Privacy & Security

Fortum takes data security and privacy very seriously. We view it as an excellent opportunity to demonstrate our commitment and develop trust with our customers and clients.

Steps Fortum Charge & Drive has taken for GDPR compliancy

Update of Privacy Notice
Chevron down

Privacy Notice has been separated from Terms of Use to allow users full transparency on how their personal data is being collected, processed and for what purpose. Terms of Use have been will reflect how the new system (released in Q2, 2018) works.

Any future changes in both Privacy Notice and Terms of Use will be shared with full transparency to users, and a user who does not accept such changes is free to terminate their account at any time.

Collection of Personal Data
Chevron down

With CDMC, Fortum Charge & Drive will only collect personal data which is required to provide the service to the user in an efficient and customer friendly way. The number of data points collected upon registration is minimized. Data is only collected if the user uses a specific feature that requires that particular data collection. Examples include credit card details to allow payments, address information for sending our RFID keys, and so on.

Sub-Processor Agreement Amendments
Chevron down

To provide the service to end-users, Fortum Charge & Drive relies on a number of external systems, provided by so-called sub-processors. Examples include AWS (Amazon Web Services) and Stripe (for payment). We have gone to great lengths to ensure that our sub-processors process personal data belonging to Fortum Charge & Drive users in a safe way. To ensure this, we have amended all agreements with sub-processors to include a Data Processing Agreement, specifying which data the sub-processor may process on behalf of Fortum Charge & Drive, and for what purpose.

Sub-processors include all system vendors whose systems are used to provide our service, as well as external parties which may be given access to Fortum Charge & Drive systems. This latter category includes support partners and consultants. All sub-processors used by Fortum Charge & Drive are thoroughly vetted; only sub-processors passing background checks and with the ability to abide by DPA are accepted.

Personal Data Deletion
Chevron down

In accordance with GDPR it should be simple for a user to request a service provider to be "forgotten", i.e. that its personal data should be deleted or anonymized. Fortum Charge & Drive has implemented both technical tools as well as processes to manage these requests in an efficient and timely manner. An end-user simply has to contact Customer Support with their registered e-mail, and soon thereafter the data will be removed from Fortum Charge & Drive systems. Fortum Charge & Drive will, however, store charging transaction details to comply with legal requirements, but this data will be anonymized.

Personal Data Portability
Chevron down

GDPR allows the user to request to have their data extracted so that they can change service provider in a simple way. Fortum Charge & Drive has implemented tools and processes to meet these requests in an efficient and timely manner. Similar to the deletion process, the user can contact Customer Support at any time with their registered e-mail address and ask to have their data extracted. Fortum Charge & Drive will process the request and deliver the data to the customer in a .csv file. The user can then request a new service provider to have this data imported.

Access Management
Chevron down

Another core part of GDPR is to ensure that no unlawful access to personal data takes place, either by internal employees working at Fortum Charge & Drive or by external parties who has access to CDMC. Personal data access is limited to a set of specific user roles in CDMC, which allows Fortum Charge & Drive to minimize the number of employees who have access to personal data. If an external party is given access to personal data, for example for support purposes, this party will be considered a sub-processor subject to DPA. Each system user, regardless of whether they have access to personal data or not, is also subject to Terms & Conditions which control how the user can use the system.

Furthermore, Fortum Charge & Drive has implemented a rigorous process for managing access to CDMC, in particular in terms of accounts with access to personal data. Each time such access is provided it is logged and subject to verification by the employee's Manager. User accounts with these privileges are restricted to a small group of people, in which each one has a clear and required purpose of access. CDMC also provides tools to manage access in an efficient way; a clear overview of which employees have access and what roles they have, and efficient restriction of access if required.

Breach and Incident Management
Chevron down

Fortum Charge & Drive has implemented a breach management process that ensures that required measures are taken in the unlikely event of a data breach. Escalation paths are in place, and Fortum is required to notify both users and relevant authorities of a potential breach within 72 hours of discovery. This also applies to potential sub-processor breach incidents.

Activity Logging
Chevron down

CDMC now has support for activity logging. All activity, whether it is to add a charger, change its configuration or change information about a user, is logged. This provides a clear overview of activities performed in the system and allows rapid detection of unlawful or erroneous behaviour. Apart from security, this feature also allows Fortum Charge & Drive to provide a better service in general since it enables, for example, support personnel to have transparency on actions performed by their colleagues.

Personal Data encryption
Chevron down

Personal data is encrypted and stored in a safe way to allow efficient handling of data subject requests and decrease the risk of breach incidents. The system is based on the latest authentication technology, allowing safe authentication, registration and log-in.

Personal Data Retention
Chevron down

All personal data now has a clearly defined retention period in the system. If a user has not been active during a certain period of time, the system will automatically consider that user's account to be inactive. The user will be notified of this change of account status. If the account is not re-activated by the user, either by logging into the app or using another identifier to access one of Fortum Charge & Drive's chargers, the user account will automatically be terminated. The user will be forgotten, and all their data will be deleted or anonymized. This is to ensure that users who may have registered but forgotten that they did so are not required to take any action in order to have their account deleted if the account remains inactive for a sufficiently long period.

Privacy notice

In our updated privacy notice, you can read more about how we treat your personal data. This, together with any other documents referred to within, sets out the basis on which we will process any personal data that we collect from you, or that you provide to us. Please read the privacy notice carefully to understand our views and practices regarding your personal data and how we will treat it.

Fortum Privacy Notice


Contact Fortum Charge & Drive

Get in touch to learn more

Subscribe to the Fortum Charge & Drive Newsletter

Sign up here