Fortum Group Privacy Policy

Fortum takes privacy seriously and complies with the privacy laws. Customers, employees and other stakeholders can trust that we manage data privacy in a correct and transparent way. Ensuring the individual's right to data protection is embedded in Fortum's shared corporate values of curiosity, responsibility, respect and integrity, which form the ethical basis for all work at Fortum.

Our Privacy Policy is to be followed by all Fortum divisions and functions, as well as by suppliers and external persons working for Fortum.

The Fortum Group Policy for Privacy is defined in this document, which is endorsed by Fortum's Board of Directors, and is to be followed by all Fortum divisions and functions and by suppliers and external persons working for Fortum.

This policy is reviewed on an as-needed basis by the Fortum Executive Management (FEM). Any amendments to this policy are approved by the Board of Directors.

Requirements set in local data protection laws and regulations shall be duly complied with. The data protection principles and rights of the individual that Fortum endorses in the area of privacy are further explained at Fortum's website www.fortum.com.

Privacy at Fortum

Fortum ensures that all customers, employees and other stakeholders can trust that Fortum takes privacy seriously and complies with the privacy laws. Ensuring the individual's right to data protection is embedded in Fortum's shared corporate values of curiosity, responsibility, respect and integrity, which form the ethical basis for all work at Fortum.

Fortum processes personal data only for specified, explicit and legitimate purposes, and only when there are valid legal grounds for it. When acting as a controller and selecting new suppliers and other partners, Fortum pays special attention to the suppliers' ability to comply with the data protection laws. When acting as a processor, Fortum is committed to processing personal data in accordance with the data protection laws and the documented instructions of the controller.

Fortum processes personal data transparently

For Fortum, transparency regarding the processing of any personal data is part of our business conduct. Fortum runs its business in a highly ethical manner and provides transparent information about the purposes of data processing to customers, employees and other stakeholders. Fortum offers all stakeholders the opportunity to influence the processing of their personal data.

Fortum respects the rights of individuals in terms of personal data processing. By providing information transparently, Fortum enables individuals to exercise control over their personal data. Fortum does not process an individual's personal data in ways that have not been communicated to the individual, nor does it collect unnecessary data that is not needed for providing and developing our services.

At all times, Fortum processes personal data in a manner which ensures information security. Personal data is always bound to confidentiality, and access is limited to authorized persons within Fortum and its partners.

Fortum demonstrates its compliance

Fortum is committed to demonstrating its compliance with the data protection laws during the whole data processing cycle. Fortum takes actions to show compliance with the data protection laws by documenting and processing personal data systematically.

Privacy embedded in Fortum's business operations

Excellence in data privacy is incorporated in our strategy and is an essential part of business operations. Fortum is committed to constantly improving compliance and business processes when exploring new data-driven opportunities to serve our customers.

Responsibilities

Fortum has a line responsibility in privacy compliance governance. The management of the divisions and the Group functions, and ultimately the President and CEO and the Board of Directors, are accountable for privacy compliance at Fortum.

Fortum's Board of Directors approves the Privacy Policy and reviews the Group's annual privacy performance and reporting.

The President and CEO is responsible for privacy at Fortum and for approving the Group Instructions for Privacy.

The division heads are responsible for ensuring that appropriate processes are in place and adequate resources are available to fulfil and monitor privacy compliance requirements.

The Corporate Privacy Office is responsible for managing and monitoring privacy at the Group level. This includes the Privacy Policy and related Group-level instructions and manuals. The Corporate Privacy Office is also responsible for monitoring the policy implementation and for performance reporting on a monthly, quarterly and annual basis.

All Fortum employees and external persons working for Fortum have the responsibility to comply with privacy-related laws, regulations and all Fortum's instructions.

Last updated: 1 May 2018