Privacy notice - Vendors

In our privacy notice below, you can find information about how we collect, process and use the personal data. 

For the purpose of the EU General Data Protection Regulation 2016 (GDPR), the data controller is Fortum Corporation and its subsidiaries (“Fortum”). Information about the local/country specific controllers can be found in the Privacy notices of each country, see section “Contact information” at the end of this page.

How does Fortum process your personal data?

How does Fortum process your personal data?

We need to treat your personal data for many different purposes and in several ways. Common for all our personal data processing is that it is carried out with appropriate safeguards taken into account and in accordance with the fundamental principles in data protection legislation.

In this information, we have compiled the different data types, purposes and legal bases on which we rely for our data processing. In case of significant changes, we will inform you appropriately, see below at the end of the information text.

What kind of data does Fortum collect?

Fortum collects and processes personal data in various categories, including:

  • Identifying data - such as email address, company name, name, supplier number, national ID/social security number, date of birth, metering point identification
  • Contact data - such as your name, address, phone number, user name, customer number, password and if appropriate your image
  • Security and safety data - such as facility and system surveillance information, passwords, personal radiation dose values
  • Behavioural data - such as log in details, energy/electricity consumption data
  • Preference data - such as pricing reference
  • Agreement and service datasuch as information about our services which you are using, service/product contract details
  • Transactional and consumption data - such as data about your purchase of our products and consumption of our services
  • Financial and invoicing data - such as your invoice address, payment terms, bank account information, creditworthiness information
  • HR data - such as job position data, background clearance, education and training records, performance and development, CV
  • Device data - such as IP number and other information from cookies

Fortum collects data that is necessary for the relationship you have with us and the purposes for which the data are used. All our data processing of personal data has legal basis.

What sources are the personal data obtained from?

The personal data which we process about you comes from different sources:

  • We receive information from yourself, when you order our services, when you fill in a form of interest or send in your personal data to us. We will then inform about the necessary and mandatory data which is needed for us to provide you that service.
  • We receive information as part of our relationship with you as our business client or vendor, such as consumption data, behavioral information or the information created when you use our IT systems.
  • We receive information from public sources, such as public address registers or from third parties, which we are cooperating with, such as credit information provider, debt collection services, installation partners, surveillance providers and providers of global news databases.

What are the purposes for processing personal data?

We process personal data only for predefined purposes. The purposes for which we process personal data are:

  • Customer relationship management and communication  
    To be able to manage a professional relationship with our business clients, and to provide efficient customer service, we need your personal data. We handle our relationships with our business clients and vendors, via email, phone and online channels. We send contract related notifications and give guidance to our customers.
  • Contract and product management, Delivering and Maintaining service and Consumption reporting
    We need a contract with all our customers to fulfil our contractual obligations to you. Therefore, we  collect personal data to create and manage contracts, and to deliver our products and services. We provide energy services according to previously agreed volumes and price. We also provide financial trading service, e.g. power and electricity certificates. We update our customer data, collect data of customers’ consumption and of the related services, to offer our customers the best solution.
  • Billing and debt collection
    We process personal data to be able to invoice our customers for the energy consumption, for our products, goods or services. We create invoices based on customer data, contract information and information on delivered energy/goods/services. We handle payments made by our customers, respond to change requests and we archive invoices and contracts.
  • Partner/vendor management and communication  
    In order for us to have a professional and efficient management and communication with our vendors and partners, we process different kind of personal data. We review suppliers´ credit information; we evaluate and verify suppliers´ capacity and potential to become a supplier. Additionally, we communicate with our vendors as part of our business relationship.
  • Security and safety control
    We process personal data to be able to protect our assets and to prevent unauthorized access to our facilities, systems and devices.  We are using  physical, technical and administrative methods to achieve this,  such as access control and camera surveillance.
  • Public authority reporting.

On what legal basis do we process your personal data?

We rely on several legal bases when processing your personal information:

  • Your specific and freely given consent. If we rely on your consent as the legal basis for processing your data, you may withdraw your consent at any time.
  • The processing is necessary to fulfill an agreement between us and you or necessary to conclude such an agreement.
  • The processing is necessary to fulfill a legal obligation that is owed to us (for example, we are required by law to store certain data for a certain period of time) and / or to determine, enforce or defend Fortum against legal claims or claims.
  • The processing is necessary for purposes pertaining to the legitimate interests of our or third parties, which consider the registrant's interests and fundamental rights and freedoms (ie, balance of interests). Our legitimate interests in such treatments are:
    - Conduct cost-effective and relevant business activities
    - Develop, improve and sell our products and services as well as to maintain a good customer contact, including customer feedback and customer surveys
    - Maintain correct, relevant and unified records and tasks
    - Receive payment for completed or delivered products and services
    - Provide effective support and case management to customers
    - Provide relevant and effective direct marketing in relation to existing customers, including profiling and segmentation for marketing purposes (see further information below)

How do we treat your data for marketing purposes?

Within Fortum, we value effective and transparent marketing towards you as our customer. Processing your personal data for marketing purposes is necessary for our legitimate interest in developing, improving and selling our products and services, and maintaining a good customer relationship.

In all our communication, you are given the opportunity to oppose and to refuse any further marketing outlets.

We will for example conduct market analyzes, compile statistics and evaluating, develop and inform you about our services and products. You can receive monthly newsletters or general information about customer benefits for example, unless you actively oppose such communication. We can also send you targeted offers based on your purchases, your service / product holdings and / or your behavior in communicating with us. Such targeted offers aim to offer you relevant offers for products and services that we believe you are interested in. Targeted offers assume that we divide our customers into different groups (eg segmentation or profiling) based on your interactions with us.

Does Fortum use your personal data in automated decision-making?

We may make decisions about you through automated decision making e.g. automated credit checks during contract period, which may affect your ability to use our services. We use automated decisions to have efficient, digital, predictable and legally secure decision and business processes. We will normally give you more detailed and specific information about such automated decision making processes in connection to the start of the application/decision, including information about the logic behind as well as the consequences of the handling.

If we have made a decision about you solely on the basis of an automated process (e.g. through automatic profiling) and that affects your ability to use the services or has another significant effect on you, you can ask to not to be subject to such a decision unless we can demonstrate to you that such decision is necessary for entering into, or the performance of, a contract between you and us.

How long do we store the personal data?

Fortum seeks to limit the period for which the personal data are stored to a minimum. Thus, Fortum processes your personal data only to the extent and as long as it is necessary to meet the purposes of the data processing.

As a general rule, your personal data are stored for the duration of the business relationship as well as for a period of 6 years from the end of the business relationship or from the date of the last invoice. Personal data relating to invoices and accounting material will be stored for 10 years from the end of the fiscal year. The specific retention periods may be different depending on the categories of data. Fortum sets out and regularly re-evaluates data type specific retention periods for the personal data it holds. Once personal data is no longer necessary, Fortum will delete it or anonymise it as soon as possible.

Who process your personal data?

Principally, we do not sell, trade or license any personal data to third parties. Companies belonging to the Fortum group of companies may process personal data in accordance with existing privacy laws. Personal data may be disclosed to our authorized employees or affiliates to the extent necessary for the purpose of processing. The data will never be available to all employees but to a limited number of authorized persons.

We also use third parties as our data processors to help process personal data on our behalf. When a third party processes personal data on our behalf, we always ensure via contractual arrangements that the processing of personal data is always conducted safely and in accordance with privacy laws and data processing best practices.

List of categories of the third parties processing data (=data processors):

  • Service providers, such as printing services, debt collection services, installation partners, credit information provider consultant service providers
  • IT service providers, Cloud service
  • Sales and marketing partners 

In addition, personal data may be disclosed to authorities when we are required to do so by law, based on demands made by competent authorities in accordance with existing privacy laws.

Does Fortum transfer personal data to third countries?

Principally, Fortum does not transfer personal data outside the European Union or the European Economic Area (EEA). However, if personal data is transferred outside the EU or the EEA, Fortum uses appropriate safeguards in accordance with existing privacy legislation, such as the standard contractual clauses provided by the European Commission.

How does Fortum protect the personal data?

Fortum fulfils the necessary technical and organizational measures, which ensure and demonstrate that privacy laws are being followed in the processing of personal data.

These measures include the monitoring of access rights so that only the authorized persons have access to the personal data, using firewalls, pseudonymisation of data, detailed instructions and training for personnel on protection of personal data and careful consideration when selecting our service providers that are involved  in the processing of personal data on our behalf.

About cookies and your rights when it comes to personal data

Cookies used on websites

When you use our services or visit our websites, Fortum can collect data about your devices through cookies and other tracking techniques.

Cookies are a small text file that we use to Identify and count the browsers and devices that visit our websites. This information may then be used by us or third parties for marketing purposes.

Our use of cookies differs depending on which of Fortum's websites you visit. You can get more information about which cookies we use on a particular website by reading the specific information about cookies on the current site.

Click here to read more about cookies and how to manage them on our site

What rights do you have in respect of your personal data?

You have as registered a number of rights by law:

  • Right of access - You have the right to access your personal data, which means that you have the right to confirm whether your personal data are processed and, if so, also receive a copy of the personal data that is processed by Fortum (so-called registry extracts) and further information about the processing carried out by Fortum.
  • Data Portability Right - You are entitled to data transfer, which means that you may, under certain circumstances, have the right to have the personal data transmitted to another controller.  
  • Right to rectification - You are entitled to receive incorrect information about you corrected or supplemented.
  • Right to erasure - You have the right to have your data erased, if
    - the data are no longer necessary for the purposes for which they are processed,
    - you revoke your consent for some treatment and thereafter there is no legal basis for Fortum to process the data,
    - your data has been processed illegally, or
    - the processing of your data is not necessary to comply with applicable legal requirements in order to determine, enforce or defend legal claims and / or for archival, research or statistical purposes.
  • Right to revoke consent - If you have given special consent to certain treatment, you are always entitled to withdraw your consent.
  • Right to object to processing of personal data – When processing is carried out on the basis of the legitimate interests pursued by Fortum or by a third party, you have the right to object at any time to processing of personal data concerning you. Unless Fortum can demonstrate compelling legitimate grounds for the processing, Fortum shall no longer process the personal data.
  • Right to object to direct marketing - You are entitled to object to the processing of personal data pertaining to you for direct marketing at any time. Then we will no longer process personal data for such purposes.
  • Right to restriction - You are entitled to limit your data during the time we investigate and check your request.
  • Right not to be subject to automated decision - If we have made a decision about you based entirely on an automated process and the decision has legal consequences or otherwise significantly affects you, you may request that the decision should be reviewed by us through renewed and individual assessment. This applies if we cannot prove that an automated decision is necessary to conclude or implement an agreement between you and us.
  • Right to complain to the supervisory authority - You are entitled to complain to the Data Inspection Authority or other competent regulatory authority if you believe that we treat your personal data in violation of applicable data protection legislation.

If you wish to exercise any of your rights above, please go to our local markets, where we offer various services and products. You find the information in the Contact information section below.  

Changes to our notice and contact information

Changes to our privacy notice

Fortum reserves the right to amend this Privacy Notice. Possible amendments to the Privacy Notice will be notified about on our website.

Amendments may be necessary due to the development of our services or, for example, changes in the relevant laws.

Contact information

Questions and comment regarding this privacy notice are welcomed and can be addressed to our dedicated privacy team by using the contact form or to the address below.

Send your questions with this form

Fortum Corporation
Keilalahdentie 2-4
02150 Espoo

Please, note that requests for exercising your rights regarding your personal data (such as accessing your personal data) will not be handled through email, but through request forms online or via customer services in our local markets. See links to our local web sites below.