Privacy & Security
Fortum takes data security and privacy very seriously. We view it as an excellent opportunity to demonstrate our commitment and develop trust with our customers and clients.
Steps Fortum Charge & Drive has taken for GDPR compliancy
Update of Privacy Notice
Collection of Personal Data
With CDMC, Fortum Charge & Drive will only collect personal data which is required to provide the service to the user in an efficient and customer friendly way. The number of data points collected upon registration is minimized. Data is only collected if the user uses a specific feature that requires that particular data collection. Examples include credit card details to allow payments, address information for sending our RFID keys, and so on.
Sub-Processor Agreement Amendments
To provide the service to end-users, Fortum Charge & Drive relies on a number of external systems, provided by so-called sub-processors. Examples include AWS (Amazon Web Services) and Stripe (for payment). We have gone to great lengths to ensure that our sub-processors process personal data belonging to Fortum Charge & Drive users in a safe way. To ensure this, we have amended all agreements with sub-processors to include a Data Processing Agreement, specifying which data the sub-processor may process on behalf of Fortum Charge & Drive, and for what purpose.
Sub-processors include all system vendors whose systems are used to provide our service, as well as external parties which may be given access to Fortum Charge & Drive systems. This latter category includes support partners and consultants. All sub-processors used by Fortum Charge & Drive are thoroughly vetted; only sub-processors passing background checks and with the ability to abide by DPA are accepted.
Personal Data Deletion
In accordance with GDPR it should be simple for a user to request a service provider to be "forgotten", i.e. that its personal data should be deleted or anonymized. Fortum Charge & Drive has implemented both technical tools as well as processes to manage these requests in an efficient and timely manner. An end-user simply has to contact Customer Support with their registered e-mail, and soon thereafter the data will be removed from Fortum Charge & Drive systems. Fortum Charge & Drive will, however, store charging transaction details to comply with legal requirements, but this data will be anonymized.
Personal Data Portability
GDPR allows the user to request to have their data extracted so that they can change service provider in a simple way. Fortum Charge & Drive has implemented tools and processes to meet these requests in an efficient and timely manner. Similar to the deletion process, the user can contact Customer Support at any time with their registered e-mail address and ask to have their data extracted. Fortum Charge & Drive will process the request and deliver the data to the customer in a .csv file. The user can then request a new service provider to have this data imported.
Another core part of GDPR is to ensure that no unlawful access to personal data takes place, either by internal employees working at Fortum Charge & Drive or by external parties who has access to CDMC. Personal data access is limited to a set of specific user roles in CDMC, which allows Fortum Charge & Drive to minimize the number of employees who have access to personal data. If an external party is given access to personal data, for example for support purposes, this party will be considered a sub-processor subject to DPA. Each system user, regardless of whether they have access to personal data or not, is also subject to Terms & Conditions which control how the user can use the system.
Furthermore, Fortum Charge & Drive has implemented a rigorous process for managing access to CDMC, in particular in terms of accounts with access to personal data. Each time such access is provided it is logged and subject to verification by the employee's Manager. User accounts with these privileges are restricted to a small group of people, in which each one has a clear and required purpose of access. CDMC also provides tools to manage access in an efficient way; a clear overview of which employees have access and what roles they have, and efficient restriction of access if required.
Breach and Incident Management
Fortum Charge & Drive has implemented a breach management process that ensures that required measures are taken in the unlikely event of a data breach. Escalation paths are in place, and Fortum is required to notify both users and relevant authorities of a potential breach within 72 hours of discovery. This also applies to potential sub-processor breach incidents.
CDMC now has support for activity logging. All activity, whether it is to add a charger, change its configuration or change information about a user, is logged. This provides a clear overview of activities performed in the system and allows rapid detection of unlawful or erroneous behaviour. Apart from security, this feature also allows Fortum Charge & Drive to provide a better service in general since it enables, for example, support personnel to have transparency on actions performed by their colleagues.
Personal Data encryption
Personal data is encrypted and stored in a safe way to allow efficient handling of data subject requests and decrease the risk of breach incidents. The system is based on the latest authentication technology, allowing safe authentication, registration and log-in.
Personal Data Retention
All personal data now has a clearly defined retention period in the system. If a user has not been active during a certain period of time, the system will automatically consider that user's account to be inactive. The user will be notified of this change of account status. If the account is not re-activated by the user, either by logging into the app or using another identifier to access one of Fortum Charge & Drive's chargers, the user account will automatically be terminated. The user will be forgotten, and all their data will be deleted or anonymized. This is to ensure that users who may have registered but forgotten that they did so are not required to take any action in order to have their account deleted if the account remains inactive for a sufficiently long period.
In our updated privacy notice, you can read more about how we treat your personal data. This, together with any other documents referred to within, sets out the basis on which we will process any personal data that we collect from you, or that you provide to us. Please read the privacy notice carefully to understand our views and practices regarding your personal data and how we will treat it.