Privacy Policy

This Privacy Policy describes the collection, use and disclosure of personal data by the Vestas Group with Vestas Wind System A/S as the main data controller. “Vestas”, “we or “us” means the parent company, Vestas Wind Systems A/S, or any of its subsidiaries, joint ventures and affiliated companies in the Vestas group (together the “Vestas Group”), details of which can be found on the Vestas website (www.vestas.com).

You can use this website without disclosing your identity. When you access our website, we may automatically (i.e., not by registration) collect non-personal data (e.g. type of Internet browser and operating system used, domain name of the website from which you came, number of visits, average time spent on the site, pages viewed).

This Privacy Policy concerns personal data we may collect during your use of the website such as an IP address. If you register for any of our services or contact us via forms, there will be detailed information about what data we collect and how your data is processed in connection to your registration. It may be information about name, postal address, email address, other contact information, etc.

If you follow a link to another website (including a website operated by Vestas), different privacy policies may apply. You should read these policies before you submit any personal data to these websites and agree that use of your personal data by those websites will be subject to those privacy policies.

By "processing" is meant that Vestas collects, uses, discloses, stores and deletes your personal data.

Vestas is responsible for ensuring that we use that personal data in compliance with data protection laws.

Vestas only collects and processes your personal information if we have a legal basis for the processing under applicable laws, for example:

We have collected your consent,
It is necessary to fulfill an agreement with you,
We legally are obliged to do so, or
We have a legitimate interest.

How we use your personal data

Vestas registers and processes personal data about you to deliver the requested services when you:

Are contacting Vestas,
Sign up for newsletters, or
Give any kind of personal data to us via our website or applications.

We base the processing on our legitimate interest in running our daily business and being able to provide you with our services.

Vestas will be guided by the following principles when processing personal data:

We will only collect personal data for specific purposes;
We will not collect personal data beyond what is necessary to accomplish those purposes;
We will not use personal data for purposes other than that for which the data was collected, except as stated herein, or with prior consent;
We will not transfer personal data to third parties or across borders, except as stated herein, or with prior consent;
We will apply high technical standards to make our processing of personal data secure;
Except when stated herein, we will not store personal data in identifiable form longer than is necessary to accomplish its purpose, or as is required by law.

Disclosure and transfer of your personal data

Vestas is a global business. Our customers and our operations are spread around the world. As a result, we collect and transfer personal data on a global basis. That means that we may transfer your personal data to locations outside of your country. Where we transfer your personal data to another country outside the EEA, we will ensure that it is protected and transferred in a manner consistent with legal requirements. We have internal policies in place to ensure an adequate level of protection irrespective of where in the Vestas Group your data is located.

We may also share your personal data outside of the Vestas Group as further described below:

with third-party service providers for the purposes of providing services to us that enable or support our fulfillment of the purposes described in this Privacy Policy (for example, Vestas’ IT and communications providers). These third parties will be subject to appropriate data protection obligations;
to the extent required by law, for example, if we are under a duty to disclose your personal data in order to comply with any legal obligation, or to establish, exercise or defend our legal rights.

Security

Vestas takes all appropriate organisational and technical security measures to protect your personal data and has implemented necessary security measures in order to safeguard your data. Any personal data submitted will be treated as strictly confidential and will only be processed for the purposes for which they are collected.

Cookies

We automatically track how the content provided is used. This tracking allows us to gain a better understanding of potential areas for improvement so as to continually improve the relevance of and accessibility of the content we provide. One of the methods used is cookies. You can read more about our cookie policy under the cookie notice.

For how long will we store your personal data

How long we will hold your personal data for will vary and will be determined by the following criteria:

the purpose for which we are using it (as further described in this policy) – we will need to keep the data for as long as is necessary for that purpose; and
legal obligations – laws or regulations may set a minimum period for which we have to keep your personal data.

Your rights

You have the right to gain access to the data processed about you. You also have the right to object to the processing of your personal data and to rectify the data processed if relevant. Please note that Vestas may not always be obliged to comply with such a request.

Furthermore, if you wish to exercise your right to access your personal data, to object to it being processed or to rectify processed data, please contact us at: dataprivacy@vestas.com. Further, if you have any complaints about Vestas’ processing of your personal data, you may contact the Danish Data Protection Agency.

Visitor Privacy Notice

This notice provides information about the processing of your personal data by the Vestas Group with Vestas Wind System A/S as the main data controller. “Vestas”, “we or “us” means the parent company, Vestas Wind Systems A/S, or any of its subsidiaries, joint ventures and affiliated companies in the Vestas group (together the “Vestas Group”), details of which can be found on the Vestas website (www.vestas.com).

Vestas may process personal data about you, if you as an individual, or the employee of a company, visits Vestas. We may also process your personal data when you have shown an interest in Vestas’ products and/or services by e.g. providing your business card to Vestas.

Vestas will primarily obtain your personal data from yourself and/or your employer and in some cases from publicly available resources.

Some personal data might also be automatically generated from Vestas’ IT-system, or equivalent when you are creating or using access to online services provided by Vestas.

Categories of personal data

Vestas may process the following categories of personal data:

Contact data, such as full name, email address, telephone number;
Organizational data, such as company name
Vehicle registration number, used for parking permits on Vestas sites
IT-related data, such as user-ID, passwords, log-in details as well as data and logs about your usage of Vestas’ IT applications and services;

Legal basis and purposes of the processing

Vestas will process your personal data based on either of the following legal grounds, see also further details below.

Legitimate interests
Vestas’ legitimate interests include the interest to manage its daily operations according to lawful and fair business practices including planning, performing and managing the relationship with the visitor.

Legal obligation
In exceptional cases and only when no other legal ground can be applied, Vestas may ask separately for your consent to process your personal data. If consent is collected, you are always entitled to withdraw your consent, which will, however, not affect the lawfulness of the processing based on consent before its withdrawal.

Vestas will process your personal data for the following purposes:

Generally, to plan, perform and manage Vestas’ daily operations and handling of visitors.

More specifically

Administration purposes, such as arranging shipments and deliveries, facilitating meetings and providing support services;
Communications purposes, such as invitations to events organized by us or from third-party companies with whom we collaborate;
Compliance and regulatory purposes, such as fulfilling our legal and compliance-related obligations to prevent illegal activity.
Security purposes, such as maintaining and protecting the security of our products, services, and websites, preventing and detecting security threats, fraud or other criminal or malicious activities;
Dispute handling purposes, such as enforcing our contractual agreements and to establish, exercise or defend legal claims.

Disclosure and transfer of your personal data

Vestas is a global business. Our business partners and our operations are spread around the world. As a result, we collect and transfer personal data on a global basis. That means that we may transfer your personal data to locations outside of your country. Where we transfer your personal data to another country outside the EEA, we will ensure that it is protected and transferred in a manner consistent with legal requirements. We have internal policies in place to ensure an adequate level of protection irrespective of where in the Vestas Group your data is located.

We may also share your personal data outside of the Vestas Group as further described below:

with third party service providers for the purposes of providing services to us that enable or support our fulfillment of the purposes described in this notification (for example, Vestas’ IT and communications providers). These third parties will be subject to appropriate data protection obligations;
to the extent required by law, for example, if we are under a duty to disclose your personal data to comply with any legal obligation, or to establish, exercise or defend our legal rights;

If a third-party service provider processes your personal data outside the EU/EEA, such transfer shall be based on a legal basis recognised by the relevant authorities or courts as providing an adequate level of protection for personal data, including but not limited to the EU-U.S. Privacy Shield or the EU Commission’s Standard Contractual Clauses or such other mechanisms as have been recognized or approved by the relevant authorities from time to time.

For how long will we store your personal data?

How long we will hold your personal data for will vary and will be determined by the following criteria:

the purpose for which we are using it e.g. to fulfill our legal or contractual obligations considering amongst others the contractual period, warranty and product liability requirements; and
legal obligations – laws or regulations may set a minimum period for which we have to keep your personal data.
Unless we are required to keep the data for a longer period, the data will be stored for 30 days, after which they will be anonymized so they will no longer be connected to any person. This is done so we can create statistics on the traffic of visitors on Vestas locations.

Your Rights

You have the right to gain access to the data processed about you. You also have the right to object to the processing of your personal data, to request the erasure of your personal data and rectification of the data processed if relevant. Please note that Vestas may not always be obliged to comply with such a request.

Furthermore, if you wish to exercise your right to access your personal data, to object to it being processed, to request erasure or to rectify processed data, please contact us at: dataprivacy@vestas.com. Further, if you have any complaints about Vestas’ processing of your personal data, you may contact the Danish Data Protection Agency.

Customer Privacy Notice

Vestas may process personal data about you, if you as an individual, or the employee of a company, has bought a product or service offered by Vestas. We may also process your personal data when you have shown an interest in Vestas’ products and/or services by e.g. providing your business card to Vestas.

Vestas will primarily obtain your personal data from yourself and/or your employer and in some cases from publicly available resources.

Some personal data might also be automatically generated from Vestas’ IT-system, or equivalent, when you are creating or using access to online services provided by Vestas.

Categories of personal data

Vestas may process the following categories of personal data:

Contact data, such as name, email address, telephone number;
Individual data, such as preferred language and photo;
Organizational data, such as company name, job position, place of work and country;
Competence data, such as training activities;
IT-related data, such as user-ID, passwords, log-in details as well as data and logs about your usage of Vestas’ IT applications and services;
Financial data, such as credit or payment information, bank account details.

Legal basis and purposes of the processing

Vestas will process your personal data based on either of the following legal grounds, see also further details below.

Contractual obligation.

Legitimate interests.
Vestas’ legitimate interests include the interest to manage its daily operations according to lawful and fair business practices including planning, performing and managing the (contractual) relationship with customers.

Legal obligation
In exceptional cases and only when no other legal ground can be applied, Vestas may ask separately for your consent to process your personal data. If consent is collected, you are always entitled to withdraw your consent, which will, however, not affect the lawfulness of the processing based on consent before its withdrawal.

Vestas will process your personal data for the following purposes:

Generally, to plan, perform and manage Vestas’ relationship with customers.

More specifically

Administration purposes, such as performing transactions, processing payments, performing accounting, auditing, billing and collection activities, arranging shipments and deliveries, facilitating repairs and providing support services;
Promotional communications and marketing purposes, such as periodic newsletter/magazines, information on our services, promotional and advertising material, sweepstakes, contests, invitations to events organized by us or from third-party companies with whom we collaborate;
Customer surveys purposes, such as customer satisfaction surveys, product quality surveys, market analysis to improve customer engagement;
Personalized services purposes, such as providing you merchandise in the right size when being invited to a Vestas organized event.
Compliance and regulatory purposes, such as fulfilling our legal and compliance-related obligations to prevent illegal activity.
Security purposes, such as maintaining and protecting the security of our products, services and websites, preventing and detecting security threats, fraud or other criminal or malicious activities;
Training and development purposes, such as enabling training activities;
Dispute handling purposes, such as enforcing our contractual agreements and to establish, exercise or defend legal claims.

Disclosure and transfer of your personal data

We may also share your personal data outside of the Vestas Group as further described below:

with third party service providers for the purposes of providing services to us that enable or support our fulfillment of the purposes described in this notification (for example, Vestas’ IT and communications providers). These third parties will be subject to appropriate data protection obligations;
to the extent required by law, for example if we are under a duty to disclose your personal data to comply with any legal obligation, or to establish, exercise or defend our legal rights;

For how long will we store your personal data

How long we will hold your personal data for will vary and will be determined by the following criteria:

the purpose for which we are using it e.g. to fulfill our legal or contractual obligations considering amongst others the contractual period, warranty and product liability requirements; and
legal obligations – laws or regulations may set a minimum period for which we have to keep your personal data.

Your Rights

You have the right to gain access to the data processed about you. You also have the right to object to the processing of your personal data, to request erasure of your personal data and rectification of the data processed if relevant. Please note that Vestas may not always be obliged to comply with such a request.

Supplier Privacy Notice

Vestas may process personal data about you, if you act as an individual who do business and/or is interested in doing business with the Vestas Group e.g. as a consultant, or if you are or have been the employee of a company that is a business partner to the Vestas Group.

Vestas will primarily obtain your personal data from yourself and/or your employer and in some cases from publicly available resources.

Some personal data might also be automatically generated from Vestas’ IT-system, or equivalent, when you are creating or using access to online services provided by Vestas.

Categories of personal data

Vestas may process the following categories of personal data:

Contact data, such as name, workplace address, e-mail address, telephone number;
Individual data, such as preferred language and photo;
Organizational data, such as company name, job position, place of work, country;
IT-related data, such as user-ID, passwords, log-in details as well as data and logs about your usage of Vestas’s IT applications or services;
Competence data, such as training activities;
Contractual data, such as purchase orders, contracts and other agreements between you and Vestas.

For some business partners e.g. consultants, the following personal data is processed:

Individual data, such as name, date of birth, gender, nationality, preferred language, photo;
Organizational data, such as consultancy number, services description, place of work, business unit, department, manager, direct reports;
Contact data, such as work location, home address, email, telephone number;
Financial data, such as credit or payment information and bank account details;
Contractual data, such as purchase orders, contracts and other agreements between you and Vestas;
Consultancy administration data, such as consultancy contract and information about assignment start date and termination date;
Time data, such as working hours, worked time;
Security data, such as access cards, access rights and use of access cards and access rights;
Health and safety data, such as information about work related incidents;
Manufacturing/repair/service data, such as tracking and logging of activities undertaken by you in connection with manufacturing, maintenance, repair or service;
Competence data, such as training activities;
Travel administration data, such as information on business trips, booking details, passport number, travel invoices and allowances;
Help desk and support data, such as questions from you relating to your assignment or IT-equipment or support provided to you in relation to the same;
IT-related data, such as user-ID, passwords, log-in details as well as data and logs about your use of Vestas’ IT equipment, application or services, as per Vestas’ IT policies, as applicable from time to time;
Compliance related data, such as information about relevant and significant litigation or other legal proceedings against you.

It is specifically noted that some aspects of health and safety data are regarded as sensitive data under the applicable data protection laws and shall be handled with extra care. It is specifically noted that sensitive data is only processed in case of legal obligation and/or explicit consent.

Vestas may also process a limited amount of personal data (name and contact details) of persons indicated by you as persons to be contacted by Vestas in case of emergency.

Legal basis and purposes of the processing

Vestas will process your personal data based on either of the following legal grounds, see also further details below.

Contractual obligation.

Legitimate interests.
Vestas’ legitimate interests include the interest to manage its daily operations according to lawful and fair business practices, including planning, performing and managing the (contractual) relationship with business partners. Vestas’ legitimate interests also include managing its daily operations, secure its facilities and equipment and keep internal control.
Legal obligation.
In exceptional cases and only when no other legal ground can be applied, Vestas may ask separately for your consent to process your personal data. If consent is collected, you are always entitled to withdraw your consent, which will, however, not affect the lawfulness of the processing based on consent before its withdrawal.

Vestas will process your personal data for the following purposes:

Generally, to plan, perform and manage Vestas’ relationship with business partners.

More specifically

Administration purposes
Compliance and regulatory purposes
Reporting purposes
Work environment and product safety purposes
Training and development purposes
Employment management purposes
Service and quality management purposes
Dispute handling purposes
Security purposes

Disclosure and transfer of your personal data

Vestas is a global business. Our customers and our operations are spread around the world. As a result we collect and transfer personal data on a global basis. That means that we may transfer your personal data to locations outside of your country. Where we transfer your personal data to another country outside the EEA, we will ensure that it is protected and transferred in a manner consistent with legal requirements. We have internal policies in place to ensure an adequate level of protection irrespective of where in the Vestas Group your data is located.

We may also share your personal data outside of the Vestas Group as further described below:

with third party service providers for the purposes of providing services to us that enable or support our fulfilment of the purposes described in this notification (for example, Vestas’ IT and communications providers). These third parties will be subject to appropriate data protection obligations;
to the extent required by law, for example if we are under a duty to disclose your personal data to comply with any legal obligation, or to establish, exercise or defend our legal rights;

For how long will we store your personal data

How long we will hold your personal data for will vary and will be determined by the following criteria:

the purpose for which we are using it e.g. to fulfill our legal or contractual obligations considering amongst others the contractual period, warranty and product liability requirements; and
legal obligations – laws or regulations may set a minimum period for which we must keep your personal data.

Your Rights

Shareholder Privacy Notice

Introduction
As part of handling investor relations Vestas Wind Systems A/S, Hedeager 42, 8200 Aarhus N, Denmark and Vestas Group (“Vestas”), will be processing personal data about its shareholders, proxies and advisors. This privacy policy sets out how and why we process personal data in connection with administration of our relationship with our shareholders, proxies and advisors, including registration in the register of shareholders and when providing notice of and holding general meetings.

Vestas is the data controller for the processing activities set out in this privacy policy (also referred to as “we”, “our” in this privacy policy).

How and why we collect personal data

Below, it is listed what type of personal data we collect about our shareholders, proxies and advisors and for which purposes we use the personal data.

Purpose	Personal Data Processing Activity	Legal Basis
Identifying shareholders and maintaining our register of shareholders	In order to identify shareholders and maintain the register of shareholders, we will be collecting information about each shareholder, including name, address, e-mail address, dates of acquisition/sales, shareholding, voting rights, and pledges. Additionally, we may occasionally carry out shareholder identification exercises involving selected third party service providers to identify shareholders keeping their shares through nominee and/or custodian structures.	We process the personal data to comply with our legal obligations and shareholder’s rights set out in the Danish Companies Act. Shareholder identification exercises will be based on our legitimate interests in being able to identify our shareholders. For shareholders registered by name in our shareholder register, we keep the personal data as long as you are a shareholder and for a period of 25 months after becoming aware that you are no longer a shareholder. Shareholder identification exercises will be carried as set out in the Danish Capital Markets Act and the Danish Companies Act and we will keep the personal data collected via the shareholder identification exercise for as long as you are a shareholder and for a period of 12 months after becoming aware that you are no longer a shareholder.
Notice of general meetings	Notice of a general meeting in Vestas will be distributed based on the information registered in the register of shareholders, including name, address and email address. We will in this respect process personal data for the purpose of forwarding the notice of the general meeting to shareholders having requested to receive a copy of the notice, including to enable the shareholders to exercise their administrative rights at the general meeting.	We process the personal data to comply with our legal obligation set out in the Danish Companies Act.
Notification of participation, granting proxy and voting by correspondence	When a shareholder provide notification of the shareholder’s or an advisor’s participation at the general meeting or grant a proxy to a third party, we will issue an admission card, which will contain personal data about the shareholder, any proxy holder and/or advisor representing the shareholder, including name, address, email address and shareholding. Notification of the shareholder’s participation implies that we will process personal data based on the information registered about the shareholder in the register of shareholders or provided in connection with notification of participation. Processing of the personal data also takes place in connection with granting proxy to a third party, proxy to the board of directors or voting by correspondence. Similarly, processing of the personal data will take place in order to manage the voting process, if the shareholder vote at the general meeting (in writing or electronically), including to provide confirmation of an electronic vote. If the shareholder grant proxy to a third party and/or register attendance of an advisor, we will collect and process personal data about such persons (name and address). Collecting and processing data takes place for the purpose of ensuring that the relevant persons are granted access to Vestas’ general meeting and ensuring that they can exercise their rights.	We process the personal data to comply with our legal obligations and shareholder’s rights as set out in the Danish Companies Act.
Submitting questions prior to the general meeting	When submitting written questions prior to the general meeting, shareholders must document status as a shareholder or a proxy holder and in this respect collection and processing of the personal data will take place. If questions are replied to in writing, these may include the shareholder’s name, and our replies, will be published through our Q&A function, which is available on Vestas’ website.	Collection and processing of personal data will in such event be based on our legitimate interests in being able to identify the shareholder, in order for the shareholder to be able to exercise its rights as a shareholder to submit questions.
Submission of proposals prior to the general meeting	In connection with a request for a specific issue to be included on the agenda for the general meeting, the personal data and the contents of the proposal will be collected and processed by Vestas. If the request fulfils the requirements, the proposal and the shareholder’s name will be included (i) on the agenda, in the notice to convene and in the complete proposals, (ii) on the forms for granting proxy or voting by correspondence, which will subsequently be published in accordance with the rules in this respect, and (iii) in the minutes of the general meeting.	The personal data will in this respect be collected based on our legitimate interests in being able to identify the shareholder in order to enable the shareholder to exercise its right to submit proposals to be included on the agenda.
The right to speak and pose questions at the general meeting	If a shareholder chooses to speak at the general meeting, e.g. in order to pose questions to the board of directors’ report or the annual report, the shareholder will be requested to document status as a shareholder or a proxy. The statement and name will be included in the minutes of the general meeting.	In this respect, the personal data will be collected and processed based on our legitimate interests in being able to identify the shareholder in order for the shareholder to exercise its right to speak and potentially pose questions at the general meeting.
Minutes of meeting from the general meeting	After the general meeting, Vestas will prepare minutes of the general meeting, and therefore personal data may, in addition to the initial collection and processing of personal data, e.g. when submitting proposals or exercising the right to speak at the general meeting, be processed in this respect.	The minutes are required to be prepared pursuant to the Danish Companies Act, and the processing of shareholders personal data thus takes place in order for us to comply with our legal obligation. When submitting a proposal to be included on the agenda or when making statements at the general meeting, it is not possible to refuse having the name of the shareholders, proxy holders or advisors, as applicable, stated in the minutes. The minutes of the general meeting will be made available on Vestas’s website, www.vestas.com, for a period up to 5 years from the date of the meeting. The minutes will be available to shareholders and to the general public during this period. We may store the minutes of the general meeting until it is no longer necessary for Vestas to store the information for the purpose of protecting Vestas’ and the shareholders’ interests, including for the purpose of documenting the deliberations and resolutions passed at the general meeting. This implies that minutes will never be deleted.
Photography and recording of the general meeting	Vestas may take photographs at the general meeting for communications and documentation purposes. Further, the general meeting is recorded for the purpose of drafting minutes of the general meeting. The recording, which includes both picture and sound, will cover the podium and the platform at the general meeting, and personal data will be collected and processed, when a shareholder choose to speak at the general meeting. Recordings will only be used in connection with preparing minutes of the general meeting and will only be transferred to Vestas’ advisors assisting with preparing the minutes of the meeting. Photographs may be taken of participants of the general meeting during the whole event and may be published on Vestas’ website and in communications material in general. Before shareholders, proxy holders or advisors can address the assembly, the status as a shareholder, proxy holder or advisor must be documented and by speaking from the platform (e.g. in connection with posing a question in respect of the board of directors’ report or the annual report) the shareholders, proxy holders or advisors, as applicable, accept our collection and processing of the personal data, including name and picture/recording. Shareholders, proxy holders or advisors cannot refuse the recording, if shareholders, proxy holders or advisors choose to speak at the general meeting.	The personal data from picture and sound recordings will be collected based on our legitimate interest in being able to identify the shareholders, proxy holders or advisors who are exercising their rights at the general meeting for purposes of drafting the minutes of meeting and for documenting the general meeting. The recording will be kept for a period of up to 5 years after the general meeting, after which it will be deleted. The legal basis for processing photographs of participants at the general meeting is our legitimate interest in being able to communicate what has taken place during the event. Participants may at any time object to the processing of their photograph for communication purposes cf. section below of this privacy notice.
Webcasting of the general meeting	The general meeting may be webcasted live to those shareholders who has accepted the notice to the general meeting, however, is unable to attend the general meeting in person. The recording will not be available after the general meeting. The recording, which includes both picture and sound, will cover the podium and the platform at the general meeting, and personal data will be collected and processed, when a shareholder chooses to speak at the general meeting. Before shareholders, proxy holders or advisors can address the assembly, the status as a shareholder, proxy holder or advisor must be documented and by speaking from the platform (e.g. in connection with posing a question in respect of the board of directors’ report or the annual report) the shareholders, proxy holders or advisors, as applicable, accept our collection and processing of the personal data, including name and picture/live recording. Shareholders, proxy holder or advisors cannot refuse the recording, if shareholders, proxy holders or advisors choose to speak at the general meeting.	The personal data will be collected based on our legitimate interests in being able to identify the shareholders, proxy holders or advisors in order to enable them to exercise their rights at the general meeting and in order to ensure transparency concerning the deliberations and resolutions passed at the general meeting, also in order for the shareholders, who are unable to attend the general meeting in person, to follow the proceedings by watching the recording. The recording will not be available after the general meeting. The recording will following the general meeting only be used in connection with preparing minutes of the general meeting and will be kept for a period of up to 5 years after the general meeting, after which it will be deleted.

Third parties with whom we share personal data
We may share the personal data about shareholders, proxies and advisors with relevant employees in the Vestas Group and with relevant third party advisors and service providers. We may also share the personal data with public authorities as well as the general public through publication on our website in accordance with applicable law. Some of these parties may be located in countries outside of the EU/EEA. Please be informed that the level of data protection as currently applied and enforced in some countries outside the European Union does not conform to the level of data protection for personal data currently applied and enforced within the European Union. If personal data is being processed outside of the EU/EEA, such transfer of personal data will either be subject to the EU-U.S. Privacy Shield or the European Commission’s standard contractual clauses. You can request a copy of the agreement covering the transfer of personal data by sending an e-mail to dataprivacy@vestas.com.

How long will we store the personal data
We will only store the personal data for as long as is necessary to fulfil the purposes outlined on this policy. With respect to information about shareholders, proxies and advisors, unless stated otherwise above, we will generally be keeping the personal data for 5 years after the end of the financial year in which the shareholder no longer owns shares in Vestas. We may store the minutes of the general meeting until it is no longer necessary for Vestas to store the information for the purpose of protecting Vestas’ and the shareholders’ interests, including for the purpose of documenting the deliberations and resolutions passed at the general meeting. This implies that minutes will never be deleted.

Your rights as a data subject
Right to information. You can obtain further information on the personal data which we stores and processes about you by sending an e-mail to dataprivacy@vestas.com stating this request.

Right to object. You may object to your personal data being processed. If you wish to object to your personal data being processed, please send an e-mail to dataprivacy@vestas.com stating this request.

Right to rectification and restriction of processing. You may request that your personal data is rectified or restrict the processing of your personal data. If you wish to have your data rectified or restrict the processing, please send an e-mail to dataprivacy@vestas.com stating this request.

Right to a copy of your personal data. You may be entitled to obtain a copy of your personal data in a structured, commonly used and machine-readable format by sending an e-mail to dataprivacy@vestas.com stating this request. If technically feasible, you may request that the personal data is transmitted directly to another company or person acting as a data controller.

Right to make a compliant. If you have any complaints about our processing of your personal data, you may contact the Danish Data Protection Agency.

Changes to this policy
We may change this privacy policy from time to time by issuing a new version on our website.

Contact details
Our contact details are:

Vestas Wind Systems A/S
Hedeager 42
8200 Aarhus N
Denmark
T: +45 97 30 00 00
E: dataprivacy@vestas.com

Investor Relation News Services Subscriber Privacy Notice

This privacy notice explains how vestas processes your personal data in our administration of our Investor Relations activities.

We will primarily obtain your personal data from yourself.

Categories of personal data

We may collect the following categories of personal data:

Contact data, such as name, email address, telephone number and country of residence;
Individual data, such as preferred language and communication preferences.

Legal basis and purposes of the processing

Vestas will process your personal data based on either of the following legal grounds, see also further details below.

Contractual obligation.
Legitimate interests.
Vestas’ legitimate interests include the interest to manage its daily operations according to lawful and fair business practices including providing communication about Vestas’ activities.
Legal obligation
In exceptional cases and only when no other legal ground can be applied, Vestas may ask separately for your consent to process your personal data. If consent is collected, you are always entitled to withdraw your consent, which will, however, not affect the lawfulness of the processing based on consent before its withdrawal.

We will use your personal data for the following purposes:

To provide information services which you have signed up for through our news services e.g. audiocasts, changes in the share price (stock threshold alerts), disclosed company announcements, press releases, and financial reports.

Disclosure and transfer of your personal data

We may also share your personal data outside of the Vestas Group as further described below:

with third party service providers for the purposes of providing services to us that enable or support our fulfillment of the purposes described in this notification (for example, Vestas’ IT and communications providers). These third parties will be subject to appropriate data protection obligations;
to the extent required by law, for example if we are under a duty to disclose your personal data to comply with any legal obligation, or to establish, exercise or defend our legal rights;

For how long will we store your personal data

How long we will hold your personal data for will vary and will be determined by the following criteria:

the purpose for which we are using it e.g. to fulfill our legal or contractual obligations; and
legal obligations – laws or regulations may set a minimum period for which we must keep your personal data.

Your Rights

Innovation Partnering Privacy Notice

This Privacy notice provides information about the processing of your personal data by the Vestas Group with Vestas Wind System A/S as the main data controller. “Vestas”, “we or “us” means the parent company, Vestas Wind Systems A/S, or any of its subsidiaries, joint ventures and affiliated companies in the Vestas group (together the “Vestas Group”), details of which can be found on the Vestas website (www.vestas.com).

Vestas may process personal data about you, if you act as an individual who do business and/or is interested in doing business with the Vestas Group e.g. as an innovation partner, or if you are or have been the employee of a company that is an innovation partner to the Vestas Group.

Vestas will primarily obtain your personal data from yourself and/or your employer and in some cases from publicly available resources.

Some personal data might also be automatically generated from Vestas’ IT-system, or equivalent, when you are creating or using access to online services provided by Vestas.

Categories of personal data

Vestas may process the following categories of personal data:

Contact data, such as name, workplace address, e-mail address, telephone number;
Individual data, such as CV, work and education experience, preferred language and photo;
Organizational data, such as company name, job position, place of work, country;
IT-related data, such as user-ID, passwords, log-in details as well as data and logs about your usage of Vestas’s IT applications or services;
Competence data, such as training activities;
Contractual data, such as purchase orders, contracts and other agreements between you and Vestas.

For some partners, the following personal data may be processed:

Individual data, such as name, date of birth, gender, nationality, work and education experience, preferred language, photo;
Organizational data, such as consultancy number, services description, place of work, business unit, department, manager, direct reports;
Contact data, such as work location, home address, email, telephone number;
Financial data, such as credit or payment information and bank account details;
Contractual data, such as purchase orders, contracts and other agreements between you and Vestas;
Consultancy administration data, such as consultancy contract and information about assignment start date and termination date;
Time data, such as working hours, worked time;
Security data, such as access cards, access rights and use of access cards and access rights;
Health and safety data, such as information about work related incidents;
Manufacturing/repair/service data, such as tracking, and logging of activities undertaken by you in connection with manufacturing, maintenance, repair or service;
Competence data, such as training activities;
Travel administration data, such as information on business trips, booking details, passport number, travel invoices and allowances;
Help desk and support data, such as questions from you relating to your assignment or IT-equipment or support provided to you in relation to the same;
IT-related data, such as user-ID, passwords, log-in details as well as data and logs about your use of Vestas’ IT equipment, application or services, as per Vestas’ IT policies, as applicable from time to time;
Compliance related data, such as information about relevant and significant litigation or other legal proceedings against you.

Vestas may also process a limited amount of personal data (name and contact details) of persons indicated by you as persons to be contacted by Vestas in case of emergency.

Legal basis and purposes of the processing

Vestas will process your personal data based on either of the following legal grounds, see also further details below.

Legitimate interests.

Vestas will be processing your personal data for the legitimate purpose of developing a partner project on innovation including document competences for the project, seeking project funding for innovation projects, fulfilling contractual obligations and documenting the projects and it is the assessment of Vestas that this legitimate interest of Vestas, to process your personal data, is not overridden by your interest in Vestas processing the data.

Contractual obligation.
Legal obligation.

In exceptional cases and only when no other legal ground can be applied, Vestas may ask separately for your consent to process your personal data. If consent is collected, you are always entitled to withdraw your consent, which will, however, not affect the lawfulness of the processing based on consent before its withdrawal.

Vestas will process your personal data for the following purposes:

Generally, to plan, perform and manage Vestas’ relationship with innovation partners and government funding bodies including developing a partner project on innovation including document competences for the project.

More specifically

Administration purposes related to partner projects, including development and implementation
Compliance and regulatory purposes
Reporting purposes
Work environment and product safety purposes
Training and development purposes
Employment management purposes
Service and quality management purposes
Dispute handling purposes
Security purposes

Disclosure and transfer of your personal data

We may also share your personal data outside of the Vestas Group as further described below:

with third party service providers for the purposes of providing services to us that enable or support our fulfilment of the purposes described in this notification (for example, Vestas’ IT and communications providers). These third parties will be subject to appropriate data protection obligations;
to the extent required by law, for example if we are under a duty to disclose your personal data to comply with any legal obligation, or to establish, exercise or defend our legal rights;

If a third-party service provider processes your personal data outside the EU/EEA, such transfer shall be based on a legal basis recognized by the relevant authorities or courts as providing an adequate level of protection for personal data, including but not limited to the EU-U.S. Privacy Shield or the EU Commission’s Standard Contractual Clauses or such other mechanisms as have been recognized or approved by the relevant authorities from time to time.

For how long we will store your personal data

How long we will hold your personal data for will vary and will be determined by the following criteria:

the purpose for which we are using it e.g. to fulfil our legal or contractual obligations considering amongst others the contractual period, warranty and product liability requirements; and
legal obligations – laws or regulations may set a minimum period for which we must keep your personal data.

Third parties with whom we share personal data

Your information will only be shared with partners involved in the innovation project on a need-to-know basis, as well as with governmental authorities in case the project is government funded.

Your Rights