Privacy statement

28 Feb, 2023

Respect for privacy and personal data protection is part of Statkraft’s corporate culture. This enables us to maintain an environment where our customers, vendors and other stakeholders can trust Statkraft to process their personal data.

As a customer, vendor or stakeholder, your privacy is important to us. We constantly strive to ensure compliance with all applicable data protection laws and regulations and our privacy and data protection policies.

This privacy statement explains how, why and for how long Statkraft processes your personal data.

The personal data we process

Statkraft collects personal data to operate effectively and provide you with the necessary services. We process customer and vendor data, including:

  • contact information of the relevant persons involved
  • information relating to accounts
  • spend thresholds, spending and spending patterns
  • details on what you are empowered to do on behalf of the organisation you represent (customers and vendors)

We also process environmental and social management data, including information about local stakeholders such as information on livelihood, health, contact information and other similar information.

Additionally, we process other partner and stakeholder data, including information about politicians, press contacts and journalists as well as relevant interest groups.

Why we process your personal data

Statkraft processes your personal data to provide or procure goods or services to or from you or your organization. For example, we will process your personal data:

  • to ensure good communication lines with our vendors and customers
  • to ensure the security and availability of our services
  • to improve our services and communication channels
  • for marketing and other customer relation and management purposes
  • for contract management purposes
  • to manage trading services
  • for communication and social media purposes
  • for audit, control and review purposes
  • for emergency response purposes
  • for due diligence purposes
  • for procurement purposes
  • for recruitment purposes

How we collect your personal data

We collect your personal data from different sources. You provide some of this data directly through a customer or vendor relationship. Other data is collected from your activities as a customer, vendor or other stakeholder. We also obtain data from other sources.

Here are some situations where we process your personal data:

Information provided by you, such as:

  • when you enter into contracts or agreements with us
  • when you submit forms to us
  • when you access our webpages or use our social media platforms
  • when you establish a customer or vendor account with us
  • when you send us emails or contact us through other means

Information we receive from your activities as a customer, vendor or other stakeholder, such as:

  • your use of our trading portals
  • your use of our webpages
  • when you order goods or services from us

Information we receive from your activities as a customer, vendor or other stakeholder, such as:

  • public authorities
  • credit institutions
  • other publicly available information

Retention of your personal data

Statkraft retains personal data for as long as necessary to fulfil the purposes for collection. Your personal data will be stored and deleted in accordance with applicable laws.

Reasons we share your personal data

We share your personal data with:

Other companies in the Statkraft group
To the extent it is necessary for fulfilling any of the purposes above, your data is shared with other companies in the Statkraft group.

Statkraft is currently implementing Binding Corporate Rules (BCR). The BCR will establish a legal basis for intra-group transfer of personal data outside the EU/EEA and will be binding for the entire Statkraft group.

We use a number of vendors who provide services such as IT services and support, cloud services, etc. We may allow such vendors to access/receive your personal data to the extent relevant to deliver these services.

We will ensure adequate data processing agreements with our suppliers for the purpose of protecting your privacy. When processors outside of the EU/EEA are used, we will ensure that a legal basis for the transfer of personal data exists.

Public authorities
We will also disclose your personal data where required by law, by order or requirement of a court, administrative agency or government tribunal or in response to legal process.

How we secure your personal data

Statkraft is committed to protecting the security of your personal data.

  • We manage information so it is accurate, readily available and handled in accordance with its sensitivity.
  • We use a variety of security technologies and information security procedures to help protect your personal data from unauthorized access, use or disclosure.
  • We limit access to your personal data to only personnel or third parties who are tasked with processing this data on Statkraft’s behalf. These parties are subject to strict requirements regarding confidentiality and Statkraft can implement disciplinary actions or terminate the agreement if these conditions are not met.

Who is responsible for your personal data

Statkraft AS is the controller and is responsible for the main decisions about the purposes and means of the processing of your personal data. The various Statkraft subsidiaries are responsible for selected processing activities within their sphere of control.

Legal basis for processing your personal data

Statkraft processes personal data only if, and to the extent, that at least one of the following applies:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • processing is necessary for compliance with a legal obligation to which the controller is subject
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data

Your rights

At any time, you have the right to ask us to:

  • provide you with further details on how we use your personal data
  • provide you with a copy of the information that you have provided to us
  • update/correct your personal data
  • provide information about the logic involved in the automatic processing of your personal data in the case of the automated decision-making
  • delete any personal information that we no longer have legal grounds to process
  • provide you with your personal data in a structured, commonly used and machine-readable format or transmit the data to another controller
  • stop particular processing where this is based on legitimate interests unless our reasons for processing the information outweigh any prejudice to your data protection rights
  • restrict how we use your information whilst a complaint is under investigation
  • lodge a complaint through the contact details in this privacy statement or to the relevant regulatory authority

How to contact us

If you have any requests, questions or complaints about how we process your personal data, please contact us at

About this privacy statement

This privacy statement is based on the transparency requirements in Regulation (EU) 2016/679 (General Data Protection Regulation). This privacy statement will be updated when necessary. Any changes will be published on this page.