Privacy Notice - customer

Fortum’s updated privacy notice provides additional information on the processing of personal data. To understand Fortum’s position on personal data processing and the processing methods used, please read this notice carefully.

Who are the controllers?

The data controllers referred to in the European Union’s general data protection regulation (GDPR) are:

Fortum Markets Oy

Business ID: 1852328-0
Street address: Keilalahdentie 2-4, Espoo
Postal address: P.O. Box 100, FI-00048 Fortum, Finland
Tel. +358 10 4511
Network service: www.fortum.fi

Fortum Power and Heat Oy

Business ID: 0109160-2
Street address: Keilalahdentie 2-4, 02150 Espoo
Postal address: P.O. Box 100, FI-00048 Fortum, Finland

Fortum Waste Solutions Oy

Business ID: 0350017-4
Street address: Kuulojankatu 1, 11120 Riihimäki
Postal address: PL 181, FI-11101 Riihimäki, Finland

Ekopartnerit Turku Oy

Business ID: 1568601-7
Street address: Ravurinkatu 40, 20380 Turku
Postal address: Ravurinkatu 40, FI-20380 Turku, Finland

Fortum Environmental Construction Oy

Business ID: 1604947-4
Street address: Kuulojankatu 1, 11120 Riihimäki
Postal address: PL 181, FI-11101 Riihimäki, Finland

How does Fortum handle personal data?

We process personal data for many different purposes and in many different ways. All processing of personal data is carried out with appropriate safeguards and in compliance with data protection legislation.

In these materials, we describe the various types of personal data we process, the purposes of processing, and the legal grounds for data collection and processing. If we make any significant changes to this information concerning the collection and use of personal data, we will notify you of these in the manner described at the end of this text.

 

Processing of personal data by Fortum

What data does Fortum collect?

Fortum collects and processes different types of personal data, such as:

  • Contact details including your name, address, phone number, username, customer number, password and photo, if necessary
  • Contract and service information, such as information on your use of our services, contract period, notice of termination and other contract-related information
  • Payment and consumption data, including information on how you purchase our products and use our services
  • Financial and invoicing information, including your invoicing address, term of payment, credit card number, and bank account details
  • Work order information, such as information on your communication with Fortum’s customer services, installations, orders for supplementary work, complaints, etc.
  • Behaviour and consumption data, such as a customer segment, your response to offers we made to you, and the way in which you use our products, services and website
  • Device data, such as IP address, and other data from cookies
  • Permit information, e.g. marketing permits.

Fortum collects the information that is necessary through the course of your customer relationship with us and for fulfilling the purposes for which your personal data is used. All aspects of personal data processing have a legal basis.

What are the sources of personal data?

The personal data about you that we process comes from different sources:

  • From you when you subscribe to our services, fill out contact forms, or send us personal information. In these cases, we will inform you of the information we need in order to be able to provide you with the service in question.
  • From our customer relationship with you, such as energy consumption data, work order processing, device information, or behaviour data.
  • From publicly available sources, such as address registers or from third parties we work with, such as credit information providers, debt recovery services, installation partners and marketing partners.
     

For what purposes is personal data processed?

Personal data is processed only for purposes that are specified in advance. We process personal data for the following purposes:

  • Customer relationship management and customer satisfaction surveys. Fortum needs personal data to maintain customer relationships, and for providing telephone, email and customer services through our digital channels, for example. We handle customer complaints by collecting the necessary data and providing responses. We notify our customers in matters relating to customer relationships through email, telephone and digital channels.
  • Management of contracts and products, service provision and maintenance, and reporting on usage. With every customer, Fortum must enter into a contract for the fulfilment of our contractual obligations with the customer. For this reason, we collect the personal data needed for the preparation and management of contracts and delivery of products and services. We keep our customers informed of these matters in various ways, for example, through notifications related to the contract. In order to be able to offer our customers the best possible solutions, we keep our customer data updated and collect data on consumption and related services.
  • Invoicing and debt recovery. We process personal data in order to be able to charge our customers for energy use and the other products, goods and services we provide. We produce invoices based on customer data, contract information, and the energy, goods and services that have been provided. We process payments by our customers, respond to requests for changes to invoices, and file invoices and contracts.
  • We continually develop our sales and marketing, products and services. We use customers’ email addresses for sending notices, newsletters and for marketing communications, and to inform our customers about our customer benefits, our services and their use, and our new products and other topical matters. With regard to potential new customers, we process the personal data we receive from e.g. events, competitions and surveys on our websites and via other measures. We perform an automatic transcription of our customer service’s recordings which we analyse to improve the quality of our services.
  • Internal reporting and reporting to the authorities

What is the legal basis for processing personal data?

We process your personal data on a number of legal grounds:

  • Your explicit and freely given consent. If the processing of your personal data is based on your consent, you can withdraw your consent at any time.
  • Data processing is necessary for fulfilling the contract made between you and us, and for making such a contract in the first place.
  • Data processing is necessary to meet our legal obligations (for example, we are required by law to store data for a certain period of time) and/or legal requirements or complaints, and for enforcing them or defending Fortum from them.
  • Data processing is also necessary with regard to the legitimate interests of Fortum or associated third parties, taking into account the interests of the data subject and their fundamental rights and freedoms. In other words, data processing is necessary for maintaining a balance of interests. Our legitimate interests with regard to such data processing are:
    • To maintain proper, meaningful and consistent files and tasks
    • To develop, improve and sell our products and services, to foster good customer relationships, for example with the aid of customer feedback and customer surveys
    • To conduct cost-effective and meaningful business operations
    • To ensure that customer relationships are properly managed, for example in the processing of guarantees and authorisations
    • To provide meaningful and effective direct marketing to existing customers, such as profiling and segmentation for marketing purposes (see below for details)
    • To obtain payment for products and services rendered or delivered, for example in the event of debt recovery
    • To provide effective customer support and case management, such as saving calls in order to ensure customer service quality and fulfilment of orders.

How we handle your data for marketing purposes?

We at Fortum feel that it is important that our marketing is carried out transparently and is useful to our customers Processing of personal data for marketing is necessary for our legitimate interests in developing, improving and selling our products and services, and for maintaining good customer relationships.

In all communication between us, we give you the opportunity to reject and prohibit all future marketing messages through the various channels.

For example, we carry out market analyses, collect statistics, and evaluate and develop our services and products and inform you about them. Unless you specifically prohibit such communication, you may receive monthly newsletters or general information, such as information on customer benefits. We may also send you targeted benefits and offers based on your purchases, the services or products you are using, and/or your communication behaviour. Such targeted offers are aimed at improving the customer experience, and provide you with relevant offers related to products and services we believe you will be interested in. To be able to make targeted offers, we must divide our customers into different segments or customer profiles based on their interaction with us.
 

Automatic decision-making

We can make decisions related to you through automated decision-making, for example by carrying out automatic credit checks when the contract is being made and during the contract period. This may affect your possibilities for using our services. We use automated decisions to ensure that our decision-making and business processes are effective, digitalised, predictable and legally well founded. We will usually provide you with more detailed and precise information on such automated decision-making processes when an application is being launched or in connection with decision-making. Such information may concern, for example, the underlying logic of the new application and its consequences.

If automated decision-making is not necessary for making a contract between us, we will ask you in advance for your consent to automatic decision-making.

If we have made a decision affecting you solely on the basis of automatic processing (such as auto-profiling), and if such a decision affects your ability to use our services, or otherwise significantly affects you, you can request that this decision is not applied to you unless we can prove to you that the decision in question is necessary for making and completing the contract between Fortum and you.
 

How long is personal data stored?

We only retain personal information for the period of time that is necessary for that type of data and for fulfilling the purpose for which that personal data is processed.
In general, personal data is stored for the entire duration of the customer relationship, and for a further six years after the customer relationship has ended. Personal data related to measurement data (such as data on energy consumption and production) is kept for 10 years from the date on which the measurement data was received. Storage times may in certain cases vary depending on the categories to which the data belongs. Fortum regularly sets and evaluates storage periods for each specific type of personal data that it holds. When an item of personal data is no longer needed, Fortum will remove it or render it unrecognisable as soon as possible.

 

Who processes personal data?

As a matter of principle, we do not sell or trade your personal data or grant third parties access to it. Companies belonging to Fortum Group can process personal data in accordance with the applicable privacy protection legislation. We may disclose personal information to authorised employees or subsidiaries if this is necessary for processing purposes. Personal data is never made available to all employees, only to those who need it for their work. We also use third parties as data processors to help us in processing personal data. When a third party processes personal data on our behalf, we always ensure that the data is always processed securely and in accordance with best practices in privacy and data processing.

The following types of third party are involved in personal data personal data on our behalf:

  • Service providers such as printing services, debt recovery services, installation partners, credit information providers, and consultancy service providers
  • IT service providers, cloud services
  • Sales and marketing partners

Personal data may also be submitted to the authorities for processing.

Does Fortum transfer personal data to third countries?

As a rule, Fortum does not transfer personal data outside the European Union or the European Economic Area. However, if we do transfer personal data outside the EU or EEA, we will use the appropriate safeguards in accordance with current data protection legislation, such as the standard contractual clauses approved by the European Commission.

How does Fortum protect personal data?

Fortum will implement the necessary technical and organisational measures to ensure and be able to demonstrate that data protection legislation is applied to processing of personal data.

Among these measures are access to personal data, use of firewalls, making data unidentifiable (pseudonymisation), detailed instructions and training for employees in the protection of personal data, and careful assessment of service providers who are involved in processing personal data on Fortum’s behalf.
 

How does Fortum process personal data from IP addresses, cookies, and similar technologies?

When you use Fortum’s services or websites, we can collect information about your devices using cookies and other tracking methods.

Cookies are small text files that we use for tracking and calculations relating to web browsers and devices that connect to our websites. Fortum or associated third parties may use this information for marketing purposes.

The use of cookies varies depending on which Fortum website you use. More information on the cookies we use on each particular website is provided in the special information about cookies that is provided on that site.


What are your rights concerning your personal data?

As a data subject, you have several rights that are guaranteed by law:

  • The right to your own information. The right to determine whether Fortum is processing your personal data, and, if so, to receive a copy of the personal data processed by us and further information about Fortum’s processing of your data.
  • The right to data transferability. You have the right to transfer data, which means that in certain circumstances you may have the right to transfer your personal data to another controller.
  • The right to have data corrected. You are entitled to correct any inaccuracies in the personal data about you, and to supplement the data where required.
  • The right to have data deleted. You have the right to have your personal data deleted if 
    • The data is no longer needed for the purposes for which it was processed
    • You withdraw your consent to some particular method of data processing, and Fortum then no longer has legal grounds for processing your personal data
    • Personal data about you has been processed illegally
  • Processing of your data is not necessary for compliance with the applicable statutory requirements in order for it to be possible to determine, enforce or legally defend statutory requirements, and/or for archival, research or statistical purposes.
  • The right to withdraw consent. If you have given your explicit consent to a specific type of data processing, you always have the right to withdraw this consent. 
  • The right to object to the processing of your personal data. When personal data is processed on the basis of the legitimate interests of Fortum or of a third part acting on Fortum’s behalf, you have the right at any time to object to the processing of your personal data. Unless Fortum can reasonably justify the data processing in question, we will then cease the processing of your personal data.
  • The right to object to direct marketing. You are at any time entitled to object to your personal data being processed for direct marketing purposes. In this case, we will then cease processing of your personal data for the purposes in question.
  • The right to restrict processing of personal data. You are entitled to restrict the processing of your personal data, and this restriction will be applied while your request is being investigated and evaluated.
  • The right to refuse to allow automated decisions to be made about you. If we have made a decision with regard to you solely by an automated decision-making procedure and this decision has legal or otherwise significant consequences for you, you can request that we review the decision by making a new and individualised assessment. This applies if we cannot demonstrate that an automatic decision is sufficient for making a contract between you and Fortum, or for implementing a contract that has been made.
  • The right to file a complaint with a regulatory authority. You have the right to appeal to the Office of the Data Protection Ombudsman or any other competent regulatory authority if you believe we are processing your personal data in violation of current data protection legislation.

Changes to Fortum’s Privacy Notice

Fortum reserves the right to make changes to this privacy notice. If any changes are made to this privacy notice, notification of this will be provided on our website.
Such changes may be necessary in relation to the development of our services, for example, or due to changes in applicable legislation.

Contact information

If you have any questions, comments and requests relating to this privacy notice, you can send them to us, using the email address below or by post.


Fortum Corporation
Privacy protection
privacy@fortum.com
Keilalahdentie 2-4, CD building
FI-02150 Espoo, Finland