This notice provides information about the processing of your personal data by the Vestas Group with Vestas Wind System A/S as the main data controller. “Vestas”, “we or “us” means the parent company, Vestas Wind Systems A/S, or any of its subsidiaries, joint ventures and affiliated companies in the Vestas group (together the “Vestas Group”), details of which can be found on the Vestas website (www.vestas.com).
Vestas may process personal data about you, if you act as an individual who do business and/or is interested in doing business with the Vestas Group e.g. as a consultant, or if you are or have been the employee of a company that is a business partner to the Vestas Group.
Vestas will primarily obtain your personal data from yourself and/or your employer and in some cases from publicly available resources.
Some personal data might also be automatically generated from Vestas’ IT-system, or equivalent, when you are creating or using access to online services provided by Vestas.
Categories of personal data
Vestas may process the following categories of personal data:
- Contact data, such as name, workplace address, e-mail address, telephone number;
- Individual data, such as preferred language and photo;
- Organizational data, such as company name, job position, place of work, country;
- IT-related data, such as user-ID, passwords, log-in details as well as data and logs about your usage of Vestas’s IT applications or services;
- Competence data, such as training activities;
- Contractual data, such as purchase orders, contracts and other agreements between you and Vestas.
For some business partners e.g. consultants, the following personal data is processed:
- Individual data, such as name, date of birth, gender, nationality, preferred language, photo;
- Organizational data, such as consultancy number, services description, place of work, business unit, department, manager, direct reports;
- Contact data, such as work location, home address, email, telephone number;
- Financial data, such as credit or payment information and bank account details;
- Contractual data, such as purchase orders, contracts and other agreements between you and Vestas;
- Consultancy administration data, such as consultancy contract and information about assignment start date and termination date;
- Time data, such as working hours, worked time;
- Security data, such as access cards, access rights and use of access cards and access rights;
- Health and safety data, such as information about work related incidents;
- Manufacturing/repair/service data, such as tracking and logging of activities undertaken by you in connection with manufacturing, maintenance, repair or service;
- Competence data, such as training activities;
- Travel administration data, such as information on business trips, booking details, passport number, travel invoices and allowances;
- Help desk and support data, such as questions from you relating to your assignment or IT-equipment or support provided to you in relation to the same;
- IT-related data, such as user-ID, passwords, log-in details as well as data and logs about your use of Vestas’ IT equipment, application or services, as per Vestas’ IT policies, as applicable from time to time;
- Compliance related data, such as information about relevant and significant litigation or other legal proceedings against you.
It is specifically noted that some aspects of health and safety data are regarded as sensitive data under the applicable data protection laws and shall be handled with extra care. It is specifically noted that sensitive data is only processed in case of legal obligation and/or explicit consent.
Vestas may also process a limited amount of personal data (name and contact details) of persons indicated by you as persons to be contacted by Vestas in case of emergency.
Legal basis and purposes of the processing
Vestas will process your personal data based on either of the following legal grounds, see also further details below.
- Legitimate interests. Vestas’ legitimate interests include the interest to manage its daily operations according to lawful and fair business practices, including planning, performing and managing the (contractual) relationship with business partners. Vestas’ legitimate interests also include managing its daily operations, secure its facilities and equipment and keep internal control.
- Legal obligation.
In exceptional cases and only when no other legal ground can be applied, Vestas may ask separately for your consent to process your personal data. If consent is collected, you are always entitled to withdraw your consent, which will, however, not affect the lawfulness of the processing based on consent before its withdrawal.
Vestas will process your personal data for the following purposes:
Generally, to plan, perform and manage Vestas’ relationship with business partners.
- Administration purposes
- Compliance and regulatory purposes
- Reporting purposes
- Work environment and product safety purposes
- Training and development purposes
- Employment management purposes
- Service and quality management purposes
- Dispute handling purposes
- Security purposes
Disclosure and transfer of your personal data
Vestas is a global business. Our customers and our operations are spread around the world. As a result we collect and transfer personal data on a global basis. That means that we may transfer your personal data to locations outside of your country. Where we transfer your personal data to another country outside the EEA, we will ensure that it is protected and transferred in a manner consistent with legal requirements. We have internal policies in place to ensure an adequate level of protection irrespective of where in the Vestas Group your data is located.
We may also share your personal data outside of the Vestas Group as further described below:
- with third party service providers for the purposes of providing services to us that enable or support our fulfilment of the purposes described in this notification (for example, Vestas’ IT and communications providers). These third parties will be subject to appropriate data protection obligations;
- to the extent required by law, for example if we are under a duty to disclose your personal data to comply with any legal obligation, or to establish, exercise or defend our legal rights;
If a third-party service provider processes your personal data outside the EU/EEA, such transfer shall be based on a legal basis recognised by the relevant authorities or courts as providing an adequate level of protection for personal data, including but not limited to the EU-U.S. Privacy Shield or the EU Commission’s Standard Contractual Clauses or such other mechanisms as have been recognized or approved by the relevant authorities from time to time.
For how long will we store your personal data
How long we will hold your personal data for will vary and will be determined by the following criteria:
- the purpose for which we are using it e.g. to fulfill our legal or contractual obligations considering amongst others the contractual period, warranty and product liability requirements; and
- legal obligations – laws or regulations may set a minimum period for which we must keep your personal data.
You have the right to gain access to the data processed about you. You also have the right to object to the processing of your personal data, to request erasure of your personal data and rectification of the data processed if relevant. Please note that Vestas may not always be obliged to comply with such a request.
Furthermore, if you wish to exercise your right to access your personal data, to object to it being processed, to request erasure or to rectify processed data, please contact us at: firstname.lastname@example.org. Further, if you have any complaints about Vestas’ processing of your personal data, you may contact the Danish Data Protection Agency.