Privacy Statement

At Neste, we care about your privacy and right to data protection. During the TA24 there will be thousands of employees and contractors working at the site for the project. We are committed to respect your privacy and protect your personal information, which is all the information that can be connected to you or can be used to identify you as an individual. In this privacy notice you can read about how your personal information is processed in connection with your work at the Neste Porvoo Turn Around 24.

1. Controller

Neste Corporation
Business ID 1626490-8
Keilaranta 21
tel. +358 10 45 811

2. Contact information

If you have any questions regarding the processing of your personal data, please submit a request at our website neste.com/privacy

If you wish to use your rights as a data subject, please see the instructions on chapter 7. “What are

your rights and how to use them?”

3. What are the purposes for processing your personal information and how do we collect information about you?

The processing of your personal information is carried out with the following purposes:

Ensuring Safety: Collecting data related to training, experience, and competence to maintain safety standards and to comply with standards and regulations, including personal information in incident reports. Ensuring adherence to safety protocols for on-site personnel. Monitoring the status of safety training programs.

Turnaround Management

  • Administering work-related documents, billing, and administration. Validating work and processing invoices. Enabling the work at the site. 
  • Managing on-site access control and ensuring adherence to safety protocols.
  • Monitoring safety training programs and fulfilling legal requirements for foreign and leased labor.
  • Generating access control logs for service records and invoice processing.

Regulatory Compliance

  • Providing necessary worker information to Finnish authorities for compliance with laws related to construction, repair, and maintenance activities and fulfilling other regulatory requirements.

Legal Compliance

The processing of personal data to comply with Finnish legislation, including but not limited to:

  • Law on Tax Administration (503/2010)
  • Taxation Procedure Act (1558/1995)
  • Act on tax number and tax number register 473/2021
  • Occupational Health and Safety Act (738/2002)
  • Act of Posting Workers (447/2016)
  • Act on the Contractor’s Obligations and Liability when Work is Contracted Out 1233/2006
  • Aliens Act 301/2004

Access and Security

  • Access Control and Surveillance: Preventing unauthorized access and ensuring the security and safety of the work environment. This includes collecting information for access cards. With access control and surveillance Neste prevents unauthorized access to its sites and premises and ensures the safety of the working environments and that the employees and external personnel have the needed certifications and/or permits. Generating comprehensive access control system logs for service record purposes.
  • Security clearance: Management and handling of security clearance data regarding tasks falling under the review (as required by law).
  • Invoice control: The access control logs may also be used for invoice control. 
  • Surveillance: Monitoring premises and video surveillance footage as necessary.

In individual cases, the information can be used in investigation of misuse, fraud or crime.

The collection and processing activities are based on a combination of legal obligations, contractual agreements, and legitimate interests. Neste’s legitimate interest lies in ensuring necessary project documentation and ensuring that individuals working in its areas are adequately trained and certified, preventing unauthorized access, and maintaining a safe and secure working environment. 

4. What information do we collect and how long do we store your information?

Neste processes a variety of personal data to support its operational, safety, and legal requirements. The data collected can be categorized as follows:

Basic Identification Data

  • Name, personal identification number, date of birth, tax number, nationality, address (in Finland and country of origin).

Professional and Project-Related Data

  • Professional competence (e.g., language skills, experience, certificates)
  • Training programs, work permits, and safety cards
  • Purchase orders and work orders
  • Information on contractors and subcontractors, including their country of registration and the contact details of foreign firms’ representatives in Finland
  • Employee personal details, citizenship status, residence permits, collective labor agreements (if applicable), safety induction records, security clearance data (if applicable)
  • Photo (if applicable)
  • Access control system data and timestamps

Taxation and Legal Compliance Data

  • Detailed employment information including the nature of employment, commencement, and estimated end dates, working hours, and employer details
  • Information required for taxation purposes and compliance with the Act of Posting Workers and other regulations

Safety and Security Data

  • Identification details of visitors and personnel, including vehicle owners
  • Management of access rights, real-time monitoring within facilities
  • Incident report data
  • Information on Neste employees, contractors, service providers, and other visitors, including access permit, training details, access card validity, and documentation verifying the right to work in Finland
  • Data for internal investigations

How We Collect Your Information

Neste collects your personal data through various means to support the purposes outlined above:

  • Direct Collection: From individuals working in Neste’s production areas, terminals, and stations, especially concerning safety and access.
  • Through Employers and Partners: Information may also be obtained from your employer, Neste’s business partners, or directly from the authorities if applicable.

5. Who has access to your personal information and who we share your information with?

At Neste, the information is processed by Neste’s construction site managers and relevant project managers, engineers, workers and TA2024 directors.

Neste uses third party service providers for software’s and other systems as well as support services. These service providers may have limited access to your personal information to be able to perform their work.

Some of the used software or applications may store your information outside EU/EEA or a support team may be located outside EU/EEA. If personal information is processed outside of EU/EEA, Neste will use appropriate safeguards to ensure the appropriate level of data protections. These safeguards are for example EU Commissions model clauses.

Neste is legally obligated to provide information regarding the personnel working at its construction sites to national authorities. This obligation entails regular reporting to tax authorities and providing requested details to the regional State Administrative Agency (AVI). The information to be provided pertains to activities associated with construction, repair, and maintenance conducted on these sites, encompassing both the businesses and workers engaged in these endeavors. 

Furthermore in case of a request, information may be disclosed to authorities, such as police, border authorities or tax authorities.

6. How long is your data stored?

Neste stores your personal data for at least the duration of the contractual relationship between Neste and its service provider, after which Neste will review the necessity of storing your personal data. In certain circumstances when it is serving as the main operator on a construction site, Neste is obligated to store your basic information for at least six years from when the site is closed. 

In any case, your personal data will be deleted at the latest when 10 years have passed since the end of the contractual relationship between Neste and its service provider unless there is an overriding requirement to store it longer.

General Retention Policy: Personal data is stored for the duration necessary to fulfill the specified purposes. Specific retention periods are:

  • Construction Site Personnel Logs: Stored for 6 years post the construction site closure.
  • TA2024 Project Data: Stored for 2-10 years depending on the information.
  • Maintenance Data: Stored in accordance with the requirements i.e. maintenance data is stored as long as the device or part is used.
  • Safety and Security Data: Kept for periods as required to ensure safety, compliance, and for investigatory purposes.

7. What are your rights and how to use them?

You can exercise your rights listed below by submitting a request through Neste’s service portal at https://www.neste.com/send-your-gdpr-request. For Neste Employees you may use your rights, you can do it by making a request via Neste Service Portal.

You have the right to access your information. This means that you have the right to know what personal information about you is stored. Please notice that the access right to your information can be restricted to the extent that the disclosure of the information can be deemed to expose and harm the safeguards used at Neste.

You also have the right to request for the rectification of inaccurate information concerning you or the erasure of your information from the systems. Please notice that information collected for the purposes of IT security cannot be deleted or rectified in general because of the nature of the processing. Your information will be deleted automatically after the retention period.

You have the right to object to the processing of your personal information that is based on Neste’s legitimate interest. However, this means that you are not able to use the systems.

Finally, you have the right to demand that Neste restricts the processing of your personal information. This means that Neste can only store your information but cannot use it in other ways. You have this right if you contest the accuracy of your personal information and processing will be restricted until the accuracy of the personal information is verified. You have this right also if you need the information after Neste’s retention periods for the establishment, exercise or defense of legal claims.

8. How do we secure your personal information?

Neste has appropriate technical measures and organizational security policies and procedures in place to protect personal data and information from loss, misuse, alteration, or destruction. Every employee and contractor in Neste is subject to information security policy that is supplemented with more detailed instructions.

Access to Neste networks are managed and controlled to protect information in systems and applications. Networks are separated from public network with appropriate firewall solutions and network traffic is monitored to detect anomalies and malicious activity.

Where Neste engages third parties to host electronic data on its behalf, a set of information security requirements need to be met. To verify the security measures taken by vendors and service providers, Neste has built a comprehensive audit program.

9. The right to lodge a complaint with the supervisory authority

If an individual is concerned that the processing may be breaching privacy laws or their individual rights under the privacy legislation have not been respected, they have the right to complain to the national data protection authority.

10. How to Contact Neste Data Protection Officer

If an individual is concerned that the processing may be breaching privacy laws or their individual rights under the privacy legislation have not been respected, they have the opportunity to contact Neste Data Protection Officer via the following link: https://www.neste.com/send-your-gdpr-request.