Updated on 11 November 2025

1. CONTROLLER

Lumme Energia Oy (later Lumme Energia)

Business ID: 2038931-6

Visiting address: Prikaatinkatu 3A, 50100 Mikkeli

Telephone: +358 (0)29 1800 056

Online service: www.lumme-energia.fi

2. ELECTRICITY SALES

2.1. Purpose and Legal Basis for Processing Personal Data

The purpose of processing personal data is to conclude and perform a contract; to analyze data for the purposes of predicting electricity usage and developing services and products; to identify and know the customer; to ensure the quality of customer service; to manage invoicing and debt collection; to fulfill statutory reporting obligations; to communicate with customers; to send notifications related to the agreement; to notify about data breaches; and to conduct direct marketing.

The processing of personal data is based on:

a contractual relationship between the data subject and Lumme Energia;
the consent of the data subject, when they have given consent to electronic marketing or other consent separately requested by Lumme Energia;
Lumme Energia's statutory obligations, including compliance with the Electricity Market Act and its supplementary decrees, the Energy Efficiency Act, and the Consumer Protection Act.

2.2. Categories of Personal Data

Customer Information:

Authorizations and marketing prohibitions for electronic direct marketing
Customer number
Guardianship information
Name and contact details (address, telephone number, and email address)
Non-disclosure orders
Other information obtained with the consent of the customer or potential customer that is necessary to deliver the agreed service
Potential contact persons or representatives
Segmentation enrichment data
Self-imposed credit bans
Social security number

Contract Information:

Contract subject, product, duration, and pricing
Service channel (electronic/paper)

Billing Information:

Bank details
Basis of invoicing
Billing address
Information on payments and payment behavior
Invoice delivery method

Customer Service Interaction Details:

Recordings of chat conversations
Recordings of customer calls
Service experience data from customer surveys
Times and reasons for service events

Online Behavior:

Browser type
Cookies
Downloads of materials from the online service
Operating system
Services used
Subscribed publications
Website browsing data

2.3. Regular Sources of Personal Data

Personal data is collected from the customer or their representative, as well as from Suomen Asiakastieto Oy and Ropo Suomi Oy. In addition, Lumme Energia has a statutory obligation to receive information from the centralized data exchange service maintained by Fingrid Datahub Oy. Further information on the processing of personal data in this context is available at: Privacy statement - Fingrid.

2.4. Regular Disclosures of Personal Data

Lumme Energia uses external service providers for the processing of personal data, for example in connection with sales and customer service. The processing of personal data is always carried out under the responsibility and supervision of Lumme Energia.

Lumme Energia ensures, through contractual and technical arrangements with all personal data processors, that personal data is processed in accordance with applicable data protection legislation and otherwise in an appropriate manner.

In addition, Lumme Energia has a statutory obligation to disclose data from the centralized data exchange service maintained by Fingrid Datahub Oy. Further information on the processing of personal data in this context is available at: Privacy statement - Fingrid.

2.5. Transfers of Personal Data Outside the EU/EEA

Personal data may only be transferred outside the EU or EEA with appropriate safeguards in place, such as the European Commission adequacy decisions and standard contractual clauses, or the EU-U.S. Data Privacy Framework.

2.6. Automated Decision-Making

An automated decision-making procedure is applied when issuing a credit decision.

3. ELECTRIC MOBILITY

3.1. Purpose and Legal Basis for Processing Personal Data

The purpose of processing personal data is to conclude and perform a contract; to analyze data for the development of services and products; to identify and understand the customer; to ensure the quality of customer service; to manage invoicing and debt collection; to fulfill statutory reporting obligations; to communicate with customers; to send notifications related to the agreement; to notify about data breaches; and to conduct direct marketing.

The processing of personal data is based on:

a contractual relationship between the data subject and Lumme Energia;
the consent of the data subject, when they have given consent to electronic marketing or other consent separately requested by Lumme Energia;
Lumme Energia's statutory obligations, including compliance with the Electricity Market Act and its supplementary decrees, the Energy Efficiency Act, and the Consumer Protection Act.
Lumme Energia's legitimate interest in improving customer service, developing its services, ensuring data security, and transferring personal data within the Group for administrative purposes.

3.2. Categories of Personal Data

Customer Information:

Authorizations and marketing prohibitions for electronic direct marketing
Customer number
Customer segmentation
Data collected through the charging point mapping survey
EV charging data
Name and contact details (address, telephone number, and email address)
Other information obtained with the consent of the customer or potential customer that is necessary to deliver the agreed service
Potential contact persons or representatives
Segmentation enrichment data
Social security number

Usage Site and Device Information:

Address information of the usage site
Information related to installed devices
Information related to the planning and dimensioning of the usage site
Information required for the installation at the usage site
Information required to manage and ensure the functionality of the service

Contract Information:

Contract subject, product, duration, and pricing

Billing Information:

Bank details
Basis of invoicing
Billing address
Information on payments and payment behavior
Payment card information

Customer Service Interaction Details:

Recordings of chat conversations
Recordings of customer calls
Service experience data from customer surveys
Times and reasons for service events

Online Behavior:

Browser type
Cookies
Downloads of materials from the online service
Operating system
Services used
Website browsing data

3.3. Regular Sources of Personal Data

3.4. Regular Disclosure of Personal Data

3.5. Transfers of Personal Data Outside the EU/EEA

3.6. Automated Decision-Making

An automated decision-making procedure is applied when issuing a credit decision.

4. PHOTOVOLTAIC SYSTEMS

4.1. Purpose and Legal Basis for Processing Personal Data

The purpose of processing personal data is to conclude and perform a contract; to analyze data for the development of services and products; to identify and know the customer; to ensure the quality of customer service; to manage invoicing and debt collection; to fulfill statutory reporting obligations; to communicate with customers; to send notifications related to the agreement; to notify about data breaches; and to conduct direct marketing.

The processing of personal data is based on:

a contractual relationship between the data subject and Lumme Energia;
the consent of the data subject, when they have given consent to electronic marketing or other consent separately requested by Lumme Energia;
Lumme Energia's statutory obligations, including compliance with the Electricity Market Act and its supplementary decrees, the Energy Efficiency Act, and the Consumer Protection Act.
Lumme Energia's legitimate interest in improving customer service, developing its services, ensuring data security, and transferring personal data within the Group for administrative purposes.

4.2. Categories of Personal Data

Customer Information:

- Authorizations and marketing prohibitions for electronic direct marketing
- Customer number
- Customer segmentation data
- Name and contact details (address, telephone number, and email address)
- Other information obtained with the consent of the customer or potential customer that is necessary to deliver the agreed service
- Potential contact persons or representatives
- Segmentation enrichment data
- Social security number

Usage Site and Device Information:

- Address information of the usage site
- Connection information
- Data collected through the solar power calculator
- Equipment information for small-scale production
- Information related to the planning and dimensioning of the usage site
- Information required for the installation at the usage site
- Information required to manage and ensure the functionality of the service
- Production data
- Purpose of use of the usage site

Contract Information:

- Subject, duration, and price of the contract

Billing Information:

- Bank details
- Basis of invoicing
- Billing address
- Information on payments and payment behavior

Customer Service Interaction Details:

- Recordings of chat conversations
- Recordings of customer calls
- Service experience data from customer surveys
- Times and reasons for service events

Online Behavior:

- Browser type
- Cookies
- Downloads of materials from the online service
- Operating system
- Services used
- Subscribed publications
- Website browsing data

4.3. Regular Sources of Personal Data

4.4. Regular Disclosures of Personal Data

Lumme Energia uses external service providers for the processing of personal data, for example in connection with sales, customer service, and installations. The processing of personal data is always carried out under the responsibility and supervision of Lumme Energia.

4.5. Transfers of Personal Data Outside the EU/EEA

4.6. Automated decision-making

An automated decision-making procedure is applied when issuing a credit decision.

5. ENERGY MANAGEMENT SYSTEMS

5.1. Purpose and Legal Basis for Processing Personal Data

The processing of personal data is based on:

a contractual relationship between the data subject and Lumme Energia;
the consent of the data subject, when they have given consent to electronic marketing or other consent separately requested by Lumme Energia;
Lumme Energia's statutory obligations, including compliance with the Electricity Market Act and its supplementary decrees, the Energy Efficiency Act, and the Consumer Protection Act.
Lumme Energia's legitimate interest in improving customer service, developing its services, ensuring data security, and transferring personal data within the Group for administrative purposes.

5.2. Categories of Personal Data

Customer Information:

- Authorizations and marketing prohibitions for electronic direct marketing
- Customer number
- Customer segmentation data
- Name and contact details (address, telephone number, and email address)
- Other information obtained with the consent of the customer or potential customer that is necessary for the performance of the agreed service
- Potential contact persons or representatives
- Segmentation enrichment data
- Social security number

Usage Site and Device Information:

- Address information of the usage site
- Connection information
- Device information for small-scale production
- Information related to the planning, dimensioning, and optimization of energy use at the usage site
- Information required for the installation at the usage site
- Information required to manage and ensure the functionality of the service
- Possible area and volume information
- Production data
- Purpose of use of the usage site

Contract Information:
- Contract subject, product, duration, and pricing

Billing Information:

- Bank details
- Basis of invoicing
- Billing address
- Information on payments and payment behavior

Customer Service Interaction Details:

- Recordings of customer calls
- Service experience data from customer surveys
- Times and reasons for service events

Online Behavior:

- Browser type
- Cookies
- Downloads of materials from the online service
- Operating system
- Services used
- Subscribed publications
- Website browsing data

5.3. Regular Sources of Personal Data

The customer may choose to provide information necessary for ensuring the installability of the system via WhatsApp. Meta processes personal data in accordance with its own privacy policy, which can be read here: https://www.whatsapp.com/legal/privacy-policy. This information can also be provided through other contact channels.

5.4. Regular Disclosures of Personal Data

5.5. Transfers of Personal Data outside the EU/EEA

5.6. Automated decision-making

An automated decision-making procedure is applied when issuing a credit decision.

6. ENERGY STORAGE SYSTEMS

6.1. Purpose and Legal Basis for Processing Personal Data

The processing of personal data is based on:
- a contractual relationship between the data subject and Lumme Energia;
- the consent of the data subject, when they have given consent to electronic marketing or other consent separately requested by Lumme Energia;
- Lumme Energia's statutory obligations, including compliance with the Electricity Market Act and its supplementary decrees, the Energy Efficiency Act, and the Consumer Protection Act.
- Lumme Energia's legitimate interest in improving customer service, developing its services, ensuring data security, and transferring personal data within the Group for administrative purposes.

6.2. Categories of Personal Data

Customer Information:
- Authorizations and marketing prohibitions for electronic direct marketing
- Customer number
- Customer segmentation data
- Name and contact details (address, telephone number, and email address)
- Other information obtained with the consent of the customer or potential customer that is necessary for the performance of the agreed service
- Potential contact persons or representatives
- Segmentation enrichment data
- Social security number

Usage Site and Device Information:

Contract Information:

- Contract subject, product, duration, and pricing

Billing Information:

- Bank details
- Basis of invoicing
- Billing address
- Information on payments and payment behavior

Customer Service Interaction Details:

- Recordings of chat conversations
- Recordings of customer calls
- Service experience data from customer surveys
- Times and reasons for service events

Online Behavior:

- Browser type
- Cookies
- Downloads of materials from the online service
- Operating system
- Services used
- Subscribed publications
- Website browsing data

6.3. Regular Sources of Personal Data

Personal data is collected from the customer or their representative, from Suomen Asiakastieto Oy, Ropo Suomi Oy, as well as consumption and production data from third-party services. In addition, Lumme Energia has a statutory obligation to receive information from the centralized data exchange service maintained by Fingrid Datahub Oy. Further information on the processing of personal data in this context is available at: Privacy statement - Fingrid.
The customer may choose to provide information necessary for ensuring the installability of the system via WhatsApp. Meta processes personal data in accordance with its own privacy policy, which can be read here: https://www.whatsapp.com/legal/privacy-policy. This information can also be provided through other contact channels.

6.4. Regular Disclosures of Personal Data

In addition, Lumme Energia has a statutory obligation to disclose data from the centralized data ex56change service maintained by Fingrid Datahub Oy. Further information on the processing of personal data in this context is available at: Privacy statement - Fingrid.

6.5. Transfers of Personal Data outside the EU/EAA

7. RECRUITMENT

This section applies to Lumme Energia's direct recruitment processes. If a recruitment partner is responsible for the recruitment, the job applicant's personal data will be processed under the privacy policy of that partner.

7.1. Purpose and Legal Basis for Processing Personal Data

The purpose of processing personal data is to carry out Lumme Energia's recruitment processes.
The processing is based on the data subject’s consent and on Lumme Energia’s legitimate interest in processing personal data as required by the recruitment process, within the context of an appropriate relationship between Lumme Energia and the job applicant.

7.2. Categories of Personal Data

As a general rule, the register contains the following information:

- CV information or other information related to education and work history, as provided by the job applicant
- Name and contact details (address, phone number, and email address)
- Other additional information provided by the job applicant that is relevant to the recruitment process
- Photograph of the job applicant
- Reference information
- Work samples

Lumme Energia is part of the Suur-Savon Sähkö Group, which is a substance-free workplace. In this context, a drug test is conducted as part of the pre-employment medical examination. In addition, selection for a position may involve credit checks, suitability assessments, or background checks. These requirements are always stated in the job advertisement or communicated during the recruitment process.

7.3. Regular Sources of Personal Data

Personal data is primarily collected from the data subject and, with consent, from other specified data sources.

7.4. Regular Disclosures of Personal Data

As a general rule, personal data is not disclosed outside the Suur-Savon Sähkö Group. However, it may be disclosed to partners involved in the recruitment process, such as for conducting suitability assessments.
Lumme Energia ensures, through contractual and technical arrangements with all personal data processors, that personal data is processed in accordance with applicable data protection legislation and otherwise in an appropriate manner.

7.5. Transfers of Personal Data outside the EU/EEA

7.6. Automated Decision-Making

The processing of data does not involve automated decision-making.

8. WEBSITE VISITORS

8.1. Purpose and Legal Basis for Processing Personal Data

The purpose of processing personal data is to target marketing, assess its effectiveness, and enhance the user experience of the website.

A website visitor may be, for example, our customer, a marketing recipient or a job applicant. The processing of this personal data is described in other sections of this Privacy Policy. This section contains only the general processing activities related to the website.

The processing of personal data is based on the consent provided by the data subject.

8.2. Categories of Personal Data

The register contains the following information:

- Additional data provided by web analytics tools and advertising platforms
- Browser type
- Cookies
- Device information
- Language
- Operating system
- Website browsing data

8.3. Regular Sources of Personal Data

Personal data is collected from the data subject and from the website platform.

8.4. Regular Disclosures of Personal Data

Lumme Energia uses external service providers for the processing of personal data, for example in connection with website development. The processing of personal data is always carried out under the responsibility and supervision of Lumme Energia.

8.5. Transfers of Personal Data Outside the EU/EEA

8.6. Automated decision-making

The processing of data does not involve automated decision-making.

9. MARKETING

9.1. Purpose and Legal Basis for Processing Personal Data

The purpose of processing personal data is to target marketing to existing and potential customers.
The processing of personal data is based on a contractual relationship between the data subject and Lumme Energia, the consent provided by the data subject, or Lumme Energia's legitimate interest in conducting direct marketing.

9.2. Categories of Personal Data

Customer Information:
- Authorizations and marketing prohibitions for electronic direct marketing
- Customer number
- Customer segmentation
- Date of birth
- Gender
- Information on participation in the loyalty or equivalent programs of the controller and its partner companies, as well as any additional data necessary for providing benefits related to such programs
- Language
- Name and contact details (address, telephone number, and email address)
- Segmentation enrichment data

Contract Information:
- Contract subject, duration, and pricing

Billing Information:
- Billing address

Online Behavior:
- Services used

Usage Site Information:
- Address information of the usage site
- Electricity connection information
- Emissions data for the usage site
- Energy consumption forecasts
- Other information provided by the customer related to the usage site
- Possible area and volume data
- Purpose of use of the usage site

9.3. Regular Sources of Personal Data

Personal data is collected from the data subject and from third-party services for the purpose of data enrichment. Personal data may also be collected, stored, and updated from sources such as the Digital and Population Data Services Agency or from other controllers that provide address, update, or similar services.

9.4. Regular Disclosures of Personal Data

9.5. Transfers of Personal Data outside the EU/EEA

9.6. Automated Decision-Making

The processing of data does not involve automated decision-making.

10. CUSTOMER SURVEY

10.1. Purpose and Legal Basis for Processing Personal Data

The purpose of processing personal data is to enhance customer understanding through research.
The processing of personal data is based on a contractual relationship between the data subject and Lumme Energia, or on Lumme Energia's legitimate interest in conducting customer research and, based on the results, developing its services to better meet customer needs.

10.2. Categories of Personal Data

Customer information:
- Authorizations and marketing prohibitions for electronic direct marketing
- Customer number
- Customer segmentation
- Name and contact details (address, telephone number and email address)
Online Behavior:
- Services used
- Subscribed publications

10.3. Regular Sources of Personal Data

The surveys are based on data from external survey providers and Lumme Energia’s own customer data, which is collected from the data subject.

10.4. Regular Disclosures of Personal Data

Lumme Energia uses external service providers to carry out surveys in connection with the processing of personal data. The processing is always carried out under Lumme Energia’s responsibility and supervision.
Lumme Energia ensures, through contractual and technical arrangements with all personal data processors, that personal data is processed in accordance with applicable data protection legislation and otherwise in an appropriate manner.

10.5. Transfers of Personal Data Outside the EU/EEA

10.6. Automated Decision-Making

The processing of data does not involve automated decision-making.

11. WHISTLEBLOWING CHANNEL

This s section concerns Lumme Energia’s external whistleblowing channel, available on the company’s website. The processing of personal data in connection with this channel has specific characteristics that differ from the other sections of this Privacy Notice. For more information, please refer to the separate Whistleblowing Channel Privacy Notice.

11.1. Purpose and Legal Basis for Processing Personal Data

The whistleblowing channel is used to monitor the implementation of Lumme Energia’s Supplier Code of Conduct. The purpose of processing personal data is to monitor and investigate suspected misconduct and unethical behavior. The data may also be used for the development, analysis, and statistical reporting of internal control and risk management.

The processing of personal data is based on Lumme Energia’s legitimate interest in obtaining information about misconduct related to the company and its operations in order to address such matters, as well as to ensure the ethical and lawful conduct of external stakeholders. As a result of a balancing test, it has been concluded that the rights and freedoms of data subjects do not override Lumme Energia’s legitimate interest.

Lumme Energia provides its personnel with an internal whistleblowing channel, which is accessible via the company’s intranet. In relation to this internal whistleblowing channel, the processing of personal data is also necessary for the data controller to comply with a legal obligation. The processing is based on the Whistleblower Act (Act on the Protection of Persons Reporting Breaches of European Union and National Law, 1171/2022). For the avoidance of doubt, when Lumme Energia’s personnel report suspected misconduct via the external whistleblowing channel, the legal bases for processing personal data are compliance with a legal obligation and legitimate interest.

11.2. Categories of Personal Data

The content of the register is based on the information provided by the person submitting the report. The register may contain the following types of personal data concerning the whistleblower, the subject of the report, and other individuals involved, such as witnesses:

• Name and contact details of the whistleblower (a report can also be submitted anonymously)
• Details of the report, such as the name of the subject, information related to the alleged unethical or unlawful conduct (including place and time), and information on witnesses
• Information related to the submission and processing of the report, as well as related communications (including the report code and status)
• Any other information voluntarily provided by the whistleblower
In addition, data is collected on individuals responsible for handling reports submitted through the whistleblowing channel.

The accuracy of the personal data contained in the reports cannot be verified in advance, but efforts are made to ensure their accuracy during the investigation of suspected misconduct. Personal data deemed irrelevant or excessive for the purposes of the case will be deleted. As a rule, special categories of personal data are not processed in connection with the whistleblowing procedure.

11.3. Regular Sources of Personal Data

The primary source of personal data is the whistleblower. In addition, personal data may be collected and generated during the processing of whistleblowing reports. This may include information obtained from individuals potentially involved in the matter and data retrieved from relevant IT systems. Other sources of information may be used where permitted by applicable legislation.

11.4. Regular Disclosures of Personal Data

At Lumme Energia, personal data is processed exclusively by specifically designated individuals within the company's compliance and sustainability function. Reports and related investigations are carried out by a limited group of designated personnel. Personal data may be disclosed to third parties, such as authorities or external auditors, only on a legal basis as provided by applicable law.

11.5. Transfers of Personal Data Outside the EU/EEA

Personal data will not be disclosed or transferred outside the EU or EEA.

11.6. Automated Decision-Making

The processing of data does not involve automated decision-making.

12. RETENTION PERIODS OF PERSONAL DATA

Lumme Energia retains personal data for as long as necessary for the purposes for which it was collected, such as fulfilling a customer agreement between Lumme Energia and the data subject or determining the rights and obligations arising from it. Retention periods are based on applicable legislation, such as the Electricity Market Act, or on the general terms and conditions confirmed by the Energy Authority. The retention periods vary depending on the category of the data.

Typically, personal data is retained for the duration of the customer relationship and for ten (10) years after its termination. When the data is no longer needed, Lumme Energia will delete or anonymize it as soon as reasonably possible. If you would like more information about the retention of your personal data, please contact our customer service.

13. DATA SECURITY

The register is protected with personal user IDs and passwords. Only authorized and designated users have access to the personal data they are responsible for maintaining. Regular backups of the register are taken. Customer register data is stored in databases that are protected by firewalls, passwords, and other technical security measures.

14. RIGHTS OF THE DATA SUBJECT

The data subject has access to the rights set out below. Please note that not all rights are absolute; their application depends on the legal basis for processing personal data.

14.1. Right of access

The data subject has the right to receive a copy of the data concerning them in a commonly used electronic format and to review their personal data.

If you wish to exercise your right of access, we ask you to use the information request form (in Finnish). Using the information request form requires strong identification. You can authenticate yourself with online banking credentials or a mobile certificate.

14.2. Right to rectification and restriction of processing

The data subject has the right to request the rectification of inaccurate or incorrect personal data and the completion of incomplete personal data. If there are any errors or missing information, please contact our customer service. If the data subject has access to Lumme Energia’s an electronic service channels, they can update their own information within the limits of those services.

The data subject may request that the controller restrict the processing of their personal data until it has been corrected or updated.

14.3. Right to data portability

The data subject has the right to have the personal data they have provided to the controller transferred to another system.

14.4. Right to erasure (“Right to be forgotten”)

The data subject has the right to request that the controller delete their personal data without undue delay if the controller no longer justifiably needs it.

14.5. Right not to be subject to automated decision-making

The data subject has the right not to be subject to automated decision-making that produces legal effects concerning them or similarly significantly affects them. They also have the right to object to automated decision-making if the process is not necessary for the conclusion or performance of a contract.

14.6. Right to withdraw consent

The data subject has the right to withdraw their consent to electronic marketing. Consent can be withdrawn by contacting customer service, updating preferences in Lumme Energia’s electronic channels, or using the unsubscribe link in electronic newsletters.

14.7. Right to object to the use of cookies

Lumme Energia’s digital services use cookies. Information on how to disable cookies and the consequences of doing so is described in terms of use for each service. You can view the cookies used on our website (lumme-energia.fi) here: Evästeiden käyttö | Lumme Energia (in Finnish).

14.8. Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with a national supervisory authority if they believe that their personal data has been processed in violation of applicable data protection legislation. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman. For more information, visit: www.tietosuoja.fi.

15. CONTACT DETAILS

If you wish to exercise your rights, please refer to Section 12. For other inquiries regarding the processing of personal data, please contact us primarily by email at: tietosuoja@lumme-energia.fi. You can also contact our Data Protection Officer by phone: +358 40 560 1240 / Mikko Alftan.