1. What data does Fortum process?
Fortum collects and processes various types of personal data, where applicable, such as:
- Personal details – including your contact details (such as your name, address, phone number, and email address), demographic data (such as your gender, age, language, nationality, professional details, and additional details such as your interests or a segment group), and your national identity number when required for verifying your identity.
- Agreement & transaction data – such as information about your agreements, orders, purchases, payment status, and invoices; recorded and transcribed phone calls; subscriptions and opt-outs; and your other transactions with us such as service requests and messaging with our customer service.
- Payment & credit data – such as your payment card information and bank account information that are needed for verifying purchases or returning funds, creditworthiness.
- Online data & identifiers – data that is collected with cookies or similar technologies about your use of our services, such as your browsing activities and segments, your IP address, cookie ID, mobile device ID, details about browser and device, and location.
- Security data – data that is used for securing the use of our services and our premises, such as your password and login details, security logs, and camera surveillance recordings.
- Technical and consumption data – such as data related to the operation of a device or application, including the measurement of consumption and production of electricity and other utilities, and data from charging stations and smart devices, including data from any sensors (e.g. temperature).
2. How does Fortum collect information about you?
The personal data which we process about you comes from different sources:
- You: when you order or use our services, when you fill in a form of interest, participate in a survey or competition, create an account, browse our website, or otherwise interact with us.
- Third parties, such as public address registers, credit reference agencies, debt collection agencies, installation partners, marketing partners, electricity and insurance companies, and other data providers.
- Fortum Group companies, which share information for purposes mentioned below in section 6.
3. What are the purposes and legal bases for processing personal data?
We will use your personal data for predefined purposes based on contract, consent, legal obligation and legitimate interest. We will use your personal data for the following purposes:
3.1 Service delivery & customer service
We collect and use personal data about you to process orders, deliver products and services, to provide customer service and to manage payments, contracts and transactions.
The data needed for delivering services vary depending on the product or service in question. For example, online services may require the user to authenticate, whereas electricity contracts require us to measure the consumption. Our customer service handles your requests and messages to serve you. Customer service may also offer you the optimal contract type that we calculate for you. We may communicate with you in contract-related matters via phone, mail, email, SMS, chat, automated calls, and other digital channels including social media.
The basis for processing your data for service delivery and customer service is typically the contract. When required by law, we may ask for your consent to deliver certain services, for example, location-based services.
3.2 Sales, marketing and stakeholder communications
We may contact you through marketing even if you are not our customer. We will ask for your consent to contact you when required by law, otherwise, our contacting is based on legitimate interest. Without consent, we can send automated electronic marketing messages that relate to your customer or business relationship with us, and use traditional marketing channels (e.g. post, telephone, door-to-door), when allowed by law. We also conduct lotteries and contests.
In addition to our own marketing and sales, we use sales and marketing partners who may contact you about our products and services based on their own customer lists, or sell our products and services at their own premises.
Below you can read more about the different types of marketing. You can read here how to control your marketing preferences.
- 3.2.5 What data is used to optimize sales & marketing (“Profiling”)
For marketing and advertising, we use data that is collected during the customer relationship and from customer surveys; online behavioural data; and derived data that for example predicts the users’ interests. Based on these data, we are able to make marketing more relevant and effective, and send you more personalized offers. An example of derived data is a segment that tells us that the user is likely to live in a suburban area or a row house. You may also receive a targeted offer, for example, because you have moved recently.
- 3.2.6 Stakeholder relations
We manage stakeholder relationships by communicating about relevant topics and promoting events which we arrange. Communications are sent directly by email to the contact addresses received from the stakeholders or their company.
3.3 Product and service development
We process personal data to improve and develop better services for our customers, to support our business decision making, and to consider our customers’ feedback and needs. The basis for processing data for product and service development is legitimate interest. This is done, for example, by collecting feedback directly from users using surveys, test panels, interviews, questionnaires and other forms of market research; by utilizing the data generated from the use of our services in analytics; by using recorded or transcribed phone calls for training and service quality improvement; and by testing system functionality with temporary sample data that is collected during normal service use.
Data processing for our product and service development generally happens with de-identified data to the extent possible. In the case that the customer’s real contact details are collected in connection to the survey, or if we conduct interviews personally with the customer, we may inform you specifically about the use of the contact details in connection to the survey or interview. We may occasionally use samples of real data, for example, to test the functioning of our systems.
In analytics, we do not process identifying data, but we aggregate large volumes of service use data in order to create statistical models, reports, predictions and trend analyses for the support of business decision making; create analyses about service / feature performance; and calculate customer segments that are used to improve our sales and marketing as described in Chapter 3.2.5.
3.4 Legal obligations
We process personal data to comply with our legal requirements, for example, accounting and tax laws, and anti-money laundering laws.
3.5 Defense of legal rights & ensuring the security of our services and customers
We use personal data to defend and secure our own rights and our customers’ rights. The basis for processing data for the defence of legal claims, debt collection, credit checking, information security, and prevention of fraud and misconduct is typically legitimate interest. Personal data is used for ensuring the security of our products and services, for example, by keeping access logs and system backups, authenticating users, and preventing attacks.
4. Automated decision-making
If we use automated decision-making with legal or similarly significant effects on you, we will inform you in advance. If such automated decision-making is not authorized by legislation, necessary for the performance of or entering into a contract with us, we will ask for your consent.
You can always express your opinion or contest a decision based solely on automated processing, as well as to request a manual decision-making process instead of by contacting customer service in your local market.
5. How long does Fortum store the personal data?
Fortum deletes or de-identifies personal data when it is no longer necessary for the purposes it was collected for. For information on how long we hold your personal data for, please see your local company’s privacy notice.
6. Who can access your personal data?
Where applicable, we may share your personal data with:
Fortum Group companies – Our Group companies may use your personal data for the purposes defined in this notice, based on a legitimate interest to the extent permitted by applicable law, including for marketing their products and services to you.
Commercial partners – We disclose personal data to our commercial partners based on a legitimate interest to the extent permitted by applicable law. Examples of such situations include:
- Where you have purchased our products and services from a commercial partner, we may need to exchange data about you as part of managing that relationship and your purchase – for example, to identify your order and for us be able to pay them.
- Where you buy our commercial partner’s product or service through us, you make a contract for it with the commercial partner selling that product or service. Fortum is only charging the amount directly to your bill as part of the arrangement with the seller. Fortum may pass your personal data to such a commercial partner to complete your purchase and for us to be able to pay them.
Consent, contract or request – We may share your personal data if we have your consent to do so. Some of our products and services allow you to share your personal data with others. We may also share your personal data with a third party when this is required to fulfil our obligations under a contract with you or to fulfil a request by you. As an example, we will disclose your address to the postal, courier or installation service to be able to deliver a product or service which you have ordered.
Our subcontractors – We use subcontractors to provide services. Such subcontractors may have access to your personal information and are processing it on our behalf but they are not allowed to use the personal data for any other purpose than to provide the service agreed with us. We ensure through appropriate contractual arrangements that the processing of personal data is in accordance with this notice. Typical service providers that process personal data include for example telemarketing and sales partners, payment and invoicing partners, and IT software & service providers.
Mergers and acquisitions – If we decide to sell, merge or otherwise reorganize our businesses, this may involve us disclosing personal data to prospective or actual purchasers and their advisers.
Authorities, legal proceedings and law. We will disclose your data to competent authorities, such as the police, to the extent required by law. We may also disclose your personal data in relation to legal proceedings or at the request of an authority on the basis of applicable law, or court order or in connection with a trial or authority process, or as otherwise required or permitted by law.
7. Does Fortum transfer personal data to third countries?
Some of our service providers and group companies operate internationally, which means that data is occasionally located outside of the European Economic Area. When personal data is transferred outside the EU or the EEA, Fortum uses appropriate safeguards, such as the standard contractual clauses provided by the European Commission. You can obtain more information about the transfers by contacting your local market’s customer service.
8. How does Fortum protect personal data?
Fortum employs appropriate organizational and technical security measures to protect your data from loss or misuse. We have a cybersecurity governance model which describes roles and responsibilities on the group level, and our instructions give detailed information on how personal data must be handled within Fortum. By conducting awareness programs, we engage Fortum employees in privacy and security considerations. Where we contract with third-party suppliers to provide services that may enable them to access your personal data, we require them by contract to have similar security controls in place.
10. Your rights and how to exercise them
Below, you can see your rights regarding personal data that Fortum processes about you. If you have any question about your rights or want to exercise them, please contact your local company. Some rights may not be applicable for example if the data cannot be connected to you.
- Right to access personal data – You have the right to be informed about the processing that we do and to request a copy of your personal data.
- Right to correct personal data – You can ask for the information about you to be corrected, if it is not accurate or if it needs to be updated.
- Right to data portability – You are able to obtain and reuse the personal data you have provided us. We can provide a selected set of the data delivered in a machine-readable format, where the basis of processing has been either contract or consent.
- Right to deletion – We will delete the data at your request if it is no longer legitimately needed.
- Right to withdraw your consent – If you have given consent for data processing, you are always entitled to withdraw your consent.
- Right to object to the processing – You have the right to object to the processing of your personal data on Fortum’s legitimate interests, such as developing our products and services, and other purposes explained above in sections 3 and 6 above. Fortum may reject your request if there is a compelling reason for continuing the processing.
- Right to restrict the processing – In certain circumstances, you have the right to have the processing restricted.
- To opt-out from electronic marketing communications and customer surveys: If you no longer want to receive marketing messages from Fortum, you can choose to opt-out at any time. The easiest way is to click the link at the end of the marketing message.
- To opt-out from telephone and postal marketing: If you no longer want to receive marketing calls or postal marketing from Fortum, you can contact your local market’s customer service] or inform the customer service representatives during the marketing call.
Please note that you may still receive marketing messages for a short period after opting out while we update our systems. Also, we sometimes use marketing partners, who may display our products and services to you, but who have not received any personal data about you from us. To opt-out from such marketing or to exercise your other rights, you will need to contact the specific marketing partner directly.
How to lodge a complaint: If we do not take action in accordance with your requests, we will inform you of the reasons. If you are not satisfied with our response, or with the way we handle personal data, please contact your local market’s customer service. If you are still not pleased with the handling, you can contact your national data protection authority.
11. Changes to this privacy notice
Fortum reserves the right to amend this Privacy Notice. Possible amendments to the Privacy Notice will be notified about on our website, or by communicating directly to you.
12. Controller of your personal data
If you have any question or want to exercise any of your rights, please contact your local company.
The data controller who is responsible for your data is typically the Fortum company, with whom you have contracted.
Further questions and comment regarding your privacy can be addressed to our dedicated privacy team using the request form or in writing to the address below.
Feedback form to Privacy Office
You are also able to reach Fortum’s Data Protection Officer through the channels provided above.