Privacy notice - Consumers

In our updated privacy notice, you can read more on how we treat your personal data. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

Privacy notice content

  • The data controller
  • How does Fortum process your personal data?
  • What kind of data does Fortum collect?
  • What sources are the personal data obtained from?
  • What are the purposes for processing personal data?
  • On what legal basis do we process your personal data?
  • How do we treat your data for marketing purposes?
  • Automated decision-making
  • How long do we store the personal data?
  • Who processes your personal data?
  • Does Fortum transfer personal data to third countries?
  • How does Fortum protect the personal data?
  • How do we handle personal data from IP addresses, cookies and similar technologies?
  • What rights do you have in respect of your personal data?
  • Changes to our privacy notice
  • Contact

The data controller

For the purpose of the EU General Data Protection Regulation 2016 (GDPR), the data controller is Fortum Corporation and its subsidiaries ("Fortum"). Information about the local/country specific controllers can be found in the Privacy notices of each country, see section "Contact" at the end of this document.

How does Fortum process your personal data?

We need to treat your personal data for many different purposes and in several ways. Common for all our personal data processing is that it is carried out with appropriate safeguards taken into account and in accordance with the fundamental principles in data protection legislation.

In this information, we have compiled the different data types, purposes and legal bases on which we rely for our data processing. In case of significant changes, we will inform you appropriately, see below at the end of the information text.

What kind of data does Fortum collect?

Fortum collects and processes personal data in various categories, including:

  • Contact data - such as your name, address, phone number, user name, customer number, password and if appropriate your image
  • Agreement and service data - such as information about our services which you are using, agreement period, termination notice, and other information related to your agreement with us.
  • Transactional and consumption data - such as data about your purchase of our products and consumption of our services
  • Financial and invoicing data - such as your invoice address, payment terms, credit card number, bank account information
  • Ticket data - such as information about your contacts with Fortum's customer service, information about installations, support tickets, complaints etc.
  • Behavioural data - such as customer segment, how you react to our offerings to you and how you use our products, services and web sites
  • Device data - such as IP number and other information from cookies
  • Permission data - such as marketing permissions.

Fortum collects data that is necessary for the relationship you have with us and the purposes for which the data are used. All our processing of personal data has a legal basis.

What sources are the personal data obtained from?

The personal data which we process about you comes from different sources:

  1. From yourself, when you order our services, when you fill in a form of interest or send in your personal data to us. We will then inform you about the necessary and mandatory data which we need to provide you with that service.
  2. Information as part of our relationship with you as our customer, such as consumption data, ticket handling, device data or behavioral information.
  3. Information which we receive from public sources, such as public address registers, or from third parties with which we cooperate, such as credit information providers, debt collection services, installation partners and marketing partners.

What are the purposes for processing personal data?

We process personal data only for predefined purposes. The purposes for which we process personal data are:

  • Customer relationship management and Customer satisfaction surveys
    To be able to manage a professional relationship with our customers and, for example, to provide customer service by phone, email and through our digital channels, we need your personal data. We deal with customer complaints by collecting information and preparing answers. We communicate with customers via email, phone and our digital channels regarding the relationship we have with our customers.
  • Contract and product management, Delivering and Maintaining service and Consumption reporting
    We need a contract with all our customers to fulfil our contractual obligations to you. Therefore, we collect personal data to create and manage contracts, and to deliver our products and services. We communicate with our customers, e.g. contract related notifications. We update our customer data, collect data of customers’ consumption and of the related services, to offer our customers the best solution.
  • Billing and debt collection
    We process personal data to be able to invoice our customers for the energy consumption, for our products, goods or services. We create invoices based on customer data, contract information and information on delivered energy/goods/services. We handle payments made by our customers, respond to change requests and we archive invoices and contracts.
  • Sales and Marketing and Product and Service development
    In order for us to communicate with our current customers about our services, new products or other topical issues, we use our customers' email addresses for newsletters and marketing messages. For prospective customers, we process personal data which we receive through online surveys and activities, in events, etc.
  • Public authority reporting

On what legal basis do we process your personal data?

We rely on several legal bases when processing your personal information:

  • Your specific and freely given consent. If we rely on your consent as the legal basis for processing your data, you may withdraw your consent at any time,
  • The processing is necessary to fulfill an agreement between us and you or necessary to conclude such an agreement,
  • The processing is necessary to fulfill a legal obligation that is owed to us (for example, we are required by law to store certain data for a certain period of time) and/or to determine, enforce or defend Fortum against legal claims,
  • The processing is necessary for purposes pertaining to the legitimate interests of us or of third parties, which consider the registrant's interests and fundamental rights and freedoms (i.e., balance of interests). Our legitimate interests in such treatments are:
    • Conduct cost-effective and relevant business activities
    • Develop, improve and sell our products and services as well as to maintain a good customer contact, including customer feedback and customer surveys
    • Maintain correct, relevant and unified records and tasks
    • Receive payment for completed or delivered products and services
    • Provide effective support and case management to customers
    • Provide relevant and effective direct marketing in relation to existing customers, including profiling and segmentation for marketing purposes (see further information below)

How do we treat your data for marketing purposes?

Within Fortum, we value effective and transparent marketing towards you as our customer. Processing your personal data for marketing purposes is necessary for our legitimate interest in developing, improving and selling our products and services, and maintaining a good customer relationship.

In all our communication, you are given the opportunity to oppose and to refuse any further marketing outlets.

We will, for example, conduct market analyses, compile statistics, and evaluate, develop and inform you about our services and products. You can, for example, receive monthly newsletters or general information about customer benefits, unless you actively oppose such communication. We can also send you targeted offers based on your purchases, your service/product holdings and/or your behavior in communicating with us. Such targeted offers aim to offer you relevant offers for products and services that we believe you are interested in. Targeted offers assume that we divide our customers into different groups (e.g. segmentation or profiling) based on your interactions with us.

Automated decision-making

We may make decisions about you through automated decision making e.g. automated credit checks during contract period, which may affect your ability to use our services. We use automated decisions to have efficient, digital, predictable and legally secure decision and business processes. We will normally give you more detailed and specific information about such automated decision making processes in connection to the start of the application/decision, including information about the logic behind as well as the consequences of the handling.

If an automated decision is not necessary for entering an agreement between you and us, we will collect your consent to an automated decision making in advance.

If we have made a decision about you solely on the basis of an automated process (e.g. through automatic profiling) and that affects your ability to use the services or has another significant effect on you, you can ask not to be subject to such a decision unless we can demonstrate to you that such decision is necessary for entering into, or the performance of, a contract between you and us.

How long do we store the personal data?

Fortum seeks to limit the period for which the personal data are stored to a minimum. Thus, Fortum processes your personal data only to the extent and as long as is necessary to meet the purposes of the data processing.

As a general rule, your personal data are stored for the duration of the customer relationship as well as for a period of 6 years from the end of the customer relationship. Personal data relating to metering data (including energy consumption and production data) will be retained for 10 years from the date that the metering data was obtained. The specific retention periods may be different depending on the categories of data. Fortum sets out and regularly re-evaluates data type specific retention periods for the personal data it holds. Once personal data is no longer necessary, Fortum will delete it or anonymise it as soon as possible.

Who processes your personal data?

Principally, we do not sell, trade or license any personal data to third parties. Companies belonging to the Fortum group of companies may process personal data in accordance with existing privacy laws. Personal data may be disclosed to our authorized employees or affiliates to the extent necessary for the purpose of processing. The data will never be available to all employees but to a limited number of authorized persons.

We also use third parties as our data processors to help process personal data on our behalf. When a third party processes personal data on our behalf, we always ensure via contractual arrangements that the processing of personal data is always conducted safely and in accordance with privacy laws and data processing best practices.

List of categories of the third parties processing data (=data processors):

  • Service providers, such as printing services, debt collection services, installation partners, credit information providers
  • IT service providers, Cloud service
  • Sales and marketing partners

In addition, personal data may be disclosed to authorities when we are required to do so by law, based on demands made by competent authorities in accordance with existing privacy laws.

Does Fortum transfer personal data to third countries?

Principally, Fortum does not transfer personal data outside the European Union or the European Economic Area (EEA). However, if personal data is transferred outside the EU or the EEA, Fortum uses appropriate safeguards in accordance with existing privacy legislation, such as the standard contractual clauses provided by the European Commission.

How does Fortum protect the personal data?

Fortum fulfils the necessary technical and organizational measures, which ensure and demonstrate that privacy laws are being followed in the processing of personal data.

These measures include the monitoring of access rights so that only the authorized persons have access to the personal data, using firewalls, pseudonymisation of data, detailed instructions and training for personnel on protection of personal data and careful consideration when selecting our service providers that are involved in the processing of personal data on our behalf.

How do we handle personal data from IP addresses, cookies and similar technologies?

When you use our services or visit our websites, Fortum can collect data about your devices through cookies and other tracking techniques.

Cookies are small text files that we use to identify and count the browsers and devices that visit our websites. This information may then be used by us or third parties for marketing purposes.

Our use of cookies differs depending on which of Fortum's websites you visit. You can get more information about which cookies we use on a particular website by reading the specific information about cookies on the current site.

What are your rights when it comes to your personal data?

As a registered individual, you have a number of rights by law:

  • Right of access - You have the right to access your personal data, which means that you have the right to confirm whether your personal data are processed and, if so, also receive a copy of the personal data that is processed by Fortum (so-called registry extracts) and further information about the processing carried out by Fortum.
  • Data Portability Right - You are entitled to data transfer, which means that you may, under certain circumstances, have the right to have the personal data transmitted to another controller.
  • Right to rectification - You are entitled to have incorrect information about you corrected or supplemented.
  • Right to erasure - You have the right to have your data erased, if
    • the data are no longer necessary for the purposes for which they are processed,
    • you revoke your consent for some treatment and thereafter there is no legal basis for Fortum to process the data,
    • your data has been processed illegally, or
    • the processing of your data is not necessary to comply with applicable legal requirements in order to determine, enforce or defend legal claims and / or for archival, research or statistical purposes.
  • Right to revoke consent - If you have given special consent to certain treatment, you are always entitled to withdraw your consent.
  • Right to object to processing of personal data - When processing is carried out on the basis of the legitimate interests pursued by Fortum or by a third party, you have the right to object at any time to processing of personal data concerning you. Unless Fortum can demonstrate compelling legitimate grounds for the processing, Fortum shall no longer process the personal data.
  • Right to object to direct marketing - You are entitled to object to the processing of personal data pertaining to you for direct marketing at any time. Then we will no longer process personal data for such purposes.
  • Right to restriction - You are entitled to limit your data during the time we investigate and check your request.
  • Right not to be subject to automated decision - If we have made a decision about you based entirely on an automated process and the decision has legal consequences or otherwise significantly affects you, you may request that the decision be reviewed by us through renewed and individual assessment. This applies if we cannot prove that an automated decision is necessary to conclude or implement an agreement between you and us.
  • Right to complain to the supervisory authority - You are entitled to complain to the Data Inspection Authority or other competent regulatory authority if you believe that we treat your personal data in violation of applicable data protection legislation.

If you wish to exercise any of your rights above, please send a written and self-signed request to the address stated at the end of this information text.

Changes to our privacy notice

Fortum reserves the right to amend this Privacy Notice. Any amendments to the Privacy Notice will be announced on our website.

Amendments may be necessary due to the development of our services or, for example, changes in the relevant laws.

Contact

Questions, comments and requests regarding this privacy notice are welcome and should be addressed to dataprotectionofficer@fortum.com or in writing to the address below.

Fortum Oyj
Privacy
Keilalahdentie 2-4, 02150 Espoo
Finland