Privacy Policy for Business Relations

When we receive personal data about you, we aim to ensure that you trust we will process your personal data in a transparent and secure manner. Hence, this privacy policy contains information about how we process your personal data.

This privacy policy for business relations applies to the processing of personal data about people who act as contact persons or take part in delivering services to Ørsted on behalf of a company (such as suppliers and business partners).

1. Data controller

The legal entity responsible for processing your personal data is the company in Ørsted mentioned in the agreement governing the delivery by the company you represent to Ørsted or which is part of the collaborative relationship with the company or authority (hereinafter “Company”) you represent. You can find an overview of our companies in our annual report.

2. We use personal data for the following purposes and in accordance with the stated lawfulness of processing

At Ørsted, we only process necessary personal data about you. In the table below, we describe how we process your personal data.

Purpose Categories of personal data Legal basis for processing

Supplier Database:

We process your personal data if you have registered as an interested supplier in our supplier database. This includes the following purposes: We process your personal data in our supplier database in order to contact you and your company in relation to supply chain opportunities within our wider supply chain. We will also process your personal data in order to compile statistics for supply chain development overview purposes.

We collect your personal data from the following source(s):

  • Directly from you

  • Your employer

  • Public sites, e.g. your company website

We process the following categories of personal data:

Ordinary personal data:

  • Contact information, including name of the contact person, job title, work email address, and work phone number.

Sole trader:

  • If you are a sole trader (or in some countries partnerships), we process information about your company name, company registration number, city, country, zip code, country of production, business locations, geographic areas of interest, what products or services you provide, which management systems and certificates you have, references and work experience.

We process your personal data on the following legal basis:

  • GDPR Article 6(1)(f) (legitimate interests). Our legitimate interest is to develop our supply chain globally and to support the establishment and growth of supply chains in markets in which we operate. Further, our legitimate interests are to run our business and to be able to manage Ørsted’s business relationship with the suppliers we work with to drive our activity, including being able to communicate with you.

Administration of business relationships:

We process your personal data as a contact person or representative for a company that works with Ørsted, to enable us to manage our business relationship and to conduct our business.

The administration of our business relations means that we process your personal data for the following purposes: communication (emails), when sending purchase orders and conclusion of commercial agreements, and in connection with invoicing, accounting etc. in connection with financial statements.

We collect data from the following sources:

  • Directly from you
  • Your employer
  • Ørsted’s supplier database 
 

We process the following categories of personal data about you:

Ordinary personal data:

  • Contact information, including name of the contact person, job title, work email address, work address and work phone number.
  • Personal data that are necessary for signing documents, including signature, certificates and authorisations.



We process your personal data as described, and in accordance with:

  • GDPR Article 6(1)(b) (necessary for the performance of a contract between the company that you represent and Ørsted).
  • GDPR Article 6(1)(c) (legal obligation). The legal obligation follows from bookkeeping legislation, which sets out the rules on storing accounting records.
  • GDPR Article 6(1)(f) (legitimate interests). Our legitimate interests are to run our business and to be able to manage Ørsted’s business relationship with the companies we work with to drive our activity, including being able to communicate with you.
 
 



Prequalification and tendering:

We process your personal data to identify, evaluate and select your business as a supplier when we need to put out tenders for goods or services that your company can provide. We process your personal data to be able to communicate with you in connection with the tender process.


We collect data from the following sources:

  • Directly from you
  • Your employer
  • Achilles 
  • Jaegger
  • Ørsted’s supplier database 
 

We process the following categories of personal data about you:

General personal data:

  • Contact information, including name of the contact person, job title, work email address, work phone number, mobile phone number, fax number, country, time zone and language.
 

We process your personal data as described, and in accordance with:

  • GDPR Article 6(1)(c) (legal obligation). The legal obligation follows from tender legislation.
  • GDPR Article 6(1)(f) (legitimate interests). Our legitimate interest is to be able to communicate effectively with you in connection with the prequalification process.
 



Contract management:

When Ørsted has entered into a contract with a supplier, we process personal data in connection with managing the contract. Further, we process personal data to follow-up on and manage our suppliers’ performance.

We collect the data from:

  • Directly from you
  • Your employer
  • Group enterprises – see list of Ørsted enterprises in our annual report  
 

We process the following categories of personal data about you:

General personal data:

  • Contact information, including name of the contact person, company name, department, contract information, contract manager, job title, username, initials, as well as information about the individual project participants and the supplier’s overall performance.
 

We process your personal data as described, and in accordance with:

  • GDPR Article 6(1)(b) (performance of a contract between Ørsted and the company that you represent)
  • GDPR Article 6(1)(c) (legal obligation).
  • GDPR Article 6(1)(f) (legitimate interests). Our legitimate interest is to manage and follow-up on our suppliers’ performance.
 


 
Documentation:

We process personal data to be able to live up to our documentation obligations when the services you provide can only be performed by people with sufficient documented qualifications e.g. welding certificates.  
 

We process the following categories of personal data about you:

General personal data:

  • Name, date of birth, information about training and certificates, photo and other information that may be mentioned in the relevant certificates.
 

We process your personal data as described, and in accordance with:

  • GDPR Article 6(1)(c) (legal obligation). The legal obligation follows in part from the EU Pressure Equipment Directive and national legislation implementing this directive.
  • GDPR Article 6(1)(f) (legitimate interests). Our legitimate interest is our documentation obligation.
 


 
Ørsted Learning Portal (People Portal):

We process personal data with the purpose to administrate necessary training for employees and employees of our suppliers and business partners. This involves sending invitations and reminders to courses, maintaining an overview of completed courses and necessary cookies when you access our Learning Portal.

We collect the data from the following sources:

  • Directly from you
  • Your employer
We process the following categories of personal data about you:

Ordinary personal data:

  • User-ID, name, work email address, company name, data about completed training sessions as well as information that may appear from the relevant training and necessary cookies (IP address).
We process your personal data as described, and in accordance with:

  • GDPR Article 6(1)(f) (legitimate interests). Ørsted’s legitimate interest is to ensure that our suppliers and business partners receive the necessary training, so that, among other things, safety at Ørsted’s locations is maintained.

3. Recipients of personal data

Depending on the circumstances, Ørsted may share your data with:

  • Suppliers who work with us to assist Ørsted
  • Group enterprises – see list of Ørsted enterprises in our annual report
  • Public authorities
  • Business partners
  • Players in the energy sector (distribution companies, Energinet.dk, public authorities and energy suppliers)

 

4. Personal data about other parties that you provide 

If you provide personal data about other people (e.g. contact information for colleagues in the company in which you are employed), you must ensure that they agree to it, and that you have permission to provide us with such personal data. This means that you must refer them to this privacy policy when you provide us with their personal data.

 

5. Transfer of personal data to third countries 

In certain situation, Ørsted will be transferring personal data to countries outside EU/EEA.
Such transfers to third countries will be made on the following legal basis:

  • If the countries have been deemed by the Commission of the European Union to have an adequate level of protection of personal data (so called safe third countries).

  • If the countries have not been deemed by the Commission of the European Union to have an adequate level of protection of personal data: Ørsted will provide appropriate safeguards for the transfer through standard contractual clauses, as published by the Commission of the European Union, for the transfer of personal data to third countries. You can obtain a copy of this contract by contacting us on info@orsted.com.


6. Storage of your personal data

We will store your personal data as long as it is necessary for the purpose described in section 2 above and/or as required under applicable law, and we will then delete or anonymise your personal data appropriately.

The criteria we will use to determine the storage period of your personal data will therefore depend on the purpose for which the personal data have been collected as well as the rules on storage which is required by specific national legislation.

 

7. Your rights

When we process your data, you have the following rights:

  • You have the right of access to, rectification, or erasure of your personal data.
  • You also have the right to object to the processing of your personal data and to have the processing of your personal data restricted.
  • In particular, you have an unconditional right to object to the processing of your personal data for use for direct marketing purposes.
  • If the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. Your withdrawal of consent will not affect the lawfulness of the processing performed before withdrawal of your consent. 
  • You have the right to receive the personal data that you have provided yourself in a structured, commonly used and machine-readable format (data portability).
  • You have the right to lodge a complaint with a supervisory authority (in Denmark the Danish Data Protection Agency).

You can exercise your rights by contacting us; see clause 8. These rights may be conditional or restricted. For example, you may not have the right to data portability in a particular case. It depends on the specific circumstances of the processing activities.

 

8. Contact Ørsted regarding the processing of personal data

You can always contact Ørsted if you have questions about our processing of your personal data, or if you wish to object to how your personal data is processed, by writing to info@orsted.com or by phoning +45 99 55 11 11. 


You can also lodge a complaint with your local data protection authority. In Denmark, the supervisory authority is:

 

9. Amendments to our privacy policy

This privacy policy replaces all previous versions. It will be necessary to update and amend this privacy policy on an ongoing basis, and we thus reserve the right to do so. In the event of an important amendment, we will notify you at orsted.com or send an email if we deem this is necessary.

This privacy policy was last updated in October 2020.