Privacy & Security

Fortum takes data security and privacy very seriously. We view it as an excellent opportunity to demonstrate our commitment to, and develop trust with, our customers and clients.

Whitepaper on information security and data privacy in electric vehicle charging service infrastructure

Read more

Steps Fortum Charge & Drive has taken for GDPR compliancy

Update of Privacy Notice

Privacy Notice has been separated from Terms of Use as to allow users full transparency on how their personal data is being collected, processed and for what purpose. Terms of Use have been will reflect how the new system (released in Q2, 2018) works.  

Any future changes in both Privacy Notice and Terms of Use will be shared with full transparency to users, and a user who does not accept such changes is free to terminate their account at any time.  

Collection of Personal Data

With CDMC, Fortum Charge & Drive will only collect personal data which is required to provide the service to the user in an efficient and customer friendly way. The number of data points collected upon registration is minimized. Data is only collected if the user uses a specific feature which requires that particular data collection. Examples include credit card details to allow payments, address information for sending our RFID keys, and so on. 

Sub-Processor Agreement Amendments

To provide the service to end-users, Fortum Charge & Drive relies on a number of external systems, provided by so called sub-processors. Examples includes AWS (Amazon Web Services) and Stripe (for payment). We have gone great lengths to ensure that our sub-processors process personal data belonging to Fortum Charge & Drive users in a safe way. To ensure this, we have amended all agreements with sub-processors to include a Data Processing Agreement, specifying which data the sub-processor may process on behalf of Fortum Charge & Drive, and for what purpose.  

Sub-processors include all system vendors whose systems are used to provide our service, as well as external parties which may be given access to Fortum Charge & Drive systems. This latter category includes support partners and consultants. All sub-processors used by Fortum Charge & Drive are thoroughly vetted; only sub-processors passing background checks and with the ability to abide to DPA are accepted.  

Personal Data Deletion

In accordance with GDPR it should be simple for a user to request to a service provide to be "forgotten", i.e. that its personal data should be deleted or anonymized. Fortum Charge & Drive has implemented both technical tools as well as processes to manage these requests in an efficient and timely manner. An end user simply has to contact Customer Support with their registered e-mail, and soon thereafter the data will be removed from Fortum Charge & Drive systems. Fortum Charge & Drive will, however, store charging transaction details to comply with legal requirements, but this data will be anonymized. 

Personal Data Portability

GDPR allows the user to request to have their data extracted so that they can change service provider in a simple way. Fortum Charge & Drive has implemented tools and processes to meet these requests in an efficient and timely manner. Similar to the deletion process, the user can contact Customer Support at any time with their registered e-mail address and ask to have their data extracted. Fortum Charge & Drive will process the request and deliver the data to the customer in a .csv file. The user can then request a new service provider to have this data imported.  

Access Management

Another core part of GDPR is to ensure that no unlawful access to personal data takes place, either by internal employees working at Fortum Charge & Drive or by external parties who has access to CDMC. Personal data access is limited to a set of specific user roles in CDMC, which allows Fortum Charge & Drive to minimize the number of employees who have access to personal data. If an external party is given access to personal data, for example for support purposes, this party will be considered a sub-processor subject to DPA. Each system user, regardless of whether they have access to personal data or not, are also subject to Terms & Conditions which control how the user can use the system.  

Furthermore, Fortum Charge & Drive has implemented a rigorous process for managing access to CDMC, in particular in terms of accounts with access to personal data. Each time such access is provided it is logged and subject to verification by the employee's Manager. User accounts with these privileges are restricted to a small group of people, in which each one has a clear and required purpose of access. CDMC also provides tools to manage access in an efficient way; clear overview of which employees have access and what roles they have, and efficient restriction of access if required.

Breach and Incident Management

Fortum Charge & Drive has implemented a breach management process which ensures that required measures are taken in the unlikely event of a data breach. Escalation paths are in place, and Fortum is required to notify both users and relevant authorities of a potential breach within 72 hours of discovery. This also applies for potential sub-processor breach incidents.  

Activity Logging

CDMC now has support for activity logging. All activity, whether it is to add a charger, change its configuration or change information about a user is logged. This provides clear overview of activities performed in the system, and allows rapid detection of unlawful or erroneous behaviour. Apart from security, this feature also allows Fortum Charge & Drive to provide a better service in general since it enables for example support personnel to have transparency on actions performed by their colleagues.

Personal Data encryption

Personal data is encrypted and stored in a safe way as to allow efficient handling of data subject requests and decrease risk of breach incidents. System is based on latest authentication technology, allowing safe authentication, registration and log-in.  

Personal Data Retention

All personal data now has a clearly defined retention period in the system. If a user has not been active during a certain period of time, the system will automatically consider that user's account to be inactive. The user will be notified of this change of account status. If the account is not re-activated by the user, either by logging into the app or using another identifier to access one of Fortum Charge & Drive's chargers, the user account will automatically be terminated. The user will be forgotten, and all their data will be deleted or anonymized. This is to ensure that users who may have registered but forgotten that they did so is not required to take any action in order to have their account deleted, if the account remains inactive for a sufficiently long period. 

Fortum Charge & Drive Privacy Notice

In our updated privacy notice, you can read more on how we treat your personal data. This, together with any other documents referred to within, sets out the basis on which we will process any personal data that we collect from you, or that you provide to us. Please read the privacy notice carefully to understand our views and practices regarding your personal data and how we will treat it.

Fortum Charge & Drive Privacy Notice (pdf)

CS12

Contact Fortum Charge & Drive

VC8

Subscribe to the Fortum Charge & Drive Newsletter