Fortum Charge & Drive

One App for All Your Public Charging Needs!

View

December fast charging offer! 🎄Charge at just 4.99 NOK/kWh, 4.99 SEK/kWh, or 0.29 €/kWh this holiday season! 👉 Read more

Fortum Charge & Drive – Data Processing Addendum for Business Users

Valid from 2024-12-10

This Data Processing Addendum (“DPA”) forms part of the General Terms and Conditions for Business Users (“Terms”) regarding Charging Services between the Customer (“Customer”) and the Charge & Drive Entity as defined in the Terms (“Charge & Drive”) and sets out the parties' obligations regarding the processing of personal data under the Terms. The terms used in this DPA shall have the same meaning as in the Terms, unless otherwise defined herein.

1. Scope and Applicability

This DPA applies to the extent that Charge & Drive processes personal data on behalf of Customer as a processor in the course of providing the Services under the Terms. For the purposes of this DPA, all terms shall have the meanings given to them in the GDPR.

This DPA also applies to the Customers’ use of the Business Portal.

2. Roles and Responsibilities

The parties agree that Customer is the controller and Charge & Drive is the processor of the personal data that is subject to this DPA. Customer shall determine the purposes and means of the processing of such personal data, and Charge & Drive shall process such personal data only in accordance with Customer's documented instructions, unless required to do so by applicable law. Customer represents and warrants that it has obtained all necessary consents and authorizations from the data subjects to enable Charge & Drive to process their personal data in accordance with this DPA and the Terms. Charge & Drive ensures that the persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The processed data, for the purpose of providing the service, includes name, email address, charging key reference number, car registration numbers, and payment method of the Customer and its Authorized Users.

For Customers using the Business Portal processed data also includes log data, for the purpose of providing the Business Portal.

During the sign-up flow to the Business Portal, the Customer’s personal identity code (henkilötunnus (FI), personnummer (SE/NO)) is processed to enable strong customer authentication.

3. Data Security

Charge & Drive shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk involved in the processing of personal data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures may include, but are not limited to, pseudonymization, encryption, access control, backup and recovery, logging and monitoring, incident response, and regular testing and evaluation.

4. Data Subject Rights

Charge & Drive shall assist Customer, to the extent reasonably possible and at Customer's expense, in fulfilling Customer's obligations to respond to requests from data subjects exercising their rights under the applicable data protection laws, such as the right to access, rectify, erase, restrict, port or object to the processing of their personal data. Charge & Drive shall notify Customer without undue delay if it receives any such request directly from a data subject.

5. Personal Data Breach Notification

Charge & Drive shall notify Customer without undue delay after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data processed by Charge & Drive under this DPA (“Data Breach”). Charge & Drive shall provide Customer with sufficient information to enable Customer to meet its obligations to report or inform data subjects or supervisory authorities of the Data Breach under the applicable data protection laws. Charge & Drive shall cooperate with Customer and take reasonable measures to mitigate the effects and minimize the damage resulting from the Data Breach.

6. Transfers of Personal Data

Charge & Drive may transfer personal data processed under this DPA to countries outside the European Economic Area provided that such transfers are made in compliance with the applicable data protection laws and that adequate safeguards are in place to ensure an adequate level of protection for the personal data in the destination country. Such safeguards may include, but are not limited to, Standard Contractual Clauses approved by the European Commission or adequacy decisions. Charge & Drive shall maintain an up-to-date list of transfers, which is made available to Customer upon request.

7. Sub-processors

Charge & Drive has Customer’s general authorization to engage sub-processors to process personal data on behalf of Customer under this DPA, provided that such sub-processors are bound by contractual obligations that are no less protective than those set out in this DPA. Charge & Drive shall remain liable for any breach of this DPA caused by its sub-processors. Charge & Drive shall maintain an up-to-date list of its sub-processors, which is made available to Customer upon request. In the event Customer objects to a sub-processor, Charge & Drive has the right to terminate the Customer relationship in whole by giving 30 days written notice to Customer.

8. Auditing

Charge & Drive shall make available to Customer upon request all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, subject to reasonable notice and confidentiality obligations. Customer shall bear the costs of any such audits.

9. Term and Termination

This DPA shall remain in force for as long as Charge & Drive processes personal data on behalf of Customer under the Terms. Upon termination or expiration of the Customer relationship or this DPA, Charge & Drive shall cease all processing of personal data on behalf of Customer and delete all such personal data in its possession or control, unless required to retain some or all of such personal data by applicable law.