Oomi Oy’s customer register
This privacy statement provides data subjects, i.e. the controller’s customers, and the supervisory authority with the information required by data protection legislation on how and why Oomi Oy processes the personal data of its customers.
1 Controller
Oomi Oy
Business ID: 3101315-4
Postal address: Teknobulevardi 7, 01530 Vantaa
Website: oomi.fi
2 Persons responsible for the register and their contact information
Person responsible for the register
Sami Naskali
Data protection officer
Olli Turpeinen
Enquiries about data protection
tietosuoja@oomi.fi
3 Name of register
Oomi Oy’s customer register for electricity sales (‘Customer Register’)
The register’s data subjects are customers of Oomi Oy.
4 Purpose and legal basis of the processing of personal data
Oomi Oy processes the personal data of its customers for the purposes presented in more detail below.
Oomi Oy processes the personal data of its customers
- to manage its customer relationships;
- to offer, sell and market its products and services as well as communicate about them, analyse the use of services and products;
- to develop its products and services;
- for compiling statistics;
- for customer satisfaction surveys, opinion polls and market research; as well as
- to comply with the obligations related to the applicable laws as well as official regulations and instructions.
The processing of personal data is primarily based on Oomi Oy’s legitimate interest to provide, support and develop business services as well as manage and develop customer relationships. If the customer of Oomi Oy is a private customer, the personal data processing is, in this respect, also based on the implementation of the contract between the customer and Oomi Oy.
Oomi utilises digital marketing channels and the generally used advertising opportunities within and, in certain forms of advertising, customer data to a limited extent in order to create target audiences. We do not use customers who have opted out of marketing when forming these anonymous advertising audiences.
Oomi offers content on many social media websites and also carries out marketing measures through them. The use of the content of social media websites complies with the terms of the social media service provider. You can check out the privacy settings and marketing practices in the settings of the services in question.
5 Data content of the register
For the purposes mentioned above, we may process the following data related to customers or other data subjects:
- basic information about the data subject (such as names, personal identity code, address, business ID, customer number, ID and address of the location of use, user ID and/or other unique identifier, password and native language);
- information concerning companies’ contact persons (such as information on the employer and the data subject’s professional status);
- contact information (such as address, phone number and email address);
- information related to payment and invoicing (such as information concerning invoicing, payments, payment and collection, preliminary estimates, information on compensation for damages and credit information requests as well as payment card information);
- information related to the customer account and contracts (such as information on the contract, subscription, valid and terminated services, service use and authorisations; contact recordings and records (such as phone call recordings and email records); correspondence and other communications with Oomi Oy as well as information related to marketing);
- information on services and products (such as information on subscriptions, validity, changes and end dates; the necessary information concerning the use of mobile services; information provided by the data subject on their interests; cookies and information on their use; and user profiles formed based on the data processed in the context of the Customer Register);
- information on electricity consumption (such as projected annual consumption and reports related to consumption) and
- possible other information collected with the specific consent of the data subject (such as direct marketing opt-ins and opt-outs);
- any other information concerning an insurance agreement (such as health information, employment status information).
6 Regular sources of data
Data concerning data subjects is regularly received from
- the data subjects themselves when they become customers of Oomi Oy, register as users of Oomi Oy’s services, use Oomi Oy’s services or when some other proper connection is established between Oomi Oy and the data subject;
- Oomi Oy’s Customer Register may also collect, record and update data through bodies such as the Digital and Population Data Services Agency and Suomen Asiakastieto Oy;
- from other parties operating on the electricity market on the basis of information sharing that is based on applicable law, procedures and official regulations;
- from companies producing insurance services.
Personal data may also be collected and updated from the authorities and other third parties within the limits permitted by the applicable legislation for the purposes described in this privacy statement.
Oomi Oy records phone calls made to and received from customers in order to ensure and develop the quality of customer service. Phone calls between customers and cooperation partners acting on behalf of Oomi Oy are also recorded. Phone call recordings are kept for 25 months.
7 Automatic decision-making
Oomi Oy has the right to check the credit of persons from the Suomen Asiakastieto register before signing an agreement concerning products and services. Credit information is used in the decision-making related to granting contracts. Credit information is processed in accordance with the Credit Information Act (527/2007).
Applicants have the right to require a human to participate in the data processing, the right to express their opinion about a decision and the right to contest a decision made based on automatic decision-making.
8 Regular disclosures of data and data transfer outside the EU or EEA
In order to provide services, personal data may be processed in Oomi Oy’s data systems for the purposes presented in this privacy statement.
For the purposes described in this privacy statement and within the limits permitted and required by legislation, official regulations and instructions issued by industry associations that are in force at the time, personal data may be disclosed to the authorities, other energy companies operating on the electricity market, property owners and housing managers as well as parties to the electricity supply and sales contract (e.g. pass-thru invoicing), for example.
Personal data may also be disclosed to cooperation partners carefully selected by the controller (e.g. outsourced customer service) for purposes that support the purposes of personal data processing described in the Customer Register.
The controller may use subcontractors in data processing, and data is transferred outside the EU and EEA to a limited extent. When data is transferred outside the EU/EEA, the transfer is carried out by using the standard contractual clauses of the European Commission or other transfer mechanism permitted by legislation.
9 Data retention period
Data is retained only for as long as it is necessary to fulfil the purposes defined in this privacy statement; the contract details and information related to the contract are generally retained for the duration of the customer relationship. After this, the data is deleted, unless we are obligated to retain the data in accordance with legislation or the rights and obligations based on the contract between the parties.
The retention period of customer data that is based on a contract is ten (10) years according to the Terms of Electricity Sales and Terms of Electricity Supply.
The retention period of contact recordings (telephone calls and e-mail messages) is twenty-five (25) months.
Customer data related to insurance is retained for up to ten (10) years after the company’s responsibility has ended (section 73 of the Insurance Contracts Act).
The data is deleted in accordance with the deletion processes followed by the controller. After the end of the contractual relationship, the controller may process personal data for direct marketing purposes in accordance with applicable legislation.
10 Principles of register protection
Personal data is protected by means that are generally acceptable and reasonable in the sector, such as with access passes, training, firewalls and passwords.
Only identified employees of the controller or companies acting on assignment by or on behalf of the controller have access to the personal data processed in the Customer Register in accordance with the access rights granted by Oomi Oy. Oomi Oy takes into account the applicable legislation, official regulations and instructions issued by industry associations regarding ensuring confidential processing of personal data.
11 Rights of data subjects
Right of access
Data subjects have the right to see what data is recorded about them in the Customer Register. This right of access may be refused on grounds provided by law.
Electronic data access requests must be sent by email to tietosuoja@oomi.fi.
Written data access requests must be submitted in person at the controller’s place of business, where the data subject’s identity will be verified.
Oomi Oy will charge a reasonable compensation for providing the data if the data subject uses their right of access more often than once a year.
Right to object to direct marketing
Data subjects may opt in or out of the controller’s direct marketing on a channel-by-channel basis.
Data subjects have the right to object to the processing of their personal data for the purposes of direct mail, distance selling and direct marketing as well as market research and opinion polls. The right to object does not apply to customer communications related to services subscribed to and ordered by the customer or other service-related communications carried out in order to offer services.
Right to object to the processing of personal data
On account of their special personal situation, data subjects have the right to object to being profiled and to other processing measures carried out by the controller on the data subject’s personal data in so far as the data processing is based on the controller’s legitimate interest. When making the request, the data subject must identify the situation based on which they are objecting to the processing. The controller may refuse to fulfil the request concerning the objection on grounds provided by law.
Right to request rectification or deletion of data or restriction of processing
Data subjects have the right to request Oomi Oy to rectify, delete or complete any personal data in the register that is incorrect, unnecessary, insufficient or outdated for the purpose of processing.
Data subjects also have the right to request Oomi Oy to restrict the processing of their personal data in situations such as when the data subject is waiting for the controller to reply to their request regarding the rectification or deletion of their data.
Data subjects are personally responsible for the correctness of the data they provide. Data subjects must notify the controller of any changes to the data they have provided.
Right to withdraw consent
If the personal data processing is based on the data subject’s consent, the data subject has the right to withdraw their consent by notifying Oomi Oy of this.
Right to transfer data from one system to another
In so far as the data subject has personally provided the register with data that is processed in order to fulfil the contract between the data subject and Oomi Oy or based on consent given by the data subject, the data subject generally has the right to receive the data in machine-readable format or transfer it to another controller.
12 Filing a complaint with the data protection supervisory authority
If the data subject deems that the processing of personal data is in breach of the applicable legislation or that the data subject’s statutory rights have been infringed upon, they may file a complaint about the matter with the relevant data protection supervisory authority. In Finland, the legality of the processing of personal data is monitored by the Data Protection Ombudsman, whose contact information can be found at the following address: www.tietosuoja.fi/en/home.
13 Changes to the privacy statement
We retain the right to change and update this privacy statement. The up-to-date privacy statements can be found on our website at oomi.fi/privacy-statements.
5 November 2020