Last updated 2.1.2023
The controller responsible for your data is the company with which you have made an agreement. In Finland, the company responsible for customer data is Neste Marketing Ltd.
Neste head office:
00095 Neste, Finland
Street address: Keilaranta 21, Espoo
Telephone (switchboard): +358 10 45811
The contact information for other Neste locations can be found on our website at neste.com.
2. What personal data do we collect about you?
The personal data we collect about you varies depending on which products or services you purchase or order from us. Please note that not all services are available in all countries.
- Personal data – We collect personal data about you when you purchase products and services from us. Such data includes your contact information (e.g. name, address, phone number and e-mail address); personal identity code; demographic data (e.g. gender, age, mother tongue, nationality, occupation); financial information and other information necessary for credit control, including information on debt collection (if applicable) and results of credit checks.
- Neste card details – Card holder and validity, credit limit, card type, and information necessary to prevent or expose money laundering and terrorist financing, as well as any information Neste requires to be able to comply with trade sanctions, always in accordance with local legislation.
- Neste discount card details – Card number and validity, name, phone number, e-mail address, address details, date of birth.
- Contract and transaction details – Information about your agreements, orders and purchases, including your purchases with Neste's payment instruments; invoice details and related payments; records of phone calls made to our customer services and credit control, and of your communication with us.
- Payment information – Payment instrument and bank account details, for example, which are needed to confirm or refund purchases, as well as the details of any discount or loyalty card.
- Neste service stations, Neste Easy Wash, Neste Easy Fill – Information related to purchase transactions and, depending on the service, the details used for authentication, such as a vehicle registration number. If the service station employs a queue camera or license plate identification for the identification of vehicles in the use of the services, this is indicated separately by the appropriate signs.
- Neste Easy Deli – The information used for authentication by Neste App, details related to purchase transactions and details related to payment transactions.
- Neste App – Information provided in connection with registration (name, email address, phone number, user ID). The card details stored in the Neste App are only on your device, they are never stored on Neste servers.
- Neste's servers. Oma Neste, Extranet – Information related to your customership and registration (customer number, name, address, contact information, user ID); information related to cards, information related to purchases, your activities in the service.
- Events – Information provided by you while signing up for an event.
- Contests, prize draws and games – The information you provide upon entering, such as your name, phone number, address and the answers you provide.
- Video surveillance – Neste retail locations, such as Neste service stations, Neste Easy Deli stores and Neste Easy Wash stations, have recording video surveillance. The premises may have surveillance cameras of both Neste and companies providing security services to Neste. The video recordings are used to ensure safety, to investigate complaints, and to prevent and resolve theft and other harmful activities, such as vandalism and other actions aiming to damage property or harm people. When necessary, we also use video footage to reach the owner or holder of a vehicle, for example, to protect a customer’s property or health or under other exceptional circumstances. We may use external service providers, such as the Finnish Transport Safety Agency or directory inquiries, to gain access to contact information.
3. How do we collect information on you?
- From you – In most cases, we receive personal data directly from you when you apply for a Neste card, for example, or when you buy products or services from us, create a user account or enter a contest or prize draw.
- From third parties – Including public address and vehicle registers, marketing partners, credit rating agencies, collection agencies and our other partners. To ensure that we process accurate data about you, we use the services of external service providers to supplement the data you provide to us and to keep it up to date. For customer acquisition purposes, we collect contact information from company websites.
- Neste Group companies – We share your personal data within Neste Group in connection with financial administration and credit control, for instance.
4. What do we do with your data?
We collect your personal data in order to maintain our customer relationship, to target marketing towards you and to both develop and offer products and services.
We process your personal data only for pre-defined and legitimate purposes based on a contract, consent, a legal obligation or legitimate interest.
4.1 Delivering products and services
This includes the receiving of an order and the delivery of a product or service, as well as processing invoices related to an order. If necessary, we also use personal data to collect late payments.
The processing of the data is based on an agreement between you and Neste and is necessary for fulfilling the obligations arising from the customer relationship. If required by law, we will ask for your consent to the provision of some services. Such services include services that employ location data.
4.2 Creditworthiness assessment and legal obligations
We assess your creditworthiness in connection to an order and when determining your credit limit. This is based on an agreement between you and us.
We use automated decision-making to facilitate creditworthiness assessments. We use credit agencies and public registers to assess the risk of non-payment and the likelihood that you are able to repay your debt. We compare this information with the terms of the agreement you are about to enter into with us. Based on this assessment, we determine whether and under what conditions we may grant you a term of payment.
We take the following information into account when making creditworthiness decisions:
- the data you have provided in your application
- your previous payment behavior in your customer relationship with Neste and information about any possible non-payment of debts
- the information provided by the credit rating agencies we use and the public information available on you.
- We may ask you to provide additional information before we can grant a term of payment; such data may consist of financial statements or the consent of a guardian, for example.
We collect information necessary to prevent or disclose money laundering and terrorist financing, as well as the information necessary for Neste to comply with trade sanctions, always in accordance with local legislation. Other legal obligations regarding the processing of personal data are imposed on us by, for example, tax and accounting legislation.
4.3 Customer service and improvement of services
We record customer service and credit control calls, emails and chat messages, so that we can respond to your questions and other requests concerning our products and services. We use call recordings to verify orders and to maintain and develop the quality of our customer service. It is our legitimate interest to improve our services.
4.4 Targeted marketing
We collect information about your contacts and communication with us, as well as about your purchases and use of our services, including electronic services, such as the Neste App and web pages, in accordance with our legitimate interest
- to better understand usage trends among customers
- to improve the customer experience
- to further develop our services and products to meet customers’ interests and needs
- to provide our services and products.
We analyze our customers’ use of our services and products and compile statistics on that use. We also collect data about your actions when you receive our marketing messages.
Based on the data we have collected, we create a profile that describes you as a customer as accurately as possible, to categorize you into various segments according to your total annual purchases, your purchase frequency or the product range you use, for example. We target marketing messages based on the profiles we create. The benefits offered and the content of the message vary from customer to customer. This creates added value for you: you will be provided with better services and products and receive marketing messages that better meet your needs. It also enables us to better meet the constantly changing needs and wishes of customers.
You are always entitled to request information about your profile and the personal data and categories of data on which it is based. In addition, you are always entitled to refuse to receive messages of this type. We do not engage in profiling that would produce legal effects or other significant effects concerning you, as described in the EU General Data Protection Regulation.
4.5 Online advertising
We market our products and services online, on our own or our partners’ websites according to our legitimate interest. The marketing takes place by means of targeting cookies placed on the web pages. We may also target marketing at you in social media based on your phone number, name and email address, if you have not blocked marketing.
We may also use marketing partners who display our products and services to you on their own services or channels, but have not received your personal data from us. If you wish to prevent such marketing or exercise any of your other rights, please contact the marketing partner in question directly.
4.6 Consent-based marketing
Electronic direct marketing is always based on your consent and the content of the messages is based on the category of products or services related to your customer relationship. We use electronic direct marketing via e-mail, SMS or push messages, for example. You have the right to withdraw your consent at any time, either by clicking the link in the message you receive, notifying Neste, or by changing your device settings, either by disabling or allowing push messages.
4.7 Customer communication
We may send you messages related to our customer relationship based on our legitimate interest. Such messages may contain information and offers on products and services. Messages can be sent as invoice attachments, for example.
If necessary, we may also send you safety data sheets. For such communication, we do not need your consent. For customer communications, we use electronic channels such as e-mail, SMS or push messages.
4.8 Delivery of contest prizes
We use your personal data to deliver the prizes of contests or prize draws. This is based on your consent to the terms and conditions and the rules of the contest.
5. How long do we store your personal data?
- Contractual data, such as customer relationship data, is stored for the duration of the customer relationship. We will then store your customer data for another two years for marketing purposes. The customer relationship is considered to be terminated if the customer relationship has no transactions or contacts for two years.
- Data processed on the basis of legal obligations is stored for the period defined by local law. The storage period of personal data is determined, for example, by accounting or anti-money laundering legislation.
- In accordance with the Accounting Act, we store accounting records, such as sales invoices, for six years from the end of the year during which the financial year ended.
- In accordance with anti-money laundering legislation, customer due diligence and transaction data must be stored for a period of five years from the end of the permanent customer relationship. This data includes the relevant person’s name, date of birth, personal identity code and address; the name, date of birth and personal identity code of the representative; a legal person’s full name, registration number, date of registration, registration authority and the address of the legal person’s registered office and, if different, the address of their principal place of business and, where appropriate, the articles of association or the corporation bylaws.
- The following are examples of personal data processed and stored on the basis of legitimate interest: the development of services using recordings of phone calls, direct marketing after the end of a customer relationship and video surveillance at retail locations. Data of this kind is stored for as long as the grounds for processing exist. If the customer has the possibility to object to the processing, the data will be deleted.
- Personal data based on consent is used only for pre-defined purposes for the time being or until you withdraw your consent. This includes electronic direct marketing and you always have the right to withdraw your consent.
6. Who has access to your data?
Only persons who have to process personal data while performing work tasks have access to the customer data. All such persons are bound to secrecy.
Neste Group companies
We share personal data within Neste Group when it is necessary for the purposes mentioned in this Privacy Statement. We share personal data with other Group companies in connection with financial administration and credit control, for example.
ICT service providers and vendors
We use carefully selected ICT partners that provide user support, maintenance and development services for ICT systems.
Marketing service providers
We use carefully selected marketing service providers, communications service providers and media agencies that help us deliver and produce marketing content based on the personal data we collect from our customers.
Customer service providers
We share personal data with an external service provider when they handle customer service on our behalf.
Credit control and other customer due diligence services
We share personal data with carefully selected credit rating agencies when evaluating your orders, assessing your creditworthiness and, if necessary, collecting past due claims from you or informing you of your outstanding invoices from Neste. Our partners also carry out mandatory background checks on our behalf, if necessary, so that we can comply with our obligations as a payment service provider and prevent money laundering and terrorist financing.
Payment and invoicing service providers
Trusted payment and invoicing service providers help us process payment and invoicing transactions.
Providers of transport services and suppliers of products
We disclose personal data to transport service providers and product suppliers to deliver the ordered products to customers.
We disclose personal data to our partners to ensure, for example, that they provide you with the appropriate benefits when you use your customer loyalty card at Neste stations. If necessary, we also disclose personal data to our partners under exceptional circumstances, such as protecting our customers’ property or health.
We disclose your personal data at the request of an authority, in connection with legal proceedings, by order of a court or in connection with the processes of public authorities.
In connection with business arrangements, we may disclose your personal data to buyers and their advisors.
7. Transfer of personal data to third countries
We do not transfer or disclose your personal data outside the European Union or the European Economic Area without legal grounds and unless it is adequately protected.
We ensure that we use the necessary contractual safeguards (e.g. the standard data protection clauses approved by the European Commission) when we transfer personal data to such service providers.
8. How do we ensure information security?
We do everything we can to keep your data secure. Through continuous and active development we ensure that your data remains secure.
Neste uses the necessary technical and organizational security measures and procedures to protect your personal data from loss, misuse, alteration or destruction.
All Neste employees and contractors are bound by an information security policy that provides more detailed instructions. The systems and applications used to process personal data can only be accessed by persons who need the data in the performance of their duties.
If the electronic data is managed by a third party on behalf of Neste, Neste requires the third party in question to comply with comprehensive information security requirements.
If personal data is processed manually, it is done in premises approved for such purposes. The premises are protected by the necessary physical protection measures, such as access control systems and surveillance cameras.
- ensure that the website is functional
- improve the user experience by personalizing the content and advertisements or providing social media functionalities, for example
- collect information about your visit to the website to analyze data traffic
- provide our media, advertising and analytics partners with information about the way you use our website.
What are cookies?
When you visit a website, it may store or retrieve information about your browser, usually in the form of cookies. This information may concern you or your settings or device, or it may be used to modify the site to work as you expect. The information makes it possible to provide you with a more personalized service experience.
10. Rights related to your personal data and how to use them
You can exercise your rights under the EU’s General Data Protection Regulation (GDPR) by submitting a request using the form on this page or by contacting our customer service. We will respond to your request within 30 days of receiving it. The request must be sufficiently identified. If your request is extensive or complex, the processing time may be extended by up to two months.
We will also notify you if we are unable to comply with your request, such as the deletion of your data, which we are legally obliged or otherwise entitled to retain. We will assess the requests on a case-by-case basis and, if necessary, request additional information from you to process it. You must be prepared to prove your identity. You have the right to exercise your rights free of charge once a year.
If Neste considers the request to be clearly unfounded or unreasonable, Neste may refuse to process the request or charge a fee to cover the administrative costs. Your request, as well as the information you provide, will be stored in our systems.
Right of access to your personal data
You have the right to know what and how we process your personal data and to receive a copy of the data.
Right to request rectification of personal data
We always try to keep your personal data up to date, but if you notice that we are processing outdated or otherwise inaccurate personal data, you always have the right to ask us to rectify your personal data.
Right to request erasure (“right to be forgotten”)
Once we have verified the accuracy of your request, we will erase your data, unless we need to retain it to comply with our legal obligations, such as accounting obligations. Your personal data will be automatically erased from Neste's systems after the storage periods we specify or when there is no legal obligation to retain it.
Right to restrict processing
In certain cases, you have the right to request that we restrict the processing of your personal data. This means that we do nothing to the personal data other than store it in our IT systems. Once we have verified the accuracy of your request, we will stop processing your personal data.
Right to object to processing
You have the right to object to the processing of your personal data in the normal course of our business when the processing is based on Neste’s legitimate interest. When we receive your request, we will carefully evaluate it and stop processing your personal data if our processing has been unreasonable. Neste may reject your request if there are compelling legitimate grounds for the processing of your personal data.
Blocking of electronic direct marketing
You always have the right to refuse direct marketing. The easiest way to do this is to click on the “Unsubscribe from the marketing list” button in our marketing messages. You may still receive some marketing messages after the marketing block has been updated in our systems. This is because we have scheduled the transmission of a message in advance.
Right to data portability
You have the right to ask us to send you – or some other person – a copy of the data you have provided to us in a commonly used machine-readable format. This right applies solely to the personal data you have provided to us when we have collected it on the basis of your consent or an agreement between you and us.
Once we have verified the accuracy of your request, we will send your data to the address specified in your request.
Right to lodge a complaint with a data protection authority
We hope that you will always contact us if you have any questions about how we process your personal data. However, if you believe that we have not complied with data protection legislation when processing your personal data, you have the right to lodge a complaint with the data protection authority (tietosuoja.fi/en/home). You can contact the supervisory authority in your country of residence or work.
11. Send a privacy request to Neste
- Consumer customer - Submit a privacy request
- Corporate customer - Submit a privacy request
- Please add the name of your contact person (who knows you at Neste?) in the form’s “Additional information” field. This allows us to find your personal data more easily.
- You can manage your personal data through Neste’s Career Opportunities portal. You can change, update, or delete your personal data at any time.
- We may use aptitude tests and/or video interviews as part of the recruitment process. You can ask our service provider (RecRight) for further information about the processing of your personal data in connection with aptitude tests and/or video interviews, for example. Video interviews are stored for 12 months. If necessary, you can ask RecRight to delete your video and personal account by sending an email to firstname.lastname@example.org.
- Employee – See Neste’s internal website (Cosmos) for more information
- Former employee – Contact your former manager or HR
12. Updates to the Privacy notice
We will notify you of any changes to the Privacy notice on our website. Questions about data protection?
13. Questions about data protection?
If you have any questions about the processing of your personal data at Neste and you cannot find the answer on these pages, you can submit your questions by using the form below or contact Neste’s customer service. If you wish to exercise your data protection rights, please submit a privacy request here.
Questions about the processing of personal data at Neste? Please submit your questions using this form.
Frequently Asked Questions
- My address data is wrong. How can I update them?
We aim to keep your data up to date. You can inform us of your changed address or other details by contacting our customer service.
- I'm having trouble with card payments or using Neste App. What should I do?
Please contact our customer service.
- I no longer want to use Neste App. How can I delete my data associated with it?
Fill out the GDPR request here. We may delete the personal data we process without delay to the extent that there is no legal obligation to retain it. This applies, among other things, to: user data related to Neste’s electronic services. Please note that if you are using a Neste mobile card, we will contact you to verify your identity. Any data related to payment instruments (such as customer credentials) is stored in accordance with local law.
- I don't want any marketing messages. What should I do?
All of our marketing messages contain the option to withdraw consent by clicking on a link in the message. You can also inform our customer service of your wish to block marketing by calling 0200 80100 (local network charge/mobile phone charge) on weekdays from 8 a.m. to 4 p.m. Users of Neste Mobile app can also manage marketing messages in the settings of the mobile app.
- Could you send me some stickers?
Unfortunately, we no longer distribute stickers.
- I received a message concerning customer due diligence, and I am a little puzzled by the address it was sent from. Is it a phishing message?
Customer due diligence is based on legislation aimed, among other things, at preventing money laundering, terrorist financing and financial crime. Therefore, we ask you to update your data regularly via an electronic form. We send requests to update customer information from the email address noreply(a)markkinointi.neste.com.