Privacy Policy for Supplier Relations

1. Privacy policy

When we receive personal data about you, we aim to ensure that you trust we will process your personal data in a transparent and secure manner. Therefore, it is important to us that you take the time to read this privacy policy, which will inform you of how we handle your personal data.

At Ørsted, we receive data about our customers, visitors, suppliers, shareholders and jobseekers, among others. For this reason, we have different privacy policies.  

This privacy policy applies to the processing of personal data about people who act as contact persons or take part in delivering services to Ørsted on behalf of a company (such as a supplier or partner). 

The company is obliged to ensure that people in the above categories are made aware of the information in this privacy policy. 

If we collect other data about you, or if we use the data we have about you for purposes not described in this policy, we will inform you separately about this. 

 

1.1 Data controller
The legal entity responsible for collecting and processing your personal data is the company in Ørsted mentioned in the agreement governing the delivery by the company you represent to Ørsted. 

 

1.2 We use personal data for the following purposes and in accordance with the stated legal basis for processing
At Ørsted, we only collect necessary data about you. In the table below, we describe how we process your personal data. 

Purpose | Categories of personal data | Legal basis for processing | Erasure

Administration of business relationships:

We process your personal data when you act as a contact person or representative for a company that works with Ørsted, to enable us to manage our business relationship and conduct our business.

This is done for the following purposes: 

Communication
We use your personal data to allow us to communicate with you and the company you are acting as a contact person or representative for, and to allow us to manage our business relationship.

Issuing of purchase orders and conclusion of commercial agreements
We process your personal data in connection with the conclusion of commercial agreements concerning the delivery of goods or services.

Invoicing, accounting, etc.
We use your personal data in connection with our bookkeeping, invoice processing and other forms of accounting that are necessary to maintain our business relationship with the company you act as a contact person or representative for.

We collect data from the following sources:

  • Directly from you
  • Your employer
  • Ørsted’s supplier database 
 

We process the following categories of personal data about you:

General personal data:

  • Contact information, including the name of the contact person, job title, work email address, work address, work phone number. 

  • Data that is necessary for signing documents, including signature, certificates and authorisations.

We process your personal data as described, and in accordance with:

  • GDPR article 6(1)(c) (legal obligation). The legal obligation is section 5 of the Danish Bookkeeping Act, which sets out the rules on storing accounting records.
  • GDPR article 6(1)(f) (legitimate interests). Our legitimate interests are to run our business and to be able to manage Ørsted’s business relationship with the companies we work with to drive our activity, including being able to communicate with you.
 
 

We store your personal data as long as it is necessary for the purposes mentioned:

This means that we will process the personal data described below. 

Communication
As a general rule we store our communication with you as long as we have an active relationship with the company you represent, and for up to 12 months from the end of the year in which the relationship is terminated. 

Commercial documents
Personal data included in commercial documents are stored as long as the documents are stored. These documents are stored for five years from the end of the year in which the delivery is completed, unless longer storage is required as a result of special legislation.

Accounting records
Personal data included in accounting records (invoices etc.) is stored in accordance with the rules of the Danish Bookkeeping Act (i.e. five years from the end of the financial year in which the records are made).

 


Prequalification and tendering:

We use your personal data to identify, evaluate and select your business as a supplier when we need to put out tenders for goods or services that your company can provide. We use your personal data to be able to communicate with you if we need to send follow-up questions.

Ørsted’s processing of personal data in connection with tenders is described in the tendering documents. 

We collect data from the following sources:

  • Directly from you
  • Your employer
  • Achilles 
  • Scanmarket
  • Ørsted’s supplier database 
 

We process the following categories of personal data about you:

General personal data:

  • Contact information, including the name of the contact person, job title, work email address, work phone number, mobile phone number, fax number, country, timezone and language. 
 

We process your personal data as described, and in accordance with:

General personal data:

  • GDPR article 6(1)(b) (conclusion of agreement)
  • GDPR article 6(1)(f) (legitimate interests). Our legitimate interest is to be able to communicate effectively with you in connection with the prequalification process. 
 

We store your personal data as long as it is necessary for the purposes mentioned:

This means that we will process the personal data described below:

  • As a general rule we store our communication with you as long as we have an active relationship with the company you represent, and for up to 12 months from the end of the year in which the relationship is terminated. 
 

Contract management:

When Ørsted has entered into a contract with a supplier, we process personal data in connection with managing the contract. 

Furthermore, we process personal data to follow up on and manage supplier performance. 

We collect data from the following sources:

  • Directly from you
  • Your employer
  • Group enterprises – see list of Ørsted enterprises in our annual report  
 

We process the following categories of personal data about you:

General personal data:

  • Contact information, including your name as the contact person, company name, department, contract information, contract manager, job title, username, initials, as well as information about the individual project participants and the supplier’s overall performance. 
 

We process your personal data as described, and in accordance with:

  • GDPR article 6(1)(f) (legitimate interests). 

    Our legitimate interest is to manage and follow up on our suppliers’ performance. 
 

We store your personal data as long as it is necessary for the purposes mentioned:

This means that we will process the personal data described below. 

  • Supplier performance measurements
    We retain personal data included in supplier performance measurements for up to 12 months after the expiry of the contract. 


Documentation:

We process personal data to be able to live up to our documentation obligations when the services you provide can only be performed by people with sufficient documented qualifications, e.g. welding certificates.  
 

We process the following categories of personal data about you:

General personal data:

  • Name, date of birth, information about training and certificates, photo and other information that may be mentioned in the relevant certificates. 
 

We process your personal data as described, and in accordance with:

  • GDPR article 6(1)(c) (legal obligation). The legal obligation is based in part on the EU Pressure Equipment Directive and national legislation implementing this directive.
  • GDPR article 6(1)(f) (legitimate interests). Our legitimate interest is our documentation obligation.  
 

We store your personal data as long as it is necessary for the purposes mentioned:

This means that we will process the personal data described below.

  • We will keep data for as long as required by the legal documentation requirements applying to the service in question, for example the Pressure Equipment Directive (the equipment’s service lifetime, but at least 10 years).
 

1.3. Recipients of personal data
Depending on the circumstances, Ørsted may share your data with:

  • Suppliers who work with us to assist Ørsted
  • Group enterprises – see list of Ørsted enterprises in our annual report
  • Public authorities
  • Business partners
  • Players in the energy sector (distribution companies, Energinet.dk, public authorities and energy suppliers)

 

1.4. Personal data about other parties that you provide 
If you provide personal data about other people (e.g. contact information for colleagues in the company in which you are employed), you must make sure that they agree to it, and that you have permission to provide us with such data. This means that you must refer them to this Privacy Policy when you provide us with their data.

 

1.5. Transfer to third countries 
We may transfer your personal data to the following countries outside the EU/EEA:

  • USA
  • Taiwan 
  • Malaysia

This will take place on the following basis: 

  • These countries have not been determined by the European Commission to be countries offering an adequate level of data protection. We will therefore ensure that there are appropriate safeguards using the standard contractual provisions for the transfer of personal data to third countries, as published by the European Commission. You can obtain a copy of this contract by contacting us on info@orsted.com.

 

1.6. Your rights
When we process your data, you have the following rights:

  • You have the right of access to, rectification of, or erasure of your personal data.
  • You also have the right to object to the processing of your personal data and to have the processing of your personal data restricted.
  • In particular, you have an unconditional right to object to the processing of your personal data for use for direct marketing purposes.
  • If the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. Your withdrawal of consent will not affect the lawfulness of the processing performed before withdrawal of your consent.
  • You have the right to receive the personal data that you have provided yourself in a structured, commonly used and machine-readable format (data portability).
  • You have the right to lodge a complaint with a supervisory authority, for instance the Danish Data Protection Agency.

You can exercise your rights by contacting us; see clause 1.7. These rights may be conditional or restricted. For example, you may not have the right to data portability in this particular case. It depends on the specific circumstances of the processing operations.

 

1.7. Contact Ørsted regarding the processing of personal data
You can always contact Ørsted if you have questions about our processing of your personal data, or if you wish to object to how your personal data is processed, by writing to info@orsted.com or by phoning +45 99 55 11 11. 


If you are unhappy with our response, you can lodge a complaint with your local data protection authority. 

In Denmark, the regulator is:

 

1.8. Amendments to our privacy policy
This privacy policy replaces all previous versions. It will be necessary to update and amend this policy on an ongoing basis, and we thus reserve the right to do so. In the event of an important amendment, we will notify you at orsted.com or send an email if we deem this necessary.

This privacy policy was last updated in January 2019.