Data Protection and Privacy Policy

At Wind Estate we are committed to protecting our stakeholders’ privacy and personal data. This Data Protection and Privacy Policy outlines how we collect, use, store, and manage personal information in compliance with applicable data protection laws and regulations, including the General Data Protection Regulation (GDPR), the Danish Data Protection Act, and the UK GDPR.

This policy applies to all personal data processed by our organisation, including data collected through our website, services, and interactions with customers, employees, and other stakeholders.

Wind Estate A/S
Læsøvej 1, 8940 Randers SV
CVR: 26271886
Contact information: compliance@windestate.com

We are not required to have a Data Protection Officer (DPO), so any inquiries regarding our use of your personal data should be directed to the contact details provided above.

In day-to-day operations, we collect and use a variety of information about identifiable individuals, including data about:

• Former and current employees
• Wind turbine co-owners
• Authorities
• Interest organisations / associations
• Landowners
• Stakeholders in co-ownership of projects
• Suppliers and partners, including but not limited to lawyers and surveyors
• Potential customers / Leads

Wind Estate stores and uses data such as:

• Name of landowner, leaseholder, business manager, or other contact person
• Address
• Telephone number
• E-mail address
• Business registration number
• Date of birth and CPR number for identification
• Cadastral number
• Ownership code
• Bank details
• Minutes of meetings

Through the collection and use of this data (called data processing), Wind Estate is subject to a number of different laws governing how such activities can be carried out and the security measures that must be in place.

1.   Basic definitions in GDPR

The most basic definitions for the purposes of this policy are as follows:

• Personal data is defined as: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental and psychological, economic, cultural or social identity of that natural person
• Data processing is defined as: any operation or set of operations which is performed on personal data or on a set of personal data, whether or not by automatic means, such as collection, recording, organisation, organising, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure and publication by transmission, dissemination or otherwise making available, alignment or combination, restriction, adaptation, erasure or destruction of data
• Data Controller is defined as: a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be determined by Union or Member State law
• Data Protection Coordinator is defined as: an individual within an organisation responsible for managing and overseeing the implementation of data protection policies and practices, including ensuring compliance with data protection regulations, handling data-related inquiries, coordinating responses to data breaches, and providing guidance and training to staff on data protection issues

2.   Principles for processing personal data

There are a number of fundamental principles on which the GDPR is based.

1.  Personal data must be:

a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)

b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with GDPR shall not be considered incompatible with the original purposes (‘purpose limitation’)

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)

d) concise, accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate with regards to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be kept for longer periods if the personal data are processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with GDPR, provided that appropriate technical and organisational measures are implemented as required by this Regulation to safeguard the rights and freedoms of data subjects (‘storage limitation’)

f) processed in a manner that ensures appropriate security of the personal data concerned, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

2. The Data Controller is responsible for complying with and must be able to demonstrate compliance with the above (‘accountability’).

Wind Estate will ensure that it complies with all these principles both in the processing currently carried out and as part of the introduction of new methods of processing, such as new IT systems.

3.   Rights of the individual

The data subject also has rights under the GDPR. These consist of:

• Right to be informed
• Right of access to documents
• Right to rectification
• Right to erasure
• Right to restriction of processing
• Right to data portability / have data transferred to another provider
• Right to object to processing
• Rights in relation to automated decision-making and profiling

Each of these rights is supported by appropriate procedures at Wind Estate that set out necessary measures and deadlines to be complied with. These timeframes are shown below.

4.   Lawful processing / Legal basis

Under the GDPR, there are six alternative ways to obtain a legal basis for data processing. It is Wind Estate’s policy to identify the legal basis for each data processing operation and to document it. The options are described in brief in the following sections.

4.1.  Consent

Unless a legal basis can be found otherwise, Wind Estate will always seek to obtain explicit consent from data subjects to collect and process their data.

The consent is based on transparent information about our use of personal data. In addition, we provide information about the data subjects’ rights, such as the right to withdraw consent. This information will be provided in an accessible format, written in plain language, at the time consent is obtained.

If personal data is not obtained directly from the data subject and the processing is to be based on consent, the information must be provided to the data subject within a reasonable period after receipt of the data, preferably within one month.

4.2.  Performance of an agreement/contract

If processing is necessary for the fulfilment of a contract to which the data subject is party or if processing is necessary for the implementation of measures taken at the request of the data subject prior to entering into a contract, explicit consent is not required.

This option will often be used as a legal basis when the contract/agreement cannot be performed without the personal data in question – for example, it is clear that a delivery cannot be performed without an address to deliver to.

Wind Estate utilises this legal basis extensively, as projects last up to 40 years, corresponding to the lifetime of wind turbines. Therefore, it is necessary to store both e-mail communication and project documents in order to document what has been agreed with whom. These records contain only minimal common personal data (such as name and address), which is also often publicly available online. No sensitive personal data is processed.

Likewise, employee data is processed on the basis of contract fulfilment.

4.3.  Legal obligation

If personal data is collected and processed to comply with the law, explicit consent is not required. This may be the case where data relates to employment and taxation, and for many areas within the public sector.

Wind Estate is legally obliged to keep shareholder registers and owner books, as well as to report certain information about employees to the authorities.

4.4. Vital interests of the data subject

In cases where processing of personal data is required to protect the vital interests of the data subject or other natural person, explicit consent is not required. Vital interests mean first and foremost the interests of life and health. Wind Estate provides reasonable and documented evidence that this is the case when this is used as a legal basis for processing. As an example, this can be used in connection with social care, especially in the public sector.

Wind Estate has no vital interest data processing as a legal basis.

4.5.  Task in the public interest

If Wind Estate needs to perform a task that it believes is in the public interest or as part of an official duty, consent is not required. Wind Estate will provide reasonable and documented evidence that this is the case.

Wind Estate has no data processing with public interest as a legal basis.

4.6.  Legitimate interests / Balancing of interests

If the processing of personal data is considered to be in the legitimate interest of Wind Estate and if the processing is not deemed to significantly affect the rights and freedoms of the data subject, explicit consent is not required.

Wind Estate has a legitimate interest in storing email communication and project documents indefinitely. Wind Estate has prepared reasonable and documented evidence that this is the case.

Furthermore, Wind Estate has a legitimate interest in processing various types of information about employees, as well as in processing data collected in connection with reasonable security measures in the company.

5.   Data security by design

Wind Estate has adopted the principle of data security and privacy by design in all new and significantly changed systems or processes.

6.   Contracts regarding processing of personal data

Wind Estate will ensure that all relationships involving the processing of personal data are subject to a documented contract containing the specific information and terms required by GDPR.

7.   International transfers of personal data

Transfers of personal data outside the EU and UK will be carefully scrutinized prior to the transfer taking place to ensure that they fall within the boundaries of the GDPR. This depends in part on the European Commission’s assessment of the adequacy of safeguards for personal data in the receiving country, which may change over time.

8.   Data protection responsibility

As Wind Estate’s primary core activities do not involve the processing of personal data, or involve only minimal processing, there is no requirement to appoint a Data Protection Officer. The overall responsibility for data protection, compliance and data protection policies therefore lies with Wind Estate as Data Controller, supported by a dedicated Data Protection Coordinator who ensures ongoing adherence to regulatory requirements and best practices.

9.   Security breach

A security breach is an incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data.

It is the policy of Wind Estate to strike a fair and appropriate balance when considering measures to inform affected parties about personal data breaches. The balance should include whether there is a risk of physical, material or moral harm to the data subjects, the amount of data, and the level of risk.

If a breach is discovered to have occurred that is likely to result in a risk to data subjects, the Data Protection Authority (or other relevant supervisory authority) must be notified within 72 hours.

This will be handled in accordance with the Data Breach Response Procedure, which sets out the overall process for handling data security incidents.

10. Measures for GDPR compliance

The following measures are in place to ensure that Wind Estate at all times complies with the principle of accountability under the GDPR:

• The legal basis for processing personal data is clear and unambiguous and documented in the document ‘Registration of processing activities’[1]
• Consent rules are followed
• Guidance is available to data subjects wishing to exercise their rights regarding requests for access to personal data and such requests are processed effectively
• Reassessment of procedures involving personal data is carried out regularly (annually)
• Data protection by design is adopted for all new or modified systems and processes
• Documentation of processing activities and data flows is completed with regards to
  • Purpose of data processing
  • Data erasure and retention plan is adopted
  • Relevant technical and organisational controls are in place

These measures are regularly reassessed by our Data Protection Coordinator as part of the ongoing commitment to data protection. The policy will be reviewed and updated annually, or as needed, to ensure it remains relevant and effective.

If you wish to complain about our use of your data, we prefer that you contact us directly in the first instance (compliance@windestate.com), so we can address your complaint. However, you may also contact the Danish Data Protection Agency via their website at www.datatilsynet.dk.

Version: 3.0
Date: September 2024