Privacy Notice (Customers)

Last update: August 26, 2024.

This privacy notice describes how Fortum Corporation "Fortum” and its subsidiary “Escandinava de Electricidad”, with commercial brand “Nordy”, processes your personal data. The notice applies when you use our products and services or otherwise interact with us. This notice also applies if you are a business customer or lead.

We may give you additional product or service specific privacy information in the product or service specific terms or supplementary notices that you may see while using our product or service.

 

1. What data do we process?

We collect and process various types of personal data, where applicable and depending on your relationship with us, such as:


  • Contact information and personal details  - including your contact details (such as your name, address, phone number, and email address), demographic data (such as your gender, age, language, nationality, professional details, and additional details such as your interests or a segment group), and your national identity number when required for verifying your identity.
  • Contract & transaction data - such as information about your contracts, orders, purchases, payment status, and invoices; recorded and transcribed phone calls; subscriptions and opt-outs; and your other transactions with us such as service requests and messaging with our customer service.
  • Payment & credit data - such as your payment card information and bank account information that are needed for verifying purchases or returning funds, creditworthiness.
  • Online data & identifiers - data that is collected with cookies or similar technologies about your use of our services, such as your browsing activities and segments, your IP address, cookie ID, mobile device ID, details about browser and device, and location.
  • Security & IT service management data - data that is used for securing the use of our services and our premises, such as your password and login details, security logs, camera surveillance recordings, and background clearance data related to the 'know your counterparty' checks.
  • Technical & consumption data - such as data related to the operation of a device, vehicle or application, including the measurement of consumption and production of electricity and other utilities, and data from charging stations and smart devices, including data from any sensors (e.g. temperature).

 

2. How do we collect information about you?

The personal data which we process about you comes from different sources:

 

  • You and your organization (if you are a B2B customer or a lead), when you order or use our services, when you fill in a form of interest, participate in a survey or competition, create an account, browse our website, or otherwise interact with us.
  • Third parties, such as public address registers, credit reference agencies, debt collection agencies, installation partners, marketing partners, electricity and insurance companies, and other data providers.
  • Fortum Group companies, which share information for purposes mentioned in this notice.

 

3. What are the purposes and legal bases for processing personal data?

We will use your personal data for predefined purposes based on contract, consent, legal obligation, and legitimate interest. Data from online and offline sources may be combined for these purposes, to the extent you have not opted out when applicable. We will use your personal data for the following purposes:

3.1. Service delivery & customer service

We collect and use personal data about you to process orders, deliver products and services, to provide customer service and to manage payments, contracts, and transactions.

The data needed for delivering services varies depending on the product or service, and whether you are a consumer or a business customer. For example, online services may require the user to authenticate, whereas electricity contracts require us to keep the measurement. Our customer service handles your requests and messages to serve you or your organization. Customer service may also offer you the optimal contract or service based on information we have about you. We may communicate with you in contract related matters via phone, mail, email, SMS, chat, automated calls, and other digital channels including social media. In email messages, we use email tracking pixels which you can choose to enable upon the receipt of an email message. The tracking pixel informs us if our email has reached you and if you have clicked on its links.

The legal basis for processing your data for service delivery and customer service is typically the contract; in business relationships, it is a legitimate interest. When required by law, we may ask for your consent to deliver certain services, such as location-based services. 

3.2. Sales, marketing & stakeholder communications 

We may contact you through marketing even if you are not our customer. We will ask for your consent to contact you when required by law, otherwise our contacting is based on legitimate interest. Without consent, we can send automated electronic marketing messages that relate to your customer relationship or professional role, and use traditional marketing channels (e.g. post, telephone, door-to-door), when allowed by local law. We use email tracking pixels which you can choose to enable upon the receipt of an email message. The tracking pixel informs us if our email has reached you and if you have clicked on the links.

We also conduct lotteries and contests.

In addition to our own marketing and sales, we use sales and marketing partners who may contact you about our products and services based on their own customer lists or sell our products and services at their own premises.

Below you can read more about the different types of marketing. You can read in section 10 how to control your marketing preferences.

3.2.1. Customer marketing

Customer marketing is electronic automated marketing that is sent without consent to existing customers and business customers in those countries where such practice is allowed.

To our consumer customers, who are currently ordering our products and services, we send regular offers and information about products and services that are relevant for the customer relationship. We send these communications to the contact address (phone or email) that you have given in connection with your relationship.

To our consumer customers, who are currently ordering our products and services, we send regular offers and information about products and services that are relevant for the customer relationship. We send these communications to the contact address (phone or email) that you have given in connection with your relationship.

3.2.2. Consent based marketing

We send you automated electronic marketing and newsletters if you have agreed to subscribe to them. This marketing can contain information about any Fortum group company products and services or about partner products and services. We may also collect marketing consents on behalf of our partners.

3.2.3 Traditional marketing channels

We may use traditional marketing channels (post, telephone, door-to-door) to contact you about our products or services and our partners’ products or services, unless you have blocked the use of your contact details.

3.2.4. Online advertising

We advertise our products and services online to users who visit our websites or our partners’ websites, by placing retargeting cookies or pixels on the sites that enable us (or a third party acting on our behalf) to show Fortum’s ad to the same user in other websites. To target you or other audiences, often called as “lookalike” audiences, in social media, we may use your phone number or email address unless you have objected to this. For targeting in mobile applications, we may use data collected about your use of the application, and your customer relationship data. We also buy advertising services from external companies that target audiences relevant for Fortum, with advertisements of Fortum products and services, in which case Fortum itself does not process the data. Read more about online advertising practices in our  cookie and online data policy.

3.2.5. What data is used to optimize sales & marketing (“Profiling”) 

or marketing and advertising, we use and combine data that is collected during the customer relationship and from customer surveys; online behavioural data; data provided by third parties (for further information, please see section 2); and derived data that for example predicts the users’ interests. Based on these data, we can make marketing more relevant and effective, and send you more personalized offers. An example of derived data is a segment that tells us that the user is likely to live in a suburban area or a row house. You may also receive a targeted offer, for example because you have moved recently. 

3.2.6. Stakeholder relations

We manage stakeholder relationships by communicating about relevant topics and promoting events that we arrange. Communications are sent directly by email to the contact addresses received from the stakeholders or their organization. 

 

3.3. Product & service development

We process personal data to improve and develop better services for our customers, to support our business decision making, and to consider our customers’ feedback and needs. The basis for processing data for product and service development is legitimate interest or consent. This is done, for example, by collecting feedback directly from users using surveys, test panels, interviews, questionnaires and other forms of market research; by utilizing the data generated from the use of our services in analytics; by using recorded or transcribed phone calls for training and service quality improvement; and by testing system functionality with temporary sample data that is collected during normal service use. 

Data processing for our product and service development happens with pseudonymized data to the extent possible. In the case that the customer’s real contact details are collected in connection to the survey, or if we conduct interviews personally with the customer, we may inform you specifically about the use of the contact details in connection to the survey or interview. 

In analytics, we aggregate large volumes of service use data to create statistical models, reports, predictions and trend analyses for the support of business decision making; create analyses about service or feature performance; and calculate customer segments that are used to improve our sales and marketing as described in section 3.2.5. 



3.4. Legal obligations

We process personal data to comply with our legal requirements, for example, accounting and tax laws, anti-money laundering, and whistleblowing laws.

 

3.5. Defense of legal rights & ensuring security of our services and customers

We use personal data to ensure the security and safety of our information, facilities, products, services, customers, and personnel. We have a standard ‘know your counterparty’ process, to conduct due diligence on business partners. The basis for processing data for the defense of legal claims, debt collection, credit checking, information security, and prevention of fraud and misconduct is typically legitimate interest. Personal data is used for ensuring the security of our products and services, for example, by keeping access logs and system backups, authenticating users, and preventing attacks.


4. Automated decision-making 

If we use automated decision-making with legal or similarly significant effects on you, we will inform you in advance. If such automated decision-making is not authorized by legislation, necessary for the performance of or entering into a contract with us, we will ask for your consent.

You can always express your opinion or contest a decision based solely on automated processing, as well as to request a manual decision making process instead by contacting us by using the contact details given below.

 

5. How long do we store the personal data? 

We delete or de-identify personal data when it is no longer necessary for the defined purposes. For information on how long we store your personal data for, please see the attached retention period schedule or contact us by using the contact details below to request more specific information.

5.1. Schedule of personal data retention periods

The periods mentioned are maximum periods, unless otherwise indicated. It is possible that the data may be deleted earlier. Please note that this list is a summary of the most common retention periods. There may be variations and specific details for each country that are not covered here. These rules take into account the relevant legal obligations for the retention of data, such as accounting and regulations related to the electricity market. In general, the periods apply from the end of the year in which the event occurred. Pseudonymized and aggregated data may be retained for a longer period, for the purpose of reporting and analysis..

5.2. Time period for the conservation of personal data

 

Type of data

Retention period

Basic CRM data (name, contact details, contact history, invoices, consumption data, transaction details, contract details). 10 years from the end of the customer relationship.
Data necessary for legal defense. During the statute of limitations periods established by the applicable law, depending on the matter in question. In the case of an ongoing claim, the data will be retained until they are no longer necessary.
Recorded telephone calls. In the case of contracts made via telephone, for 5 years from the end of the contractual relationship. Recorded calls for quality control will be retained for 5 years.
Session data. 2 years from the last login session.
Data related to IT service management and other temporary data, for example, survey responses, participation in campaigns. 2 years from collection.
Marketing preferences and contact data for marketing, basic data used for client segmentation. Contact data may be used for marketing until the client withdraws their previously granted consent or decides that they no longer wish to receive commercial information, unless that data is necessary for other purposes.
Cookie data and other data collected via similar technologies. Refer to more details about our cookie settings in our Cookie Policy.

 

6. Who can access your personal data?

Your personal data may be accessed by our data processing subcontractors or by other third parties as described below to the extent permitted by applicable law.

Data processors : We use data processing subcontractors to provide us services. Such subcontractors may have access to your personal information and process it on our behalf. We ensure that the processing of personal data by our subcontractors is done in accordance with this notice through appropriate contractual arrangements. Typical service providers that process personal data include for example sales and customer service partners, payment and invoicing partners, and IT software and service providers.

Where applicable, we may share your personal data with other data controllers based on our legitimate interest, our contract with you, or our legal obligations, including:

Fortum Group companies: Our Group companies may use your personal data for the purposes defined in this notice. 

Commercial partners, subcontractors & other authorized third parties: We may share personal data with our commercial partners when necessary, for example for contractual reasons, or for limited  legitimate interests such as development of services with pseudonymized data.

Our commercial partners include, for example electricity grid companies, debt recovery agencies, insurance companies, mailing service partners, consumer electronics retailers, electric charging station operators, car manufacturers and online advertising partners as explained in the cookie and online data policy and other service providers.

Examples of data sharing with commercial partners include:

  • When you have purchased our products and services from a commercial partner, we often need to exchange data about you as part of managing that relationship and your purchase, for example to identify your order and for us be able to pay them.
  • When you buy our commercial partner’s product or service through us, you make a contract for it with the commercial partner selling that product or service, and we may pass on your personal data to provide you with the service.
  • When delivering a product or a service which you have ordered, we may share your contact details with the mailing, courier, or installation partner for service delivery.
  • For limited collaboration in marketing and sales activities.

Some of our products and services also allow you to share your personal data with other parties.

Mergers & acquisitions: If we decide to sell, merge, or otherwise reorganize our businesses, this may involve us disclosing personal data to prospective or actual purchasers and their advisers.

Authorities, legal proceedings & law: We will disclose your data to competent authorities, such as the police, if required by law. We may also disclose your personal data in connection with legal proceedings, a court order, a trial, or an authority process, or as otherwise required or permitted by law.

 

7. Do we transfer personal data to third countries?

Fortum is a global company that has affiliates, business processes, management structures and technical systems that cross national borders. This means that your data may be transferred to countries other than the one where you are located, including also outside of the European Economic Area. We rely on appropriate safeguards, such as the European Commission’s adequacy decisions and the EU-US Data Privacy Framework or standard contractual clauses issued by the European Commission, to protect your data when transferring it. You can obtain more information about the transfers by contacting us using the contact details listed below. 

 

8. How do we protect the personal data?

We employ appropriate organizational and technical security measures to protect your data from loss or misuse. We have a cybersecurity governance model which describes roles and responsibilities on the group level, and our instructions give detailed information on how personal data must be handled within our Group. By conducting awareness programs, we engage our employees in privacy and security considerations. Where we contract with third party suppliers to provide services that may enable them to access your personal data, we require them by contract to have similar security controls in place.

 

9. Cookies and similar technologies

When you use our digital services or visit our websites, we can collect data from your devices using cookies and other similar technologies. Our websites and applications may use cookies and other similar technologies set by third parties. You can get more information about how to manage cookies and online data use reading our cookie and online data policy.

 

10. Your rights and how to exercise them    

Below, you can see your rights regarding the personal data that we process about you. If you have any questions about your rights or want to exercise them, you can contact us in writing, addressed to the Company's Data Protection Officer at the following address: Av. Diagonal 463 bis, 8B, 08036 Barcelona, or via email at dpd@nordy.es, or by reaching out to our customer service team. Some of the rights listed below may not apply to your specific case.

 

  • Right to access personal data: You have the right to be informed about the processing that we do and to request a copy of your personal data.
  • Right to rectification of personal data: You can ask for the information about you to be corrected if it is not accurate or if it needs to be updated.
  • Right to data portability: You can obtain and reuse the personal data you have provided us. We can provide a selected set of the data delivered in a machine-readable format, where the basis of processing has been either contract or consent.
  • Right to erasure: We will delete the data at your request if it is no longer legitimately needed.
  • Right to withdraw your consent: If you have given a consent for data processing, you are always entitled to withdraw your consent.
  • Right to object to the processing: You have the right to object to the processing of your personal data on our legitimate interests, such as developing our products and services, and other purposes explained above in sections 3 and 6. We may reject your request if there is a compelling reason for continuing the processing.
  • Right to restrict the processing: Under certain circumstances,  you have the right to restrict the processing of your data that we conduct.
  • To opt-out from electronic marketing communications & customer surveys: If you no longer want to receive marketing messages from us, you can choose to opt out at any time. The easiest way is to click the link at the end of the message.
  • To opt-out from telephone & postal marketing:  If you no longer want to receive marketing calls or postal marketing from us, you can contact our customer service or inform the customer service representatives during the marketing call. Additionally, you can manage your preferences regarding receiving commercial information through the Robinson List. 
  • To manage cookies: If you want to manage cookies on our websites, use the controls set out in our cookie and online data policy.

Please note that you may still receive marketing messages for a short period after opting out while we update our systems. Also, we sometimes use marketing partners, who may display our products and services to you, but who have not received any personal data about you from us. To opt out from such marketing or to exercise your other rights, please contact the specific marketing partner directly.

In specific circumstances, there are limitations to these rights. If we do not act in accordance with your requests, we will inform you of the reasons. If you are not satisfied with our response, or with the way we handle personal data, please contact us via email at dpd@nordy.es. Alternatively you can contact our customer service. If you are still not pleased with the handling, you can contact your national data protection authority.

 

11. Changes to this privacy notice

Nordy reserves the right to amend this Privacy Notice. Possible amendments to the Privacy Notice will be notified about on our website, or by communicating directly to you.

 

12. Controller of your personal data & contact details

Nordy has appointed a Data Protection Officer, whom you may contact by using the contact details given in this section.

The data controller who is responsible for your data is typically the Fortum Corporation and its subsidiary “Escandinava de Electricidad”, with commercial brand “Nordy”, with whom you have contracted or otherwise interacted. The list of main Fortum group companies are available here.

If you have any question or want to exercise any of your rights, please see section 10. 

You can address any further questions and comments regarding your privacy to our dedicated privacy team by contacting us via email at dpd@nordy.es or in writing to the address below:

 

  • Fortum: OyjPrivacy
    Keilalahdentie 2-4, 02150 Espoo Finlandia
  • Nordy: Avda Diagonal 463 bis 8º, 08036, Barcelona (España)

    You are also able to reach Fortum’s Data Protection Officer through the channels provided above.