This Privacy Policy describes the collection, use and disclosure of personal data by the Vestas Group with Vestas Wind System A/S as the main data controller. “Vestas”, “we or “us” means the parent company, Vestas Wind Systems A/S, or any of its subsidiaries, joint ventures and affiliated companies in the Vestas group (together the “Vestas Group”), details of which can be found on the Vestas website (www.vestas.com).

You can use this website without disclosing your identity. When you access our website, we may automatically (i.e., not by registration) collect non-personal data (e.g. type of Internet browser and operating system used, domain name of the website from which you came, number of visits, average time spent on the site, pages viewed). 

This Privacy Policy concerns personal data we may collect during your use of the website such as an IP address. If you register for any of our services or contact us via forms, there will be detailed information about what data we collect and how your data is processed in connection to your registration. It may be information about name, postal address, email address, other contact information, etc. 

If you follow a link to another website (including a website operated by Vestas), different privacy policies may apply. You should read these policies before you submit any personal data to these websites and agree that use of your personal data by those websites will be subject to those privacy policies.

By "processing" is meant that Vestas collects, uses, discloses, stores and deletes your personal data.

Vestas is responsible for ensuring that we use that personal data in compliance with data protection laws.

Vestas only collects and processes your personal information if we have a legal basis for the processing under applicable laws, for example:

• We have collected your consent,
• It is necessary to fulfill an agreement with you,
• We legally are obliged to do so, or
• We have a legitimate interest.

How we use your personal data

Vestas registers and processes personal data about you to deliver the requested services when you:

• Are contacting Vestas,
• Sign up for newsletters, or
• Give any kind of personal data to us via our website or applications.

We base the processing on our legitimate interest in running our daily business and being able to provide you with our services.

Vestas will be guided by the following principles when processing personal data:

1. We will only collect personal data for specific purposes;
2. We will not collect personal data beyond what is necessary to accomplish those purposes;
3. We will not use personal data for purposes other than that for which the data was collected, except as stated herein, or with prior consent;
4. We will not transfer personal data to third parties or across borders, except as stated herein, or with prior consent;
5. We will apply high technical standards to make our processing of personal data secure;
6. Except when stated herein, we will not store personal data in identifiable form longer than is necessary to accomplish its purpose, or as is required by law.

Disclosure and transfer of your personal data

Vestas is a global business. Our customers and our operations are spread around the world. As a result, we collect and transfer personal data on a global basis. That means that we may transfer your personal data to locations outside of your country. Where we transfer your personal data to another country outside the EEA, we will ensure that it is protected and transferred in a manner consistent with legal requirements. We have internal policies in place to ensure an adequate level of protection irrespective of where in the Vestas Group your data is located. 

We may also share your personal data outside of the Vestas Group as further described below:

• with third party service providers for the purposes of providing services to us that enable or support our fulfillment of the purposes described in this Privacy Policy (for example, Vestas’ IT and communications providers). These third parties will be subject to appropriate data protection obligations;
  
  
• to the extent required by law, for example, if we are under a duty to disclose your personal data in order to comply with any legal obligation, or to establish, exercise or defend our legal rights.

Security

Vestas takes all appropriate organisational and technical security measures to protect your personal data and has implemented necessary security measures in order to safeguard your data. Any personal data submitted will be treated as strictly confidential and will only be processed for the purposes for which they are collected.

Cookies

We automatically track how the content provided is used. This tracking allows us to gain a better understanding of potential areas for improvement so as to continually improve the relevance of and accessibility of the content we provide. One of the methods used is cookies. You can read more about our cookie policy under the cookie notice.

For how long will we store your personal data

How long we will hold your personal data for will vary and will be determined by the following criteria:

• the purpose for which we are using it (as further described in this policy) – we will need to keep the data for as long as is necessary for that purpose; and
• legal obligations – laws or regulations may set a minimum period for which we have to keep your personal data.

Your rights

You have the right to gain access to the data processed about you. You also have the right to object to the processing of your personal data and to rectify the data processed if relevant. Please note that Vestas may not always be obliged to comply with such a request. 

Furthermore, if you wish to exercise your right to access your personal data, to object to it being processed or to rectify processed data, please contact us at: dataprivacy@vestas.com. Further, if you have any complaints about Vestas’ processing of your personal data, you may contact the Danish Data Protection Agency.

This notice provides information about the processing of your personal data by the Vestas Group with Vestas Wind System A/S as the main data controller. “Vestas”, “we or “us” means the parent company, Vestas Wind Systems A/S, or any of its subsidiaries, joint ventures and affiliated companies in the Vestas group (together the “Vestas Group”), details of which can be found on the Vestas website (www.vestas.com).

Vestas may process personal data about you, if you as an individual, or the employee of a company, has bought a product or service offered by Vestas. We may also process your personal data when you have shown an interest in Vestas’ products and/or services by e.g. providing your business card to Vestas.

Vestas will primarily obtain your personal data from yourself and/or your employer and in some cases from publicly available resources.

Some personal data might also be automatically generated from Vestas’ IT-system, or equivalent, when you are creating or using access to online services provided by Vestas.

Categories of personal data

Vestas may process the following categories of personal data:

• Contact data, such as name, email address, telephone number;
• Individual data, such as preferred language and photo;
• Organizational data, such as company name, job position, place of work and country;
• Competence data, such as training activities;
• IT-related data, such as user-ID, passwords, log-in details as well as data and logs about your usage of Vestas’ IT applications and services; 
• Financial data, such as credit or payment information, bank account details.

Legal basis and purposes of the processing

Vestas will process your personal data based on either of the following legal grounds, see also further details below.

• Contractual obligation.

• Legitimate interests. Vestas’ legitimate interests include the interest to manage its daily operations according to lawful and fair business practices including planning, performing and managing the (contractual) relationship with customers.

• Legal obligation 

In exceptional cases and only when no other legal ground can be applied, Vestas may ask separately for your consent to process your personal data. If consent is collected, you are always entitled to withdraw your consent, which will, however, not affect the lawfulness of the processing based on consent before its withdrawal. 

Vestas will process your personal data for the following purposes:

Generally, to plan, perform and manage Vestas’ relationship with customers.

More specifically

• Administration purposes, such as performing transactions, processing payments, performing accounting, auditing, billing and collection activities, arranging shipments and deliveries, facilitating repairs and providing support services;
• Promotional communications and marketing purposes, such as periodic newsletter/magazines, information on our services, promotional and advertising material, sweepstakes, contests, invitations to events organized by us or from third-party companies with whom we collaborate;
• Customer surveys purposes, such as customer satisfaction surveys, product quality surveys, market analysis to improve customer engagement;
• Personalized services purposes, such as providing you merchandise in the right size when being invited to a Vestas organized event.
• Compliance and regulatory purposes, such as fulfilling our legal and compliance-related obligations to prevent illegal activity.
• Security purposes, such as maintaining and protecting the security of our products, services and websites, preventing and detecting security threats, fraud or other criminal or malicious activities; 
• Training and development purposes, such as enabling training activities;
• Dispute handling purposes, such as enforcing our contractual agreements and to establish, exercise or defend legal claims.
  
  

Disclosure and transfer of your personal data

Vestas is a global business. Our customers and our operations are spread around the world. As a result, we collect and transfer personal data on a global basis. That means that we may transfer your personal data to locations outside of your country. Where we transfer your personal data to another country outside the EEA, we will ensure that it is protected and transferred in a manner consistent with legal requirements. We have internal policies in place to ensure an adequate level of protection irrespective of where in the Vestas Group your data is located. 

We may also share your personal data outside of the Vestas Group as further described below:

• with third party service providers for the purposes of providing services to us that enable or support our fulfillment of the purposes described in this notification (for example, Vestas’ IT and communications providers). These third parties will be subject to appropriate data protection obligations;
  
  
• to the extent required by law, for example if we are under a duty to disclose your personal data to comply with any legal obligation, or to establish, exercise or defend our legal rights;

If a third-party service provider processes your personal data outside the EU/EEA, such transfer shall be based on a legal basis recognised by the relevant authorities or courts as providing an adequate level of protection for personal data, including but not limited to the EU-U.S. Privacy Shield or the EU Commission’s Standard Contractual Clauses or such other mechanisms as have been recognized or approved by the relevant authorities from time to time.

For how long will we store your personal data

How long we will hold your personal data for will vary and will be determined by the following criteria:

• the purpose for which we are using it e.g. to fulfill our legal or contractual obligations considering amongst others the contractual period, warranty and product liability requirements; and
  
  
• legal obligations – laws or regulations may set a minimum period for which we have to keep your personal data.

Your Rights

You have the right to gain access to the data processed about you. You also have the right to object to the processing of your personal data, to request erasure of your personal data and rectification of the data processed if relevant. Please note that Vestas may not always be obliged to comply with such a request.

Furthermore, if you wish to exercise your right to access your personal data, to object to it being processed, to request erasure or to rectify processed data, please contact us at: dataprivacy@vestas.com. Further, if you have any complaints about Vestas’ processing of your personal data, you may contact the Danish Data Protection Agency.

This notice provides information about the processing of your personal data by the Vestas Group with Vestas Wind System A/S as the main data controller. “Vestas”, “we or “us” means the parent company, Vestas Wind Systems A/S, or any of its subsidiaries, joint ventures and affiliated companies in the Vestas group (together the “Vestas Group”), details of which can be found on the Vestas website (www.vestas.com).

Vestas may process personal data about you, if you act as an individual who do business and/or is interested in doing business with the Vestas Group e.g. as a consultant, or if you are or have been the employee of a company that is a business partner to the Vestas Group.

Vestas will primarily obtain your personal data from yourself and/or your employer and in some cases from publicly available resources.

Some personal data might also be automatically generated from Vestas’ IT-system, or equivalent, when you are creating or using access to online services provided by Vestas.

Categories of personal data

Vestas may process the following categories of personal data:

• Contact data, such as name, workplace address, e-mail address, telephone number;
• Individual data, such as preferred language and photo;
• Organizational data, such as company name, job position, place of work, country;
• IT-related data, such as user-ID, passwords, log-in details as well as data and logs about your usage of Vestas’s IT applications or services;
• Competence data, such as training activities;
• Contractual data, such as purchase orders, contracts and other agreements between you and Vestas.

For some business partners e.g. consultants, the following personal data is processed:

• Individual data, such as name, date of birth, gender, nationality, preferred language, photo;
• Organizational data, such as consultancy number, services description, place of work, business unit, department, manager, direct reports;
• Contact data, such as work location, home address, email, telephone number;
• Financial data, such as credit or payment information and bank account details;
• Contractual data, such as purchase orders, contracts and other agreements between you and Vestas;
• Consultancy administration data, such as consultancy contract and information about assignment start date and termination date;
• Time data, such as working hours, worked time;
• Security data, such as access cards, access rights and use of access cards and access rights;
• Health and safety data, such as information about work related incidents;
• Manufacturing/repair/service data, such as tracking and logging of activities undertaken by you in connection with manufacturing, maintenance, repair or service;
• Competence data, such as training activities;
• Travel administration data, such as information on business trips, booking details, passport number, travel invoices and allowances;
• Help desk and support data, such as questions from you relating to your assignment or IT-equipment or support provided to you in relation to the same;
• IT-related data, such as user-ID, passwords, log-in details as well as data and logs about your use of Vestas’ IT equipment, application or services, as per Vestas’ IT policies, as applicable from time to time;
• Compliance related data, such as information about relevant and significant litigation or other legal proceedings against you.

It is specifically noted that some aspects of health and safety data are regarded as sensitive data under the applicable data protection laws and shall be handled with extra care. It is specifically noted that sensitive data is only processed in case of legal obligation and/or explicit consent.

Vestas may also process a limited amount of personal data (name and contact details) of persons indicated by you as persons to be contacted by Vestas in case of emergency.

Legal basis and purposes of the processing

Vestas will process your personal data based on either of the following legal grounds, see also further details below.

• Contractual obligation.

• Legitimate interests. Vestas’ legitimate interests include the interest to manage its daily operations according to lawful and fair business practices, including planning, performing and managing the (contractual) relationship with business partners. Vestas’ legitimate interests also include managing its daily operations, secure its facilities and equipment and keep internal control.
  
  
• Legal obligation.

In exceptional cases and only when no other legal ground can be applied, Vestas may ask separately for your consent to process your personal data. If consent is collected, you are always entitled to withdraw your consent, which will, however, not affect the lawfulness of the processing based on consent before its withdrawal.

Vestas will process your personal data for the following purposes:

Generally, to plan, perform and manage Vestas’ relationship with business partners.

More specifically

• Administration purposes
• Compliance and regulatory purposes
• Reporting purposes
• Work environment and product safety purposes
• Training and development purposes
• Employment management purposes
• Service and quality management purposes
• Dispute handling purposes
• Security purposes

Disclosure and transfer of your personal data

Vestas is a global business. Our customers and our operations are spread around the world. As a result we collect and transfer personal data on a global basis. That means that we may transfer your personal data to locations outside of your country. Where we transfer your personal data to another country outside the EEA, we will ensure that it is protected and transferred in a manner consistent with legal requirements. We have internal policies in place to ensure an adequate level of protection irrespective of where in the Vestas Group your data is located. 

We may also share your personal data outside of the Vestas Group as further described below:

• with third party service providers for the purposes of providing services to us that enable or support our fulfilment of the purposes described in this notification (for example, Vestas’ IT and communications providers). These third parties will be subject to appropriate data protection obligations;
  
  
• to the extent required by law, for example if we are under a duty to disclose your personal data to comply with any legal obligation, or to establish, exercise or defend our legal rights;

If a third-party service provider processes your personal data outside the EU/EEA, such transfer shall be based on a legal basis recognised by the relevant authorities or courts as providing an adequate level of protection for personal data, including but not limited to the EU-U.S. Privacy Shield or the EU Commission’s Standard Contractual Clauses or such other mechanisms as have been recognized or approved by the relevant authorities from time to time.

For how long will we store your personal data

How long we will hold your personal data for will vary and will be determined by the following criteria:

• the purpose for which we are using it e.g. to fulfill our legal or contractual obligations considering amongst others the contractual period, warranty and product liability requirements; and
  
  
• legal obligations – laws or regulations may set a minimum period for which we must keep your personal data.

Your Rights

You have the right to gain access to the data processed about you. You also have the right to object to the processing of your personal data, to request erasure of your personal data and rectification of the data processed if relevant. Please note that Vestas may not always be obliged to comply with such a request.

Furthermore, if you wish to exercise your right to access your personal data, to object to it being processed, to request erasure or to rectify processed data, please contact us at: dataprivacy@vestas.com. Further, if you have any complaints about Vestas’ processing of your personal data, you may contact the Danish Data Protection Agency.

This notice provides information about the processing of your personal data by the Vestas Group with Vestas Wind System A/S as the main data controller. “Vestas”, “we or “us” means the parent company, Vestas Wind Systems A/S, or any of its subsidiaries, joint ventures and affiliated companies in the Vestas group (together the “Vestas Group”), details of which can be found on the Vestas website (www.vestas.com).

This privacy notice explains how Vestas processes your personal data in our administration of our shareholders. 

We will primarily obtain your personal data from yourself.  When we collect information from another source than you, the source(s) maybe: banks or other relevant players in the financial community.

Categories of personal data 

We may collect the following categories of personal data: 

Name, address, email address, telephone number, bank account number, information on communication preferences, Vestas stock portfolio information, information relating to the annual general meeting (e.g. your attendance at the annual general meeting and/or your voting at the annual general meeting) and any other information relevant to the shareholding.

Legal basis and purposes of the processing  

Vestas will process your personal data based on either of the following legal grounds, see also further details below.

• Contractual obligation.
  
  
• Legitimate interests. Vestas’ legitimate interests include the interest to manage its daily operations according to lawful and fair business practices including managing its relationships with its shareholders.
  
  
• Legal obligation 

In exceptional cases and only when no other legal ground can be applied, Vestas may ask separately for your consent to process your personal data. If consent is collected, you are always entitled to withdraw your consent, which will, however, not affect the lawfulness of the processing based on consent before its withdrawal. 

We will use your personal data for the following purposes:

Generally, to plan, perform and manage Vestas’ relationship with its shareholders.

More specifically

• Administration purposes
• Compliance and regulatory purposes

To keep a register of our shareholders and to be able to share relevant news and notices, e.g. the annual report and information regarding our annual general meeting as requested by you. 

Disclosure and transfer of your personal data

Vestas is a global business. Our customers and our operations are spread around the world. As a result, we collect and transfer personal data on a global basis. That means that we may transfer your personal data to locations outside of your country. Where we transfer your personal data to another country outside the EEA, we will ensure that it is protected and transferred in a manner consistent with legal requirements. We have internal policies in place to ensure an adequate level of protection irrespective of where in the Vestas Group your data is located. 

We may also share your personal data outside of the Vestas Group as further described below:

• with third party service providers for the purposes of providing services to us that enable or support our fulfillment of the purposes described in this notification (for example, Vestas’ IT and communications providers). These third parties will be subject to appropriate data protection obligations;
  
  
• to the extent required by law, for example if we are under a duty to disclose your personal data to comply with any legal obligation, or to establish, exercise or defend our legal rights;

If a third-party service provider processes your personal data outside the EU/EEA, such transfer shall be based on a legal basis recognised by the relevant authorities or courts as providing an adequate level of protection for personal data, including but not limited to the EU-U.S. Privacy Shield or the EU Commission’s Standard Contractual Clauses or such other mechanisms as have been recognized or approved by the relevant authorities from time to time.

For how long will we store your personal data

How long we will hold your personal data for will vary and will be determined by the following criteria:

• the purpose for which we are using it e.g. to fulfill our legal or contractual obligations; and
  
  
• legal obligations – laws or regulations may set a minimum period for which we must keep your personal data.

Your Rights

You have the right to gain access to the data processed about you. You also have the right to object to the processing of your personal data, to request erasure of your personal data and rectification of the data processed if relevant. Please note that Vestas may not always be obliged to comply with such a request.

Furthermore, if you wish to exercise your right to access your personal data, to object to it being processed, to request erasure or to rectify processed data, please contact us at: dataprivacy@vestas.com. Further, if you have any complaints about Vestas’ processing of your personal data, you may contact the Danish Data Protection Agency.

This notice provides information about the processing of your personal data by the Vestas Group with Vestas Wind System A/S as the main data controller. “Vestas”, “we or “us” means the parent company, Vestas Wind Systems A/S, or any of its subsidiaries, joint ventures and affiliated companies in the Vestas group (together the “Vestas Group”), details of which can be found on the Vestas website (www.vestas.com).

This privacy notice explains how vestas processes your personal data in our administration of our Investor Relations activities.

We will primarily obtain your personal data from yourself. 

Categories of personal data 

We may collect the following categories of personal data:

• Contact data, such as name, email address, telephone number and country of residence;
• Individual data, such as preferred language and communication preferences.

Legal basis and purposes of the processing

Vestas will process your personal data based on either of the following legal grounds, see also further details below.

• Contractual obligation.
  
  
• Legitimate interests. Vestas’ legitimate interests include the interest to manage its daily operations according to lawful and fair business practices including providing communication about Vestas’ activities.
  
  
• Legal obligation

In exceptional cases and only when no other legal ground can be applied, Vestas may ask separately for your consent to process your personal data. If consent is collected, you are always entitled to withdraw your consent, which will, however, not affect the lawfulness of the processing based on consent before its withdrawal.

We will use your personal data for the following purposes:

To provide information services which you have signed up for through our news services e.g. audiocasts, changes in the share price (stock threshold alerts), disclosed company announcements, press releases, and financial reports.

Disclosure and transfer of your personal data

Vestas is a global business. Our customers and our operations are spread around the world. As a result, we collect and transfer personal data on a global basis. That means that we may transfer your personal data to locations outside of your country. Where we transfer your personal data to another country outside the EEA, we will ensure that it is protected and transferred in a manner consistent with legal requirements. We have internal policies in place to ensure an adequate level of protection irrespective of where in the Vestas Group your data is located. 

We may also share your personal data outside of the Vestas Group as further described below:

• with third party service providers for the purposes of providing services to us that enable or support our fulfillment of the purposes described in this notification (for example, Vestas’ IT and communications providers). These third parties will be subject to appropriate data protection obligations;
  
  
• to the extent required by law, for example if we are under a duty to disclose your personal data to comply with any legal obligation, or to establish, exercise or defend our legal rights;

If a third-party service provider processes your personal data outside the EU/EEA, such transfer shall be based on a legal basis recognised by the relevant authorities or courts as providing an adequate level of protection for personal data, including but not limited to the EU-U.S. Privacy Shield or the EU Commission’s Standard Contractual Clauses or such other mechanisms as have been recognized or approved by the relevant authorities from time to time.

For how long will we store your personal data

How long we will hold your personal data for will vary and will be determined by the following criteria:

• the purpose for which we are using it e.g. to fulfill our legal or contractual obligations; and
  
  
• legal obligations – laws or regulations may set a minimum period for which we must keep your personal data.

Your Rights

You have the right to gain access to the data processed about you. You also have the right to object to the processing of your personal data, to request erasure of your personal data and rectification of the data processed if relevant. Please note that Vestas may not always be obliged to comply with such a request.

Furthermore, if you wish to exercise your right to access your personal data, to object to it being processed, to request erasure or to rectify processed data, please contact us at: dataprivacy@vestas.com. Further, if you have any complaints about Vestas’ processing of your personal data, you may contact the Danish Data Protection Agency.