- What data does Fortum process?
- How does Fortum collect information about you?
- What are the bases and purposes for processing personal data?
- Automated decision-making
- How long does Fortum store your personal data?
- Who can access your personal data?
- Does Fortum transfer personal data to third countries?
- How does Fortum protect personal data?
- Your rights and hot to exercise them
- Changes to this Privacy Notice
- Controller of your personal data
1. What data does Fortum process?
Fortum collects and processes various types of personal data, including:
- Personal details: including your contact details (such as your name, address, phone number, and email address), demographic data (such as your gender, age, language and nationality).
- Recruitment information: such as your application and resume, interview information, video interviews, references from previous employers and other third-party references, information about your competencies, qualifications, skills, work experience, and education. As we take steps prior to entering into a possible employment contract, we may also collect results of the necessary health, drug, background, psychometric, and aptitude tests and credit checks depending on the position for which you are applying, and where necessary for the recruitment activities.
- Identification information: such as proof of identity and your national identity number.
- Online data & identifiers: data that is collected with cookies or similar technologies about your use of services, including your IP address, cookie ID and mobile device ID.
- Authentication information: username and password for the recruitment portal, including other details for authenticating and securing our services such as login details and security logs.
2. How does Fortum collect information about you?
The personal data which we process about you comes from different sources:
- You: when you create an account in our recruitment portal, submit us your application or resume or when you otherwise interact with us.
- Third parties: such as recruitment agencies, your references and previous employers, medical or health check providers and authorities or other parties providing background and credit checks. We will obtain your consent for such collection when required by applicable law.
- Fortum Group companies: which share information for purposes mentioned below in chapter 6.
3. What are the bases and purposes for processing personal data?
We will use your personal data for predefined purposes based on legitimate interest and legal obligation. Also, we may use your personal data based on your consent in addition to reliance on a legitimate interest (this especially if additional consents are needed under applicable law).
The main purposes for which we process personal data are listed below:
- Recruitment and resourcing: We use your personal data to contact you, for instance, to inform you about the status of your application or to obtain additional information. We also use your personal data to set up and conduct interviews and assessments, evaluations, reference, credit and background checks as permitted by applicable law.
- Creating an employee record: If Fortum hires you, the personal data you have given during the application process may become part of your employee record and be used to manage your career at Fortum.
- Service development and analytics: We may use your personal data to improve and develop our recruitment processes and other related services, and to create analytics. We endeavour to use de-identified data when possible.
- Security of our services and others: Personal data is used for ensuring the information security of our services, for example, by keeping access logs and system backups, authenticating users, and preventing attacks.
- Legal obligations: We process personal data to comply with our legal obligations, for example, accounting and tax laws.
4. Automated decision-making
When we use automated decision-making with legal or similarly significant effects on you, we will inform you in advance. If such automated decision-making is not authorized by legislation or necessary for the performance or entering into a contract, we will ask for your consent.
5. How long does Fortum store your personal data?
Fortum deletes or de-identifies personal data when it is no longer necessary for the purposes it was collected for. If Fortum hires you, your personal data may become part of your employee record. For information on how long we hold your personal data for, please see our retention schedule or contact our customer service.
6. Who can access your personal data?
Where applicable, we may share your personal data with:
- Fortum Group companies – Our Group companies may use your personal data for the purposes defined in this notice based on a legitimate interest to the extent permitted by applicable law.
- Subcontractors – We use subcontractors to provide services. Such subcontractors may have access to your personal information and are processing it on our behalf but are not allowed to use the personal data for any other purpose than to provide the service agreed with us. We ensure through appropriate contractual arrangements that the processing of personal data is in accordance with this notice. Typical service providers that process personal data include for example recruitment agencies and IT software & service providers
- Third parties – Fortum may share your personal data with authorized third parties who process personal data for Fortum for the purposes described in this Statement. These may include recruitment consultants, test providers, and others who help us fill vacancies and assess the suitability of job applicants. These authorized third parties are not permitted to use your personal data for any other purposes. We require them to act consistently with this Statement and to use appropriate measures to protect your personal data.
- Mergers and acquisitions – Where Fortum decides to sell, or merge or otherwise reorganize its businesses, this may involve disclosing personal data to prospective or actual purchasers and their advisers.
- Authorities, legal proceedings and law – We will disclose your data to competent authorities, such as the police, to the extent required by law. We may also disclose your personal data in relation to legal proceedings or at the request of an authority on the basis of applicable law or court order or in connection with a trial or authority process or as otherwise required or permitted by law
7. Does Fortum transfer personal data to third countries?
Some of our service providers and group companies operate internationally, which means that data is occasionally located outside of the European Economic Area. When personal data is transferred outside the EU or the EEA, Fortum uses appropriate safeguards, such as the standard contractual clauses provided by the European Commission. You can obtain more information about the transfers by contacting our local customer service.
8. How does Fortum protect personal data?
Fortum employs appropriate organizational and technical security measures to protect your data from loss or misuse. We have a cybersecurity governance model which describes roles and responsibilities on the group level, and our instructions give detailed information on how personal data must be handled within Fortum. By conducting awareness programs, we engage Fortum employees in privacy and security considerations. Where we contract with third-party suppliers to provide services that may enable them to access your personal data we require them by contract to have similar security controls in place.
10. Your rights and how to exercise them
You have the following rights regarding personal data that Fortum processes about you. If you have any question about your rights or want to exercise them, please use the privacy request form or contact our local customer service. Some rights may not be applicable for example if the data cannot be connected to you.
- Right to access personal data – You have the right to be informed about the processing that we do and to request a copy of your personal data.
- Right to correct personal data – You can ask information about you to be corrected if it is not accurate or needs to be updated.
- Right to data portability – You are able to take with you the personal data you provided to us. A selected set of the data delivered in a machine-readable format, where the basis of processing has been consent.
- Right to deletion – We will delete the data at your request if it is no longer legitimately needed.
- Right to withdraw your consent – If you have given consent for data processing, you are always entitled to withdraw your consent.
- Right to object to the processing – You have the right to object to the processing of your personal data on Fortum’s legitimate interests such as developing of our recruitment process.
- Right to restrict the processing – In certain circumstances, you have the right to have the processing restricted.
How to lodge a complaint - If we do not take action in accordance with your requests, we will inform you of the reasons. If you are not satisfied with our response, or with the way we handle personal data, please contact us using the privacy request form. Alternatively, you can contact our local customer service. If you are still unhappy, you can contact the national data protection authority.
11. Changes to this privacy notice
Fortum reserves the right to amend this Privacy Notice. Possible amendments to the Privacy Notice will be notified about on our website, or by communicating directly to you.
12. Controller of your personal data
Fortum Corporation and its subsidiaries are the controllers of your personal data. If you want to exercise your rights or have any queries about the processing of your personal data, contact us by using the privacy request form or contact our local customer service listed below.
Further questions and comments regarding your privacy can be addressed to a dedicated privacy team using the privacy request form or in writing to the address below.
Keilalahdentie 2-4, 02150 Espoo
You are also able to reach Fortum’s Data Protection Officer through the channels provided above.