Valkea may collect and process various types of personal data, where applicable, such as:

• Personal details
  including your contact details (such as your name, address, phone number, and email address), professional details and additional details such as your segment group)
• Online data & identifiers
  data that is collected with cookies or similar technologies about your use of our services, such as your browsing activities and segments, your IP address, cookie ID, mobile device ID, details about browser and device, and location.

• Security data
  data that is used for securing the use of our services and our premises, such as your password and login details, security logs, and camera surveillance recordings.

The personal data which we process about you comes from different sources:

• You: when you use our services, when you fill in a form of interest, participate in a survey or competition, create an account, browse our website, or otherwise interact with us.
• Third parties, such as public address registers, credit reference agencies, debt collection agencies, installation partners, marketing partners, electricity and insurance companies, and other data providers.
• Valkea Group companies, which share information for purposes mentioned below in section 6.

We will use your personal data for predefined purposes based on contract, consent, legal obligation and legitimate interest. We will use your personal data for the following purposes:

3.1 Service delivery & customer service

We collect and use personal data about you to process orders, deliver products and services, to provide customer service and to manage payments, contracts and transactions.

The data needed for delivering services vary depending on the product or service in question. We may communicate with you in contract-related matters via phone, mail, email, SMS, chat, automated calls, and other digital channels including social media.

When required by law, we may ask for your consent to deliver certain services, for example, location-based services.

3.2 Sales, marketing and stakeholder communications

We may contact you through marketing even if you are not our customer. We will ask for your consent to contact you when required by law, otherwise, our contacting is based on legitimate interest.

Without consent, we can send automated electronic marketing messages that relate to your customer or business relationship with us, and use traditional marketing channels (e.g. post, telephone), when allowed by law. Below you can read more about the different types of marketing.

• 3.2.5
  What data is used to optimize sales & marketing (“Profiling”)
  For marketing and advertising, we use data that is collected during the customer relationship and from customer surveys; online behavioral data; and derived data that for example predicts the users’ interests
• 3.2.6
  Stakeholder relations
  We manage stakeholder relationships by communicating about relevant topics and promoting events which we arrange. Communications are sent directly by email to the contact addresses received from the stakeholders or their company.

3.3 Product and service development

We may process personal data to improve and develop better services for our customers, to support our business decision making, and to consider our customers’ feedback and needs. The basis for processing data for product and service development is legitimate interest.

This is done, for example, by collecting feedback directly from users using surveys, test panels, interviews, questionnaires and other forms of market research; by utilizing the data generated from the use of our services in analytics; by using recorded or transcribed phone calls for training and service quality improvement; and by testing system functionality with temporary sample data that is collected during normal service use.

Data processing for our product and service development generally happens with de-identified data to the extent possible. In the case that the customer’s real contact details are collected in connection to the survey, or if we conduct interviews personally with the customer, we may inform you specifically about the use of the contact details in connection to the survey or interview. We may occasionally use samples of real data, for example, to test the functioning of our systems.

In analytics, we do not process identifying data, but we aggregate large volumes of service use data in order to create statistical models, reports, predictions and trend analyses for the support of business decision making, create analyses about service/feature performance, and calculate customer segments that are used to improve our sales and marketing as described in Chapter 3.2.5.

3.4 Legal obligations

We process personal data to comply with our legal requirements, for example, accounting and tax laws, and anti-money laundering laws.

3.5 Defense of legal rights & ensuring the security of our services and customers

We use personal data to defend and secure our own rights and our customers’ rights.

The basis for processing data for the defense of legal claims, debt collection, credit checking, information security, and prevention of fraud and misconduct is typically legitimate interest. Personal data is used for ensuring the security of our products and services, for example, by keeping access logs and system backups, authenticating users, and preventing attacks.

Valkea deletes or de-identifies personal data when it is no longer necessary for the purposes it was collected for.

We only keep the necessary information and the information that is required by law, from example, by the Finnish Accounting Act. In Finland, data related to invoicing can be kept for up to 10 years.

Where applicable, we may share your personal data with:

Fortum Group companies
Our Group companies may use your personal data for the purposes defined in this notice, based on a legitimate interest to the extent permitted by applicable law, including for marketing their products and services to you.

Consent, contract or request
We may share your personal data if we have your consent to do so. Some of our products and services allow you to share your personal data with others. We may also share your personal data with a third party when this is required to fulfil our obligations under a contract with you or to fulfil a request by you. As an example, we will disclose your address to the postal, courier or installation service to be able to deliver a product or service which you have ordered.

Our subcontractors
We use subcontractors to provide certain services.

Such subcontractors may have access to your personal information and are processing it on our behalf but they are not allowed to use the personal data for any other purpose than to provide the service agreed with us.

We ensure through appropriate contractual arrangements that the processing of personal data is in accordance with this notice. Typical service providers that process personal data include for example payment and invoicing partners, and IT software & service providers.

Mergers and acquisitions
If we decide to sell, merge or otherwise reorganize our businesses, this may involve us disclosing personal data to prospective or actual purchasers and their advisers.

Authorities, legal proceedings and law
We will disclose your data to competent authorities, such as the police, to the extent required by law.

We may also disclose your personal data in relation to legal proceedings or at the request of an authority on the basis of applicable law, or court order or in connection with a trial or authority process, or as otherwise required or permitted by law.

Some of our service providers and group companies operate internationally, which means that data is occasionally located outside of the European Economic Area.

When personal data is transferred outside the EU or the EEA, Valkea uses appropriate safeguards, such as the standard contractual clauses provided by the European Commission. You can obtain more information about the transfers by contacting us.

Valkea employs appropriate organizational and technical security measures to protect your data from loss or misuse.

We have a cybersecurity governance model which describes roles and responsibilities on the group level, and our instructions give detailed information on how personal data must be handled within Valkea.

By conducting awareness programs, we engage Valkea employees in privacy and security considerations. Where we contract with third-party suppliers to provide services that may enable them to access your personal data, we require them by contract to have similar security controls in place.

When you use our services or visit our websites, Valkea can collect data about your devices using cookies and other similar technologies. Our website may also include cookies and other similar technologies used by third parties.

You can get more information about how to manage cookies and online data use below:

We may use cookies or similar techniques, such as mobile identifiers or web beacons, on the websites, but never so that your privacy protection would be jeopardised.

If we use cookies there will be a cookie banner on the page. You have the opportunity to accept all cookies from the cookie banner visible when you enter the website. If you accept all cookies, the website works as expected and you will have access to all the functions.

For the purpose of the EU General Data Protection Regulation 2016 (GDPR), the data controller of the data collected or processed is Fortum Corporation and its subsidiaries (“Fortum”).

8.1 Third-party cookies and social plugins on our services

First-party cookies are cookies placed on our the website by us. In addition to first-party cookies, our services may include third-party cookies of advertising networks, providers of analytics and monitoring services, social media services, etc.

We may use tools such as Google Analytics to monitor the use of our services. Data stored in cookies used by Google tools (such as IP addresses) can also be sent to Google servers around the world for storing.

Due to this, these data may be processed on servers located outside the user’s country of residence. Google uses these data to analyse how users browse website contents and to compile summary reports on the use of websites. Google also prepares reports on the use of services offered in connection with websites and produces statistics on the use of the Internet.

Google can also use the data to customise the content of advertisements shown to users based on their previous browsing history. Furthermore, Google may disclose the data to third parties if required so by law, or if Google has commissioned a third party to process the data. Google does not link user IP addresses to any other data stored by Google.

Our services may also include social plugins, such as the Facebook Like button or the Twitter Like and Share buttons. Although such social plugin buttons may be visible on our services, the related content comes directly from the service provider in question.

Social plugins on our service recognise if the user has logged into the service in question and can then display customised content for the user in the social plugin on the website. Social media services using social plugins can collect data about the user’s visit in accordance with their valid privacy policies. The services in question do not disclose the data they collect to Valkea, unless the user has provided their explicit consent to do so.

Below, you can see your rights regarding personal data that Valkea processes about you. If you have any question about your rights or want to exercise them, please contact us.

Rights may not be applicable for example if the data cannot be connected to you.

• Right to access personal data
  You have the right to be informed about the processing that we do and to request a copy of your personal data.
• Right to correct personal data
  You can ask for the information about you to be corrected, if it is not accurate or if it needs to be updated.
• Right to data portability
  You are able to obtain and reuse the personal data you have provided us. We can provide a selected set of the data delivered in a machine-readable format, where the basis of processing has been either contract or consent.
• Right to deletion
  We will delete the data at your request if it is no longer legitimately needed.
• Right to withdraw your consent
  If you have given consent for data processing, you are always entitled to withdraw your consent.
• Right to object to the processing
  You have the right to object to the processing of your personal data on Valkea’s legitimate interests, such as developing our products and services, and other purposes explained above in sections 3 and 6 above. Valkea may reject your request if there is a compelling reason for continuing the processing.
• Right to restrict the processing
  In certain circumstances, you have the right to have the processing restricted.
• To opt-out from electronic marketing communications and customer surveys
  If you no longer want to receive marketing messages from Valkea, you can choose to opt-out at any time. The easiest way is to click the link at the end of the marketing message.

• Right to restrict the processing
  In certain circumstances, you have the right to have the processing restricted.
• To opt-out from electronic marketing communications and customer surveys
  If you no longer want to receive marketing messages from Valkea, you can choose to opt-out at any time. The easiest way is to click the link at the end of the marketing message.

Please note that you may still receive marketing messages for a short period after opting out while we update our systems. Also, we sometimes use marketing partners, who may display our products and services to you, but who have not received any personal data about you from us.

To opt-out from such marketing or to exercise your other rights, you will need to contact the specific marketing partner directly.

How to lodge a complaint:
If we do not take action in accordance with your requests, we will inform you of the reasons. If you are not satisfied with our response, or with the way we handle personal data, please contact us.

If you are still not pleased with the handling, you can contact your national data protection authority.

Valkea reserves the right to amend this Privacy Notice. Possible amendments to the Privacy Notice will be notified about on our website, or by communicating directly to you.

The data controller who is responsible for your data is typically the Valkea company, with whom you have contracted.

Please contact us at:
Valkea
Maria 01
Lapinlahdenkatu 16
00180 Helsinki
Finland