Privacy notice – Employees
12 January 2024, 12:50 EET
This privacy notice describes how Fortum (Fortum Corporation and its subsidiaries, “Fortum”) processes your personal data. This notice applies to the processing of your personal data in the employment context. We may also provide you with additional privacy information in supplements or other notices regarding a particular system, product or service.
1. What data does Fortum process?
We collect and process various types of personal data, where applicable, such as:
- Personal details - including your contact details (such as your name, address, phone number, and email address), demographic data (such as your gender, age, language, nationality, professional details), and your identification related information where needed (such as national ID number, passport number) but also contact information of others that you provide (such as emergency contact, details of your dependents and other similar information).
- Recruitment information – such as your resumé, previous employments, references from previous employers and other third party references, information about your competences, qualifications, skills, work experience, education, and where applicable, the results of background checks and assessments, as well as credit information.
- Employment administration information – such as employment, work and career history, photographs, absence and leave records, residence and work permit information, accident records, time and attendance management records, skills and competences records, any disciplinary and grievance records, career development, occupational health and wellbeing related data allowed by local law; administrative information about participation in ancillary activities such as participation in internal contests and funding calls, and information about work related equipment and services that you use in connection with work, including e.g. recorded and transcribed phone calls, recordings of trainings and meetings, messaging, and information you publish about yourself in internal and external channels.
- Financial data – such as your bank account information, corporate credit card information, details of your compensation, benefits and pension arrangements, tax codes, insurance information, travel expenses, company car arrangements, trade union deductions and equity and share information.
- Online data & identifiers – data that is collected with cookies or similar technologies about your use of our internal services, your IP address, cookie ID, mobile device ID, details about browser and device, and location.
- Security and IT service management data – data that is used for securing the use of our services and our premises, such as your password and login details, employee ID, security and IT logs, facility entry logs, and camera surveillance recordings (CCTV).
2. How does Fortum collect information about you?
The personal data which we process about you comes from different sources:
- You – We receive information directly from you, during the recruitment process and during your employment at Fortum;
- Third parties – We may receive information from third parties, such as national authorities (such as tax, police, and other enforcement agencies) and pension companies.
- Fortum Group companies – Personal information is provided by your employer company including your colleagues or managers. Fortum Group companies may share information for purposes mentioned below.
3. What are the purposes and legal bases for processing personal data?
We will use your personal data for predefined purposes based on contract, consent, legal obligation and legitimate interest. Typically, the legal basis for data processing in the employment context are employment contract, employment related laws or our legitimate interest as an employer to administer employee information in order to enable employment related processes and practicalities. In addition, we have certain other legal obligations that require us to process employee data. Consent may be used in certain specific situations.
We will use your personal data for the following purposes:
- Employee recruitment and onboarding
We process personal data to manage a professional recruitment process and onboarding with our employees. We review the personal data which you share with us, such as CV and references; we also assess and select applicants in the process. Furthermore, as allowed by local law, we may conduct health tests, drug tests, and background clearances. Read more about privacy in the recruitment process in our Privacy Notice for Job applicants.
- Employment contract management and general administration
We process personal data to manage the relationship with our employees, including management of contracts with employees. This includes, for example, providing you with work related tools, trainings and services, and management of travel and expense claims, working hours, performance evaluation, international assignments, promotions and other development, working orders, payroll, incentives, pension, insurances, and payments, and complaints and grievances.
- Service development & reporting
We process personal data to improve and develop HR and other internal services. Service development is done, for example, by collecting feedback directly from you in surveys and questionnaires; by utilizing the data generated from the use of our services in analytics; and by using recorded or transcribed sales and customer care phone calls for training and service quality improvement. We also have internal reporting processes that utilize employee data. In addition, employee data may be used in limited scenarios for system testing.
Legal obligations
We process personal data to comply with our legal obligations, for example, to comply with tax, accounting, securities, employment, whistleblowing, anti-bribery, anti-money laundering, health and safety rules and other legal obligation placed on Fortum.
Ensuring security, safety and legal rights
We use personal data to ensure the security and safety of our information, facilities, products, services, customers, and personnel. This is done subject to local law, for example by keeping access logs and system backups, preventing attacks, monitoring system use, identifying and authenticating individuals, and monitoring access and facilities (including CCTV) and locating individuals in emergency situations. We also process personal data for defending our legal rights, including preventing and investigating fraud, industrial espionage and other non-compliance.
4. Automated decision-making
If we use automated decision-making with legal or similarly significant effects on you, we will inform you in advance. If such automated decision-making is not authorized by legislation, not necessary for the performance of, or entering into a contract with us, we will ask for your consent.
You can always express your opinion or contest a decision based solely on automated processing, as well as request a manual decision making process instead by using the contact details provided below.
5. How long does Fortum store the personal data?
This varies country by country depending on local regulations. We delete or de-identify personal data when it is no longer necessary for the defined purposes.
For information on how long we store your personal data for, please see our retention period schedule or use the contact details below to request more specific information.
6. Who can access your personal data?
Your personal data may be accessed by our data processing subcontractors or by other third parties as described below to the extent permitted by applicable law.
Data processors – We use data processing subcontractors to provide us services. Such subcontractors may have access to your personal information and process it on our behalf. We ensure that the processing of personal data by our subcontractors is done in accordance with this notice through appropriate contractual arrangements. Typical service providers that process personal data include for example payroll and IT software and service providers.
Where applicable, we may share your personal data with other data controllers based on our legitimate interest, our contract with you, or our legal obligations, including:
Fortum Group companies - Our Group companies may use your personal data for the purposes defined in this notice.
Commercial partners, subcontractors and other authorized third parties – We may share your personal data with authorized third parties, when necessary for example for the fulfillment of a contract, or for limited legitimate interests such as development of services with pseudonymized data. Authorized third parties include, for example, travel agencies, banks, telecom operators, benefit, insurance scheme providers, auditors, professional advisors, external legal counsels, actuaries, medical practitioners, trustees or providers of services.
Mergers and acquisitions – If we sell, merge or otherwise reorganize our businesses, this may involve us sharing personal data with prospective or actual purchasers and their advisers.
Authorities, legal proceedings and law – We will disclose your data to certain competent authorities, such as government agencies responsible for tax collection and statistical information, or to the police other law enforcement agencies, if required by law. We may also disclose your personal data in connection with legal proceedings, a court order, a trial, or an authority process, or as otherwise required or permitted by law.
7. Does Fortum transfer personal data to third countries?
Fortum is a global company that has affiliates, business processes, management structures and technical systems that cross national borders. This means that your data is transferred to countries other than the one where you are employed by Fortum, including also outside of the European Economic Area. We use appropriate safeguards, such as the standard contractual clauses provided by the European Commission, for these transfers to protect your data. You can obtain more information about the transfers by contacting the People function.
8. How does Fortum protect the personal data?
We employ appropriate organizational and technical security measures to protect your data from loss or misuse. We have a cybersecurity governance model which describes roles and responsibilities on the group level, and our instructions give detailed information on how personal data must be handled within our Group. By conducting awareness programs, we engage our employees in privacy and security considerations. Where we contract with third-party suppliers to provide services that may enable them to access your personal data we require them by contract to have similar security controls in place.
9. Cookies and similar technologies
When you use our digital services or visit our websites as a customer or visitor, Fortum can collect data about your devices using cookies and other similar technologies. Our websites and applications may use cookies and other similar technologies set by third parties. You can get more information about how to manage cookies and online data use by reading our cookie and online data policy.
On our internal sites, such as the intranet, we use cookies to enable the functioning of the services, and to collect analytical data about the site usage, for example, to see which content is popular.
10. Your rights and how to exercise them
Below, you can see your rights regarding the personal data that we process about you. If you have any questions about your rights or want to exercise them, please contact our People function. Please note that some of the rights may not be applicable, for example, if the data cannot be connected to you.
- Right to access personal data – You have the right to be informed about the processing that we do and to request a copy of your personal data.
- Right to correct personal data – You can ask for the information about you to be corrected if it is not accurate or if it needs to be updated.
- Right to data portability – You may obtain and reuse the personal data you have once provided us. We can provide a selected set of the data delivered in a machine readable format, where the basis of processing has been either a contract or consent.
- Right to deletion – We will delete the data at your request, if it is no longer legitimately needed.
- Right to withdraw your consent – If you have given a consent for data processing, you are always entitled to withdraw your consent.
Right to object to the processing – You have the right to object to the processing of your personal data based on our legitimate interests, such as developing our products and services, and other purposes explained in section 3 and section 6 above. We may reject your request if there is a compelling reason for us to continue the processing.
- Right to restrict the processing – In certain circumstances you have the right to have the processing restricted.
In specific circumstances, there are limitations to these rights. If we do not take action in accordance with your request, we will inform you of the reasons. If you are not satisfied with our response or with the way we handle personal data, please let us know. You can also always contact your national data protection authority.
11. Changes to this privacy notice
Fortum reserves the right to amend this Privacy Notice. Possible amendments to the Privacy Notice will be notified on this site, or by communicating directly to you.
12. Controller of your personal data and contact details
Fortum has appointed a Data Protection Officer, whom you may contact by using the contact details given in this chapter.
The data controller who is responsible for your data is the local Fortum company you have an employment relationship with and Fortum Corporation. If you want to exercise your rights or have any queries about the processing of your personal data, kindly contact People Services.
You can address any further questions and comments regarding your privacy to our dedicated privacy team by using the privacy contact form or in writing to the address below:
Fortum Corporation
Privacy
Keilalahdentie 2-4, 02150 Espoo
Finland
You may also contact Fortum’s Data Protection Officer through the channels provided above.