Privacy Policy for Private Customers

Privacy Policy for Private Customers, version 1.11.2023

Personal Data Policy, version 16.6.2021-31.10.2023.

About us and Our Strategy

The main activity of St1 Nordic Oy, its subsidiaries and any other entities belonging to the St1 Group (hereinafter “We” or “St1”) is to research and develop economically viable, CO2-aware energy solutions. St1 focuses on fuels marketing activities, oil refining and renewable energy solutions such as waste-based advanced biofuels and industrial wind power. The Group has over 1200 stations: unmanned and service stations as well as heavy goods vehicle (HGV) sites, together with a network of gas distribution and EV charging points in Finland, Sweden and Norway.

We take the protection of your personal data seriously. We are committed to protecting the personal data of our customers, employees and partners, and to fulfilling our data protection obligations set by the General Data Protection Regulation, as well as other relevant laws and regulations.

Contact details


Identity of the personal data controller
St1 Nordic Oy
Data Protection
2082259-7
Tripla Workery West, Firdonkatu 2, 00521 Helsinki

Any questions regarding your personal data processing can be sent to the St1 company in your country of residence:  

St1 Oy
Tietosuoja
0201124-8
Tripla Workery West, Firdonkatu 2, 00521 Helsinki
dataprivacy@st1.fi

St1 Sverige AB
Dataskydd (Nordic DPO)
556308-5942
Box 11057
161 11 Bromma
dataprivacy@st1.se

St1 Norge AS
Databeskyttelse (Nordic DPO)
913 285 670
Postboks 1154 Sentrum
0107 Oslo
dataprivacy@st1.no


Processing of personal data


Sources of personal data

We receive personal data directly from you. Personal data is collected either in the course of product or service delivery or when you visit our website.

We might get information from external sources, as described in the table below.

Personal data we receive: Any type of personal data: name, contact details, purchase history or any other data that is generated in connection with the customer relationship
Source: Personal data can be obtained from other IT systems of the St1 companies as permitted by legislation. To the extent permitted by law, personal data can be collected and updated from the IT systems of third parties.

Personal data we receive: Cookie information: technical identification information such as the IP address of the user; time of day; pages visited, and time spent on the website
Source: Personal data is obtained when visiting St1’s website or using the mobile application

Purposes of processing personal data

The table below shows what personal data is processed, for which purposes, and the legal bases for such processing.

Processing purpose: Customer service
Legal basis: Contract, Legal Obligation
Data types: Name, contact details, purchase data and case / communication history

Processing purpose: Customer account creation and service delivery
Legal basis: Contract
Data types: Name, contact details, Union / association membership data, customer group, account events, activity log, St1 or third-party customer programme

Processing purpose: Direct marketing (Digital)
Legal basis: Consent. The customer can manage their marketing permits by logging into the mobile application or by contacting St1’s customer service. The consent for use of location data is handled in the mobile application and preferences can be changed with the customer's mobile device.
Data types: Name, contact details, marketing consent status, purchase history, activity log (Email/App/MyPages/etc.), Union/association information (where available), historical NPS results, location, St1 or third-party customer programme
Voluntary data: geoinformation, communication preferences and other data that allows customization

Processing purpose: Customer relationship management and profiling
Legal basis: Contract, Consent. The customer can manage their marketing permits by logging into the mobile application or by contacting St1’s customer service. The consent for use of location data is handled in the mobile application and preferences can be changed with the customer's mobile device.
Data types: Contact details
Voluntary data: purchase history, communication preferences and other data that allows customization

Processing purpose: Customer satisfaction
Legal basis: Legitimate interest for developing our products and services. Answering the customer satisfaction survey is voluntary.
Data types: Name, satisfaction score & free text (provided by the customer), customer satisfaction data is linked with salesforce account data, customer service agent name

Processing purpose: Camera Surveillance (CCTV)
Legal basis: Legitimate interest for ensuring the safety and security of the customers, St1 employees and environment at the site, protecting St1 assets by enabling investigations of fraud and criminal activities, and enabling support in customer service disputes.
Data types: Video footage recorded at the service stations

Processing purpose: Merchant-initiated transaction (MIT) for Electrical Vehicle Charging (EVC)
Legal basis: Contract
Data types: Birth date, name, address

Retention times

We have determined retention periods based on the purpose of the processing and the applicable legislation. For example, accounting-related laws require us to store your personal data for a certain period. We review the personal data we collect regularly to ensure that the personal data we have is up to date and is not retained longer than needed or required by the relevant laws.

When not limited by applicable legislation, the retention periods are defined as follows:

Processing purpose: Customer service
Data types: Name, contact details, purchase data and case / communication history
Retention time: 36 months from the last activity on St1’s digital channels or from the last purchase of St1’s products or services. Customer service calls are stored for 365 days from the recording of the call.

Processing purpose: Customer account creation and service delivery
Data types: Name, contact details, Union/association membership data, customer group, account events, activity log, St1 or third-party customer programme
Retention time: 36 months from the last activity on St1’s digital channels or from the last purchase of St1’s products or services

Processing purpose: Direct marketing (Digital)
Data types: Name, contact details, marketing consent status, purchase history, activity log (Email/App/MyPages/etc.), Union/association information (where available), historical NPS results, location, St1 or third-party customer programme
Voluntary data: geoinformation, communication preferences and other data that allows customization
Retention time: 36 months from the last activity on St1’s digital channels or from the last purchase of St1’s products or services

Processing purpose: Customer relationship management and profiling
Data types: Contact details
Voluntary data: purchase history, communication preferences and other data that allows customization
Retention time: 36 months from the last activity on St1’s digital channels or from the last purchase of St1’s products or services

Processing purpose: Customer satisfaction
Data types: Name, satisfaction score & free text (provided by the customer), customer satisfaction data is linked with salesforce account data, customer service agent name
Retention time: 36 months from the last activity on St1’s digital channels or from the last purchase of St1’s products or services

Processing purpose: Camera Surveillance (CCTV)
Data types: Video footage recorded at the service stations
Retention time: Video footage is deleted automatically in 30 days from the recording. If a security incident occurs and the recordings are necessary to further investigate the incident or use the recordings as evidence, the relevant footage is retained longer than the normal retention period for as long as it is necessary for these purposes.

Processing purpose: Merchant-initiated transaction (MIT) for Electrical Vehicle Charging (EVC), in markets where St1 offers EVC and MIT as a service
Retention time: 36 months from the last activity on St1’s digital channels or from the last purchase of St1’s products or services

If you wish to have more detailed information about our retention times, please contact us by sending a request to our data protection email.

Recipients of the personal data

We use service providers to provide our services and to help operate our business efficiently. As a responsible company, we always use various contractual and other arrangements to ensure that our service providers process your personal data in accordance with the laws and advanced data processing practices.

To ensure the confidentiality and a high level of protection for your data, we have a data processing agreement with every service provider involved in the processing of personal data. Our service providers do not have permission to process your information in any way beyond the agreed services.

Recipients of our data are described below.

Recipient: Companies belonging to the St1 Group
Data types: Any type of personal data: name, contact details, purchase history or any other data that is generated in connection with the customer relationship

Recipient: Customer relationship management service provider, acting as a processor on behalf of us
Data types: Any type of personal data: name, contact details, purchase history or any other data that is generated in connection with the customer relationship

Recipient: Marketing partners, acting as a processor on behalf of us
Data types: Contact details

Recipient: Partner providing collection services for Merchant-initiated transaction (MIT) service
Data types: Birth date, name, address

Recipient: Partner providing Third party customer programme
Data types: Member number and verification of activating membership, transactions

We may need to disclose certain information to authorities, for example law enforcement authorities, when required by law. We only do this on the basis of a legally binding decision or judgment and when otherwise required to protect St1's interests in legal proceedings.

In case of mergers or acquisitions, the acquiring entity may obtain access to relevant customer data assets.

Data transfers outside of the EU/EEA

Some of our service providers or their support functions are located outside the European Union and European Economic Area. When the processing involves transferring personal data outside the EU or EEA, we use appropriate safeguards to ensure a level of data protection equivalent to that provided in the GDPR.

Recipient: Marketing and marketing partners
Data types: Contact details
Location and transfer mechanism: USA: Commission’s adequacy decision

Security of your personal data

We have an appropriate security policy and procedures in place to protect your personal data from loss, misuse or unauthorized access.

We guarantee that your data is kept confidential and secure. All the employees authorized to process your data have committed themselves to confidentiality. We use role-based access control, meaning that each employee is given access to resources and personal data based on the employee’s role and job description. All networks and services used by our employees are protected with appropriate security measures.

Physical data is stored in locked facilities. Such data may only be processed by persons who have a legitimate reason, related to their duties, for processing the data.

The information systems are protected by various organizational and technical methods from access by unauthorized third parties. Each user has a personal user ID and password for logging into the system. Access to the data is restricted to persons who process the personal data in question as part of their duties.

We have a procedure to manage data breaches which allows us to assess the possible risks, notify the relevant authorities and alert you in case your personal data may have been affected. We regularly educate all employees to ensure the protection of your personal data.

Your rights

You have certain rights concerning your personal data, such as the right to access, update, delete and have a copy of your data. We seek to ensure that you can exercise your rights efficiently. Any questions regarding your personal data processing can be sent to the St1 company in your country of residence: in Sweden: dataprivacy@st1.se, in Finland: dataprivacy@st1.fi and in Norway: dataprivacy@st1.no. You can exercise your rights by sending a request to us. Your rights and their explanations are listed below.

The Right to be Informed

You have the right to be informed about our organization and the details of personal data processing activities we carry out with your personal data. In addition, you have a right to receive information about the recipients to whom your personal data might be disclosed.

The Right to Access

You have the right to know that we are processing your personal data and have access to this data.

The Right to Rectification

You have the right to request that we correct inaccurate personal data concerning you.

The Right to Erasure (“Right to be Forgotten”)

You have the right to request deletion of your personal data and customer account. In certain cases this right might be limited by the legal obligation to retain such information in accordance with compulsory statutory limitations, about which we will inform you.

In case you want to exercise your data subject rights, such as the right to be forgotten, please contact the St1 company in your country of residence. In case you are a mobile app user and want to exercise your right to have your account erased, please open Profile in the mobile app, click on Remove account and follow the instructions.

The Right to Restrict Processing

You have the right to restrict the processing of your personal data. Restricting the processing means that we will limit the processing of certain data to only storing it. Note that restricting the processing of your personal data might negatively impact your ability to receive expected products, goods or services from us.

The Right to Data Portability

You have a right to request from us your personal data in a structured, commonly used and machine-readable format that allows transmitting such data to another controller.

The Right to Object to Processing

In certain cases, you have a right to object to processing of personal data concerning you. In this case we will analyze whether the legal bases for data processing are sufficient to continue processing or whether we must stop processing your personal data.

Rights Related to Automated Decision Making

You have the right not to be subject to a decision based solely on automated processing, which produces legal or similar effects concerning you. It means that you have a right to demand human intervention to review the decisions made in the course of automated processing.

Currently St1 does not carry out automated decision-making that could have legal consequences or other similarly significant consequences for you. If such decision-making were to occur in our services, we would actively inform you about it in St1’s Privacy Policy and when such a service is introduced.

Rights to withdraw consent

In case the processing of personal data is based on your consent, you have the right to withdraw consent unconditionally at any time. This, however, does not affect the lawfulness of the processing based on consent before its withdrawal.

We use consent as a legal basis for processing. Please see details above.

Right to lodge a complaint with supervisory authority

If you consider that the processing of personal data relating to you infringes the GDPR, you have the right to lodge a complaint with your local data protection authority. A complaint concerning St1’s actions in relation to data protection regulation can be lodged with the supervisory authority of the data subject’s habitual residence or alternatively with St1’s lead supervisory authority, the Finnish Data Protection Ombudsman. Further information about your right to data protection is available on the website of the Data Protection Ombudsman at: https://www.tietosuoja.fi.

In Sweden, it is the Integritetsskyddsmyndigheten (IMY) that checks that data protection legislation is followed. Further information on the protection of personal data can be found on the website of the Swedish Privacy Agency (IMY) https://www.imy.se.

In Norway, the Data Protection Authority monitors compliance with the GDPR. Further information about your rights is available on the Norwegian Data Protection Authority's website https://www.datatilsynet.no.

Please note that the request must be sufficiently specific, as requests are evaluated on a case-by-case basis, and we must verify the identity of the customer making the request before we are able to respond to or fulfil it.

We will notify you if we are unable to fulfil the request in some respects, such as deleting information that we have the right to keep, for example due to the execution of the contract or due to St1’s legal obligation.

If you need more information or help with the exercise of your rights, or if you have any other questions related to the processing of your data or this privacy statement, please contact us by using the above contact details of the St1 company in your country of residence.

Changes to this privacy policy 

We reserve the right to update this privacy policy in case our activities change. In that situation we will notify you about the updates. 

This privacy policy for private customers was last updated on 1.11.2023.