You are also able to reach Fortum’s Data Protection Officer through the channels provided above.
Last updated: 31.1.2024
This privacy notice describes how Fortum (Fortum Corporation and its subsidiaries, "Fortum”) processes your personal data. The notice applies when you use our products and services or otherwise interact with us. This notice also applies if you are a business customer or lead.
We may give you additional product or service specific privacy information in the product or service specific terms or supplementary notices that you may see while using our product or service.
We collect and process various types of personal data, where applicable and depending on your relationship with us, such as:
The personal data which we process about you comes from different sources:
We will use your personal data for predefined purposes based on contract, consent, legal obligation, and legitimate interest. Data from online and offline sources may be combined for these purposes, to the extent you have not opted out when applicable. We will use your personal data for the following purposes:
We collect and use personal data about you to process orders, deliver products and services, to provide customer service and to manage payments, contracts, and transactions.
The data needed for delivering services varies depending on the product or service in question, and whether you are a consumer or a business customer. For example, online services may require the user to authenticate, whereas electricity contracts require us to keep the measurement. Our customer service handles your requests and messages to serve you or your organization. Customer service may also offer you the optimal contract or service based on information we have about you. We may communicate with you in contract related matters via phone, mail, email, SMS, chat, automated calls, and other digital channels including social media. In email messages, we use email tracking pixels which you can choose to enable upon the receipt of an email message. The tracking pixel informs us if our email has reached you and if you have clicked on its links.
The legal basis for processing your data for service delivery and customer service is typically the contract; in business relationships legitimate interest. When required by law, we may ask for your consent to deliver certain services, for example, location-based services.
We may contact you through marketing even if you are not our customer. We will ask for your consent to contact you when required by law, otherwise our contacting is based on legitimate interest. Without consent, we can send automated electronic marketing messages that relate to your customer relationship or professional role, and use traditional marketing channels (e.g. post, telephone, door-to-door), when allowed by local law. We use email tracking pixels which you can choose to enable upon the receipt of an email message. The tracking pixel informs us if our email has reached you and if you have clicked on the links.
We also conduct lotteries and contests.
In addition to our own marketing and sales, we use sales and marketing partners who may contact you about our products and services based on their own customer lists or sell our products and services at their own premises.
Below you can read more about the different types of marketing. You can read in section 10 how to control your marketing preferences.
Customer marketing is electronic automated marketing that is sent without consent to existing customers and business customers in those countries where such practice is allowed.
To our consumer customers, who are currently ordering our products and services, we send regular offers and information about products and services that are relevant for the customer relationship. We send these communications to the contact address (phone or email) that you have given in connection with your relationship.
To our business customers (employees of our current and prospective customer companies and business partners, other stakeholders) we send offers and information about products, services, promotional events, and services that are relevant for their professional role. We send these communications to the work contact address which we have received from the customer, their organization, or a public source.
We send you automated electronic marketing and newsletters if you have agreed to subscribe to them. This marketing can contain information about any Fortum Group company products and services or about partner products and services. We may also collect marketing consents on behalf of our partners.
We may use traditional marketing channels (post, telephone, door-to-door) to contact you about our products or services and our partners’ products or services, unless you have blocked the use of your contact details.
We advertise our products and services online to users who visit our websites or our partners’ websites, by placing retargeting cookies or pixels on the sites that enable us (or a third party acting on our behalf) to show Fortum’s ad to the same user in other websites. To target you or other audiences, often called as "lookalike" audiences, in social media, we may use your phone number or email address unless you have objected to this. For targeting in mobile applications, we may use data collected about your use of the application, and your customer relationship data. We also buy advertising services from external companies that target audiences relevant for Fortum, with advertisements of Fortum products and services, in which case Fortum itself does not process the data. Read more about online advertising practices in our cookie and online data policy.
For marketing and advertising, we use and combine data that is collected during the customer relationship and from customer surveys; online behavioural data; data provided by third parties (for further information, please see section 2); and derived data that for example predicts the users’ interests. Based on this data, we can make marketing more relevant and effective, and send you more personalized offers. An example of derived data is a segment that tells us that the user is likely to live in a suburban area or a row house. You may also receive a targeted offer, for example, because you have moved recently.
We manage stakeholder relationships by communicating about relevant topics and promoting events which we arrange. Communications are sent directly by email to the contact addresses received from the stakeholders or their organization.
We process personal data to improve and develop better services for our customers, to support our business decision-making, and to consider our customers’ feedback and needs. The basis for processing data for product and service development is legitimate interest or consent. This is done, for example, by collecting feedback directly from users using surveys, test panels, interviews, questionnaires and other forms of market research; by utilizing the data generated from the use of our services in analytics; by using recorded or transcribed phone calls for training and service quality improvement; and by testing system functionality with temporary sample data that is collected during normal service use.
Data processing for our product and service development happens with pseudonymized data to the extent possible. In the case that the customer’s real contact details are collected in connection to the survey, or if we conduct interviews personally with the customer, we may inform you specifically about the use of the contact details in connection to the survey or interview.
In analytics, we aggregate large volumes of service use data to create statistical models, reports, predictions and trend analyses for the support of business decision-making; create analyses about service or feature performance; and calculate customer segments that are used to improve our sales and marketing as described in section 3.2.5.
We process personal data to comply with our legal requirements, for example, accounting and tax laws, anti-money laundering, and whistleblowing laws.
We use personal data to ensure the security and safety of our information, facilities, products, services, customers, and personnel. We have a standard ‘know your counterparty’ process, to conduct due diligence on business partners. The basis for processing data for the defence of legal claims, debt collection, credit checking, information security, and prevention of fraud and misconduct is typically legitimate interest. Personal data is used to ensure the security of our products and services, for example, by keeping access logs and system backups, authenticating users, and preventing attacks.
If we use automated decision-making with legal or similarly significant effects on you, we will inform you in advance. If such automated decision-making is not authorized by legislation, necessary for the performance of or entering into a contract with us, we will ask for your consent.
You can always express your opinion or contest a decision based solely on automated processing, as well as request a manual decision-making process instead by contacting us using the contact details given below.
Your personal data may be accessed by our data processing subcontractors or by other third parties as described below to the extent permitted by applicable law.
Data processors – We use data processing subcontractors to provide us with services. Such subcontractors may have access to your personal information and process it on our behalf. We ensure that the processing of personal data by our subcontractors is done in accordance with this notice through appropriate contractual arrangements. Typical service providers that process personal data include, for example, sales and customer service partners, payment and invoicing partners, and IT software and service providers.
Where applicable, we may share your personal data with other data controllers based on our legitimate interest, our contract with you, or our legal obligations, including:
Fortum Group companies – Our Group companies may use your personal data for the purposes defined in this notice.
Commercial partners, subcontractors & other authorized third parties – We may share personal data with our commercial partners when necessary, for example, for contractual reasons or for limited legitimate interests such as developing services with pseudonymized data.
Our commercial partners include, for example, electricity grid companies, debt recovery agencies, insurance companies, mailing service partners, consumer electronics retailers, electric charging station operators, car manufacturers and online advertising partners, as explained in the cookie and online data policy and other service providers.
Examples of data sharing with commercial partners include:
Some of our products and services also allow you to share your personal data with other parties.
Mergers & acquisitions – If we decide to sell, merge, or otherwise reorganize our businesses, this may involve us disclosing personal data to prospective or actual purchasers and their advisers.
Authorities, legal proceedings & law – We will disclose your data to competent authorities, such as the police, if required by law. We may also disclose your personal data in connection with legal proceedings, a court order, a trial, or an authority process, or as otherwise required or permitted by law.
Fortum is a global company that has affiliates, business processes, management structures and technical systems that cross national borders. This means that your data may be transferred to countries other than the one where you are located, including also outside of the European Economic Area. We rely on appropriate safeguards, such as the European Commission’s adequacy decisions and the EU-US Data Privacy Framework or standard contractual clauses issued by the European Commission, to protect your data when transferring it. You can obtain more information about the transfers by contacting us using the contact details listed below.
We employ appropriate organizational and technical security measures to protect your data from loss or misuse. We have a cybersecurity governance model which describes roles and responsibilities on the group level, and our instructions give detailed information on how personal data must be handled within our Group. By conducting awareness programs, we engage our employees in privacy and security considerations. Where we contract with third party suppliers to provide services that may enable them to access your personal data, we require them by contract to have similar security controls in place.
When you use our digital services or visit our websites, we can collect data from your devices using cookies and other similar technologies. Our websites and applications may use cookies and other similar technologies set by third parties. You can get more information about how to manage cookies and online data use reading our cookie and online data policy.
Below, you can see your rights regarding the personal data that we process about you. If you have any question about your rights or want to exercise them, please contact our customer service. You can also order a copy of the personal data we have about you by logging in here using your online banking identification details or a mobile certificate. Some rights may not be applicable for example if the data cannot be connected to you.
Please note that you may still receive marketing messages for a short period after opting out while we update our systems. Also, we sometimes use marketing partners, who may display our products and services to you, but who have not received any personal data about you from us. To opt-out from such marketing or to exercise your other rights, please contact the specific marketing partner directly.
In specific circumstances, there are limitations to these rights. If we do not act in accordance with your requests, we will inform you of the reasons. If you are not satisfied with our response, or with the way we handle personal data, please contact us using the contact form. Alternatively you can contact our customer service. If you are still not pleased with the handling, you can contact your national data protection authority.
Fortum reserves the right to amend this Privacy Notice. Possible amendments to the Privacy Notice will be notified about on our website, or by communicating directly to you
Fortum has appointed a Data Protection Officer, whom you may contact by using the contact details given in this section.
The data controller who is responsible for your data is typically the Fortum company, with whom you have contracted or otherwise interacted. See the list of Fortum group companies.
If you have any questions or want to exercise any of your rights, please see section 10.
You can address any further questions and comments regarding your privacy to our dedicated privacy team by using the contact form or in writing to the address below:
Fortum Oyj
Privacy
Keilalahdentie 2-4, 02150 Espoo
Finland
You can also reach Fortum’s Data Protection Officer through the abovementioned channels.
If you have any question or want to exercise any of your rights, please see chapter 10.
If you want to order a copy of the personal data that Fortum has about you, you can make the request by logging in using your online banking identification details or a mobile certificate.
Further questions and comment regarding your privacy can be addressed to our dedicated privacy team using the contact form.
You are also able to reach Fortum’s Data Protection Officer through the channels provided above.