Nefco – Global Privacy Policy
1. Introduction
As the data controller, Nordic Environment Finance Corporation (“Nefco”, “we” or “us”) is fully committed to protecting your individual rights and keeping your personal data safe.
In this Privacy Policy, we describe why and how we collect and use personal data on individuals with whom we interact, such as representatives of our clients, potential clients, stakeholders, cooperation partners, consultants and suppliers, users of our website, job applicants and visitors on our premises. This Privacy Policy also explains which rights you have as the data subject, and how to use those rights.
2. Data controller details
The contact details of the data controller are:
Nordic Environment Finance Corporation
Fabianinkatu 34, FI-00100 Helsinki
P.O. Box 241, FI-00171 Helsinki
Finland
Tel +358 10 618 003
Nefco has appointed a Data Protection Officer (DPO), who monitors the processing of personal data within Nefco and acts as the contact point for data subjects in matters regarding the processing of their personal data. If you have any questions about this Global Privacy Policy or wish to exercise your privacy rights, please contact our DPO at dataprotection@nefco.int
3. Purposes and lawful bases for processing personal data
Nefco only processes personal data that is necessary for a specific, explicit and lawful purpose. In practice, we process personal data mainly for the following purposes:
- Communicating with our clients, stakeholders and cooperation partners and maintaining business relationships with individuals close to us, which is based on Nefco’s legitimate interest to maintain good business relationships, sending newsletters, marketing our products and services and monitoring the implementation of our purpose.
- Carrying out project and client appraisal processes, which is based on Nefco’s legitimate interest to assess the financial strength and eligibility of financing projects or proposals.
- Carrying out procurement processes, which is based on Nefco’s legitimate interest to ensure efficient and reliable procurement processes.
- Providing, promoting, and developing our products and services, which may include marketing our products and services, sending newsletters and managing the client relationship. Such processing is based on Nefco’s legitimate interest to provide financing in accordance with our purpose to accelerate the green transition by financing the initial scale-up of Nordic green solutions.
- Managing and developing our website and providing you with the information and services you request by contacting us through the site. Such processing is based on Nefco’s legitimate interest to offer our products and services, to continuously improve our operations and the performance of our website, and to maintain good business relationships. For these purposes, we also use cookies to collect information on your use of our website subject to prior consent, which is requested through a pop up request when opening the website. For further information on cookies and our use of them, please see our Cookie Declaration.
- Carrying out the recruitment process, which may include assessing your qualifications and suitability for specific job openings, communicating with you and carrying out background checks (for specific positions). Such processing is necessary for preparing to enter into an employment agreement with you, but also for Nefco’s legitimate interest to carry out our recruitment process.
- Granting access to Nefco’s premises and keeping track of visitors, which is based on Nefco’s legitimate interest to manage visitors and ensure the safety and security of our premises.
- Preventing and investigating misconduct and non-compliance, which is based on Nefco’s legitimate interest to ensure accountability, ethical conduct and compliance with the relevant policies, regulations and governance requirements of Nefco.
- Risk management and ensuring the security of services, which is based on Nefco’s legitimate interest to maintain its financial strength so as to be able to continue to fulfil its purpose.
- Satisfying statutory obligations and any other official rules and regulations that Nefco determines are required for the performance of its activities and in accordance with our Legal Framework. Such processing is based on Nefco’s legitimate interest to comply with its Legal Framework.
4. Categories of personal data
Nefco mainly processes the following information for the purposes mentioned in section 3:
Company and contact information
- Basic contact information of the individual (e.g. name, title, organisation, telephone number, email address, company address, and the primary address, if different from the company address)
- Information on services ordered by or provided to the client (e.g. service delivery, contract and billing information)
- Client, stakeholder and partner communications (meetings, communications relating to the client, stakeholder, partner or other relationship)
- Identification and background information necessary for fulfilling our obligations relating to anti-money laundering and counter-terrorist financing
Project and client as well as procurement appraisal information
- Contact details
- CV’s from consultancy services
- Data relating to integrity screening
- Nationality and birth date
Information relating to recruitment (for jobseekers)
- Applications, CVs and other information provided during the recruitment process
- Background security clearance information (for certain positions)
Information on the use of the Nefco website
- Nefco uses cookies on its website, which can collect personal data on your use of the website and your device, such as IP address, browser type and settings, device type and settings, operating system, mobile network information, unique identifiers, session state, log information and cookie consent status. For further information on our use of cookies, please see our Cookie Declaration.
5. Sources of data
Personal data is collected either directly from you, received from our client, potential client, stakeholder or partner organisations, collected with cookies when you use our website or otherwise during the course of Nefco’s business activities.
6. Retention periods
Nefco will keep your data for as long as they are needed for the purposes for which your data was collected and processed. The maximum retention periods for personal data are as follows:
- Client information: 10 years after the loan is fully paid or exit undertaken or 10 years from the date of signing of the financing agreement (in case the project was cancelled) or 5 years from the date on which the first steps of processing the transaction were taken (in case of non-approval of project).
- Project and client appraisal information: As for client information.
- Procurement information: 10 years after the expiry of the relevant agreement.
- Recruitment information: For applications to specific positions the retention period is 6 months from closing the recruitment process. For open applications the data is stored for 12 months from receiving the application but will be deleted if requested by the candidate.
- Information on your use of the Nefco website: Expiry periods for cookies, which are used to collect data on information concerning website use, are explained in our Cookie Declaration.
- Company and contact information on visitors to Nefco’s premises: 3 months after your visit.
Further details are available from the Data Protection Officer at dataprotection@nefco.int.
7. Transfers of personal data
When processing the data for the purposes mentioned above in section 3, Nefco may disclose personal data to certain public authorities and other third parties to satisfy legal obligations that Nefco determines are required for the performance of its activities and in accordance with our Legal Framework.
We have also outsourced the processing of certain personal data to third party service providers, such as the Nordic Investment Bank and external IT service providers. When transferring personal data, Nefco shall ensure that the party receiving the data maintains an adequate level of protection.
Nefco may also transfer data outside of the EU or EEA. When data is transferred outside of the EU or EEA, we ensure a similar level of protection to your personal data by implementing necessary contractual or other safeguards to protect your data.
8. Your rights
You as a data subject have rights in respect of personal data we hold about you. You have the following rights:
- Right to request access to your personal data. You have the right to get a confirmation as to whether Nefco processes personal data on you. If so, you are entitled to receive a copy of the personal data being processed.
- Right to request rectification of inaccurate or incomplete data. You have the right to ask Nefco to rectify personal data concerning you. You also have the right to have incomplete personal data completed.
- Right to request erasure. You have the right to ask Nefco to delete personal data on you in certain situations.
- Right to object to processing based on Nefco’s legitimate interest. In cases where Nefco’s processing is based on legitimate interest, you have the right to object to the processing on grounds relating to your particular situation. That is to ask, that the personal data shall no longer be processed for such purposes. In case of marketing, you always have the right to object to the data processing by Nefco for such purposes.
- Right to request restriction of processing of personal data. You have the right to request that Nefco restricts the processing of your personal data under certain circumstances. The restriction of processing means that the personal data that is subject to the restriction may, besides from storage, only be processed (i) with your consent; (ii) for the establishment, exercise or defence of legal claims; (iii) for the protection of the rights of another natural or legal person; or (iv) for reasons of important public interest.
- Right to data portability. You have the right to receive the personal data you have personally provided to Nefco in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller, if the processing is based on consent or contract, and is carried out by automated means.
- Right to withdraw consent. If the processing is based on consent, you have the right to withdraw your consent at any time.
If you wish to use your above rights as a data subject, please submit your request to the Data Protection Officer at dataprotection@nefco.int
If you consider that your personal data is not processed in accordance with this Policy, you may file a complaint with the Data Protection Officer.
9. Principles of securing personal data
The personal data is protected by limited and assigned access to protected databases where such data is kept in a secure manner. Destruction of personal data is handled in a secured manner.