Privacy Notice – Custom and Business Partner Relations and Marketing

Updated 17 April 2026

The purpose of this privacy notice is to provide information on how we process personal data in connection with managing our business partner relationships and carrying out marketing activities. This includes the processing of personal data relating to our customers, prospective customers, subcontractors and other business partners.

Controller

eSett Oy
Läkkisepäntie 23
00620 Helsinki
+358 10 5018500
(hereafter “We” or “eSett”)
(Business-ID 2582499-7)

Contact Details in Privacy Matters

eSett Oy / Privacy Matters
Läkkisepäntie 23, 00620 Helsinki
+358 10 501 8500
ict@esett.com

Name of this Register

Customer and business partner relationships and marketing register

What are the Legal Bases for and Purpose of the Processing of Personal Data?

We collect information related to our business partners. When performing marketing, customer or business partner relationship management activities we process personal data of contact persons or decision makers of our partners. We also process personal data in order to facilitate sourcing, purchasing, invoice handling and contract management activities.

The processing of personal data is based on a contract, legitimate interests of eSett (e.g. direct marketing, customer relationship management), a legal obligation of the controller or a third party (including obligations arising from the Finnish Electricity Market, Commission Regulation on electricity balancing and other applicable energy market legislation) and/or your consent (e.g. related to the cookies). We may use cookies to provide the best user experience, to analyze traffic, and to provide relevant content and information. For more information, please view our Cookie Notice.

The information is processed to fulfill our agreement with you, GDPR 6 (1) (b) if you are an individual or a sole trader, and legitimate interest, GDPR 6 (1) (f) if you are an employee or representative of a company. Our legitimate interest in such a case is to fulfill our contractual obligations towards our customer/partner/your employer and to ensure effective communication, including marketing.

In other cases, we may also need to process personal data based on our legal obligations (GDPR 6(1)(c). For example, we may need to process information about payment history, transactions and other relevant material to comply with our legal obligations under the applicable laws.

We process personal data to:

  • deliver and develop our imbalance settlement services to meet our customers’ and authorities’ needs,
  • entering into and performing business contracts the company you represent and to issue and process invoices and payments
  • fulfill our contractual and other promises and obligations,
  • take care of the business partner relationship and communications, direct marketing,
  • collect customer feedback and implement opinion and market surveys,
  • organize marketing events,
  • plan and develop business operations and services,
  • identify users and management of access rights,
  • enable electronic and direct communication and
  • detect and prevent fraud or misuse.

What Data Do We Process?

We process the following personal data on decision makers and contact persons of our business partners and customers (incl. newsletter subscribers, users of our online services, individuals who have requested a quote or submitted a contact request, and participants of events and/or trainings):

  • Basic information such as name*, date of birth, personal identification number, username and/or other identifier, photograph;
  • Contact information such as e-mail address*, phone number*, postal address;
  • Information of the company of the data subject such as company name* and Business ID*;
  • Information of the connection and device the data subject is using such as the IP address, device ID or other device identifier, or location data;
  • Customer history (e.g. participation in the events);
  • Login credentials and usage log of electronic services (e.g. eSett Online Service)
  • Direct marketing permissions and/or prohibitions;
  • Other possible information relevant for the business relationship.

We collect following data on potential customer companies’ or organizations’ decision makers and contact persons:

  • Name, company/employer, contact details e.g. postal address, e-mail address, phone number;
  • Information about individual’s duties and position in business life or a public office;
  • Direct marketing permissions and/or prohibitions.

(*) Committing personal data marked with an asterisk is a requirement for our contractual and/or customer relationship. Without necessary information we are not able to provide the service.

From Where Do We Receive Data?

We primarily collect personal data directly from you, for example by phone, in meetings, through electronic communications, or by other equivalent means. Personal data is also collected in connection with the conclusion and performance of a customer or business agreement and otherwise during the customer or business relationship.

In addition, personal data may be collected and updated from reliable public registers and other publicly accessible sources, such as official registers and company websites. Furthermore, we may receive personal data from authorities and from commercial data providers, including credit information companies, in accordance with applicable legislation. Data updating is carried out either manually or through automated technical processes (such as system integrations). These processes are limited to maintaining and verifying data accuracy and do not include automated decision-making.

To Whom Do We Share Data and Do We Transfer Data Outside EU or EEA?

Unless you prohibit the disclosure of your data, we may disclose data i.e. to the selected collaboration partners within the limits of the legislation for providing the service.

We use services of external service providers for, e.g.,

  • maintaining customer and business partner information
  • processing information of individuals participating in events
  • performing customer feedback surveys
  • IT management
  • maintaining newsletter mailing lists.

In accordance with data protection agreements, each service provider can only process personal data to the extent that is necessary for the provision of the service in question.

We primarily store and process personal data within the EU or EEA, including through cloud services operated in EU/EEA data centre regions. However, certain service providers may (such as Microsoft), in limited circumstances, access personal data remotely from countries outside the EU/EEA for the purposes of providing technical support, maintenance, or other service-related activities. Such access may constitute a transfer of personal data to third countries.

Where personal data is transferred to a country outside the EU/EEA, we ensure that an appropriate transfer mechanism under applicable data protection legislation is in place. Where applicable, transfers to organisations in the United States are based on the European Commission’s adequacy decision for the EU-US Data Privacy Framework. In the absence of the adequacy decision, we apply Standard Contractual Clauses (SCCs) approved by the European Commission or other lawful transfer mechanisms, supplemented by appropriate technical and organisational safeguards to ensure adequate level of data protection. SCCs available: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

Further information on the applicable transfer mechanism may be obtained by contacting us.

How Do We Protect the Data and How Long Do We Store Them?

The information is collected into databases protected by firewalls, passwords and other technical measures. The databases and the backup copies of them are in locked premises and can be accessed only by certain pre-designated persons. Each user has a personal username and password to the systems where personal data are stored.

We store the data as long as it is necessary for the purpose of use (e.g. customer or business relationship) and delete personal data that is no longer needed for the purpose it was processed for. We regularly review the need for data storage taking into account the applicable legislation. In addition, we take all reasonable actions to ensure that no incompatible, outdated or inaccurate personal data are stored in the register taking into account the purpose of the processing. We correct or erase such data without delay.

What Are Your Rights as a Data Subject?

You can contact us if you have any questions related to personal data processing. As a data subject, you have the following rights in relation to the processing of personal data under the GDPR.

Right of access, rectification and erasure

As a data subject you are entitled to obtain information of your personal data processed by eSett. You have also a right to inspect the personal data concerning yourself, which is stored in the register, and a right to require rectification or erasure of your data.

Direct marketing prohibition and right to restrict the processing

You have the right to object or to demand the restriction of the processing and prohibit direct marketing.

Withdrawal of a consent

When the processing of information is subject to your consent, you may withdraw your consent at any time. Withdrawing your consent does not affect the lawfulness of processing before the withdrawal of the consent. Withdrawals can be made by requesting withdrawal from ict@esett.com or our cookie consent by adjusting your preferences through our cookie settings tool available on our website.

Right to lodge a complaint with a supervisory authority

If you consider that the processing of personal data relating to you infringes the data protection regulation, you have the right to lodge a complaint with a supervisory authority. You may lodge your complaint in the EU Member State of your habitual residence, place of work or place of the alleged infringement.

Other rights

You may also request the personal data collected based on your consent or for the performance of a contract to which you are party and concerning you to be transmitted to another controller in a case where the data is in machine-readable and transferable format.

Whom can you contact?

If you have any questions related to the personal data processing or you want to exercise your above mentioned rights, please contact ict@esett.com.

Updates to privacy notice

We drive to develop continuously our business and data protection tools and reserve the right to amend this privacy notice. When required by applicable laws, we may contact you in order to provide information about updates or changes that have effects on you.