Privacy policy: Vantaa Energy Group, stakeholder register

This privacy policy provides the information required by data protection laws to the registered person and to the controlling authority.

1 Registrar/controller
Vantaan Energia Oy (“Vantaa Energy”)
Business (VAT) ID: FI01244613
Mailing address: PO Box 95, 01301 Vantaa, Finland
Telephone: +358 9 829 01
Online service:

2 Persons responsible for the register and their contact information
In charge of the register:
Mikko Koivulehto
Mailing address: PO Box 95, 01301 Vantaa, Finland
Street address: Peltolantie 27, 01300 Vantaa, Finland

Data Protection Officer
Heidi Itkonen
Mailing address: PO Box 95, 01301 Vantaa, Finland
Street address: Peltolantie 27, 01300 Vantaa, Finland

Data security inquiries

3 Title of the register
Vantaa Energy Group’s stakeholder register

The register is comprised of the Vantaa Energy Group suppliers, suppliers’ employees, visitors to Vantaa Energy premises, decision-makers, media, officials, collaborative partnerships and policy-makers. The registered party may be a private individual, business or other organisation

4 The purpose and legal basis of processing personal information
The purpose of processing the personal information included in the stakeholder register is to manage cooperation and assignments related to Vantaa Energy’s business and operations, to control the production process, and to ensure the security of both the company and persons.

In processing personal information, Vantaa Energy complies with applicable laws, including the Electricity Market and Data Protection Acts and EU’s General Data Protection Regulation (GDPR). Personal information may be processed to comply with obligations related to applicable laws and official orders and guidelines.

The legal basis for processing personal information is an agreement, consent, legal obligation, or legitimate interest pursued by the registrar/controller. Legitimate interests include execution and maintenance of contract parties’ obligations and rights, managing cooperation and assignments related to business and operations, controlling the production process, and ensuring the security of both the company and persons.

5 Information included in the register/data file
The following information may be processed related to the persons registered in the stakeholder register:

  • basic information about the registrant (including names, user ID and/or other identifier, password);
  • external employee information (date of birth, tax number, employer’s name and business ID, site identifier number, access
  • permissions, entitlement to work, induction and training records, start and end dates of employment/project);
  • information about contact persons in a company (including employer and professional status);
  • contact information (including address, telephone number and email address);
  • surveillance camera footage (date and place of recording);
  • any other information collected with the consent of the registrant.

6 Regular sources of data
Information about the registrant is regularly received from the following sources:

  • the registrant or their employer. The data is entered manually;
  • from surveillance cameras.

7 Regular disclosure of information
Information may be disclosed to authorities as required by law.

8 Data retention period
Information is retained only as long as is necessary for the purposes described in this privacy policy. After this, the data is removed, except if the rights and obligations given by law or by a mutual contract require that we retain the information.

For a specific reason (such as major catastrophe or occupational accident), the records may be retained longer; however, for one year (1) at maximum. These records are entered manually.

Data is removed in accordance with the registrar’s removal processes.

9 Data transfer outside the EU or the EEA
When transferring personal data outside the European Union (EU) or the European Economic Area (EEA), we use appropriate protection measures in accordance with the existing data protection legislation, such as standard contractual clauses approved by the European Commission.

10 Principles of register/data file protection
Personal information is protected by reasonable means generally approved for the industry, including access control, training, firewalls and passwords.

The information in the register is collected to databases which are protected by passwords, firewalls and other techniques. Only the administrator employed by Vantaa Energy and their substitutes and the persons who need this information at work have the right to use this information. Vantaa Energy requires its staff and partners to commit to maintaining the confidentiality of personal information. They have user IDs and passwords.

11 Right of inspection, prohibition and rectification
Based on the GDPR, the registrant has the right to inspect their personal information recorded in the stakeholder register. A digital request to inspect can be submitted via a digital form at A written request to inspect can be submitted in person at the registrar’s office where the registrant’s identity will be verified. If the registrant uses their right of inspection more than once per year, Vantaa Energy will charge a reasonable fee for their service.

Based on the GDPR, the registrant has the right to prohibit the use of their personal information for direct marketing and advertising, telesales, market surveys and opinion polls. This right of prohibition does not concern customer or other necessary communications related to the services ordered by the customer or other service-offering related communications.

Based on the GDPR, the registrant has the right to require that Vantaa Energy Group rectify, remove, or amend any personal information included in the customer register that is incorrect, unnecessary, faulty or outdated for the purpose of data processing.

Based on the GDPR, the registrant also has the right to restrict the processing and transfer of their personal information to another registrar.

The registrant is personally liable for the accuracy of the information given. The registrant must inform the registrar of any changes to their personal information.

12 Filing a complaint to the supervisory authority
If the registrant thinks that the processing of their personal information violates the applicable laws or that their legal rights have been violated, they can file a complaint to the Data Protection Ombudsman whose contact information is available at