Respect for privacy and personal data protection is part of Statkraft’s corporate culture. This enables us to maintain an environment where our customers, vendors and other stakeholders can trust Statkraft to process their personal data.
As a customer, vendor or stakeholder, your privacy is important to us. We constantly strive to ensure compliance with all applicable data protection laws and regulations and our privacy and data protection policies.
This privacy statement explains how, why and for how long Statkraft processes your personal data.
The personal data we process
Statkraft collects personal data to operate effectively and provide you with the necessary services. We process customer and vendor data, including:
- contact information of the relevant persons involved
- information relating to accounts
- spend thresholds, spending and spending patterns
- details on what you are empowered to do on behalf of the organisation you represent (customers and vendors)
We also process environmental and social management data, including information about local stakeholders such as information on livelihood, health, contact information and other similar information.
Additionally, we process other partner and stakeholder data, including information about politicians, press contacts and journalists as well as relevant interest groups.
Why we process your personal data
Statkraft processes your personal data to provide or procure goods or services to or from you or your organization. For example, we will process your personal data:
- to ensure good communication lines with our vendors and customers. Our lawful basis for processing this information is based on the performance of the contract into which we enter with our vendors and customers.
- to ensure the security and availability of our services. Our lawful basis for processing this information is our legitimate interest in safeguarding our business operations and any applicable legal requirements relating to this.
- to improve our services and communication channels. Our lawful basis for processing this information is based on our legitimate interest to ensure we are providing those who interact with us a high-quality service.
- for marketing and other customer relation and management purposes, Our lawful basis for processing this information is based on either consent that you have provided to us, or our legitimate interest to provie marketing to you.
- for contract management purposes. Our lawful basis for processing this information is based on the performance of the contract into which we enter with our vendors and customers.
- to manage trading services. Our lawful basis for processing this information is based on the performance of contracts we enter into with trading partners, as well as legal obligations pertaining to trade activities.
- for communication and social media purposes. We process your information for this purpose based on consent that you have provided to us, or based on our legitimate interest where we have identified this to be applicable.
- for audit, control and review purposes. Our lawful basis for processing information for this purpose is under our legal obligations, such as the Norwegian Transparency Act, as well as safeguarding our legitimate interest in ensuring correct operating procedures in the business.
- for emergency response purposes. Our lawful basis for processing information for this purpose is to comply with legal obligations across our jurisdictions concerning emergency response.
- for due diligence purposes. Our lawful basis for processing this information is based on our legitimate interest to ensure that Statkraft enter into business relations with reputable and trustworthy third parties.
- for procurement purposes. Our lawful basis for processing this information is our legitimate interest in ensuring Statkraft enter into agreements with suppliers, business partners and customers who can provide a high quality service to Statkraft.
- for recruitment purposes. Our lawful basis for processing this information is based on information required to enter into a contract with you, and your consent where you allow us to store the information to consider you for future roles. When you are taking part in a recruitment process, we will provide you with a separate privacy notice that provides more detail on how we process the personal data.
How we collect your personal data
We collect your personal data from different sources. You provide some of this data directly through a customer or vendor relationship. Other data is collected from your activities as a customer, vendor or other stakeholder. We also obtain data from other sources.
Here are some situations where we process your personal data:
Information provided by you, such as:
- when you enter into contracts or agreements with us
- when you submit forms to us
- when you access our webpages or use our social media platforms
- when you establish a customer or vendor account with us
- when you send us emails or contact us through other means
Information we receive from your activities as a customer, vendor or other stakeholder, such as:
- your use of our trading portals
- your use of our webpages
- when you order goods or services from us
Information we receive from your activities as a customer, vendor or other stakeholder, such as:
- public authorities
- credit institutions
- other publicly available information
Retention of your personal data
Your personal data is stored for as long as is needed, or as is permitted in relation to the purpose for which it was collected and any applicable laws. The legal basis for which we process your personal data, as described above, heavily influence the storage period we rely on.
Where there is a legal obligation to which Statkraft are subject, we will retain your personal data for as long as is stipulated in the law. Once this period has been fulfilled, we will then delete your personal data.
If you have provided us with consent to process your personal data, we will delete the personal data should you contact us to revoke your consent.
Should the processing be based on the performance of a contract you have entered in to with Statkraft, your personal data will be deleted on the fulfilment or expiry of the contract.
Where we have identified that your personal data is processed based on Statkraft’s legitimate interest, we will retain it for as long as is necessary to achieve the purpose for which it was collected. In some cases, we may need to retain personal data longer than after your relationship with Statkraft has ceased. An example of this may be where we retain information to answer complaints or queries, and we retain the data for longer in case further queries still arise .
Reasons we share your personal data
We share your personal data with:
Other companies in the Statkraft group
To the extent it is necessary for fulfilling any of the purposes above, your data is shared with other companies in the Statkraft group.
Statkraft is currently implementing Binding Corporate Rules (BCR). The BCR will establish a legal basis for intra-group transfer of personal data outside the EU/EEA and will be binding for the entire Statkraft group.
We use a number of vendors who provide services such as IT services and support, cloud services, etc. We may allow such vendors to access/receive your personal data to the extent relevant to deliver these services.
We will ensure adequate data processing agreements with our suppliers for the purpose of protecting your privacy. When processors outside of the EU/EEA are used, we will ensure that a legal basis for the transfer of personal data exists.
We will also disclose your personal data where required by law, by order or requirement of a court, administrative agency or government tribunal or in response to legal process.
How we secure your personal data
Statkraft is committed to protecting the security of your personal data.
- We manage information so it is accurate, readily available and handled in accordance with its sensitivity.
- We use a variety of security technologies and information security procedures to help protect your personal data from unauthorized access, use or disclosure.
- We limit access to your personal data to only personnel or third parties who are tasked with processing this data on Statkraft’s behalf. These parties are subject to strict requirements regarding confidentiality and Statkraft can implement disciplinary actions or terminate the agreement if these conditions are not met.
Who is responsible for your personal data
Statkraft AS is the controller and is responsible for the main decisions about the purposes and means of the processing of your personal data. The various Statkraft subsidiaries are responsible for selected processing activities within their sphere of control.
Legal basis for processing your personal data
Statkraft processes personal data only if, and to the extent, that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
- processing is necessary for compliance with a legal obligation to which the controller is subject
- processing is necessary in order to protect the vital interests of the data subject or of another natural person
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data
At any time, you have the right to ask us to:
- provide you with further details on how we use your personal data
- provide you with a copy of the information that you have provided to us
- update/correct your personal data
- provide information about the logic involved in the automatic processing of your personal data in the case of the automated decision-making
- delete any personal information that we no longer have legal grounds to process
- provide you with your personal data in a structured, commonly used and machine-readable format or transmit the data to another controller
- stop particular processing where this is based on legitimate interests unless our reasons for processing the information outweigh any prejudice to your data protection rights
- restrict how we use your information whilst a complaint is under investigation
- lodge a complaint through the contact details in this privacy statement or to the relevant regulatory authority
How to contact us
If you have any requests, questions or complaints about how we process your personal data, please contact us at firstname.lastname@example.org.
About this privacy statement
This privacy statement is based on the transparency requirements in Regulation (EU) 2016/679 (General Data Protection Regulation). This privacy statement will be updated when necessary. Any changes will be published on this page.
Last updated: December 2022.
Business ethics and compliance
We have a zero-tolerance for corruption, we work to ensure fair competition, avoid unethical business partners, protect personal data and prevent all forms of fraud.