1. Data Controller and Contact Information

Oy Herrfors Ab (“Controller”) Kauppiaankatu 10 68600 Pietarsaari FINLAND Tel. +358(0)6-7815 300 info@herrfors.fi


2. Contact Person for Register-Related Matters

Robert Ståhl, CIO Oy Herrfors Ab Kauppiaankatu 10 68600 Pietarsaari FINLAND Tel. +358(0)6-7815 326 robert.stahl@herrfors.fi


3. Name of Register

Oy Herrfors Ab’s customer register


4. Purpose of Personal Data Processing

The Controller or a cooperation partner authorized by the Controller uses the personal data of customers or potential customers for the following purposes:

  • maintenance and development of customer relationships;
  • provision and delivery of products and services;
  • payments, monitoring and collection of payments;
  • marketing and distance sales of the Controller’s products and services;
  • development of the Controller’s business operations and customer service.

The processing of personal data is primarily based on the data subject’s consent or the Controller’s legitimate interest.


5. Register’s Data Content and Personal Data Groups

Data from the Controller’s customer register: contact persons of customers, companies and cooperation partners as well as contact persons of potential customers and cooperation partners and information about the users of Herrfors’s webpage may be recorded in the register.

Customer data:

  • name;
  • social security number;
  • customer number;
  • legal or natural person;
  • language code;
  • contact information for communication (i.a. phone number and email address);
  • log data of electronic communication between companies (moving day, final reading, electricity provider, meter change).

Place of usage data:

  • street address;
  • postal code;
  • post office;
  • owner of the electricity connection;
  • usage times;
  • heating system (district heating);
  • electricity consumption estimate or data (statistics);
  • size of the main fuse;
  • micro generation data.

Invoicing and payment transaction data:

  • invoicing address and name of payer;
  • due date;
  • invoicing interval;
  • method of invoicing;
  • account number;
  • payment data;
  • electricity contract and electricity transfer contract data;
  • customer newsletter data.

Other data:

  • customer feedback;
  • customer satisfaction;
  • data on the use of services and purchasing behaviour;
  • statutory permission and restriction data concerning direct mail, distance sales and other direct marketing;
  • data concerning the customer’s or potential customer’s membership in a regular customer system or corresponding system maintained by the Controller or the Controller’s cooperation partners as well as data for the utilization of the benefits provided by these systems;
  • other such data obtained by the consent or authorization of the customer or potential customer that is necessary for the delivery of the requested service.


6. Regular Data Sources

Customer data is collected e.g. via tenders, orders, contracts and other communication as well as from the data that is recorded or will be recorded when the customer uses the Controller’s products or services. Data concerning potential customers is collected e.g. via competitions, raffles and telemarketing as well as through the use of online services (i.a. the Controller’s webpage and social media channels) and cookies or via other handling of matters or data that is collected in connection to event participation. Of this data, only the data of potential customers that have allowed marketing or communication will be recorded.

All contact by the Controller’s customers may be recorded. This data will be used in the verification of transactions, processing of complaints and development of customer service.

The data will also be updated in accordance with the electric industry’s information exchange specifications published by Finnish Energy.


7. Retention of Personal Data

Personal data will be stored only as long as it is necessary to implement the purposes of use defined

in this file description, taking into account statutory limitations. Due to obligations of applicable legislation, the Controller may need to retain the data longer than the abovementioned period of time.

Outdated and unnecessary data will be deleted appropriately. Personal data will be transferred to the register in the form provided by the data subject and updated in accordance with a notification from the data subject to the Controller.


8. Regular Disclosure of Data

The Controller’s customer register data will not be disclosed to third parties external to the Group. Data may be released to authorities as defined by law.


9. Disclosure and Transfer of Personal Data

The Controller may utilize the customer register’s subcontractors and service providers: maintenance of services, customer service, administration and analysis of user data, research, customer bulletins and implementation of various campaigns. Personal data may be disclosed to the Controller’s subcontractors and service providers only to the extent that the subcontractors and service providers participate in the implementation of the purposes of use defined in this file description.

The above mentioned third parties shall not use the personal data for other purposes than those mentioned in this file description and defined by the Controller. The Controller obliges the subcontractors and service providers to adhere to personal data confidentiality and to ensure that the level of privacy protection in the protection of personal data is sufficient.

Personal data may be disclosed in accordance with demands from competent authorities and in accordance with conditions of legislation.

The Controller’s customer register data shall not be transferred outside the European Union or the European Economic Area.


10. Cookies

The Controller’s webpage uses cookies. Cookies are small text files that are stored on the user’s device or other terminal device. They do not harm the user’s device.

Customer register: In order to develop our webpage, the Controller collects statistics based on the Google Analytics service. Google Analytics cookies record e.g. data on where the user came to the webpage (via a search engine, direct link etc.), which pages the user visited, and how long the user stayed on each page. This information allows us to develop our webpage and to monitor the success of our new development projects. We keep statistics on the number of users, user countries, usage times, preferred browsers and content that the user has visited.

The user may, if necessary, block the use of cookies in their browser settings. However, this may cause some of the webpage’s functions to slow down or completely block access to certain sites.


11. Register Protection Principles

The customer register data is recorded in databases protected by firewalls, passwords and other technical methods. The data is accessible only to such persons employed or authorized by the Controller who require access to the data in their work.

The Controller requires personal data confidentiality from its personnel and cooperation partners. The data can only be accessed with a username and password. Materials in manual form are stored in the Controller’s locked and monitored premises.


12. Right to Review Personal Data, Object to the Processing of Personal Data, and Request Correction of Personal Data

Right to Review Personal Data 

The data subject has the right to review his or her personal data that is recorded in the Controller’s customer register. The right to review data may only be refused if there are legal grounds to do so. The right to review personal data is free of charge once every calendar year.


Right to Limit and Refuse the Processing of Personal Data

The data subject has, at any time, the right to refuse the processing of his or her personal data if the data subject feels that the Controller has processed his or her personal data unlawfully or that the Controller has no right to process the data subject’s personal data.

The right to refuse does not, however, pertain to the data that is deemed necessary for the Controller to process in carrying out its legal obligation or due to other reasons as defined by law.


Right to Erasure of Personal Data

The data subject has the right to request the correction of inaccurate data or the completion of incomplete data as well as the right to request that his or her personal data is removed from the Controller’s customer register.

The right to erasure of personal data does not, however, pertain to the data that is deemed necessary for the Controller to process in carrying out its legal obligation or due to other reasons as defined by law.


Right to Disclose Personal Data

To the extent that the data subject has disclosed personal data to the Controller’s marketing register and this data is processed with the data subject’s consent or on the basis of a task, the data subject shall have the right to receive the aforementioned data primarily in electronic form and the right to transfer the said data to another controller.


Direct Marketing Restriction

The data subject has, at any time, the right to request that his or her personal data will no longer be used for direct marketing purposes.


Right of Appeal 

The data subject has the right to lodge a complaint to a competent supervisory authority if the Controller has not complied with the valid data protection legislation.


Other Rights

If personal data is processed on the basis of the data subject’s consent, the data subject has the right to withdraw his or her consent by a notification to the Controller in accordance with this file description’s 12th paragraph.

The request to review and correct personal data shall be sent in a written and signed form to the Controller’s customer service premises at Kauppiaankatu 10, 68600 Pietarsaari, FINLAND, or at Tulolantie 21, 84100 Ylivieska, FINLAND. The customer must be able to verify his or her identity. The Controller shall deliver a written answer to the customer within 30 days of receiving the customer’s written request or of the customer personally visiting the Controller’s customer service premises.


13. Changes to the Privacy Policy 

The Controller continuously develops its business operations and, therefore, reserves the right to amend this Privacy Policy by publishing a notification on its webpage. The amendments may also be based on legislative amendments. The Controller recommends that the data subjects regularly acquaint themselves with the contents of this Privacy Policy. Privacy Policy updated on 24 April 2018.