Privacy Policy for Business Customers

About us and Our Strategy

The main activity of St1 Nordic Oy, its subsidiaries and any other entities belonging to the St1 Group (hereinafter “We” or “St1”) is to research and develop economically viable, CO2-aware energy solutions. St1 focuses on fuels marketing activities, oil refining and renewable energy solutions such as waste-based advanced biofuels and industrial wind power. The Group has over 1200 stations: unmanned and service stations as well as heavy goods vehicle (HGV) sites, together with a network of gas distribution and EV charging points in Finland, Sweden and Norway.

We take the protection of your personal data seriously. We are committed to protecting the personal data of our customers, employees and partners, and to the fulfilment of our data protection obligations set by the General Data Protection Regulation, as well as other relevant laws and regulations.

Contact details

Identity of the personal data controller

St1 Nordic Oy (Data Protection)
2082259-7
Tripla Workery West, Firdonkatu 2, 00521 Helsinki

Any questions regarding your personal data processing can be sent to the St1 company in your country of residence:

St1 Suomi Oy (Tietosuoja)
0201124-8
Tripla Workery West, Firdonkatu 2, 00521 Helsinki
dataprivacy@st1.fi

St1 Sverige AB (Dataskydd, Nordic DPO)
556308-5942
Box 11057, 161 11 Bromma
dataprivacy@st1.se

St1 Norge AS (Databeskyttelse, Nordic DPO)
913 285 670
Postboks 1154 Sentrum, 0107 Oslo
dataprivacy@st1.no

Processing of personal data

Personal data is obtained from the following groups of data subjects:

Customer company refers to St1's customer companies that have entered into an agreement with St1, as defined in these terms and conditions. These companies have contact person(s) whose data is processed in connection with the company information.

User refers to both a Customer company and the employees of the Customer company who have the right to use the service in the name of the Customer company.

Sources of personal data

We receive personal data directly from the User e.g. in the course of using the products and services or from external sources, as described in the table below.

Personal data we receive: Any type of personal data: name, contact details, purchase history or any other data that is generated in connection with the customer relationship.
Source: Personal data can be obtained from the Customer company for the provision of services. Personal data can also be obtained from other IT systems of the St1 companies as permitted by legislation. To the extent permitted by law, personal data can be collected and updated from the IT systems of third parties.

Personal data we receive: Cookie information or other consent mechanism: technical identification information such as the IP address of the user, time of day, pages visited and time spent on the website.
Source: Personal data is obtained when visiting St1’s website or using the mobile application.

Personal data we receive: Credit check information of Customer Companies: credit decision and credit monitoring.
Source: Credit check service provider.

Purposes of processing personal data

In the table below you can find what personal data is being processed, the purpose for processing the personal data and the legal bases for such processing. All the purposes apply to Users unless documented otherwise.

Processing purpose: Customer service
Legal basis: Contract, Legal obligation
Data types: Name, title, role, contact details, purchase data and case / communication history, call recordings (where applicable)

Processing purpose: Customer account creation and service delivery
Legal basis: Contract
Data types: Name, address, title, role, contact details, union/association membership of Customer company, SSN, credit check information, account events, activity log

Processing purpose: Direct marketing (Digital)
Legal basis: Legitimate interests for marketing our products and services. Customers can opt out from receiving digital marketing in connection with each marketing communication.
Data types: Name, title, role, contact details, purchase history, activity log (Email/App/MyPages/etc.), union/association membership of Customer company (where available), historical NPS results, location. Voluntary data: geoinformation, communication preferences and other data that allows customization.

Processing purpose: Customer relationship management and profiling
Legal basis: Contract, Legitimate interest
Data types: Name, contact details, title, role. Voluntary data: purchase history, communication preferences and other data that allows customization.

Processing purpose: Customer satisfaction
Legal basis: Legitimate interests for developing our products
Data types: Name (service agent, B2B salesperson), title, role, satisfaction score & free text (provided by the customer). Customer satisfaction data is linked with CRM Account data.

Processing purpose: Camera Surveillance (CCTV)
Legal basis: Legitimate interest in ensuring the safety and security of customers, St1 employees and the environment at the site, protecting St1's assets by enabling investigations of fraud and criminal activities, and enabling support in customer service disputes.
Data types: Video footage recorded at the service stations

Processing purpose: Credit and Know Your Customer processes, incl. sanction list and sustainability checks of Customer company
Legal basis: Contract, Legal obligation
Data types: Name of the representatives of the company, contact details, credit information, purchase history, credit decision, invoicing history, payment history, credit rating, credit monitoring, information on the company structure and the beneficial owner, possible results from the checks on sanction lists and other relevant results of the checks

Processing purpose: Financial processes in which Customer company data is processed
Legal basis: Contract, Legal obligation
Data types: Name, contact details, contract information, SSN, bank account number, invoice data, purchase data and other financial and banking data

Processing purpose: Closed loop payment cards (St1 and Shell cards)
Legal basis: Contract
Data types: Name, contact details, purchase history or any other data that is generated in connection with the customer relationship

Retention times

We have determined retention periods based on the purpose of the processing and the applicable legislation. For example, accounting-related laws require us to store your personal data for a certain period. We review the personal data we collect regularly to ensure that the personal data we have is up to date and is not retained longer than needed or required by the relevant laws.

When not limited by applicable legislation, the retention periods are defined as follows:

Processing purpose: Customer service
Data types: Name, title, role, contact details, purchase data and case / communication history
Retention time: 36 months from the last activity on St1’s digital channels or from the last purchase of St1’s products or services. Customer service calls are stored for 365 days from the recording of the call.

Processing purpose: Customer account creation and service delivery
Data types: Name, title, role, contact details, union/association membership of Customer company, SSN, credit check information, account events, activity log
Retention time: 36 months from the last activity on St1’s digital channels or from the last purchase of St1’s products or services

Processing purpose: Direct marketing (Digital)
Data types: Name, title, role, contact details, purchase history, activity log (Email/App/My Pages/etc.), union/association membership of Customer company (where available), historical NPS results, location. Voluntary data: geoinformation, communication preferences and other data that allows customization.
Retention time: 36 months from the last activity on St1’s digital channels or from the last purchase of St1’s products or services

Processing purpose: Customer relationship management and profiling
Data types: Name, contact details, title, role. Voluntary data: purchase history, communication preferences and other data that allows customization.
Retention time: 36 months from the last activity on St1’s digital channels or from the last purchase of St1’s products or services

Processing purpose: Customer satisfaction
Data types: Name (customer service agent, B2B salesperson), title, role, satisfaction score & free text (provided by the customer). Customer satisfaction data is linked with CRM Account data.
Retention time: 36 months from the last activity on St1’s digital channels or from the last purchase of St1’s products or services

Processing purpose: Camera Surveillance (CCTV)
Data types: Video footage recorded at the service stations
Retention time: Video footage is deleted automatically 30 days from the recording. If a security incident occurs and the recordings are necessary to further investigate the incident or to use the recordings as evidence, the relevant footage is retained longer than the normal retention period for as long as it is necessary for these purposes.

Processing purpose: Credit and Know Your Customer processes, incl. sanction list and sustainability checks of Customer company
Data types: Name of the representatives of the company, contact details, credit information, purchase history, credit decision, invoicing history, payment history, credit rating, credit monitoring, information on the company structure and the beneficial owner, possible results from the checks on sanction lists and other relevant results of the checks
Retention time: 12 months from receiving the decision. 36 months for former customers from the end of the customership. AML and KYC process: customer due diligence data is retained for a period of five years after the end of the permanent customer relationship. In the case of occasional transactions, data shall be retained for a period of five years from the conclusion of the transaction (Act on Preventing Money Laundering and Terrorist Financing).

Processing purpose: Financial processes in which Customer company data is processed
Data types: Name, contact details, contract information, SSN, bank account number, invoice data, purchase data and other financial and banking data
Retention time: Data that is processed for accounting is stored for 6 years after the end of the year during which the financial year ended (Accounting Act). Data that is processed for treasury is stored for 10 years from the end of the financial year (Accounting Act). Other financial data is stored for 10 years from collecting the data.

Processing purpose: Closed loop payment cards (St1 and Shell cards)
Data types: Name, contact details, purchase history or any other data that is generated in connection with the customer relationship
Retention time: Data is stored for 6 years after the end of the year during which the financial year ended (Accounting Act)

If you wish to have more detailed information about our retention times, please contact us by sending a request to our data protection email.

Recipients of the personal data

We use service providers to provide our services and to help operate our business efficiently. As a responsible company, we always use various contractual and other arrangements to ensure that our service providers process your personal data in accordance with the laws and advanced data processing practices.

To ensure the confidentiality and a high level of protection for your data, we have a data processing agreement with every service provider involved in the processing of personal data. Our service providers do not have permission to process your information in any way beyond the agreed services.

Recipients of our data are described below.

Recipient: Companies belonging to the St1 Group
Data types: Any type of personal data: name, contact details, purchase history or any other data that is generated in connection with the customer relationship

Recipient: Customer relationship management service provider (acting as a processor on our behalf)
Data types: Any type of personal data: name, contact details, purchase history or any other data that is generated in connection with the customer relationship

Recipient: Marketing partners (acting as a processor on our behalf)
Data types: Contact details

Recipient: Financial audit companies (acting as an independent controller)
Data types: Name, bank account number, address, invoice data

Recipient: Credit check service providers (acting as an independent controller)
Data types: Name of the representatives of the company, email, address, credit information, purchase history, credit decision, invoicing history, payment history, credit rating, credit monitoring

Recipient: Financial processes service providers (acting as a processor on our behalf)
Data types: Name, purchase and financial data, bank account number, address, invoice data, other banking data

Recipient: Shell closed loop payment card service provider (acting as an independent controller)
Data types: Any type of personal data: name, contact details, purchase history or any other data that is generated in connection with the customer relationship

Recipient: St1 closed loop payment card service provider (acting as a processor on our behalf)
Data types: Any type of personal data: name, contact details, purchase history or any other data that is generated in connection with the customer relationship

We may have to disclose certain information to public or law enforcement authorities when this is required by law. We only do so on the basis of an adequate legal warrant or subpoena issued by the relevant court.

In case of mergers or acquisitions, the acquiring entity may obtain access to relevant customer data assets.

Data transfers outside of the EU/EEA

Some of our service providers or their support functions are located outside the European Union and the European Economic Area. When the processing involves transferring personal data outside the EU or EEA, we use appropriate safeguards to ensure the same level of data protection.

Recipient: Marketing partners
Data types: Contact details
Location and transfer mechanism: USA: Commission’s adequacy decision

Recipient: Credit check service providers
Data types: Name of the representatives of the company, email, address, credit information, purchase history, credit decision, invoicing history, payment history, credit rating, credit monitoring
Location and transfer mechanism: UK: Commission’s adequacy decision

Recipient: Closed loop payment card service provider
Data types: Any type of personal data: name, contact details, purchase history or any other data that is generated in connection with the customer relationship
Location and transfer mechanism: UK: Commission’s adequacy decision

Security of your personal data

We have an appropriate security policy and procedures in place to protect your personal data from loss, misuse or unauthorized access.

We do our utmost to ensure that your data is kept confidential and secure. All employees authorized to process your data have committed themselves to confidentiality. We have role-based access control, meaning that each employee is given access to resources and personal data based on the employee’s role and job description. All networks and services used by our employees are protected with appropriate security measures.

The information systems are protected by various organizational and technical methods from access by third parties. Each user has a personal user ID and password for logging into the system. Access to the data is restricted to persons who process the personal data in question as part of their duties.

We have a procedure to manage data breaches which allows us to assess the possible risks, notify the relevant authorities and alert you in case your personal data may have been affected. We regularly train all employees to ensure the protection of your personal data.

Your rights

You have certain rights concerning your personal data, such as the right to access, update, delete and have a copy of your data. We seek to ensure that you can exercise your rights efficiently. Any questions regarding your personal data processing can be sent to the St1 company in your country of residence: in Sweden: dataprivacy@st1.se, in Finland: dataprivacy@st1.fi and in Norway: dataprivacy@st1.no. You can exercise your rights by sending a request to us. Your rights are listed and explained below.

The Right to be Informed

You have the right to be informed about our organization and the details of personal data processing activities we carry out with your personal data. In addition, you have a right to receive information about the recipients to whom your personal data might be disclosed.

The Right to Access

You have the right to know that we are processing your personal data and have access to this data.

The Right to Rectification

You have the right to request that we correct inaccurate personal data concerning you.

The Right to Erasure (“Right to be Forgotten”)

You have the right to request deletion of your personal data and customer account. In certain cases this right might be limited by the legal obligation to retain such information in accordance with compulsory statutory limitations, about which St1 will inform you.

In case you want to exercise your data subject rights, such as the right to be forgotten, please contact the St1 company in your country of residence. In case you are a mobile app user and want to exercise your right to have your account erased, please open Profile in the mobile app, click on Remove account and follow the instructions.

The Right to Restrict Processing

You have the right to restrict the processing of your personal data. Restricting the processing means that we will limit the processing of certain data to only storing it. Consider that restricting the processing of your personal data might negatively impact your ability to receive expected products, goods or services from us.

The Right to Data Portability

You have the right to receive from us your personal data in a structured, commonly used and machine-readable format that allows transmitting such data to another controller.

The Right to Object to Processing

In certain cases, you have the right to object to the processing of personal data concerning you. In this case we will analyze whether our legal bases for the processing are sufficient to continue; otherwise we shall stop processing your personal data.

Rights Related to Automated Decision Making

You have the right not to be subject to a decision based solely on automated processing which produces legal or similar effects concerning you. This means that you have the right to demand human intervention to review the decisions made in the course of automated processing.

During the card application process, St1 applies an automatic approval process if the criteria for the company and for the applied credit are met.

Right to withdraw consent

In case the processing of personal data is based on your consent you have the right to withdraw consent unconditionally at any time. This, however, does not affect the lawfulness of the processing based on consent before its withdrawal.

Right to lodge a complaint with supervisory authority

If you consider that the processing of personal data relating to you infringes the GDPR, you have the right to lodge a complaint with your local data protection authority. A complaint concerning St1’s actions in relation to data protection regulation can be lodged with the supervisory authority of the data subject’s habitual residence or, alternatively, with St1’s lead supervisory authority, the Finnish Data Protection Ombudsman. Further information about your right to data protection is available on the website of the Data Protection Ombudsman at: https://www.tietosuoja.fi.

In Sweden, it is the Integritetsskyddsmyndigheten (IMY) that checks that data protection legislation is followed. Further information on the protection of personal data can be found on the website of the Swedish Privacy Agency (IMY) https://www.imy.se/.

In Norway, it is the Data Protection Authority that monitors compliance with the GDPR. Further information about your rights is available on the Norwegian Data Protection Authority's website https://www.datatilsynet.no/.

Please note that the request must be sufficiently specific, as requests are evaluated on a case-by-case basis, and we must verify the identity of the requesting customer before we are able to respond to or fulfil the request.

We will notify you if we are unable to fulfil the request in some respects, such as deleting information that we have the right to keep, for example due to the execution of the contract or due to St1’s legal obligation.

If you need more information or help with the exercise of your rights, or if you have any other questions related to the processing of your data or this privacy statement, please contact us by using the above contact details of the St1 company in your country of residence.

Changes to this statement

We reserve the right to update this data protection statement in case our activities change. In that situation we seek to notify you about the updates.

This Privacy Policy for B2B customers was last updated on 1.6.2024.