Privacy Notice for Suppliers and Externals
17 January 2024, 9:00 EET
This privacy notice describes how Fortum (Fortum Corporation and its subsidiaries, “Fortum”) processes your personal data. This notice applies to the processing of your personal data in the context of supplier and consultant relationships or when otherwise working with us as an external person. We may also provide you with additional privacy information in supplements or other notices regarding a particular system, product or service.
Contents
1.What data does Fortum process?
We collect and process various types of personal data, where applicable, such as:
- Personal details – including your contact details (such as your name, phone number, and email address), demographic data (such as your gender, age, language, nationality, professional details), and your identification related information where needed (such as national ID number, passport number).
- Administrative & work related information – such as your CV and competences, information about previous assignments or projects where you have been involved, where applicable, the results of background checks and other clearance information including ‘Know Your Counterparty’ checks, credit information, photographs, accident records, radiation measurements, drug and alcohol test results and health certificates, project time and attendance management and information about work related equipment and services that you use in connection with working with us, including, e.g. recorded and transcribed phone calls, recordings of trainings and meetings, messaging, and information you publish about yourself in internal and external channels.
- Financial data – such as your bank account information, travel and other expenses, insurance information, tax numbers.
- Online data & identifiers – data that is collected with cookies or similar technologies about your use of our internal services, your IP address, cookie ID, mobile device ID, details about browser and device, and location.
- Security and IT service management data – data that is used for securing the use of our services and our premises, such as your password and login details, employee ID, security logs, facility entry logs, and CCTV camera recordings.
2. How does Fortum collect information about you?
The personal data which we process about you comes from different sources:
- You and your employer – We receive information directly from you and the company with which you are working.
- Third parties – We may receive information from third parties, such as national authorities (e.g. police and other enforcement agencies).
- Fortum Group companies – Personal information is collected by the Fortum company with which you are working. Fortum Group companies may share information for purposes mentioned in this notice.
3. vWhat are the purposes and legal bases for processing personal data?
We will use your personal data for predefined purposes based on contract, consent, legal obligation and legitimate interest. Typically, the legal basis for processing your data is our legitimate interest to administer our contact persons’, external persons’ or consultants’ information for business operations related matters. In addition, we have certain legal and contractual obligations that require us to process personal data. Consent may be used in certain specific situations.
We will use your personal data for the following purposes:
- Supplier & stakeholder relationship management
We process personal data to manage the professional relationship with our potential business partners. This involves contacting our stakeholders and arranging events. We also process personal data in our corporate relations for transparency and lobbying purposes.
Managing work orders and assignments, evaluation, and general administration
We process personal data of external persons in order to administer their work and assignments. We provide them with work related tools, trainings and services, manage travel and expense claims and project hours, conduct contract performance evaluation, and manage insurances and payments. Personal data is also processed in contract management, for example when signing non-disclosure agreements.
- Service development & reporting
We process personal data to improve and develop our internal services. Service development is done, for example, by collecting feedback directly from you in surveys and questionnaires; by utilizing the data generated from the use of our services in analytics; and by using recorded or transcribed phone calls in certain operations for training and service quality improvement. We also have internal reporting processes that utilize personal data.
Legal obligations
We process personal data to comply with our legal obligations, for example, to comply with tax, accounting, whistleblowing, securities, anti-bribery, anti-money laundering, health and safety rules and other legal obligation placed on Fortum.
Ensuring security, safety and legal rights
We use personal data to ensure the security and safety of our information, facilities, products, services, customers, and personnel. This is done subject to local law, for example by keeping access logs and system backups, preventing attacks, monitoring system use, identifying and authenticating individuals, and monitoring access and facilities (including CCTV) and locating individuals in emergency situations. In certain business areas, external workers are subject to drug and alcohol tests and medical checks. We have a standard ‘know your counterparty’- process, to conduct due diligence on business partners. We also process personal data for defending our legal rights, including preventing and investigating fraud, industrial espionage and other non-compliance.
4. Automated decision-making
If we use automated decision-making with legal or similarly significant effects on you, we will inform you in advance. If such automated decision-making is not authorized by legislation, not necessary for the performance of or entering into a contract with us, we will ask for your consent.
You can always express your opinion or contest a decision based solely on automated processing, as well as request a manual decision making process instead by contacting us using the contact details provided below.
5. How long does Fortum store the personal data?
This varies country by country depending on local regulations. We delete or de-identify personal data when it is no longer necessary for the defined purposes.
For information on how long we hold your personal data for, please see our retention period schedule or use the contact details below to request more specific information.
6. Who can access your personal data?
Your personal data may be accessed by our data processing subcontractors or by other third parties as described below to the extent permitted by applicable law.
Data processors – We use data processing subcontractors to provide us services. Such subcontractors may have access to your personal information and process it on our behalf. We ensure that the processing of personal data by our subcontractors is done in accordance with this notice through appropriate contractual arrangements. Typical service providers that process personal data include for example IT software and service providers.
Where applicable, we may share your personal data with other data controllers based on our legitimate interest, our contract with you, or our legal obligations, including:
Fortum Group companies – Our Group companies may use your personal data for the purposes defined in this notice.
Your employer – We may share your personal data for the purposes defined in this notice with the company with which you are legally employed by, when required e.g. for invoicing purposes.
Commercial partners, subcontractors and other authorized third parties – We may share your personal data with authorized third parties, when necessary for example for contractual reasons, or for limited legitimate interests such as development of services with pseudonymized data. Authorized third parties include, for example, Fortum’s customers, travel agencies, banks, telecom operators, insurance scheme providers, auditors, professional advisors, external legal counsels, actuaries, medical practitioners, trustees or other providers of services.
Mergers and acquisitions – If we decide to sell, merge or otherwise reorganize our businesses, this may involve us disclosing personal data to prospective or actual purchasers and their advisers.
Authorities, legal proceedings and law – We will disclose your data to certain competent authorities, such as government agencies responsible for tax collection and statistical information, or to the police other law enforcement agencies, to the extent required under mandatory law. We may also disclose your personal data in connection with legal proceedings, a court order, a trial, or an authority process, or as otherwise required or permitted by law.
7. Does Fortum transfer personal data to third countries?
Fortum is a global company that has affiliates, business processes, management structures and technical systems that cross national borders. This means that your data may be transferred to countries other than the one where you are working with Fortum, including also outside of the European Economic Area. We rely on appropriate safeguards, such as the European Commission’s adequacy decisions and the EU-US Data Privacy Framework or standard contractual clauses issued by the European Commission, to protect your data when transferring it. You can obtain more information about the international transfers by using the contact details listed below.
8. How does Fortum protect personal data?
We employ appropriate organizational and technical security measures to protect your data from loss or misuse. We have a cybersecurity governance model which describes roles and responsibilities on the group level, and our instructions give detailed information on how personal data must be handled within our Group. By conducting awareness programs, we engage our employees in privacy and security considerations. Where we contract with third-party suppliers to provide services that may enable them to access your personal data we require them by contract to have similar security controls in place.
9. Cookies and similar technologies
When you use our digital services or visit our websites as a customer or visitor, Fortum can collect data about your devices using cookies and other similar technologies. Our websites and applications may use cookies and other similar technologies set by third parties. You can get more information about how to manage cookies and online data use by reading our cookie and online data collection policy.
On our internal sites, such as the intranet, we use cookies to enable the functioning of the services, and to collect analytical data about the site usage, for example, to see which content is popular.
10. Your rights and how to exercise them
Below you can see your rights regarding the personal data that we process about you. If you have any questions about your rights or want to exercise them, please contact us using the contact details provided below. Please note that some of the rights may not be applicable, for example, if the data cannot be connected to you.
- Right to access personal data – You have the right to be informed about the processing that we do and to request a copy of your personal data.
- Right to correct personal data – You can ask for the information about you to be corrected if it is not accurate or if it needs to be updated.
- Right to data portability – You may obtain and reuse the personal data you have once provided us. We can provide a selected set of the data delivered in a machine readable format, where the basis of processing has been either a contract or consent.
- Right to deletion – We will delete the data at your request, if it is no longer legitimately needed.
- Right to withdraw your consent – If you have given a consent for data processing, you are always entitled to withdraw your consent.
- Right to object to the processing – You have the right to object to the processing of your personal data based on Fortum’s legitimate interests, such as developing our products and services, and other purposes explained in sections 3 and 6 above. We may reject your request if there is a compelling reason for us to continue the processing.
- Right to restrict the processing – In certain circumstances you have the right to have the processing restricted.
In specific circumstances, there are limitations to these rights. If we do not take action in accordance with your request, we will inform you of the reasons. If you are not satisfied with our response or with the way we handle personal data, please let us know. You can also always contact your national data protection authority.
11. Changes to this privacy notice
Fortum reserves the right to amend this Privacy Notice. Possible amendments to the Privacy Notice will be notified on this site, or by communicating directly to you.
12. Controller of your personal data and contact details
Fortum has appointed a Data Protection Officer, whom you may contact by using the contact details given in this chapter.
The data controller who is responsible for your data is typically the local Fortum company with which the company you work for is conducting business. If you want to exercise your rights or have any queries about the processing of your personal data, kindly contact us by using the contact request form.
You can address any further questions and comments regarding your privacy to our dedicated privacy team by using the contact request form or in writing to the address below:
Fortum Corporation
Privacy
Keilalahdentie 2-4, 02150 Espoo
Finland
You may also contact Fortum’s Data Protection Officer through the channels provided above.