Privacy notice – Customers

We collect and process various types of personal data, where applicable and depending on your relationship with us, such as:

• Personal details – including your contact details (such as your name, address, phone number, and email address), demographic data (such as your gender, age, language, nationality, professional details, and additional details such as your interests or a segment group), and your national identity number when required for verifying your identity.
• Contract & transaction data – such as information about your contracts, orders, purchases, payment status, and invoices; recorded and transcribed phone calls; subscriptions and opt-outs; and your other transactions with us such as service requests and messaging with our customer service.
• Payment & credit data – such as your payment card information and bank account information that are needed for verifying purchases or returning funds, creditworthiness.
• Online data & identifiers – data that is collected with cookies or similar technologies about your use of our services, such as your browsing activities and segments, your IP address, cookie ID, mobile device ID, details about browser and device, and location.
• Security & IT service management data – data that is used for securing the use of our services and our premises, such as your password and login details, security logs, camera surveillance recordings, and background clearance data related to the 'know your counterparty' checks.
• Technical & consumption data – such as data related to the operation of a device, vehicle or application, including the measurement of consumption and production of electricity and other utilities, and data from charging stations and smart devices, including data from any sensors (e.g. temperature).

The personal data which we process about you comes from different sources:

• You and your organization (if you are a B2B customer or a lead), when you order or use our services, when you fill in a form of interest, participate in a survey or competition, create an account, browse our website, or otherwise interact with us.
• Third parties, such as public address registers, credit reference agencies, debt collection agencies, installation partners, marketing partners, electricity and insurance companies, and other data providers.
• Fortum Group companies, which share information for purposes mentioned in this notice.

We will use your personal data for predefined purposes based on contract, consent, legal obligation, and legitimate interest. Data from online and offline sources may be combined for these purposes, to the extent you have not opted out when applicable. We will use your personal data for the following purposes:

3.1 Service delivery & customer service

We collect and use personal data about you to process orders, deliver products and services, to provide customer service and to manage payments, contracts, and transactions.

The data needed for delivering services varies depending on the product or service in question, and whether you are a consumer or a business customer. For example, online services may require the user to authenticate, whereas electricity contracts require us to keep the measurement. Our customer service handles your requests and messages to serve you or your organization. Customer service may also offer you the optimal contract or service based on information we have about you. We may communicate with you in contract related matters via phone, mail, email, SMS, chat, automated calls, and other digital channels including social media. In email messages, we use email tracking pixels which you can choose to enable upon the receipt of an email message. The tracking pixel informs us if our email has reached you and if you have clicked on its links.

The legal basis for processing your data for service delivery and customer service is typically the contract; in business relationships legitimate interest. When required by law, we may ask for your consent to deliver certain services, for example, location-based services.

3.2 Sales, marketing & stakeholder communications

We may contact you through marketing even if you are not our customer. We will ask for your consent to contact you when required by law, otherwise our contacting is based on legitimate interest. Without consent, we can send automated electronic marketing messages that relate to your customer relationship or professional role, and use traditional marketing channels (e.g. post, telephone, door-to-door), when allowed by local law. We use email tracking pixels which you can choose to enable upon the receipt of an email message. The tracking pixel informs us if our email has reached you and if you have clicked on the links.

We also conduct lotteries and contests.

In addition to our own marketing and sales, we use sales and marketing partners who may contact you about our products and services based on their own customer lists or sell our products and services at their own premises.

Below you can read more about the different types of marketing. You can read in section 10 how to control your marketing preferences.

3.2.1 Customer marketing

Customer marketing is electronic automated marketing that is sent without consent to existing customers and business customers in those countries where such practice is allowed.

To our consumer customers, who are currently ordering our products and services, we send regular offers and information about products and services that are relevant for the customer relationship. We send these communications to the contact address (phone or email) that you have given in connection with your relationship.

To our business customers (employees of our current and prospective customer companies and business partners, other stakeholders) we send offers and information about products, services, promotional events, and services that are relevant for their professional role. We send these communications to the work contact address which we have received from the customer, their organization, or a public source.

3.2.2 Consent based marketing

We send you automated electronic marketing and newsletters if you have agreed to subscribe to them. This marketing can contain information about any Fortum Group company products and services or about partner products and services. We may also collect marketing consents on behalf of our partners.

3.2.3 Traditional marketing channels

We may use traditional marketing channels (post, telephone, door-to-door) to contact you about our products or services and our partners’ products or services, unless you have blocked the use of your contact details.

3.2.4 Online advertising

We advertise our products and services online to users who visit our websites or our partners’ websites, by placing retargeting cookies or pixels on the sites that enable us (or a third party acting on our behalf) to show Fortum’s ad to the same user in other websites. To target you or other audiences, often called as "lookalike" audiences, in social media, we may use your phone number or email address unless you have objected to this. For targeting in mobile applications, we may use data collected about your use of the application, and your customer relationship data. We also buy advertising services from external companies that target audiences relevant for Fortum, with advertisements of Fortum products and services, in which case Fortum itself does not process the data. Read more about online advertising practices in our cookie and online data policy.

3.2.5 What data is used to optimize sales & marketing (“Profiling”)

For marketing and advertising, we use and combine data that is collected during the customer relationship and from customer surveys; online behavioural data; data provided by third parties (for further information, please see section 2); and derived data that for example predicts the users’ interests. Based on this data, we can make marketing more relevant and effective, and send you more personalized offers. An example of derived data is a segment that tells us that the user is likely to live in a suburban area or a row house. You may also receive a targeted offer, for example, because you have moved recently.

3.2.6 Stakeholder relations

We manage stakeholder relationships by communicating about relevant topics and promoting events which we arrange. Communications are sent directly by email to the contact addresses received from the stakeholders or their organization.

3.3 Product & service development

We process personal data to improve and develop better services for our customers, to support our business decision-making, and to consider our customers’ feedback and needs. The basis for processing data for product and service development is legitimate interest or consent. This is done, for example, by collecting feedback directly from users using surveys, test panels, interviews, questionnaires and other forms of market research; by utilizing the data generated from the use of our services in analytics; by using recorded or transcribed phone calls for training and service quality improvement; and by testing system functionality with temporary sample data that is collected during normal service use.

Data processing for our product and service development happens with pseudonymized data to the extent possible. In the case that the customer’s real contact details are collected in connection to the survey, or if we conduct interviews personally with the customer, we may inform you specifically about the use of the contact details in connection to the survey or interview.

In analytics, we aggregate large volumes of service use data to create statistical models, reports, predictions and trend analyses for the support of business decision-making; create analyses about service or feature performance; and calculate customer segments that are used to improve our sales and marketing as described in section 3.2.5.

3.4 Legal obligations

We process personal data to comply with our legal requirements, for example, accounting and tax laws, anti-money laundering, and whistleblowing laws.

3.5 Defence of legal rights & ensuring security of our services and customers

We use personal data to ensure the security and safety of our information, facilities, products, services, customers, and personnel. We have a standard ‘know your counterparty’ process, to conduct due diligence on business partners. The basis for processing data for the defence of legal claims, debt collection, credit checking, information security, and prevention of fraud and misconduct is typically legitimate interest. Personal data is used to ensure the security of our products and services, for example, by keeping access logs and system backups, authenticating users, and preventing attacks.

If we use automated decision-making with legal or similarly significant effects on you, we will inform you in advance. If such automated decision-making is not authorized by legislation, necessary for the performance of or entering into a contract with us, we will ask for your consent.

You can always express your opinion or contest a decision based solely on automated processing, as well as request a manual decision-making process instead by contacting us using the contact details given below.

We delete or de-identify personal data when it is no longer necessary for the defined purposes. For information on how long we store your personal data for, please see the attached retention period schedule or contact us by using the contact details below to request more specific information.

Your personal data may be accessed by our data processing subcontractors or by other third parties as described below to the extent permitted by applicable law.

Data processors – We use data processing subcontractors to provide us with services. Such subcontractors may have access to your personal information and process it on our behalf. We ensure that the processing of personal data by our subcontractors is done in accordance with this notice through appropriate contractual arrangements. Typical service providers that process personal data include, for example, sales and customer service partners, payment and invoicing partners, and IT software and service providers.

Where applicable, we may share your personal data with other data controllers based on our legitimate interest, our contract with you, or our legal obligations, including:

Fortum Group companies – Our Group companies may use your personal data for the purposes defined in this notice.

Commercial partners, subcontractors & other authorized third parties – We may share personal data with our commercial partners when necessary, for example, for contractual reasons or for limited legitimate interests such as developing services with pseudonymized data.

Our commercial partners include, for example, electricity grid companies, debt recovery agencies, insurance companies, mailing service partners, consumer electronics retailers, electric charging station operators, car manufacturers and online advertising partners, as explained in the cookie and online data policy and other service providers.

Examples of data sharing with commercial partners include:

• When you have purchased our products and services from a commercial partner, we often need to exchange data about you as part of managing that relationship and your purchase, for example to identify your order and for us be able to pay them.
• When you buy our commercial partner’s product or service through us, you make a contract for it with the commercial partner selling that product or service, and we may pass on your personal data to provide you with the service.
• When delivering a product or a service which you have ordered, we may share your contact details with the mailing, courier, or installation partner for service delivery.
• For limited collaboration in marketing and sales activities.

Some of our products and services also allow you to share your personal data with other parties.

Mergers & acquisitions – If we decide to sell, merge, or otherwise reorganize our businesses, this may involve us disclosing personal data to prospective or actual purchasers and their advisers.

Authorities, legal proceedings & law – We will disclose your data to competent authorities, such as the police, if required by law. We may also disclose your personal data in connection with legal proceedings, a court order, a trial, or an authority process, or as otherwise required or permitted by law.

Fortum is a global company that has affiliates, business processes, management structures and technical systems that cross national borders. This means that your data may be transferred to countries other than the one where you are located, including also outside of the European Economic Area. We rely on appropriate safeguards, such as the European Commission’s adequacy decisions and the EU-US Data Privacy Framework or standard contractual clauses issued by the European Commission, to protect your data when transferring it. You can obtain more information about the transfers by contacting us using the contact details listed below.

We employ appropriate organizational and technical security measures to protect your data from loss or misuse. We have a cybersecurity governance model which describes roles and responsibilities on the group level, and our instructions give detailed information on how personal data must be handled within our Group. By conducting awareness programs, we engage our employees in privacy and security considerations. Where we contract with third party suppliers to provide services that may enable them to access your personal data, we require them by contract to have similar security controls in place.

When you use our digital services or visit our websites, we can collect data from your devices using cookies and other similar technologies. Our websites and applications may use cookies and other similar technologies set by third parties. You can get more information about how to manage cookies and online data use reading our cookie and online data policy.

Below, you can see your rights regarding the personal data that we process about you. If you have any question about your rights or want to exercise them, please contact our customer service. You can also order a copy of the personal data we have about you by logging in here  using your online banking identification details or a mobile certificate. Some rights may not be applicable for example if the data cannot be connected to you.

• Right to access personal data – You have the right to be informed about the processing that we do and to request a copy of your personal data.
• Right to correct personal data – You can ask for the information about you to be corrected if it is not accurate or if it needs to be updated.
• Right to data portability – You can obtain and reuse the personal data you have provided us. We can provide a selected set of the data delivered in a machine-readable format, where the basis of processing has been either contract or consent.
• Right to deletion – We will delete the data at your request if it is no longer legitimately needed.
• Right to withdraw your consent – If you have given a consent for data processing, you are always entitled to withdraw your consent.
• Right to object to the processing – You have the right to object to the processing of your personal data on our legitimate interests, such as developing our products and services, and other purposes explained above in sections 3 and 6. We may reject your request if there is a compelling reason for continuing the processing.
• Right to restrict the processing – In certain circumstances you have the right to have the processing restricted.
• To opt-out from electronic marketing communications & customer surveys – If you no longer want to receive marketing messages from us, you can choose to opt-out at any time. The easiest way is to click the link at the end of the message.
• To opt-out from telephone & postal marketing – If you no longer want to receive marketing calls or postal marketing from us, you can contact our customer service or inform the customer service representatives during the marketing call. In addition, you can manage your choices through the national opt-out register.
• To manage cookies – If you want to manage cookies on our websites, use the controls set out in our cookie and online data policy.

Please note that you may still receive marketing messages for a short period after opting out while we update our systems. Also, we sometimes use marketing partners, who may display our products and services to you, but who have not received any personal data about you from us. To opt-out from such marketing or to exercise your other rights, please contact the specific marketing partner directly.

In specific circumstances, there are limitations to these rights. If we do not act in accordance with your requests, we will inform you of the reasons. If you are not satisfied with our response, or with the way we handle personal data, please contact us using the contact form. Alternatively you can contact our customer service. If you are still not pleased with the handling, you can contact your national data protection authority.

Fortum reserves the right to amend this Privacy Notice. Possible amendments to the Privacy Notice will be notified about on our website, or by communicating directly to you

Fortum has appointed a Data Protection Officer, whom you may contact by using the contact details given in this section.

The data controller who is responsible for your data is typically the Fortum company, with whom you have contracted or otherwise interacted. See the list of Fortum group companies.

If you have any questions or want to exercise any of your rights, please see section 10.

You can address any further questions and comments regarding your privacy to our dedicated privacy team by using the contact form or in writing to the address below:

Fortum Oyj 
Privacy 
Keilalahdentie 2-4, 02150 Espoo 
Finland

You can also reach Fortum’s Data Protection Officer through the abovementioned channels.