ET

EN

Enefit Green AS Principles of Processing Personal Data

1. GENERAL PROVISIONS

1.1. We aim to be a reliable partner and to keep the data entrusted to us protected.

1.2. The described principles provide an overview of how Enefit Green AS (registry code: 11184032; address: Harju maakond, Tallinn, Kesklinna linnaosa, Lelle tn 22, 11318) processes personal data and ensures the protection of personal data.

1.3. The described principles have been drawn up to comply with the requirements of the controller laid down in Article 12 ‘Transparent information, communication and modalities for the exercise of the rights of the data subject’ of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR) and to inform natural persons of the principles of the processing of personal data and the safeguarding of rights.

1.4. Enefit Green AS Principles of Processing Personal Data apply to the customers, shareholders and partners of Enefit Green AS. The processing of employees' personal data is regulated by a separate document.

1.5. In the processing of personal data, we adhere to the following principles: lawfulness, fairness, transparency, purposeful and minimised data processing, accuracy, storage limitation, integrity and confidentiality, accountability, data protection by design and by default. We have also set ourselves the objective of following the guidelines and recommendations of both the Estonian Data Protection Inspectorate and the European Data Protection Board in the implementation of data protection requirements.

1.6. Enefit Green AS attaches great importance to people’s privacy and the protection of their data by using secure solutions for data processing. We implement appropriate technical and organisational measures to protect personal data against unauthorised access, unlawful processing or disclosure, accidental loss, alteration or destruction.

1.7. For the purposes of the Group’s internal management as well as for making management and business decisions, personal data may also be processed by other legal persons belonging to the same Group as Enefit Green AS.


2. DEFINITIONS

2.1. For the purposes of these principles, we use the terms as defined in the General Data Protection Regulation (GDPR).

2.2. ‘Data subject’ means a natural person whose personal data Enefit Green AS processes.

2.2.1. ‘Customer’ means natural persons related to a legal entity client of Enefit Green AS (including company representatives), whose data have been disclosed to Enefit Green. Enefit Green also considers as a customer the owner of a real estate with whom a contract has been concluded on the personal right of use (including real servitudes), building rights or other rights under the law of property or the law of obligations.

2.2.2. ‘Shareholder’ means a natural person who holds an Enefit Green share (EGR1T).

2.2.3. ‘Cooperation partner’ means an external service provider (eg maintenance partner) with whom Enefit Green AS has a contract for the provision of a service. Enefit Green also considers as the cooperation partner the representative and employees of the cooperation partner.

2.3. ‘Data protection legislation’ means the Estonian Personal Data Protection Act, the GDPR and other applicable legislation at national and European Union (EU) level.

2.4. ‘Personal data’ means any information relating to an identified or identifiable natural person.

2.5. ‘Processing’ means any operation which is performed on personal data (eg transfer, recording, entry of data).

2.6. ‘Controller’ means Enefit Green AS, who determines the purposes and means of the processing of personal data.

2.7. ‘Processor’ means a contractual partner of Enefit Green AS (an entity separate from the controller) who processes personal data on behalf of Enefit Green AS.


3. INFORMATION ON DATA AND ITS COLLECTION METHODS

3.1. The composition of the data processed in relation to a data subject depends on whether the data subject is a customer, shareholder or cooperation partner.

3.1.1. The customer data we process include: first name and surname, personal identification number and/or date of birth, email address, (postal) address, property registration number, bank account details.

3.1.2. The data we process in relation to a shareholder include: first name and surname, personal identification number, number of shares.

3.1.3. The data that we process in relation to a cooperation partner include: first name and surname, personal identification number and/or date of birth, number of identity document (eg passport, ID card, residence permit) and other related information, email address, telephone number.

3.2. We do not process special categories of personal data for the purposes listed in Chapter 4 (GDPR Article 9). However, we cannot definitively exclude the processing of such data if the data subject decides to disclose the special categories of personal data to us.

3.3. We mainly receive data from the data subjects themselves. We also process data when we obtain data relating to the data subject from other sources (eg other service providers or public registers).


4. PURPOSES OF AND LEGAL BASES FOR THE PROCESSING OF PERSONAL DATA

4.1. Processing of personal data the legal basis for which is a contract

In a situation where we conclude a contract with you or prepare it, perform the contract concluded with you or manage contract-related matters in our systems, we rely on the legal basis necessary for the performance of a contract or in order to take steps prior to entering into a contract when processing personal data (Article 6(1)(b) of the GDPR).

4.1.1. Enefit Green AS processes personal data on a contractual basis:

4.1.1.1. to identify the customer, the cooperation partner and/or their representative;

4.1.1.2. to prepare an offer prior to entering into a contract and provide information;

4.1.1.3. for the performance of a contract with a customer or a cooperation partner;

4.1.1.4. for the calculation of fees related to a contract, the preparation and sending of notices and invoices;

4.1.1.5. to ensure the performance of a contract (eg to provide guarantees, letters of guarantee);

4.1.1.6. to manage the debt process and ensure the performance of the payment obligation;

4.1.1.7. where necessary, for the purposes of other activities necessary for the preparation, conclusion, performance, management or termination of the contract.

4.2. Processing of personal data the legal basis for which is the performance of an obligation arising from a legal act (legal obligation)

Pursuant to legislation, we process data for the following purposes:

  • to organise and conduct general meetings of shareholders;
  • to fulfil the requirements of the Electricity Market Act and the grid code;
  • to perform the obligations arising from accounting and tax laws;
  • to fulfil the requirements of other legislation applicable to our activities.

4.3. Processing of personal data on the basis of legitimate interest

4.3.1. In certain situations, we may process your data on the basis of legitimate interest (Article 6(1)(f) of the GDPR). We rely on legitimate interest in the processing of data in the context of the activities and purposes described below:

4.3.1.1. ensuring network and information security, complying with data protection requirements and ensuring the operation of the video surveillance system for the purposes described in the document ‘Group’s Video Surveillance System Procedure’;

4.3.1.2. processing of personal data to the extent necessary to safeguard the rights of legal persons belonging to the same Group as Enefit Green AS, including for the purposes of dispute resolution and the fulfilment of legal requirements;

4.3.1.3. conducting satisfaction surveys to obtain feedback;

4.3.1.4. ensuring the internal management of the Group;

4.3.1.5. developing and improving services;

4.3.1.6. risk management, internal audits, fraud prevention and whistleblowing mechanisms;

4.3.1.7. carrying out major transactions concerning structural changes and financing of the Group (eg transfer, sale, purchase, division, merger of a company/undertaking) during the negotiation and/or execution of a business transaction (sharing/transferring data with the counterparty to the transaction);

4.4. Retention of personal data

As a rule, we retain personal data for the period necessary to achieve the purposes for which the personal data are processed, for the period prescribed by law or until the expiry of the limitation period for any claims arising from the contractual relationship.

In the retention of data, we adhere to the following main time limits:

Retention periodContent
3 yearsThree years after the expiry of the contract, we delete the basic data of the contract and any data generated during the performance of the contract (eg data subject communications, correspondence, complaint handling, notices), provided that there is no ongoing recovery procedure related to the performance of the contract after the expiry of the contract. We generally keep records of whistleblowing complaints for 3 years. In the event that a criminal investigation is opened on the basis of a complaint, we will keep the data until the end of the investigation.
10 yearsData concerning the fulfilment of accounting requirements (contracts and related documents).
10 yearsInformation on outstanding invoices and debts if there is no ongoing recovery procedure.


5. RIGHTS OF THE DATA SUBJECT

5.1. Right to obtain information and right of access.

5.2. Right to rectification of personal data. The data subject has the right to rectify their data if the data are incorrect or incomplete.

5.3. Right to request erasure of personal data. In certain cases, data subjects have the right to request the erasure of their personal data. However, this right is not absolute; for example, it does not apply in situations where we process the data subject’s personal data in order to comply with legal obligations. We would also like to point out that if a data subject has a valid contract and they wish to exercise their right to erasure, it will not be possible to continue performing the contract.

5.4. Right to object to the processing of your personal data, including processing based on legitimate interest. The data subject has the right to object to the processing of their personal data by making a reasoned request. The controller will no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject (eg processing is carried out to fulfil an obligation arising from applicable legislation or a valid contract) or for the establishment, exercise or defence of legal claims (eg in a situation where the data subject has breached the contract).

5.5. Right to restriction of processing. In certain cases, the data subject has the right to request the restriction of processing of their personal data. This is the case, for example, where the data subject contests the accuracy of the personal data and the processing is restricted for a period which enables the controller to verify the accuracy of the personal data.

5.6. Right to data portability. The right to data portability applies if the processing is based on consent or a contract and the processing is carried out by automated means.

5.7. Right to address a court and/or supervisory authority. We wish to solve any disagreements with the data subject by negotiation first. To ensure fair and transparent processing concerning the data subject, we are also obliged under applicable legislation to inform data subjects of the right to file a complaint with a supervisory authority (in Estonia, the Estonian Data Protection Inspectorate) by emailing [email protected].


6. THIRD PARTIES RELATED TO DATA PROCESSING

6.1. In addition to ourselves, processors may also be involved in the processing. Processors are our contractual partners who, for example, engage in organising billing, marketing services, reselling services or providing other services using communication services, etc. A processor has the right to process data only for the specific purpose authorised by us and on the basis of a contract containing a confidentiality obligation concluded with us. A list of our processors is available on our website here.

6.2. With regard to potential mergers, acquisitions and financing processes concerning the Group, personal data may also be processed by related third parties, subject to all the principles governing the processing of personal data.

6.3. We would also like to point out that in certain cases we are obliged by law to transfer data to third parties. For example, we may transfer data to state agencies (including the police, courts) where there is a legal basis pursuant to law.

6.4. If you have authorised third persons to legally represent you on the basis of a power of attorney, these persons are considered third parties to the processing.

6.5. Third parties to processing may include the providers of audit, legal and other such services. In addition, third parties to processing may also include debt recovery service providers, enforcement agents and companies dealing with payment defaults.


7. PROCESSING OF PERSONAL DATA ON SOCIAL NETWORKING SITES

7.1. The following settings apply to the use of our LinkedIn page (Enefit Green):

  • our LinkedIn page is visible to internet users and LinkedIn account holders;
  • the page can be followed by selecting the appropriate option;
  • anyone can comment on the posts on the page, we may also remove comments (eg to prevent the spread of scams);
  • our working languages are Estonian and English. It is possible to comment on posts and contact us in both languages;
  • anyone can contact us privately;
  • if you share, like or comment on a post, we receive a notification;
  • when you visit our account, data concerning you is collected for us by a third party, over which we have no control;
  • we receive visitor statistics in non-personalised form.

7.2. The following settings apply to the use of our YouTube channels (Enefit Green):

  • the page is visible to internet users and YouTube account holders;
  • it is possible to subscribe to the account;
  • anyone can comment on the videos on the account, we may also remove comments (eg to prevent the spread of scams);
  • anyone can like and share the videos;
  • our working languages are Estonian and English;
  • when you visit our account, data concerning you is collected for us by a third party, over which we have no control;
  • we receive visitor statistics in non-personalised form.

7.3. The following settings apply to the use of our Facebook channels (Enefit Eesti):

  • the page is visible to internet users and Facebook account holders;
  • the page can be followed by selecting the appropriate option;
  • anyone can comment on the posts on the page, we may also remove comments (eg to prevent the spread of scams);
  • our working language is Estonian, but it is possible to comment on posts and contact us in both Estonian and English;
  • anyone can contact us privately via messages;
  • if you share, like or comment on a post, we receive a notification;
  • when you visit our account, data concerning you is collected for us by a third party, over which we have no control;
  • we receive visitor statistics in non-personalised form.

7.4. The following settings apply to the use of our Instagram channel (Enefit Green):

  • the Enefit Eesti and Enefit Green page is visible to internet users and Instagram account holders;
  • if you like, save, share or comment on a post, we receive a notification;
  • when you visit our account, data concerning you is collected for us by a third party, over which we have no control;
  • we receive visitor statistics in non-personalised form.


8. COOKIES

Cookies are small text files that allow websites to provide a better user experience. We use cookies to personalise website content and advertisements, provide social media features and analyse website traffic. For more detailed information about cookies, please visit the ‘Cookie Settings’ link at the bottom of the www.enefitgreen.ee homepage, where you can also change your cookie preferences.


9. CONTACT

If you have any questions regarding the processing of your personal data and exercising your rights as a data subject, please send a written request to our Data Protection Officer at [email protected]. We will reply as soon as possible but not later than within 30 calendar days. In exceptional cases, legislation allows us to extend the deadline for reply by two months. We kindly ask you to sign the request digitally so that we can verify the identity of the person submitting the request/enquiry and prevent the data from being disclosed to unauthorised third parties.


10. FINAL PROVISIONS

These principles apply from 19.02.2025. We reserve the right to change and update these principles as necessary. We always keep these principles up to date and available on our website www.enefitgreen.ee. We will inform you of any material changes to this document via our website or other appropriate means.