of the obligations and rights of the parties to the contractual relationship, the management of cooperation relationships and tasks related to the business operations, monitoring the operation of production processes, and ensuring industrial security and personal safety.

5 Data content of the register

The following data related to the data subject may be processed in connection with the stakeholder register:

  • basic data on the data subject (such as names, username and/or other identifier, password);
  • data of an external worker (date of birth, personal identity code, tax number, employer’s name and business ID, building site ID, access rights, grounds for the right to work, orientation and training data, start and end dates of working);
  • data concerning the contact persons of companies (such as information about the employer and the professional status of the data subject);
  • contact details (such as address details, telephone number and email address);
  • any other data collected separately with the specific consent of the data subject.

6 Regular sources of data

Data concerning data subjects is regularly received from

  • directly from the data subject or from the data subject’s employer. The data is entered manually;
  • from security cameras

7  Regular disclosure of data

The data may be disclosed to the authorities within the limits required by law.

8 Data retention period

The data shall be retained only for as long as it is necessary in order to fulfil the purposes defined in this Privacy Policy. After that, the data shall be erased unless we are obliged to retain the data according to the rights and obligations based on legislation or an agreement between the parties.

The data shall be erased in accordance with the erasure processes complied with by the controller.

9 Transfer of data out of the EU or the EEA

When transferring personal data outside the European Union (EU) or the European Economic Area (EEA), we use appropriate protection measures in accordance with the existing data protection legislation, such as standard contractual clauses accepted by the European Commission.

10 Principles of register protection

Personal data is protected in the industry by generally acceptable and reasonable technical means, such as access passes, training, firewalls and passwords.

The data in the register is gathered into databases that are protected with passwords, firewalls and other technical means. The data can be accessed only by a main user who is an employee of the Vantaa Energy Group and by their deputy and by persons who need the data in their duties. Vantaa Energy requires that its employees and partners are committed to the confidentiality of data. They shall use usernames and passwords.

11 Right of inspection, prohibition and rectification

By virtue of the General Data Protection Regulation, the data subject has the right to inspect what has been recorded of them in the stakeholder register. An electronic request to inspect this data shall be submitted at

A written inspection request is made in person at the controller’s office where the data subject’s identity is verified. Vantaa Energy shall charge a reasonable fee for providing the data if the data subject uses their right of inspection more often than once a year.

By virtue of the General Data Protection Regulation, data subjects have the right to prohibit the processing and sharing of their personal data for purposes of direct advertising, distance selling, direct marketing, and market research and opinion polling. The right to prohibit does not apply to customer communications related to services subscribed to or ordered by the customer or to other service-related communications carried out in order to provide services. 

By virtue of the General Data Protection Regulation, data subjects have the right to request the Vantaa Energy Group to rectify, erase or complement any personal data in the register that is incorrect, irrelevant, incomplete or out-of-date with respect to the purpose of processing the data.

The data subjects also have the right to restrict the processing of personal data or its transfer to another controller by virtue of the General Data Protection Regulation.

Data subjects are personally responsible for the accuracy of information they have provided. Data subjects shall notify if there are any changes in the information they have provided. 

12 Lodging a complaint with the supervisory authority

Should the data subject believe that the processing of personal data infringes the applicable law or their legal rights, the data subject may lodge a complaint with the Office of the Data Protection Ombudsman, the contact details of which are found at the following address: