Skip to content

Personal Data and Cookies Charter

Welcome to the website https://nordic.totalenergies.com/  (hereinafter the “Website”).

The Personal Data and Cookies Charter (hereinafter “Charter”) aims to inform you about your rights that you can exercise regarding the processing of your data and describes the measures that we take to protect these data.

TotalEnergies Marketing Finland A/S is the “data controller” with responsibility for personal data processing on the Website. These processing operations are carried out in accordance with the applicable law.

 

1. Purpose of processing, legal basis, the period of storage and types of data collected

When visiting the Website, you may need to provide us with personal data.

Purpose

Categories of personal data

Legal basis

Retention period

Respond to your questions to customer service, technical support or sales.

Identification data (first name, last name, company name, email, phone number)

The processing of your data is based on consent.

Your data will be kept for a maximum of 5 years.

Sending of product and service information, invitations to events and sales campaigns relevant to the receiver.

Identification data (name, first name, company name, email, phone number)

The processing of your data is based on consent.

Your data will be kept for the duration of your subscription to the requested email alerts. You have the right to unsubscribe at any time.

Statistics

Connection data (IPs, Logs), Navigation

You authorize us to process your data. This information is necessary to enable your request to be processed, otherwise it cannot be processed. You can withdraw your consent at any time without jeopardizing any processing operations that have already been completed, by writing to the following address: contact form

Your data is kept for a maximum of 13 months. For more information, please refer to article 5, Cookie management.

 

 

2. Recipients of the data

In order to process your personal data according to the Charter, your personal data may be communicated to one or more of the data controller's departments or to another entity or entities of the TotalEnergies company (the “Company”)5 and one or more partners, independent distributors or subcontractors: marketing service providers, software service providers.

 

3. Data transfers

Any transfer of data to a country outside the European Economic Area shall be carried out in accordance with the applicable regulations and in such a way as to protect your data appropriately. 

For the purposes of the services provided on this Website and in order to respond to your requests, your data, such as your first name, last name and email address, may be transferred to other entities within the Company located outside the European Union.

In order to ensure an adequate level of protection of the personal data originating from the European Economic Area that may be transferred to other entities within the Company located outsaid the European Economic Area, Binding Corporate Rules (“BCR”) have been adopted.

For transfers of personal data not covered by BCR (i.e. to other entities which are not part of the Company) to countries outside the European Economic Area, other measures are put in place to ensure adequate data protection.

If you would like more information on our BCRs please see “Summarized version of TotalEnergies’ Binding Corporate Rules”. For information on the other measures in place to ensure adequate protection, please write to the contact address indicated at the end of this page.

 

4. Data security and confidentiality

The data controller takes appropriate steps to preserve the security and confidentiality of your personal data, including to prevent them from being distorted, damaged or disclosed to unauthorized third parties.

 

5. Cookies management 

A cookie is a file which enables a website to save information relating to your computer’s browsing of the website to make your visits to the website smoother.

Cookies are text files that are stored on your computer’s browser. They allow access to various information about you. Some of them belong to the publisher of the website (first party) and some to third parties.

The table below details each cookie on the Website.

We enable cookies once you have given your consent, except for technical cookies that are necessary to provide the service you request on the Website.

 

Categories of cookies and trackers 

Name of the cookies and trackers

Objective of the cookies and trackers

Editor

Retention period of the cookies and trackers

Statistics

atuserid

Analysis of the traffic on the Website

AT Internet

13 months

Statistics

Atauthority

Analysis of the traffic on the Website

AT Internet

13 months

Statistics

Idirxvr

Analysis of the traffic on the Website

AT Internet

13 months

Statistics

Atidx

Analysis of the traffic on the Website

AT Internet

13 months

Statistics

Atid

Analysis of the traffic on the Website

AT Internet

13 months

Statistics

Atreman

Analysis of the traffic on the Website

AT Internet

30 days

Statistics

Atsession

Analysis of the traffic on the Website

AT Internet

30 days

Statistics

_ga, _gid

Analysis of the traffic on the Website

Google Analytics

2 years

Statistics

_lfa

Analysis of the traffic on the Website

Leadfeeder

2 years

Technical and functional

Site (has_js)

Contains information on the browsing session and allows the user to access the site.

Drupal

Deleted at the end of navigation

Technical and functional

Drupal.tableDrag.showWeight

Drupal’s cookie configuration

Drupal

1 year

Technical and functional

 Authorized_config

To find out which services have been refused or accepted by the user.

 Drupal

1 year

Technical and functional

 utag_main, utag_main_, Tealium_segment, utag_env_

Used by the Tealium Tag management system

Tealium

13 months

Technical and functional

 getaquote

 In a Find My Product form, saves the user’s entries

Drupal

1 year

Technical and functional

webform

For form submission

Drupal

1 year

Technical and functional

Welcome-popup_display

Created at the closing of the welcome popup

Drupal

Deleted at the end of navigation

Technical and functional

Splash_screen

Created at the closing of the splash screen popup

Drupal

Time of session

Technical and functional

preferred-language

Records the language chosen by the user

Drupal

1 year

Technical cookies

SNS, _sn_m, _sn_n, _sn_a

Implements pop-up advertisement on the website

Sleeknote

1 year

Social media cookies

_fbp

Allows the display of advertising products

Facebook

3 months

 

 

How to withdraw your consent

On your first connection to the Website, you will be asked to give your consent to the use of non-essential cookies and/or to make settings. If you subsequently wish to reconsider your choices, you can manage your cookies settings by going to the section at the bottom of the page of the Website and clicking on “Cookies.”

To delete cookies already stored, please refer to the procedure provided by your operating system (Windows, OS X, etc.).

 

6. Your rights / Contact

In accordance with current regulations, you have the right to access and correct your data. Regarding processing based on the performance of a contract or the implementation of pre-contractual measures, you also have the right to delete your data and to data portability and you can request a restriction of processing.

To exercise your rights you can contact Customer Service, TotalEnergies Marketing Denmark, Amerika Plads 29, 2100 Copenhagen, Denmark, [email protected], and/or Data Privacy Liaison, Legal Department, Amerika Plads 29, 2100 Copenhagen, Denmark, [email protected].

If you feel, after contacting us, that your rights have not been respected, you can lodge a complaint with the competent supervisory authority.

 

Summarized version of TotalEnergies’ Binding Corporate Rules

1. Introduction

The TotalEnergies company (the “Company”)1 promotes a culture and practices regarding the protection of personal data,2 in accordance with the applicable laws. To this end, the Company has implemented Binding Corporate Rules (“BCR”). 

This document summarizes the data protection principles that apply under the BCR and the rights granted by them.

 

2. Purpose

Our BCR are a set of internal binding rules, which are applicable to all of the Company subsidiaries that have adopted them. They have been approved by the European data protection authorities.

They allow Company subsidiaries to transfer personal data originating from the European Economic Area (“EEA”)3 to other Company subsidiaries located outside of the EEA in compliance with the applicable law.

 

3. Implementation scope

The BCR apply to all EEA-originating personal data processed by Company subsidiaries including data relating to former and current employees, job applicants, clients and prospective clients, suppliers and sub-contractors and the staff of third companies acting on behalf of the Company subsidiaries as well as shareholders (hereafter “Data Subjects”). 

 

4. Protection principles

The following principles set out in the BCR must be respected.

 

Lawfulness

Any processing4 operation carried out has a legal basis, provided by the applicable law.

Personal data must only be processed for lawful, determined and legitimate purposes. The data must not be further processed in a way which is incompatible with those purposes.

 

Relevance

Personal data must be accurate and proportionate, in terms of quality and quantity, in relation to the purpose of the processing.

 

Transparency

Personal data must be obtained lawfully and loyally. Data Subjects must be informed about the characteristics of the processing of their personal data and about their rights, unless this proves impossible or would involve disproportionate efforts.

 

Security

Personal data must be protected by appropriate security measures to limit the risks of unauthorized access, destruction, alteration or loss.

To do so, a set of internal norms apply, ensuring the security and the confidentiality of personal data:

  • the usage charters for the IT and communication resources, that requires to act in accordance with applicable law and with the confidentiality rules;
  • the Information Systems Security policy, that defines the governance mode of the security of information systems;
  • the Information Systems Security Reference System, that enumerates, through 19 detailed themes, the different requirements of the Company in terms of security of information systems;
  • the Information Protection policy, that presents the requirements relative to the protection of confidentiality, integrity and of the availability of the information held and exchanged within the Company

When calling upon the services of a third party to process personal data, the Company subsidiary makes sure that the latter offers sufficient guarantees as regards the security and confidentiality of data.

 

Retention

Personal data must be retained only for a reasonable and not excessive period of time with regard to the purpose of the processing. 

When the retention period expires, the data is destroyed, anonymized or archived.

 

International transfers5 of personal data

The Company does not transfer personal data originating from the EEA directly to a Company subsidiary located in a third country which does not provide an adequate level of protection, unless such subsidiary has formally subscribed to the BCR or uses another legal instrument recognized by the European Commission.

The Company (whether acting as a data controller or processor) does not transfer personal data originating from the EEA directly to a company that is not a Company subsidiary located in a country which does not provide an adequate level of data protection without a legal basis under applicable law and instruments providing for sufficient safeguards, such as the standard contractual clauses.

Similarly, where a data importer (data controller or processor located in a third country outside of the EU that receives personal data from the data exporter) further transfers personal data originating from the EEA to a company that is not a Company subsidiary located in a country which does not provide an adequate level of data protection, the data importer shall enter into an agreement with this company whereby it commits to observe the principles of the BCR.

 

5. Data Subject rights

Under the BCR, Data Subjects whose personal data are processed have the following rights:

  • right of access to the data,
  • right to rectify, erase and lock data,
  • right to object to the processing, and
  • right to limit the processing.

[A comprehensive list of the rights granted by the BCR is detailed in APPENDIX 1 hereafter].

 

Data Subjects may exercise these rights by submitting a request using the contact details provided in the legal notice concerning the processing of their data. The Company subsidiaries undertake to reply within the legal deadline about queries concerning the processing outside the EEA.

 

Moreover, if Data Subjects believe that a Company subsidiary has failed to observe the BCR, they have the right to lodge a complaint by sending:

or

  • a letter to TotalEnergies – DATA PROTECTION, Tour Coupole, 2 place Jean Millier, Arche Nord Coupole/Regnault, 92078 PARIS LA DEFENSE CEDEX.

Data Subjects will be informed about the status of their complaint and of any further steps.

The internal complaint procedure is described in APPENDIX 2 hereafter.

The fact that Data Subjects may file a complaint with the Company does not affect their rights to lodge a complaint with the competent EEA data protection authorities or to bring an action before the courts of the EEA country where the Company subsidiary responsible for exporting the personal data is established.

 

6. Governance

An internal “personal data protection network” is in charge of monitoring and controlling the implementation of the BCR within the Company. It is composed of:

  • a Corporate Data Privacy Lead who monitors and follows compliance actions at the Company level;
  • Branch Data Privacy Leads who lead and coordinate compliance actions at the Branch level;
  • Data Privacy Liaisons who lead and coordinate compliance actions at the affiliate level.

7. Internal control and audit

To ensure the proper application of the BCR, some internal control and audit mechanisms have been implemented.

An annual internal control plan is defined by the personal data protection network to assess the level of compliance of the Company’s processing regarding the BCR. A reporting is also set up to report regularly on the actions plans that have been drawn up after evaluations.

Furthermore, the Company Internal Audit Direction also integrates the control of the personal data protection pattern into its periodic audit plan.

 

8. Changes to TotalEnergies’ rules

If necessary, the BCR may be completed or updated.

 

9. More information

A copy of the comprehensive version of the BCR as well as a list of Company subsidiaries that adopted them can be obtained by sending an e-mail at: [email protected]

 

1 The terms “Company” or “TotalEnergies company” refer collectively to the company TotalEnergies SE and the companies it controls directly or indirectly. Such terms are used solely for the sake of convenience for purposes of the present communication.

2 Personal data means any information enabling the direct or indirect identification of a natural person.

3 EEA means Member States of the European Union plus Iceland, Liechtenstein and Norway.

4 Processing means any operation which is performed upon personal data, whether or not by automatic means (e.g: collection, recording, storage, destruction…).

5 Transfer means all virtual and physical exchanges of EEA-originating personal data from one country to another.

 

 

APPENDIX 1
THIRD PARTY BENEFICIARY RIGHTS

The BCR grant rights to Data Subjects as third-party beneficiaries.

 

More specifically, they may enforce the following principles according to the terms and conditions set out in the BCR:

  • that any processing operation carried out within the Company must have a legal basis as provided for by applicable law;
  • that the Company must collect and process personal data for legitimate, specified and explicit purposes and must not further process any personal data in a way incompatible with the purpose for which they were collected;
  • that the Company must process personal data that are relevant and not excessive in relation to the purposes for which they are collected, and that these data must be accurate and, where necessary, kept up to date;
  • that Data Subjects must be provided with easy and permanent access to the information relating to their rights under the BCR;
  • that Data Subjects whose personal pata originate from the EEA must have a right of access, of rectification and of objection to the processing of their personal data in accordance with applicable law;
  • that Data Subjects whose personal data originate from the EEA must not be subject to a decision that produces legal effects concerning them or significantly affects them and that is based solely on automated processing of personal data intended to evaluate certain personal aspects relating to them, unless that decision:
    • is taken in the course of the entering into or performance of a contract, provided the request for the entering into or the performance of the contract, lodged by the Data Subject, has been satisfied or that there are suitable measures to safeguard his/her legitimate interests, such as arrangements allowing him/her to express his/her point of view; or
    • Is authorized by applicable law, which also lays down measures to safeguard the Data Subject’s legitimate interests;
  • that the Company must implement appropriate measures to guarantee the security and confidentiality of the personal data, having regard to the state of art and the cost of their implementation;
  • that the Company must conclude a written processing agreement with any service provider used to process personal data, specifying that the service provider shall act only under the Company’s instructions and shall implement appropriate security and confidentiality measures;
  • that the Company must not transfer personal data from a member state of the EEA or originating from the EEA to a company not belonging to the Company and located in a third country which does not provide an adequate level of data protection (either an external data controller or processor) without a legal basis under applicable law and instruments providing for sufficient safeguards;
  • that a Company subsidiary must immediately inform the data exporter if this Company subsidiary deems that the legislation applicable in its jurisdiction is likely to prevent it from fulfilling its obligations pursuant to the BCR, and have a detrimental effect on the guarantees offered by the BCR, unless where prohibited by a law enforcement authority, in particular as a result of a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
  • that any Data Subject may lodge a complaint with the Company through the internal complaint mechanism in accordance with the terms set out in the chapter “Complaint handling”;
  • that any Company subsidiaries that have subscribed to the BCR must cooperate with the competent supervisory authorities, follow their recommendations regarding the international transfers of data in the event of a complaint or of a particular request from such authorities and accept to be audited by the supervisory authority of their country of establishment; and
  • that any Data Subject may lodge a complaint with the national supervisory authorities or bring an action before the court of the EEA member state where the data exporter is established in order to enforce the above principles, and, where appropriate, to receive compensation for the damage suffered as a result of a breach of the BCR. If, in the course of a transfer of personal data outside the EEA, the data importer fails to observe the BCR, the data exporter will defend any claim, establish that the data importer has not violated the BCR, and pay compensation to the Data Subject for the damage suffered as a result of that violation.

 

APPENDIX 2
INTERNAL COMPLAINT HANDLING PROCEDURE

If a Data Subject believes that a Company subsidiary has not complied with the BCR, he/she may file a complaint in accordance with the complaint procedure set forth in the relevant privacy policy or contract or pursuant to the procedure described below.

 

1. How to make a complaint

Data Subjects may file a complaint by sending:

or

  • a letter to TotalEnergies – DATA PROTECTION, Tour Coupole, 2 place Jean Millier, Arche Nord Coupole/Regnault, 92078 PARIS LA DEFENSE CEDEX.

The complaint should clearly provide as much detail as possible about the issue raised, including:

  • the country and the Company subsidiary concerned, the Data Subject’s understanding of the violation of the BCR, the redress requested;
  • the Data Subject’s full name and contact details as well as a copy of his/her identity card or any other identifying document; and
  • any previous correspondence on this specific issue.

2. TotalEnergies’ response

Within three months of the Company receiving a complaint, the appropriate Branch Data Privacy Lead (“BDPL”) shall inform the Data Subject in writing of the admissibility of the complaint; and if the latter is admissible, of the corrective actions that the Company has taken or will take in response. The appropriate BDPL shall ensure that, if necessary, appropriate corrective actions are taken to achieve compliance with the BCR.

The appropriate BDPL shall send a copy of the complaint and any written reply to the Corporate Data Privacy Lead (“CDPL”).

 

3. Recourse process

If the Data Subject is not satisfied with the response from the appropriate BDPL (e.g., the complaint has been rejected), he/she may refer to the CDPL by sending an e-mail or letter as indicated above. The CDPL will review the complaint and reach a decision within three months of the data the request was received. Following this period, the CDPL will inform the Data Subject whether the initial response has been upheld or communicate a new response.

The fact that Data Subjects may file a complaint with the Company does not affect their right to lodge a complaint with the competent national supervisory authority or bring an action before the court of the EEA member state where the data exporter is established.

OCTOBER 2022