Principles of Enefit AS customer data processing

1 February 2024
From 16.12.2024, we will update our principles of customer data processing, so as to be even more transparent in the processing of personal data. Review the updated principles via the link below.

1. General

1.1. The data controller is Enefit AS, registry code 16130213, address Lelle str 22, Tallinn.

1.2. The processing of Enefit's customer data is based on Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 96/95/46/EC (General Data Protection Regulation), which is often abbreviated in English as GDPR and other relevant legislation, including the Electricity Market Act, the Personal Data Protection Act and good business practices.

1.3. Enefit also follows the guidelines and instructions of Data Protection Inspectorate and the European Union data protection expert group WP29.

1.4. These principles are general, additional and/or clarifying conditions, and privacy notices may also be included in agreements, documents, forms and on Enefit's website www.enefit.ee (hereinafter - Principles). The Principles are an integral part of these general conditions for the provision of services. Enefit refers to the Principles when concluding a contract with the Client, offering a service, goods and/or e-environment to the Client and enables the Client to get acquainted with the Principles. The Principles are part of the Agreement and Enefit has the right to assume that the Customer is aware of the Principles and has read them.

1.5. If the Customer finds that his/her Data is not processed in accordance with the applicable rules, he/she has the opportunity to contact Enefit's data protection specialist at [email protected]. This option does not affect the customer's right to apply to the Data Protection Inspectorate of the data protection supervisory authority or to a court if necessary.


2. Purpose

2.1. The principles of Enefit's customer data processing (the Principles) apply to Enefit and its Customers.

2.2. The Principles determine how Enefit may use the Customer's Data in communication with the Customer and provide information on important issues related to the use of the Data.

2.3. The Principles do not apply to the services or goods of other companies, even if they are available to the Customer via the Enefit e-environment or the Service.


3. Definitions

3.1. Enefit uses the terms in the sense defined in the General Data Protection Regulation here.

3.2. A customer is any natural person who has entered into an agreement with Enefit or has provided his or her information and expressed a wish to register as a customer or to receive an offer from Enefit to enter into an agreement, but has not entered into an agreement. Enefit also treats as a customer the landowners with a technical network and facility tolerance obligation and natural persons who use Enefit's Services or the e- environment.

3.3. Data is all data of an Enefit customer that enables it to be directly, or indirectly identified, distinguished, associated or derived. Processing of customer data is any operation performed on customer data.

3.4. Anonymous data is information that cannot be associated with a specific Customer, as the Customer's identifying information has been removed from the data;

3.5. By ensuring the secure processing of data, we mean the use of up-to-date physical, organizational and IT security measures. These measures include the protection of employees, IT infrastructure as well as office buildings and technical equipment. The purpose of the measures is, in particular, to control the risks and to mitigate the risks posed by both persons and technology. In order to ensure compliance with the measures, the company's and the group's internal procedures have been established for mandatory compliance. Enefit´s employees are subject to Data confidentiality and protection requirements and are responsible for fulfilling these obligations. The Data Processors authorized by Enefit are obliged to ensure compliance with the same rules in respect of their employees and they are responsible for compliance with the requirements for the use of Data.


4. Enefit´s Principles of Data Protection

4.1. Enefit uses the Data in the manner specified in the Principles and only for the purpose for which Enefit collected the Data and to the extent necessary to fulfil this purpose. Enefit may combine Data collected in connection with different Services if such Data has been collected for the same purpose.

4.2. Enefit considers the Customer's privacy and Data protection very important, using secure solutions for data processing.


5. The role of the customer in ensuring data security

5.1. The Customer must use the Services and e-environments safely and diligently and ensure that the devices (e.g. computer, smart phone, application, etc.) used by the Customer to use the Enefit´s Services or eenvironment are secure. The Customer is obliged to keep their Password, user IDs and passwords related to the Customer, their device, the Service or the e-environment or other information or information carriers (e.g. ID card or Mobile ID) related to himself/herself secret from other persons.

5.2. The Customer must be aware of and take into account the fact that Enefit cannot guarantee the security of the Data and is not liable if the Data is not protected due to the Customer's breach of the obligation specified in clause 5.1 (incl. because the Customer has not changed the original PIN or other initial settings or the Customer's ID card, Mobile ID or their PIN codes have been used by unauthorized persons). In such case, the customer is responsible for all consequences that may occur to them.

5.3. If the Customer allows the User (e.g. the Customer's family members, employees, etc.) to consume the Services or the e-Environment on the basis of the Agreement concluded between the Customer and Enefit, the Customer is responsible for the User reading and agreeing with the Principles.


6. Data collection

6.1. Enefit offers Customers various Services and e-environments for use. The composition of the Data collected by Enefit per Customer depends on which specific Services or e-environments the Customer uses, which Data is necessary to provide them; the extent to which the Customer transmits Data to Enefit for this purpose (e.g. when ordering the Service, registering as a User, etc.) and consents The Client provides Enefit for data processing.

6.2. According to the nature and purposes of the data processing, the data collected is divided into three main categories:

6.2.1. Basic information, such as: first and last name, user name, personal identity number, date of birth, identity document number (e.g. passport, ID card, residence permit) and other related information, age, address, e-mail address, services ordered or information about purchased products (e.g. service composition, additional services, parameters, service address, devices used, etc.) and related static IP address, domain name or device serial number, billing information (e.g. billing address, reference number, account number, etc.). Also data collected by Customers in the course of using the services in e-environments;

6.2.2. Specific types of personal data, such as racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data used for the unique identification of a natural person, health data or data on a person's sexual life and sexual orientation. The purpose of Enefit is not to collect your specific personal data, but it may become known to us by chance, for example, through a letter or telephone call received by us as part of a customer relationship, when you disclose it to us. In accordance with the principles of secure data processing, the processing of such data shall be restricted or deleted;

6.2.3. Non-personalized data is data that is not attributable to any particular Customer, but which Enefit must also process in order to provide services. Non-personalized data is, for example, data collected when using websites, which is collected by non-personalized customers for Enefit in the course of using the services.

6.3. Enefit collects Data in the following ways:

6.3.1. Enefit receives Data from the Customer, for example, when ordering the Service, registering as a Customer, making an information request to Enefit;

6.3.2. The Data is generated by the Customer when using the Services (e.g. when using the e-environment) and it is necessary for the performance of the Agreement or ensuring the performance of the Agreement, such processing of the Data is prescribed by Legislation or is based on the Customer's consent;

6.3.3. Enefit receives Data related to the Customer from other sources (e.g. other service providers or public registers, etc.) if it is necessary for the performance of the Agreement or to ensure the performance of the Agreement, such processing of the Data is prescribed by Legislation or is based on the Customer's consent.


7. Use of data for the performance of the Agreement and to ensure the performance of the Agreement

7.1. Enefit may use the Data on the basis of the Legislation without the separate consent of the Customer for the performance of the Agreement or to ensure the performance of the Agreement in the following cases:

7.1.1. To identify the customer and their representative;

7.1.2. To perform activities necessary for the provision of Services or sale of goods to the Customer (incl. for sale and delivery of Services and/or goods and for forwarding information on Services and goods to the Customer);

7.1.3. Customer service and troubleshooting;

7.1.4. To provide and develop the e-environment, its services and functionalities and a good level and personal user experience (e.g. recording of language preference, etc.) and to provide the Customer with information related to the possibilities and security of using the e-environment;

7.1.5. To calculate the service fees related to the Agreement, to prepare and send notices and invoices to the Client;

7.1.6. To send notices related to the Agreement and/or the Service to the Customer by post;

7.1.7. for documenting business and service activities and exchanging business information (incl. for submission to auditors when auditing Enefit);

7.1.8. To better serve customers, including measuring the quality, usage activity or customer satisfaction of the e-Environment and Services, and to develop the Services and business;

7.1.9. For the maintenance or repair of other Customer's equipment procured by Enefit or on the Customer's order and for other after-sales activities related to the equipment;

7.1.10. To record and preserve telephone calls between Enefit and the Customer, with the purpose of using these call recordings to prove the declarations of intent or transactions made by the Parties and to better serve the Customer;

7.1.11. To assess and prevent potential business risks or losses related to the provision of the Service;

7.1.12. To ensure the performance of the contract (e.g. to establish guarantees, enter into surety agreements);

7.1.13. Enefit for the protection of violated or disputed rights and debt collection (incl. for the transmission of Data related to breach of the Agreement and/or indebtedness to persons providing collection services, lawyers, etc. authorized by Enefit for processing the respective Data on the basis of the Agreement).

7.2. The overview of the use of the Data for the purpose of performing the Agreement and ensuring the performance of the Agreement provided in Clause 7.1 is not exhaustive. This means that Enefit may, if necessary, use the Data for the performance of the Agreement or to ensure the performance of the Agreement for some purpose not highlighted in clause 7.1.

7.3. When using the Service or the e-environment, the Customer cannot refuse to use the Data for the purposes specified in clause 7.1, as this would make it impossible to offer the Service or the e-Environment for the Customer.

7.4. Enefit may use the following Data for the purposes specified in clause 7.1:

7.4.1. Basic customer data;

7.4.2. Customer relationship information: Information concerning the use of Enefit´s Services, details of the Agreements entered into by the Customer, submitted orders and customer contacts, invoices and related information (e.g. payment data, etc.), information entered by the Customer into the eenvironment (incl. data entered during account registration), e-environment, its services and data on the use of functionalities and data collected with the help of cookies (see clause 14) and data related to the Customer's payment discipline/indebtedness;

7.4.3. The list of data in Section 7.4 is not exhaustive. This means that, if reasonably necessary and to a reasonable extent, Enefit may also process Data not specified in clause 7.4 for the purpose of performing the Agreement and ensuring the performance of the Agreement.


8. Use of data subject to consent

8.1. In certain cases, Enefit also requests separate consent from the Customer for the processing of the Data (hereinafter: Consent). When asking for consent, Enefit explains the purpose of asking for consent and provides information on the planned processing.

8.2. The conditions of use of the Data set out in the Principles apply to the consent. Enefit refers to the Principles when accepting the Consent from the Customer, and the Customer has the opportunity to get acquainted with the Principles. The Customer has the right not to give the Consent or to withdraw the Consent later, notifying Enefit via the e-environment or in writing or in a form that can be reproduced in writing. The consent is valid until revoked.

8.3. On the basis of the consent, the data will be processed for example as follows:

8.3.1. To prepare and send personal offers to the customer electronically (e.g. via e-mail, SMS or social media). The preparation of personal offers may include a marketing analysis of the Customer's Services, environment, etc. usage preferences, with the aim of finding out the Customer's usage needs and preparing personal offers based on it;

8.3.2. For the transmission of data to companies belonging to the same group as Enefit or to Enefit's cooperation partners for the purpose of offering services to the Customer jointly or reciprocally;

8.3.3. To find out the Customer's expectations, preferences and needs and to develop new and better services and possibilities of using the e-environment;

8.3.4. In the e-environment for delivering personalized content, offers and advertisements to the Customer.

8.4. Unless otherwise described in the specific consent, Enefit may use the following Data on the basis of the Consent:

8.4.1. Name, date of birth, personal identification code, language of communication, preferred contact information (eg, telephone number, e-mail, regular mail) of the Customer and the person or contact person authorized by the Customer, information on the Customer's segmentation;

8.4.2. Information concerning the use of services and the purchase of goods (e.g. field of goods, price class, delivery information, etc.);

8.4.3. Data related to the customer's creditworthiness, payment discipline/indebtedness;

8.4.4. information on the details concerning the consumption of Enefit´s services by the Customer (incl. volume, quantity, method, time, etc. of use of the Services by type of services (e.g. used electricity or gas)) and information on additional services ordered by the Customer, as well as meter) data;

8.4.5. Data transmitted by the Customer to Enefit via the e-environment (incl. data entered upon account registration);

8.4.6. Data on the use of the e-environment or its services and functionalities by the Customer and information collected by means of cookies;

8.4.7. Data published about the Customer in public databases or on the Internet (e.g. information about the Customer's interests, work or studies, etc.);

8.4.8. Data received from other persons on a lawful basis (e.g. data transmitted by Elering AS or collected by AS Krediidiinfo).

8.5. The Customer has the right at any time, regardless of whether the Customer agrees to the processing of his/her Data on the basis of consent, to prohibit sending offers or otherwise processing data on the basis of the consent in the e-environment or following the instructions in the e-mail or message or in any other electronic way provided by Enefit. Depending on the application channel, the Customer will also be notified of the deadline for enforcing his or her request, which is usually not more than 5 working days.

8.6. Pursuant to the Consent and the Legislation, Enefit may also forward offers addressed to the Customer to a user whom Enefit has become aware of, who was enabled by the Customer to use Enefit's services under the Agreement between the Customer and Enefit and the representative or contact person of Enefit´s business customer. These persons may prohibit from sending offers by electronic means (e.g. by e-mail, SMS or MMS) to them in the e-environment or by following the instructions provided in the e-mail or message or in any other electronic way offered by Enefit. Only the Customer has the right to withdraw the consent.


9. Processing of data on the basis of a legitimate interest

9.1. In certain cases, Enefit also processes the Data in its legitimate interests. For Enefit, a legitimate interest is a commercial interest in which the processing of the Data is justified and necessary and which outweighs the possible infringement of the data protection rights of the customer accompanying such data processing. Within the framework of a legitimate interest, Enefit processes customer data for the following purposes, for example:

9.1.1. Transmission of periodic news and information letters, incl. to introduce additional services and offers to customers. The customer can refuse getting news and information letters at any time without giving a reason;

9.1.2. Improving the user experience by asking customers for feedback on services and processes and using it to compile statistics and surveys. Giving feedback is voluntary for the customer;

9.1.3. Improvement and further development of Enefit's technical systems, self-service environment and IT systems, incl. security incident prevention and resolution;

9.1.4. Analysis of breakdowns, sales, consumption and other statistics required to provide proactive customer service;

9.1.5. General customer group profiling;

9.1.6. Settlement of claims and prevention of fraud;

9.1.7. To assess the customer's creditworthiness and reliability (payment behaviour) (incl. to decide on the provision of credit for services);

9.1.8. In case of breach of contract, for transmitting the Client's payment default (data related to overdue debt, including debtor's name, personal identification code, information on the amount of debt, time of occurrence of debt and type of debt-related transaction) to credit information companies authorized by Enefit.

9.1.9. To carry out major transactions related to changes in the corporate structure and financing (such as the transfer, sale, purchase, division, merger of a company orb usiness owner) for the purpose of negotiations and/or execution of the business transaction (sharing/transferring personal data with the counterparty).


10. Specific cases of data processing arising from the legislation

10.1. Pursuant to legislation, Enefit processes customer data for the following purposes, for example:

10.1.1. Transmission of electricity seller data to Elering AS and receipt of relevant data in connection with concluding or terminating a customer contract.

10.1.2. to meet obligations under accounting or tax laws.


11. Data retention period

11.1. Enefit will retain the Data for as long as is necessary to achieve the purpose of using the Data specified in the Principles or until the term prescribed in the Legislation.

11.2. When storing data, Enefit follows the following main deadlines:

11.2.1. After 3 years, we will delete the Data of persons who have requested, for example, price offers or information on the existence of a technical possibility, but have not become a customer of Enefit, as well as call recordings of customer service telephones and recordings of customer service security devices;

11.2.2. 7 years after the termination of the contract, we will delete the basic data of the contract and the data generated during the performance of the contract (customer appeals, settlement of claims, notices, etc.), if there is no ongoing collection procedure related to the performance of the contract.

11.3. In justified cases, Enefit may also change the terms described in clause 11.2, if such a need is due to, for example, specific management, legislation or Enefit's legitimate interest.


12. Automatic decision making and profiling

12.1. Enefit may also make automatic decisions when processing personal data, for example:

12.1.1. For background checks on the sale of goods and services on credit terms, in the framework of which we process relevant information about your payment behaviour and background from Enefit´s information systems as well as public databases (official notices, information disclosed by bailiffs and other official registers and publications, e.g. commercial register, population register);

12.1.2. To provide automatic notifications in the framework of debt proceedings and to limit the services provided in accordance with the provisions of the contracts and the law.

12.2. The purpose of marketing profiling is to develop different customer segments, types or profiles that allow us to offer each customer offers and services that are just right for them. For profiling, we can analyse, for example, customer demographics (age, gender), service usage data, location, and behavioural patterns using a variety of internationally recognized methods of statistical analysis appropriate to the particular case.

12.3. The customer has the right to ask for additional explanations and submit objections regarding automatic decisions concerning the customer at any time by notifying Enefit.


13. Use of data by authorized processors

13.1. Pursuant to the Legislation, Enefit may also grant the right to use the Data to authorized processors. Authorized processors are Enefit's partners who, for example, deal with the organization of billing, answering customer questions, marketing services, reselling services or providing other services provided through communication services, etc. The authorized processor has the right to use the Data only for the performance of specific operations requested by Enefit and on the basis of an agreement entered into with Enefit containing a confidentiality obligation.

13.2. The list and contact details of Enefit's authorized processors are provided on Enefit's website.


14. Customer rights in connection with the use of data

14.1. Right of access to your data. The customer can most conveniently get acquainted with their basic and contact data, contract data, place of consumption and consumption data in Enefit's self-service environment, as well as receive information from customer service.

14.2. Right to rectify personal data. The customer has the right to correct their data if it is incorrect or incomplete. If the customer's basic and contact information has changed or the customer discovers that their data is incorrect, he/she always has the right, and in some cases also the obligation under the contract, to correct it in self-service or to contact customer service to correct the data.

14.3. The right to request the deletion of your data. In certain cases, the customer has the right to have their personal data deleted. This right does not apply in a situation where Enefit processes the customer's personal data in order to fulfil obligations arising from the Electricity Market Act, network rules or other legislation. The customer must also take into account that if they wish to be forgotten, it is not possible to continue receiving services under the contract.

14.4. Right to object. The customer has the right to object at any time to the processing of personal data concerning him or her, which Enefit performs on the basis of a legitimate interest. When submitting an objection, Enefit shall consider whether the interests of the customer outweigh the interests of Enefit and, if possible, terminate the processing of the personal data in question. The right to object cannot be exercised if Enefit processes the customer's data for the performance of the contract, as this would not enable Enefit to fulfil the obligations arising from the contract. The right to submit objections cannot be exercised even in a situation where Enefit needs to prepare, file or defend a legal claim, for example, in a situation where the customer has breached the contract from the point of view of Enefit. Nor can objections be raised if Enefit processes the customer's personal data in order to fulfil an obligation arising from the applicable legislation.

14.5. Right to restrict data processing. The customer has the right to demand a restriction on the processing of their personal data if, in his or her opinion, the data is inaccurate if the customer needs the data for the preparation, submission or protection of a legal claim. The customer may also request a restriction on the processing of their personal data if Enefit processes it for the purpose of a legitimate interest and the customer wishes to find out whether the interests of Enefit outweigh the interests of the customer.

14.6. Right to data transfer. Enefit's customers have the right to transfer their consumption data (portability). The easiest way to do this is through AVP here.


15. Contacting details of Enefit for Data processing related matters

15.1. The Customer can contact Enefit for questions related to the Principles or the processing of the Customer´s Data at the following contacts: by phone at 7774040 and by e-mail at [email protected] or [email protected].


16. Use of cookies in Enefit´s e-environments

16.1. As with most websites, Enefit's e-environments use cookie technology. Cookies are small text files that are downloaded to the user's computer via the e-environment server. As a result, the browser can transmit cookie information back to the e-environment each time the e-environment is used, with the aim of allowing the same user to be identified without identification (anonymously) and providing the user with a personal and more convenient e-environment experience (e.g. maintaining user preferences and interests, etc.) and analysing and developing the Services offered in the e-environment and directing offers and advertisements.


17. Processing of Google user data

17.1. If the Customer uses a Google user account to log in to the Enefit charging service application "Volt", the Enefit charging service application "Volt" processes the Google user data entered by the Customer (i.e. e-mail address, password) in order to:

17.1.1. create a charging service user account for the Customer at his request in the "Volt" charging service application of Enefit;

17.1.2. to identify the Customer when he is logged in to the Enefit charging service application.

17.2. Enefit stores the Customer's Google user data in the European Union.

17.3. Enefit does not share the Customer's Google user data with third parties.

17.4. Customer can view Google's privacy policy on the Google website.


This version of the Principles is valid for Enefit and all Customers from 01.02.2024. Enefit has the right to unilaterally amend and update the Principles as necessary. We keep the Principles up-to-date and available on Enefit's website www.enefit.ee. We will notify you of significant changes to the Principles via our website, e-mail or other reasonable means.