Privacy notice YES-EU camera surveillance »
Privacy notice YES-EU recruitment »
Privacy Notice
This is the privacy notice of YES-EU Ltd in accordance with the EU General Data Protection Regulation (EU) 2016/679 regarding the processing of personal data.
This notice describes how YES-EU Ltd processes personal data of its customers, suppliers, partners, and other stakeholders’ contact persons (“data subjects”).
YES-EU Ltd operates in the import, sales, installation, and maintenance of electric buses, commercial vehicles, and related electrification equipment.
Prepared: 10 May 2023. Last updated: 25 June 2026.
1. Controller
YES-EU Oy
Address: Perintötie 8 C, 01510 Vantaa
Business ID: FI31985228
2. Contact details for data protection matters
Contact: Tietosuoja@YES-EU.com
3. Purpose of processing and legal basis
The controller processes personal data of data subjects for the following purposes:
a) Customer relationship management and maintenance
Processing of contact details of current and potential customers’ representatives for handling offers, contracts, orders, deliveries, invoicing, and maintaining customer relationships. The legal basis for processing is a contract (Art. 6(1)(b)) and legitimate interest (Art. 6(1)(f)).
b) Supplier and procurement management
Processing of contact details of suppliers and subcontractors’ representatives for procurement activities, contract management, and cooperation. The legal basis is a contract (Art. 6(1)(b)) and legitimate interest (Art. 6(1)(f)).
c) Stakeholder and partner communication
Processing of contact details of stakeholders (e.g. authorities, financiers, industry associations) and partners for cooperation and communication purposes. The legal basis is legitimate interest (Art. 6(1)(f)).
d) Direct marketing and electronic marketing
Sending newsletters, product information, and event invitations via email or other electronic channels. The legal basis is consent (Art. 6(1)(a)) or legitimate interest (Art. 6(1)(f)).
Where processing is based on consent, the data subject has the right to withdraw it at any time without affecting the lawfulness of prior processing. Where processing is based on legitimate interest, the data subject has the right to object to the processing of personal data for direct marketing at any time.
e) Website technical functionality and security
IP addresses of website visitors and cookies necessary for the functioning of the service are processed to ensure information security. The legal basis is legitimate interest (Art. 6(1)(f)). If analytics or third-party cookies are used, consent is requested separately.
4. Legitimate interest of the controller
The controller has a legitimate interest in maintaining customer, supplier, stakeholder, and partner relationships, ensuring the technical security of its website, and marketing its services.
Processing is necessary for the purposes described above, and these objectives cannot be achieved by other means. The data processed is limited to professional contact details and organizational roles.
The scope of processing is limited, does not involve special categories of personal data, and has minimal impact on data subjects’ rights and freedoms.
Data subjects can reasonably expect their contact details to be used in a professional context, and the processing does not exceed what is typical in a business relationship.
Data subjects have the right to object to processing based on legitimate interest at any time and to object to direct marketing unconditionally.
Personal data is not used for automated decision-making with significant legal effects. Profiling used for marketing does not have significant impact.
In the overall assessment, the controller’s legitimate interest is not overridden by the rights and freedoms of data subjects.
5. Categories of personal data
The personal data processed includes:
– Name and position in the organization
– Contact details (phone number, email address, business address)
– Information related to services and products ordered, changes, invoicing details, and other data related to customer, supplier, or stakeholder relationships
– Data collected via cookies (such as IP address)
6. Sources of personal data
Personal data is primarily collected directly from the data subject, e.g. via website forms, email, phone, social media services, contracts, meetings, and other situations where the data subject provides their information.
Contact details may also be collected from public sources such as websites, directories, and other companies.
7. Disclosure and transfer of data
Personal data is not regularly disclosed to third parties. Data may be published if agreed with the customer.
The controller may use trusted subcontractors (e.g. IT service providers and CRM providers) for processing personal data, and appropriate data processing agreements have been concluded with them.
Data may be transferred outside the EU/EEA where necessary for business operations, maintaining customer or stakeholder relationships, or fulfilling contracts. Such transfers are carried out using European Commission standard contractual clauses or another lawful safeguard.
8. Principles of data protection
Personal data is processed with due care, and data processed via information systems is adequately protected.
When personal data is stored on internet servers, appropriate physical and digital security measures are implemented.
The controller ensures that stored data and access rights are handled confidentially and only by employees whose duties require it.
9. Retention periods
Personal data is stored only as long as necessary for the purpose of processing.
Contract-related data is generally retained for 6 years after the end of the contractual relationship due to accounting requirements.
Stakeholder and partner contact details are retained as long as the relationship is active or the data is necessary, with necessity reviewed every two years.
Data used for direct marketing is retained for a maximum of two years from the last active contact or consent.
Data collected via website cookies is generally processed only for the duration of the session.
10. Data subject rights
You have the following rights regarding the processing of your personal data:
– Right of access
– Right to rectification
– Right to erasure
– Right to restriction of processing
– Right to object to processing
– Right to withdraw consent
– Right to data portability
Requests should be submitted in writing to the e-mail address mentioned in section 2. We will respond to requests within one month in principle. Additional information may be requested to verify identity.
Data subjects also have the right to lodge a complaint with the supervisory authority if they believe their rights have been violated. The contact details of the Data Protection Ombudsman can be found here: Contact information | Data Protection Ombudsman’s Office