Consultant and Vendor Privacy Notice

12/6/2020

In our privacy notice below, you can find information about how we collect, process and use personal data. For the purpose of the EU General Data Protection Regulation 2016 (GDPR), the data controller is Fortum Corporation and its subsidiaries (“Fortum”). Information about the local country-specific controllers can be found in the Privacy notices of each country, see section “Contact information” at the end of this page.

1. Introduction

This privacy notice describes how Fortum (Fortum Corporation and its subsidiaries, “Fortum”) processes your personal data. This notice applies to the processing of your personal data in the context of supplier and consultant relationships. We may also provide you with additional privacy information in supplements or other notices regarding a particular system, product or service.

The provisions here are supplemented by applicable mandatory law that prevails to the extent that there is a conflict with this Notice.

2. What data does Fortum process?

Fortum collects and processes various types of personal data, where applicable, such as:

  • Personal details – including your contact details (e.g. your name, phone number, and email address), demographic data (e.g. your gender, age, language, nationality, professional details), and your identification-related information where needed (e.g. national ID number, passport number).
  • Administrative information – such as your resumé and competences, information about previous assignments or projects where you have been involved, where applicable, the results of background checks, credit information, photographs, accident records, project time and attendance management and information about work-related equipment and services that you use in connection with working with us, including, e.g. recorded and transcribed phone calls, recordings of trainings, messaging, and information you publish about yourself in internal and external channels.
  • Financial data – such as your bank account information, travel and other expenses, insurance information, tax numbers.
  • Online data & identifiers – data that is collected with cookies or similar technologies about your use of our internal services, your IP address, cookie ID, mobile device ID, details about browser and device, and location.
  • Security data – data that is used for securing the use of our services and our premises, such as your password and login details, employee ID, security logs, facility entry logs, and CCTV camera recordings.

3. How does Fortum collect information about you?

The personal data which we process about you comes from different sources:

  • You and your employer – We receive information directly from you and the company with which you are working.
  • Third parties – We may receive information from third parties, such as national authorities (e.g. police and other enforcement agencies).
  • Fortum Group companies, which share information for purposes mentioned below in section 7.

4. What are the purposes and legal bases for processing personal data?

We will use your personal data for predefined purposes based on contract, consent, legal obligation and legitimate interest. Typically, the legal basis for data processing in the supplier relationship context is our legitimate interest to administer our contact persons’, project workers’ or consultants’ information for work-related matters. In addition, we have certain legal and contractual obligations that require us to process personal data. Consent may be used in certain specific situations.

We will use your personal data for the following purposes:

  • Supplier & consultant relationship management
    We process personal data to manage a professional relationship with our business partners. This involves contacting our stakeholders and arranging events.
  • Managing work orders and assignments, evaluation, and general administration
    We process personal data of consultants in order to administer their work and assignments. We provide consultants with work-related tools, training and services, manage travel and expense claims and project hours, conduct contract performance evaluation, and manage insurances and payments. Personal data is also processed in supplier contract management, for example when signing non-disclosure agreements.
  • Service development & reporting
    We process personal data to improve and develop our internal services. Service development is done, for example, by collecting feedback directly from you in surveys and questionnaires; by utilizing the data generated from the use of our services in analytics; and by using recorded or transcribed phone calls in certain operations for training and service quality improvement. We also have internal reporting processes that utilize personal data.
  • Legal obligations
    We process personal data to comply with our legal obligations, for example, to comply with tax, accounting, securities, anti-bribery, anti-money laundering, health and safety rules and other legal obligations placed on Fortum.
  • Ensuring security, safety and legal rights
    We use personal data to ensure the security and safety of our information, facilities, products, services, and personnel. This is done subject to local law, for example by keeping access logs and system backups, preventing attacks, monitoring system use, identifying and authenticating individuals, and monitoring access and facilities (including CCTV) and locating individuals in emergency situations. We also process personal data for defending legal rights, including preventing and investigating fraud, industrial espionage and other crime.

5. Automated decision-making

If we use automated decision-making with legal or similarly significant effects on you, we will inform you about it in advance. If such automated decision-making is neither authorized by legislation nor necessary for the performance of or entering into a contract with us, we will ask for your consent.

You may always express your opinion or contest a decision based solely on automated processing, as well as request a manual decision-making process instead, by contacting us (see section 12).

6. How long does Fortum store the personal data?

This varies country by country depending on the local laws. We delete or de-identify personal data when it is no longer necessary for the purposes it was collected for. For information on the specific retention times for your personal data, please contact us (see section 12).

7. Who can access your personal data?

Where applicable, we may share your personal data with:

Fortum Group companies – Our Group companies may use your personal data for the purposes defined in this notice, based on our legitimate interest, to the extent permitted by applicable law.

Your employer – We may share your personal data for the purposes defined in this notice with the company by which you are legally employed, based on our legitimate interest, to the extent permitted by applicable law.

Authorized third parties – We may share your personal data with authorized third parties, based on our legitimate interest, to the extent permitted by applicable law. In such cases, Fortum will ensure there is a genuine need to share your personal data. Authorized third parties include, for example, Fortum’s customers, travel agencies, banks, telecom operators, insurance scheme providers, auditors, professional advisors, external legal counsels, actuaries, medical practitioners, trustees or other third-party suppliers.

Our subcontractors – We use subcontractors to provide services to us. Such subcontractors may have access to your personal information and process it on our behalf, but they are not allowed to use the personal data for any other purpose than to provide the service agreed with us. We ensure that the processing of personal data by our subcontractors is done in accordance with this notice through appropriate contractual arrangements. Typical service providers that process personal data include, for example, IT software and service providers.

Mergers and acquisitions – If we decide to sell, merge or otherwise reorganize our businesses, this may involve us disclosing personal data to prospective or actual purchasers and their advisers.

Authorities, legal proceedings and law – We will disclose your data to certain competent authorities, such as government agencies responsible for tax collection or statistical information, or to the police or other law enforcement agencies, to the extent required under mandatory law. We may also disclose your personal data in relation to legal proceedings or at the request of an authority on the basis of applicable law or court order, in connection with a trial or authority process, or as otherwise required or permitted by law.

8. Does Fortum transfer personal data to third countries?

Fortum is a global company that has affiliates, business processes, management structures and technical systems that cross national borders. This means that your data may be transferred to countries other than the one where you are located, including also outside of the European Economic Area. We use appropriate safeguards, such as the standard contractual clauses provided by the European Commission, for these transfers to protect your data. You can obtain more information about the transfers by contacting us (see section 12).

9. Cookies

The Fortum Cookie policy describes the use of cookies on our external websites. On our internal sites, such as the intranet, we use cookies to enable the functioning of the services, and to collect analytical data about the site usage, for example, to see which content is popular.

10. Your rights and how to exercise them

Below you can see the list of your rights regarding personal data that we process about you. If you have any questions about your rights or want to exercise them, please contact us (see section 12). Please note that some of the rights may not be applicable, for example, if the data cannot be connected to you.

  • Right to access personal data – You have the right to be informed about the processing that we do and to request a copy of your personal data.
  • Right to correct personal data – You can ask for the information about you to be corrected if it is not accurate or if it needs to be updated.
  • Right to data portability – You may obtain and reuse the personal data you have once provided us. We can provide a selected set of the data delivered in a machine-readable format, where the basis of processing has been either a contract or consent.
  • Right to deletion – We will delete the data at your request if it is no longer legitimately needed.
  • Right to withdraw your consent – If you have given consent for data processing, you are always entitled to withdraw your consent.
  • Right to object to the processing – You have the right to object to the processing of your personal data based on Fortum’s legitimate interests, such as developing our products and services, and other purposes explained in section 3 and section 7. We may reject your request if there is a compelling reason for us to continue the processing.
  • Right to restrict the processing – In certain circumstances, you have the right to have the processing restricted.

If we do not take action in accordance with your request, we will inform you of the reasons. If you are not satisfied with our response or with the way we handle personal data, please let us know. You can also always contact your national data protection authority.

11. Changes to this privacy notice

Fortum reserves the right to amend this Privacy Notice. Possible amendments to the Privacy Notice will be announced on this site or communicated directly to you.

12. Controller of your personal data and contact details

The controller of your personal data is typically the local Fortum company with which the company you work for is conducting business. You may find the contact details of Fortum companies below. If you want to exercise your rights or have any queries about the processing of your personal data, kindly contact the customer service of the local company.

Finland

Sweden

Norway

Denmark

Poland

Estonia

Latvia

Lithuania

Germany

You can address any further questions and comments regarding your privacy to our dedicated privacy team at privacy@fortum.com or in writing to the address below:

Fortum Corporation
Privacy
Keilalahdentie 2-4, 02150 Espoo
Finland

You may also contact Fortum’s Data Protection Officer through the channels provided above.