Home

Privacy Policy for Business Relations

When we receive personal data about you, we aim to ensure that you trust we will process your personal data in a transparent and secure manner. Hence, this privacy policy contains information about how we process your personal data.

This privacy policy for business relations applies to the processing of personal data about people who act as contact persons or take part in delivering services to Ørsted on behalf of a company (such as suppliers and business partners).

1. Data controller

The legal entity responsible for processing your personal data is the company in Ørsted mentioned in the agreement governing the delivery by the company you represent to Ørsted or which is part of the collaborative relationship with the company or authority (hereinafter “Company”) you represent. You can find an overview of our companies in our annual report.

2. We use personal data for the following purposes and in accordance with the stated lawfulness of processing

At Ørsted, we only process necessary personal data about you. In the table below, we describe how we process your personal data.

Purpose	Categories of personal data	Legal basis for processing
Supplier Database: We process your personal data if you have registered as an interested supplier in our supplier database. This includes the following purposes: We process your personal data in our supplier database in order to contact you and your company in relation to supply chain opportunities within our wider supply chain. We will also process your personal data in order to compile statistics for supply chain development overview purposes. We collect your personal data from the following source(s): Directly from you Your employer Public sites, e.g. your company website	We process the following categories of personal data: Ordinary personal data: Contact information, including name of the contact person, job title, work email address, and work phone number. Sole trader: If you are a sole trader (or in some countries partnerships), we process information about your company name, company registration number, city, country, zip code, country of production, business locations, geographic areas of interest, what products or services you provide, which management systems and certificates you have, references and work experience.	We process your personal data on the following legal basis: GDPR Article 6(1)(f) (legitimate interests). Our legitimate interest is to develop our supply chain globally and to support the establishment and growth of supply chains in markets in which we operate. Further, our legitimate interests are to run our business and to be able to manage Ørsted’s business relationship with the suppliers we work with to drive our activity, including being able to communicate with you.
Due diligence of potential or current suppliers and business relations: In connection with the establishment of a potential contractual relationship, we conduct a third-party screening (so-called ‘Know Your Supplier’ screening) which includes data related to relevant and significant litigation or other legal proceedings against members of a supplier’s board of directors and management. Such information is available in legal directories or sanctions lists. We collect data from the following sources: Publicly available information Compliance agencies	We process the following categories of personal data about you: Ordinary personal data: Contact information including name, job title and work address (location). Semi sensitive data: In specific situations we process information about whether you or the company you represent are on a sanction list and information about criminal convictions if made available by compliance agencies.	We process your personal data as described, and in accordance with: GDPR Article 6(1)(c) (legal obligation). If required by local regulation, we will conduct KYS screenings before entering a supplier relationship. GDPR Article 6(1)(f) (legitimate interests). Our legitimate interests are to run our business and ensure fair business practice, including planning, performing, and managing the contractual relationship and manage daily operations, and security. Danish Data Protection Act section 8(3), cf. section 7(1) and Article 9(1)(f) of the GDPR.
Administration of business relationships and collaborations: We process your personal data in your capacity as a contact person or representative for a company that works with Ørsted or other external party collaborating with Ørsted, to enable us to manage our business relationships and to conduct our business. The administration of our business relations and collaborations means that we process your personal data for the purpose of handling communication (primarily emails), incl. when sending purchase orders and conclusion of commercial agreements, and in connection with invoicing, accounting etc. in connection with financial statements. Further, we process your personal data for the purpose of administering your accesses to our systems to allow for collaboration and exchange of information in our business relationships, such as in projects and other business operations. We collect data from the following sources: Directly from you Your employer Ørsted’s supplier database	We process the following categories of personal data about you: Ordinary personal data: Contact information, including name of the contact person, job title, work email address, work address and work phone number. Personal data that are necessary for signing documents, including signature, certificates and authorisations. User data (incl. login details) and data about accesses and permissions to Ørsted systems.	We process your personal data as described, and in accordance with: GDPR Article 6(1)(b) (necessary for the performance of a contract between the company that you represent and Ørsted). GDPR Article 6(1)(c) (legal obligation). The legal obligation follows from bookkeeping legislation, which sets out the rules on storing accounting records. GDPR Article 6(1)(f) (legitimate interests). Our legitimate interests are to run our business and to be able to manage Ørsted’s business relationship with the companies we work with to drive our activity, including being able to communicate with you.
Prequalification and tendering: We process your personal data to identify, evaluate and select your business as a supplier when we need to put out tenders for goods or services that your company can provide. We process your personal data to be able to communicate with you in connection with the tender process. We collect data from the following sources: Directly from you Your employer Achilles Jaggaer Ørsted’s supplier database	We process the following categories of personal data about you: General personal data: Contact information, including name of the contact person, job title, work email address, work phone number, mobile phone number, fax number, country, time zone and language. Personal data that are necessary for the assessment of experience in the prequalification and tendering process such as certificates and résumés.	We process your personal data as described, and in accordance with: GDPR Article 6(1)(c) (legal obligation). The legal obligation follows from tender legislation. GDPR Article 6(1)(f) (legitimate interests). Our legitimate interest is to be able to communicate effectively with you in connection with the prequalification process.
Contract management: When Ørsted has entered into a contract with a supplier, we process personal data in connection with managing the contract. Further, we process personal data to follow-up on and manage our suppliers’ performance. We collect the data from: Directly from you Your employer Group enterprises – see list of Ørsted enterprises in our annual report	We process the following categories of personal data about you: General personal data: Contact information, including name of the contact person, company name, department, contract information, contract manager, job title, CV, email, ID, username, initials, as well as information about the individual project participants and the supplier’s overall performance including time data such as working hours and worked time. Security data, such as access cards, access rights and use of access cards and access rights. Help desk and support data, such as questions from you relation to your assignment or IT-equipment or IT support provided to you.	We process your personal data as described, and in accordance with: GDPR Article 6(1)(b) (performance of a contract between Ørsted and the company that you represent) GDPR Article 6(1)(c) (legal obligation) in order to ensure appropriate security measures. GDPR Article 6(1)(f) (legitimate interests). Our legitimate interest is to manage and follow-up on our suppliers’ performance.
Documentation: We process personal data to be able to live up to our documentation obligations when the services you provide can only be performed by people with sufficient documented qualifications e.g. welding certificates. We collect data from the following sources: Directly from you Your employer	We process the following categories of personal data about you: General personal data: Name, date of birth, information about training and certificates, photo and other information that may be mentioned in the relevant certificates.	We process your personal data as described, and in accordance with: GDPR Article 6(1)(c) (legal obligation). The legal obligation follows in part from the EU Pressure Equipment Directive and national legislation implementing this directive. GDPR Article 6(1)(f) (legitimate interests). Our legitimate interest is our documentation obligation.
Ørsted Learning Portal (People Portal): We process personal data with the purpose to administrate necessary training for employees and employees of our suppliers and business partners. This involves sending invitations and reminders to courses, maintaining an overview of completed courses and necessary cookies when you access our Learning Portal. We collect the data from the following sources: Directly from you Your employer	We process the following categories of personal data about you: Ordinary personal data: User-ID, name, work email address, company name, data about completed training sessions as well as information that may appear from the relevant training and necessary cookies (IP address).	We process your personal data as described, and in accordance with: GDPR Article 6(1)(f) (legitimate interests). Ørsted’s legitimate interest is to ensure that our suppliers and business partners receive the necessary training, so that, among other things, safety at Ørsted’s locations is maintained.
Recording of communication including telephone conversations: We record communications, incl. telephone conversations when you interact with Ørsted Bioenergy & Thermal Power A/S. The purpose of the recordings is to comply with the regulation on wholesale energy market integrity and transparency (“REMIT”) and being able to investigate and assess incidents related to handling and publishing insider information. We collect data from the following sources: Directly from you	We process the following categories of personal data about you: Ordinary personal data: Name, phone conversation, including any personal data you may disclose in such conversation. Personal data in emails and other communication: contact information, including the sender’s name, job title, work email address, work address and work phone number, as well as other personal data disclosed in such communication.	We process your personal data as described, and in accordance with: GDPR Article 6(1)(c) (Legal obligation). The legal obligation in Article 13(2)(d) of REMIT. GDPR Article 6(1)(f) (legitimate interests). Ørsted’s legitimate interest is document compliance with the regulations and the ability of investigating disputes.

Purpose

Categories of personal data

Legal basis for processing

Supplier Database:

We process your personal data if you have registered as an interested supplier in our supplier database. This includes the following purposes: We process your personal data in our supplier database in order to contact you and your company in relation to supply chain opportunities within our wider supply chain. We will also process your personal data in order to compile statistics for supply chain development overview purposes.

We collect your personal data from the following source(s):

Directly from you
Your employer
Public sites, e.g. your company website

We process the following categories of personal data:

Ordinary personal data:

Contact information, including name of the contact person, job title, work email address, and work phone number.

Sole trader:

If you are a sole trader (or in some countries partnerships), we process information about your company name, company registration number, city, country, zip code, country of production, business locations, geographic areas of interest, what products or services you provide, which management systems and certificates you have, references and work experience.

We process your personal data on the following legal basis:

GDPR Article 6(1)(f) (legitimate interests). Our legitimate interest is to develop our supply chain globally and to support the establishment and growth of supply chains in markets in which we operate. Further, our legitimate interests are to run our business and to be able to manage Ørsted’s business relationship with the suppliers we work with to drive our activity, including being able to communicate with you.

Due diligence of potential or current suppliers and business relations:

In connection with the establishment of a potential contractual relationship, we conduct a third-party screening (so-called ‘Know Your Supplier’ screening) which includes data related to relevant and significant litigation or other legal proceedings against members of a supplier’s board of directors and management.
Such information is available in legal directories or sanctions lists.

We collect data from the following sources:

Publicly available information
Compliance agencies

We process the following categories of personal data about you:

Ordinary personal data:

Contact information including name, job title and work address (location).

Semi sensitive data:

In specific situations we process information about whether you or the company you represent are on a sanction list and information about criminal convictions if made available by compliance agencies.

We process your personal data as described, and in accordance with:

GDPR Article 6(1)(c) (legal obligation). If required by local regulation, we will conduct KYS screenings before entering a supplier relationship.
GDPR Article 6(1)(f) (legitimate interests). Our legitimate interests are to run our business and ensure fair business practice, including planning, performing, and managing the contractual relationship and manage daily operations, and security.
Danish Data Protection Act section 8(3), cf. section 7(1) and Article 9(1)(f) of the GDPR.

Administration of business relationships and collaborations:

We process your personal data in your capacity as a contact person or representative for a company that works with Ørsted or other external party collaborating with Ørsted, to enable us to manage our business relationships and to conduct our business.

The administration of our business relations and collaborations means that we process your personal data for the purpose of handling communication (primarily emails), incl. when sending purchase orders and conclusion of commercial agreements, and in connection with invoicing, accounting etc. in connection with financial statements. Further, we process your personal data for the purpose of administering your accesses to our systems to allow for collaboration and exchange of information in our business relationships, such as in projects and other business operations.

We collect data from the following sources:

Directly from you

Your employer

Ørsted’s supplier database

We process the following categories of personal data about you:

Ordinary personal data:

Contact information, including name of the contact person, job title, work email address, work address and work phone number.
Personal data that are necessary for signing documents, including signature, certificates and authorisations.
User data (incl. login details) and data about accesses and permissions to Ørsted systems.

We process your personal data as described, and in accordance with:

GDPR Article 6(1)(b) (necessary for the performance of a contract between the company that you represent and Ørsted).
GDPR Article 6(1)(c) (legal obligation). The legal obligation follows from bookkeeping legislation, which sets out the rules on storing accounting records.
GDPR Article 6(1)(f) (legitimate interests). Our legitimate interests are to run our business and to be able to manage Ørsted’s business relationship with the companies we work with to drive our activity, including being able to communicate with you.

Prequalification and tendering:

We process your personal data to identify, evaluate and select your business as a supplier when we need to put out tenders for goods or services that your company can provide. We process your personal data to be able to communicate with you in connection with the tender process.

We collect data from the following sources:

Directly from you

Your employer

Achilles

Jaggaer

Ørsted’s supplier database

We process the following categories of personal data about you:

General personal data:

Contact information, including name of the contact person, job title, work email address, work phone number, mobile phone number, fax number, country, time zone and language.
Personal data that are necessary for the assessment of experience in the prequalification and tendering process such as certificates and résumés.

We process your personal data as described, and in accordance with:

GDPR Article 6(1)(c) (legal obligation). The legal obligation follows from tender legislation.
GDPR Article 6(1)(f) (legitimate interests). Our legitimate interest is to be able to communicate effectively with you in connection with the prequalification process.

Contract management:

When Ørsted has entered into a contract with a supplier, we process personal data in connection with managing the contract. Further, we process personal data to follow-up on and manage our suppliers’ performance.

We collect the data from:

Directly from you

Your employer

Group enterprises – see list of Ørsted enterprises in our annual report

We process the following categories of personal data about you:

General personal data:

Contact information, including name of the contact person, company name, department, contract information, contract manager, job title, CV, email, ID, username, initials, as well as information about the individual project participants and the supplier’s overall performance including time data such as working hours and worked time.
Security data, such as access cards, access rights and use of access cards and access rights.
Help desk and support data, such as questions from you relation to your assignment or IT-equipment or IT support provided to you.

We process your personal data as described, and in accordance with:

GDPR Article 6(1)(b) (performance of a contract between Ørsted and the company that you represent)
GDPR Article 6(1)(c) (legal obligation) in order to ensure appropriate security measures.
GDPR Article 6(1)(f) (legitimate interests). Our legitimate interest is to manage and follow-up on our suppliers’ performance.

Documentation:

We process personal data to be able to live up to our documentation obligations when the services you provide can only be performed by people with sufficient documented qualifications e.g. welding certificates.

We collect data from the following sources:

Directly from you

Your employer

We process the following categories of personal data about you:

General personal data:

Name, date of birth, information about training and certificates, photo and other information that may be mentioned in the relevant certificates.

We process your personal data as described, and in accordance with:

GDPR Article 6(1)(c) (legal obligation). The legal obligation follows in part from the EU Pressure Equipment Directive and national legislation implementing this directive.
GDPR Article 6(1)(f) (legitimate interests). Our legitimate interest is our documentation obligation.

Ørsted Learning Portal (People Portal):

We process personal data with the purpose to administrate necessary training for employees and employees of our suppliers and business partners. This involves sending invitations and reminders to courses, maintaining an overview of completed courses and necessary cookies when you access our Learning Portal.

We collect the data from the following sources:

Directly from you

Your employer

We process the following categories of personal data about you:

Ordinary personal data:

User-ID, name, work email address, company name, data about completed training sessions as well as information that may appear from the relevant training and necessary cookies (IP address).

We process your personal data as described, and in accordance with:

GDPR Article 6(1)(f) (legitimate interests). Ørsted’s legitimate interest is to ensure that our suppliers and business partners receive the necessary training, so that, among other things, safety at Ørsted’s locations is maintained.

Recording of communication including telephone conversations:

We record communications, incl. telephone conversations when you interact with Ørsted Bioenergy & Thermal Power A/S. The purpose of the recordings is to comply with the regulation on wholesale energy market integrity and transparency (“REMIT”) and being able to investigate and assess incidents related to handling and publishing insider information.

We collect data from the following sources:

Directly from you

We process the following categories of personal data about you:

Ordinary personal data:

Name, phone conversation, including any personal data you may disclose in such conversation.
Personal data in emails and other communication: contact information, including the sender’s name, job title, work email address, work address and work phone number, as well as other personal data disclosed in such communication.

We process your personal data as described, and in accordance with:

GDPR Article 6(1)(c) (Legal obligation). The legal obligation in Article 13(2)(d) of REMIT.
GDPR Article 6(1)(f) (legitimate interests). Ørsted’s legitimate interest is document compliance with the regulations and the ability of investigating disputes.

3. Recipients of personal data

Depending on the circumstances, Ørsted may share your data with:

Suppliers, including IT suppliers, support, suppliers of goods and financial institutions that we work with in order to assist Ørsted.

Group enterprises – see list of Ørsted enterprises in our annual report

Public authorities

Business and joint venture partners

Players in the energy sector (distribution companies, Energinet.dk, public authorities and energy suppliers)

4. Personal data about other parties that you provide

If you provide personal data about other people (e.g. contact information for colleagues in the company in which you are employed), you must ensure that they agree to it, and that you have permission to provide us with such personal data. This means that you must refer them to this privacy policy when you provide us with their personal data.

5. Transfer of personal data to third countries

The international nature of Ørsted’s business means that we may in some situations need to transfer your personal data to countries outside the EU/EEA (so-called third countries). Such transfers to third countries will be made on the following legal bases:

Transfers to recipients in Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan, United Kingdom and South Korea: If we need to transfer your personal data to recipients in these countries, we will rely on Article 45 (1) of the GDPR for such transfers. These countries have been deemed by the Commission of the European Union to have an adequate level of protection of personal data.

Transfers to recipients in the United States: If we need to transfer your personal data to recipients in the United States, we will rely on Article 45 (1) of the GDPR for such transfers, provided that the recipients have self-certified under the EU-US Data Privacy Framework (“DPF"). If the recipients have not self-certified under the DPF, we will provide appropriate safeguards for the transfers through standard contractual clauses, as published by the Commission of the European Union, in accordance with Article 46(2)(c) of the GDPR.
Transfers to recipients in countries that have not been deemed by the Commission of the European Union to have an adequate level of protection of personal data: If we need to transfer your personal data to recipients in countries that do not have an adequate level of protection of personal data, we will provide appropriate safeguards for the transfers through standard contractual clauses, as published by the Commission of the European Union, in accordance with Article 46(2)(c) of the GDPR.

You can obtain a copy of this contract by contacting us on info@orsted.com.

6. Storage of your personal data

We adhere to the general principles of data minimization and storage limitation, and we will therefore only retain the personal data we need for as long as this is necessary to fulfil the purposes for which the personal data was collected in accordance with the described in section 2 above, and as required to comply with applicable law. Subsequently, we will erase your personal data.

When we establish our retention periods, we apply the following criteria:

As long as we have an ongoing business relationship with you (or for a shorter period provided that we no longer need the personal data in relation to the purposes for which it was collected);
As required by legal obligations to which we are subject;
As advisable in light of our legal position in order to establish, exercise and defend legal claims; and
As necessary to meet our legitimate business needs (such as planning, reporting, follow-up, etc.).

7. Your rights

You have the following rights:

Right of access
You have the right to request confirmation as to whether or not we process your personal data and, if so, request access to (a copy of) such personal data, as well as other supplementary information about how we process your personal data. This will provide you with an insight into what personal data we process about you as well as an overview of how we process your personal data.

Right to rectification
You have the right to request that we rectify inaccurate personal data or complete personal data about you that you consider inaccurate or incomplete.

Right to erasure
You have the right to request that we erase your personal data if for example (1) the personal data is no longer needed in relation to the purpose(s) for which it was collected, or (2) the personal data that we process is based on your consent and you withdraw your consent.

In certain situations, we will be unable to erase your personal data upon your request. This is for example the case when the personal data remains necessary to process for the purpose(s) for which it was collected, such as when our interest in processing the personal data exceeds your interest in having the personal data erased, or when we have a legal obligation to retain it, or for the establishment, exercise or defence of legal claims.

Right to restrict processing
If you believe that your personal data is inaccurate, that our processing of your personal data is unlawful or that we do not need the personal data for a mentioned purpose, you have the right to request that we restrict the processing of such personal data. You also have the right to request that we halt our processing of your personal data while we assess your request. If you object to the processing of your personal data in accordance with what is described under (e) below, you may also request that we restrict our processing of your personal data while we make our assessment.

Right to withdraw consent
Where we process your personal data based on your consent, you have the right to withdraw your consent at any time. If you withdraw your consent, we will stop our processing of your personal data that we process based on your consent. Withdrawal of your consent will not affect the lawfulness of the processing carried out prior to your withdrawal of consent.

You may withdraw your consent by sending an e-mail to info@orsted.com.

Right to object
You have the right to object to the processing of your personal data as follows:

If the processing of your personal data is based on article 6(1)(e) or 6(1)(f) of the GDPR (see above regarding legal basis), you have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data.
Where your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data about you for such marketing.

Right to data portability
You have the right to request a copy of the personal data that you have provided to us for the performance of a contract with you, or based on your consent, in a structured, commonly used and machine-readable format, and also require us to transmit this personal data to another data controller where this is technically possible. This will allow you to use this personal data elsewhere.

You can exercise your rights by contacting us; see clause 8. These rights may be conditional or restricted. For example, you may not have the right to data portability in a particular case. It depends on the specific circumstances of the processing activities.

8. Contact Ørsted regarding the processing of personal data

You can always contact Ørsted if you have questions about our processing of your personal data, or if you wish to object to how your personal data is processed, by writing to info@orsted.com or by phoning +45 99 55 11 11.

You can also lodge a complaint with your local data protection authority. In Denmark, the supervisory authority is:

The Danish Data Protection Agency
Tel.: +45 33 19 32 00
Email address: dt@datatilsynet.dk
Website: www.datatilsynet.dk

9. Amendments to our privacy policy

This privacy policy replaces all previous versions. It will be necessary to update and amend this privacy policy on an ongoing basis, and we thus reserve the right to do so. In the event of an important amendment, we will notify you at orsted.com or send an email if we deem this is necessary.

This privacy policy was last updated in July 2024.