Household

Business

Self service

SearchSupport

ET

EN

RU

Principles of Enefit AS customer data processing

16 December 2024

1. General provisions

1.1. We aim to be a reliable partner and to keep the data entrusted to us protected.

1.2. The described principles provide an overview of how Enefit AS (registry code: 16130213; address: Harju maakond, Tallinn, Kesklinna linnaosa, Lelle tn 22, 11318) processes personal data and ensures the protection of personal data.

1.3. The described principles have been drawn up to comply with the requirements of the controller laid down in Article 12 ‘Transparent information, communication and modalities for the exercise of the rights of the data subject’ of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR) and to inform natural persons of the principles of the processing of personal data and the safeguarding of rights.

1.4. The principles of Enefit AS customer data processing apply to Enefit AS and its customers.

1.5. In the processing of customer data, we adhere to the following principles: lawfulness, fairness, transparency, purposeful and minimised data processing, accuracy, storage limitation, integrity and confidentiality, accountability, data protection by design and by default. We have also set ourselves the objective of following the guidelines and recommendations of both the Estonian Data Protection Inspectorate and the European Data Protection Board in the implementation of data protection requirements.

1.6. Enefit AS attaches great importance to people’s privacy and the protection of their data by using secure solutions for data processing. We implement appropriate technical and organisational measures to protect personal data against unauthorised access, unlawful processing or disclosure, accidental loss, alteration or destruction.

1.7. For the purposes of the Group’s internal management as well as for making management and business decisions, personal data may also be processed by other legal persons belonging to the same Group as Enefit AS.


2. Definitions

2.1. For the purposes of these principles, we use the terms as defined in the General Data Protection Regulation (GDPR).

2.2. ‘Data subject’ means a natural person (customer) whose personal data Enefit AS processes.

2.3. ‘Data protection legislation’ means the Estonian Personal Data Protection Act, the GDPR and other applicable legislation at national and European Union (EU) level.

2.4. ‘Personal data’ means any information relating to an identified or identifiable natural person (eg the contact details of a customer or data related to the use of the service).

2.5. ‘Processing’ means any operation which is performed on personal data (eg transfer, recording, entry of data).

2.6. ‘Customer data’ means the personal data of an Enefit AS customer.

2.7. ‘Customer’ means a natural person who has concluded a contract with us or provided us with their data and expressed a wish to register as a customer or receive an offer from Enefit to conclude a contract, but who has not yet concluded a contract. Enefit also considers a customer owners of immovable property with and obligation to tolerate utility networks or civil engineering works as well as any natural persons who use our services or our e-environment.

2.8. ‘Controller’ means Enefit AS, which determines the purposes and means of the processing of personal data.

2.9. ‘Processor’ means a contractual partner of Enefit AS (an entity separate from the controller) who processes personal data on behalf of Enefit AS.


3. Information on data and its collection methods

3.1. We offer a wide range of services and e-environments for our customers to use. The composition of the data processed with regard to the data subject depends on which services or e-environments the data subject uses, what data is needed to provide these services and e-environments, and to what extent the data is provided to us by the customer for this purpose (eg when contacting us, ordering a service or registering as a user).

3.2. The main data we process are: first name and surname, username, personal identification code, identity document number (eg passport, ID card, residence permit) and other related information, age, address, email address, information about services ordered or products purchased (eg composition of service, additional services, parameters, service address, used equipment, etc) and the related static IP address, domain name or device serial number, billing information (eg invoice address, reference number, billing address) as well as the data collected by customers during the use of the services in the e-environments.

3.3. We do not aim to process special categories of personal data (Article 9 of the GDPR). However, we cannot definitively exclude the processing of such data if the data subject decides to disclose the special categories of personal data to us.

3.4. We primarily receive data from the data subjects themselves: eg when a customer expresses a wish to conclude a contract, order a service, register as a customer or we receive a request for information. Additionally, we process data generated by the data subject during the use of the services and when we receive data related to the customer from other sources (eg other service providers or public registers).


4. Purposes of and legal bases for the processing of personal data

4.1. Processing of personal data the legal basis for which is consent. We carry out consent-based processing operations after obtaining valid consent from the data subject. In the consent form, we refer to the applicable data protection conditions. You have the right to not give consent or to subsequently withdraw your consent. The consent is valid until it is withdrawn.

4.1.1. It is possible to give consent to Enefit AS, among other things, for the use of the data for marketing purposes and the receipt of personalised offers.

4.1.2. It is possible to give Enefit AS consent to request information about the consumption points and volumes related to the data subject from Elering AS, which may be a precondition for the conclusion of an offer and/or contract.


4.2. Processing of personal data the legal basis for which is a contract. In a situation where we conclude a contract with you or prepare it, perform the contract concluded with you or manage contract-related matters in our systems, we rely on the legal basis necessary for the performance of a contract or in order to take steps prior to entering into a contract when processing personal data (Article 6(1)(b) of the GDPR).

4.2.1. Enefit AS processes personal data on a contractual basis:

4.2.1.1. to identify a customer and/or their representative;

4.2.1.2. to prepare an offer prior to entering into a contract and provide information;

4.2.1.3. to perform activities necessary for the provision of services or the sale of goods to a customer (including the sale and delivery of services and/or goods and the provision of information about services and goods to the customer);

4.2.1.4. to provide customer service, send reminders and eliminate faults;

4.2.1.5. to provide the customer with the e-environment and its services and functionalities;

4.2.1.6. to calculate service fees related to the contract, manage orders, prepare and send notices and invoices;

4.2.1.7. to send notices related to the contract and/or service to the customer by post;

4.2.1.8. for the maintenance and repair of the customer’s equipment and other after-sales activities related to the equipment;

4.2.1.9. to ensure the performance of the contract (eg provision of securities, conclusion of contracts of suretyship);

4.2.1.10. to manage the debt process and ensure the performance of the payment obligation;

4.2.1.11. where necessary, for the purposes of other activities necessary for the preparation, conclusion, performance, management or termination of the contract.


4.3. Processing of personal data the legal basis for which is the performance of an obligation arising from a legal act (legal obligation)

Pursuant to legislation, we process data for the following purposes:

  • to fulfil the requirements of the Electricity Market Act and the grid code;
  • to perform the obligations arising from accounting and tax laws;
  • to fulfil the requirements of other legislation applicable to our activities.


4.4. Processing of personal data on the basis of legitimate interest

4.4.1. In certain situations, we may process your data on the basis of legitimate interest (Article 6(1)(f) of the GDPR). We rely on legitimate interest in the processing of data in the context of the activities and purposes described below:

4.4.1.1. responding to the data subject’s enquiries outside the customer relationship (except in the case of pre-contract negotiations);

4.4.1.2. ensuring network and information security, complying with data protection requirements and ensuring the operation of the video surveillance system for the purposes described in the document ‘Group’s Video Surveillance System Procedure’;

4.4.1.3. recording of calls to ensure better service;

4.4.1.4. processing of information on payment defaults (checking of payment default) for the purpose of assessing creditworthiness;

4.4.1.5. processing of personal data to the extent necessary to safeguard the rights of legal persons in our Group, including for the purposes of dispute resolution and the fulfilment of legal requirements;

4.4.1.6. marketing and advertising activities, including and the receipt of customer letters and newsletters offering similar products and services (offering similar services / making offers to customers based on the existing customer relationship);

4.4.1.7 conducting satisfaction surveys to obtain feedback;

4.4.1.8. ensuring the internal management of the Group;

4.4.1.9. developing and improving the services / customer service;

4.4.1.10. risk management, fraud prevention and whistleblowing mechanisms;

4.4.1.11. contacting a customer who abandoned the submission of an application in order to send them a notification, provide personalised assistance or improve our service;

4.4.1.12. carrying out major transactions concerning structural changes and financing of the Group (eg transfer, sale, purchase, division, merger of a company/undertaking) during the negotiation and/or execution of a business transaction (sharing/transferring data with the counterparty to the transaction);

4.4.1.13. general profiling and segmentation of customer groups to offer better service management and customised content.


4.5. Retention of personal data

As a rule, we retain personal data for the period necessary to achieve the purposes for which the personal data are processed, for the period prescribed by law or until the expiry of the limitation period for any claims arising from the customer relationship.

In the retention of data, we adhere to the following main time limits:

Retention periodContent
1 yearPotential customers who have requested, for example, quotes, consultations or information on technical possibilities, but who have not become a customer of Enefit AS, as well as recordings of customer service calls.
3 years (retention period starts from the expiry of the contract)Three years after the expiry of the contract, we delete the basic data of the contract and any data generated during the performance of the contract (eg customer communications, correspondence, chatbot recordings, complaint handling, notices, consumption history), provided that there is no ongoing recovery procedure related to the performance of the contract after the expiry of the contract.
7 yearsData concerning the fulfilment of accounting requirements (contracts and related documents).
10 yearsInformation on outstanding invoices and debts if there is no ongoing recovery procedure.


5. Rights of the data subject

5.1. Right to obtain information and right of access. For example, the most convenient way for our customers to access their basic and contract details, contract data, point of consumption data and consumption data is through the self-service environment of Enefit, as well as by contacting customer service.

5.2. Right to rectification of personal data. The data subject has the right to rectify their data if the data are incorrect or incomplete. For example, if a customer’s data has changed or if a customer discovers that their data are incorrect, they always have the right, and in certain cases a contractual obligation, to rectify these data in the self-service or to contract customer service to have them rectified.

5.3. Right to request erasure of personal data. In certain cases, data subjects have the right to request the erasure of their personal data. However, this is not an absolute right. For example, this right does not apply in situations where we process the personal data of a customer to fulfil the obligations arising from the Electricity Market Act, the grid code or other legislation. We would also like to point out that if a data subject has a valid contract and they wish to exercise their right to erasure, it will not be possible to continue receiving services under the contract.

5.4. Right to object to the processing of your personal data, including processing based on legitimate interest. The data subject has the right to object to the processing of their personal data by making a reasoned request. The controller will no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject (eg processing is carried out to fulfil an obligation arising from applicable legislation or a valid contract) or for the establishment, exercise or defence of legal claims (eg in a situation where the customer has breached the contract).

5.5. Right to restriction of processing. In certain cases, the data subject has the right to request the restriction of processing of their personal data. This is the case, for example, where the data subject contests the accuracy of the personal data and the processing is restricted for a period which enables the controller to verify the accuracy of the personal data.

5.6. Right to data portability. The right to data portability applies if the processing is based on consent or a contract and the processing is carried out by automated means. For example, customers have the right to the portability of their consumption data. The easiest way to exercise this right is in the AVP customer portal (e-elering) here.

5.7. Right to address a court and/or supervisory authority. We wish to solve any disagreements with the data subject by negotiation first. To ensure fair and transparent processing concerning the data subject, we are also obliged under applicable legislation to inform data subjects of the right to file a complaint with a supervisory authority (in Estonia, the Estonian Data Protection Inspectorate) by emailing [email protected].


6. Automated decisions and profiling

6.1. An automated decision is a decision based on automated processing that is carried out without human intervention to make the process faster and smoother.

6.2. In the processing of personal data, Enefit may also make automated decisions, for example:

6.2.1. for conducting background checks upon the sale of goods and the provision of services on credit terms, in the context of which we process relevant information about your payment behaviour and background sourced from the information systems of Enefit as well as from public databases (public notices, information made available by enforcement agents, other official registers and publications, eg the commercial register, population register);

6.2.2. in debt proceedings, to transmit automatic notifications and limit the services provided in accordance with contractual and legal provisions.

6.3. The purpose of customer profiling is to develop different customer segments, types or profiles that allow to provide offers and services tailored to each customer. For profiling, we can analyse, for example, data on customer demographics (age, gender), service use data, location and behavioural patterns by using a variety of internationally recognised statistical analysis methods appropriate to the specific case.

6.4. The customer has the right to request further clarifications and to object to the automated decisions concerning the customer at any time by informing Enefit.


7. Third parties related to data processing

7.1. In addition to ourselves, processors may also be involved in the processing. Processors are our contractual partners who, for example, engage in organising billing, answering customer questions, marketing services, reselling services or providing other services using communication services, etc. A processor has the right to process data only for the specific purpose authorised by us and on the basis of a contract containing a confidentiality obligation concluded with us. A list of our processors is available on our website here.

7.2. With regard to potential mergers, acquisitions and financing processes concerning the Group, personal data may also be processed by related third parties, subject to all the principles governing the processing of personal data.

7.3. We would also like to point out that in certain cases we are obliged by law to transfer data to third parties. For example, we may transfer data to state agencies (including the police, courts) where there is a legal basis pursuant to law.

7.4. If you have authorised third persons to legally represent you on the basis of a power of attorney, these persons are considered third parties to the processing.

7.5. Third parties to processing may include the providers of audit, legal and other such services. In addition, third parties to processing may also include debt recovery service providers, enforcement agents and companies dealing with payment defaults.

7.6. Processing of Google account data.

7.6.1. If the customer uses a Google account to sign in to Enefit’s charging service application Volt, the application processes the Google account data submitted by the customer (ie email address, password) in order to:

7.6.1.1. create a charging service account for the customer in Enefit’s charging service application Volt at the customer’s request;

7.6.1.2. identify the customer when they have signed in to Enefit’s charging service application.

7.6.2. Enefit retains the customer’s Google account data in the European Union.

7.6.3. Enefit does not share the customer’s Google account data with third parties.

7.6.4. If you wish, you can read the Privacy Policy of Google on the Google website.


8. Processing of personal data on social networking sites

8.1. The following settings apply to the use of our Linkedin page:

  • our LinkedIn page is visible to internet users and LinkedIn account holders;
  • the page can be followed by selecting the appropriate option;
  • anyone can comment on the posts on the page, we may also remove comments (eg to prevent the spread of scams);
  • our working languages are Estonian and English. It is possible to comment on posts and contact us in both languages;
  • anyone can contact us privately; 
  • if you share, like or comment on a post, we receive a notification;
  • when you visit our account, data concerning you is collected for us by a third party, over which we have no control; 
  • we receive visitor statistics in non-personalised form. 

8.2. The following settings apply to the use of our Youtube channels: 

  • the page is visible to internet users and YouTube account holders;
  • it is possible to subscribe to the account;
  • anyone can comment on the videos on the account, we may also remove comments (eg to prevent the spread of scams);
  • anyone can like and share the videos;
  • our working languages are Estonian and English;
  • when you visit our account, data concerning you is collected for us by a third party, over which we have no control;
  • we receive visitor statistics in non-personalised form. 

8.3. The following settings apply to the use of our Facebook channels (Enefit Eesti, Enefit Volt): 

  • the page is visible to internet users and Facebook account holders;
  • the page can be followed by selecting the appropriate option;
  • anyone can comment on the posts on the page, we may also remove comments (eg to prevent the spread of scams);
  • our working language is Estonian, but it is possible to comment on posts and contact us in both Estonian and English;
  • anyone can contact us privately via messages; 
  • if you share, like or comment on a post, we receive a notification;
  • when you visit our account, data concerning you is collected for us by a third party, over which we have no control; 
  • we receive visitor statistics in non-personalised form. 

8.4. The following settings apply to the use of our Instagram channel:

  • the Enefit Eesti page is visible to internet users and Instagram account holders;
  • if you like, save, share or comment on a post, we receive a notification;
  • when you visit our account, data concerning you is collected for us by a third party, over which we have no control; 
  • we receive visitor statistics in non-personalised form. 


9. Cookies

Cookies are small text files that allow websites to provide a better user experience. We use cookies to personalise website content and advertisements, provide social media features and analyse website traffic. For more detailed information about cookies, please visit the ‘Cookie Settings’ link at the bottom of the www.enefit.ee homepage, where you can also change your cookie preferences.


10. Contact

Customers can contact the customer service of Enefit in matters related to the processing of customer data as follows:

For question relating to the processing of your personal data and the exercise of your rights as a data subject, please submit a corresponding written request. Our data protection officer can be reached at [email protected]. We will reply as soon as possible but not later than within 30 calendar days. In exceptional cases, legislation allows us to extend the deadline for reply by two months. We kindly ask you to sign the request digitally so that we can verify the identity of the person submitting the request/enquiry and prevent the data from being disclosed to unauthorised third parties.


11. Final provisions

This version of the privacy notice is valid from 16 December 2024. We have the right to amend and update this privacy notice as needed. We always keep the privacy notice up to data and available on our website www.enefit.ee. We will inform you of any material changes to this document via our website, email or other appropriate means.