Mandatum Life Services Ltd acts as a personal data processor when providing services to institutional customers and their members (see section 6). Each pension fund, pension foundation or personnel fund acts as a controller.
- Whose personal data does Mandatum process?
- What personal data does Mandatum collect?
- How can Mandatum use your personal data and on what legal bases?
- Automated decision-making and profiling
- To whom can Mandatum disclose personal data?
- How does Mandatum protect personal data and what kind of risks are involved in the processing of personal data?
- Institutional customers’ members
- What rights do you have?
- For how long does Mandatum retain your personal data?
- Contacting Mandatum or the data protection authority
1. Whose personal data does Mandatum process?
In its business operations, Mandatum processes the personal data of the following groups of data subjects:
- Mandatum’s customers (for example insured persons, policyholders, beneficiaries, investment service customers, trading customers and persons related to corporate customer accounts)
- Members of Mandatum’s institutional customers (personnel funds, pension funds and pension foundations)
- Mandatum Trader customers
- Persons belonging to Mandatum’s marketing target groups
- Users of Mandatum’s digital services (for example the website and mobile service)
- Kaleva Mutual Insurance Company’s customers (for example insured persons, policyholders and beneficiaries)
- Persons for whom the processing of personal data is related to a statutory obligation concerning Mandatum
- Tenants of the real estate owned by Mandatum
- Mandatum’s employees, other persons working for Mandatum and job applicants
- Contact persons of institutions closely related to Mandatum’s operations
2. What personal data does Mandatum collect?
Personal data is usually collected directly from you or it is obtained from the use of Mandatum’s products or services. Sometimes we may also require additional information to keep the data up to date or to ensure that the information we receive is correct.
The personal data collected by us can be divided as follows:
Basic information, such as the customer’s, institutional customer’s representative’s or insured person’s name, personal identity code, contact details, language, nationality, information concerning a membership that entitles the person to benefits, information on guardianship, know-your-customer (KYC) information and taxation information.
Interaction information, such as communications related to the customer relationship, co-operation or job application, for example, orders, information on the website and application users, web service event logs, contacts with other customers, customer satisfaction survey responses and, for trading customers, trading information.
Contract information, such as employment contract, co-operation contract or, for customers, insurance type and cover information, information concerning the contract and the insurance, special categories of personal data (such as health-related information or trade union membership information), position in the contract (insured person, policyholder or beneficiary), the number and type of securities to be held in custody.
Financial information, such as payments made, invoices, savings, collection information and information related to insurance compensations.
Personal data that we collect from you
From new customers, for example, we collect their name, personal identity code, email address and telephone number to be able to provide the customer with the relevant product or service. In insurance operations, the provision of services requires, for example, insurance need surveys, taxation information, medical examinations and statements and occupation and hobby information that impacts risk. For investment operations, we need the investment line and class, information on the fund and an investment plan. For an employment relationship, we need, for example, contact information and a tax card.
We also collect information from messages, such as feedback or requests, that you have sent us through our digital channels. We can also record and save phone calls and chats to confirm orders or for documentation, quality monitoring and development purposes. For security reasons, we have surveillance cameras on our premises and outside them.
Personal data that we can collect from sources other than the data subject
We collect personal data from publicly available sources, such as registers maintained by authorities (e.g. Population Register, the Tax Administration’s registers, company registers and supervisory authorities’ registers), sanctions lists (e.g. the national sanctions list maintained by the National Bureau of Investigation, the list maintained by the EU and the UN and the United States’ Office of Foreign Assets Control, OFAC), the credit information register, and from commercial information providers who provide information on beneficial owners and politically exposed persons.
We obtain information from the employer for employees’ group insurance. We also receive information from companies belonging to the same financial consortium with which we cooperate. In addition, we process data collected from the insurance companies’ joint abuse register.
3. How can Mandatum use your personal data and on what legal bases?
We use your personal data to fulfill our contractual and statutory obligations and to make you offers and provide you with advice and services:
Concluding and managing service and product agreements (performance of a contract)
The primary purpose of personal data processing is to collect, process and verify the personal data before making an offer and concluding an agreement and to document, manage and carry out the tasks specified in the contract.
Examples of tasks related to the performance of a contract:
- performance of, e.g., a co-operation agreement, an employment contract, an insurance policy, a custodial agreement, a wealth management contract or an agreement concerning the transmission of orders and the performance of its terms and conditions
- customer service during the contractual period
Compliance with requirements and obligations laid down in the law, regulations or decisions of authorities and supervisory authorities (statutory obligation)
In addition to the performance of a contract, compliance with the obligations laid down in the law, regulations and decisions issued by authorities requires us to process personal data.
Examples of statutory obligations that require the processing of personal data:
- obligation to know your customer (KYC)
- prevention, detection and investigation of money laundering, terrorist financing and fraud
- sanctions list verifications
- accounting and tax regulations
- regulatory reporting
- obligations related to risk management, such as insurance risks and solvency requirements
- customer communications in connection with legal obligations, such as the submission of annual calculations of insurance products and the notification of significant changes in the insurance terms and conditions or the content of the insurance.
- other obligations related to service- or product-specific legislation, such as legislation governing insurance and investment services.
Customer communications, marketing, product and customer analyses (legitimate interest)
Mandatum has a legitimate interest in processing personal data for customer communications and in connection with marketing, product and customer analyses. This allows us to improve our product range and optimise the services offered to customers. We market, for example, our products and services to Mandatum’s existing and potential customers electronically, by post and by phone. We also send customer communications (e.g. market outlooks, newsletters and feedback surveys) to our existing customers. The tag used in the email links we send can be used to associate the email sent to you with the customer information we hold on you. The use of the tag allows you to manage your personal communication settings through the links in the emails sent to you. We carry out digital marketing through, for example, online advertising that can be targeted using, for instance, Facebook’s or LinkedIn’s custom audience groups. You can object to targeting here. Marketing may also involve profiling, which we describe in more detail in section 4.
In certain situations, we ask for your consent to process your personal data. Such situations include, for example, consent to electronic direct marketing or the processing of data belonging to special categories. The consent request contains information on the processing of such data. If you have given your consent to the processing of your personal data, you also have the right to withdraw your consent. For example, you can withdraw your consent to electronic direct marketing by logging in to our web service or by managing your subscriptions here. You can also manage this and other consents by contacting our customer service.
4. Automated decision-making and profiling
Automated decision-making means making decisions based solely on automated processing of personal data. We use automated decision-making in claims processing to speed up the processing of applications and to offer our customers better service. In connection with automated decision-making, we assess, based on the information provided in the application, whether the conditions for granting compensation specified in the insurance terms and conditions are met. In addition to the information provided in the application, we use information related to the customer relationship, contracts and compensations in the decision-making process. Automated decision-making only applies to positive claims decisions, and negative decisions are always processed by a natural person. If you wish, you can request the re-processing of a decision resulting from automated decision-making, in which case your application will be processed by a natural person.
5. To whom can Mandatum disclose personal data?
Personal data can be disclosed outside of Mandatum when this is allowed or required by legislation. Information may be disclosed to, for example:
- the authorities (such as the police, tax administration, the Social Insurance Institution and enforcement officers)
- the insurance companies’ joint abuse register
- reinsurance companies
- companies belonging to the same financial consortium
We may also disclose data, based on the customer’s consent or an agreement, to our partners that are related to the products or services chosen by customers.
Data transfer to third countries
In some cases, Mandatum can also transfer personal data to organisations operating outside the European Economic Area, i.e. in so-called third countries.
Such data transfers can be carried out if one of the following conditions is met:
- The EU Commission has decided that the level of data protection in the country in question is adequate.
- Other necessary protection measures have been introduced, for example by following the standard contractual clauses approved by the EU Commission or by ensuring that the company processing the data has valid binding corporate rules in place.
6. How does Mandatum protect personal data and what kind of risks are involved in the processing of personal data?
We use technical and administrative information security means that are necessary, appropriate and in line with the best practices to protect personal data and other information. Such means include, for instance, the use of firewalls, strong encryption technologies and safe IT areas, access control, restricted granting of user rights, providing instructions and training to personnel participating in personal data processing and careful selection of subcontractors. In addition to applicable legislation, the subcontractors commit to complying with Mandatum’s data protection principles and guidelines.
The processing of personal data is only allowed for work-related reasons. The user rights for accessing systems that contain personal data are personal, and the use of the rights is monitored. Mandatum’s employees who process personal data are bound not only by the statutory non-disclosure obligation but also by a separate non-disclosure agreement. Personal data that is no longer needed is erased in a secure manner.
Despite careful protection and appropriate information security, data processing always involves a risk. If, in spite of our measures, a data protection breach occurs that is likely to result in a high risk for your privacy or your other rights, we will contact you as soon as possible.
7. Institutional customers’ members
Mandatum Life Services Ltd offers pension funds and foundations services related to, for example, daily activities, such as fund management services, pension processing, actuarial operations, accounting, asset management and risk management. To personnel funds, Mandatum Life Services Ltd offers management services, including membership database maintenance, payment of fund units, fund accounting and advisory services for members. Mandatum Life Services Ltd acts as a personal data processor when providing services to institutional customers and their members. Each pension fund, pension foundation or personnel fund acts as a controller. More information on the processing of personal data of institutional customers can be found in the following descriptions:
Description of Data Processing regarding the members of personnel funds
Description of Data Processing regarding pension compensation
Description of Data Processing regarding the member registers of pension funds
Description of Data Processing regarding supplementary pension liability calculations
Description of Data Processing regarding statutory pension liability calculations
Description of Data Processing regarding IFRS calculations
8. What rights do you have?
You have, for example, the right to access your data and the right to have your incomplete or inaccurate data rectified as described in further detail below. Please also note that Mandatum’s operations entail statutory obligations to retain the data, and Mandatum may have the obligation to process your personal data even if you request the restriction of processing or erasure of the data.
As far as the members of institutional customers (pension funds and foundations and personnel funds) are concerned, each institutional customer acts as the controller. More information on the use of the rights of the members of institutional customers is available in the data processing descriptions which can be found in section 7.
You can exercise your rights described below by contacting our customer service.
The right of access
You have the right to receive confirmation from Mandatum of whether we process your personal data. If your personal data is processed, you have the right to receive a copy of the data and to inspect the data. The non-disclosure obligations laid down in the special legislation governing the insurance and finance sector may restrict your right of access to information.
The right to rectification
You have the right to request Mandatum to rectify any inaccurate personal data and to complete any incomplete data.
The right to erasure (right to be forgotten)
You have the right to request the erasure of your personal data and, to the extent that the processing of your personal data is based on consent, to withdraw your consent. If you request the erasure of your data or withdraw your consent to the processing of your personal data, we will erase the data from our systems unless there is another legal basis for the processing of the data or unless we have a statutory obligation to retain the data. In any case, we will erase your data once the retention period as specified by us or provided for by law has lapsed.
The right to restriction of processing
Under specific conditions provided for in legislation, you have the right to request us to restrict the processing of your personal data. However, the right to request restriction of personal data processing does not apply to personal data processing resulting from Mandatum's statutory obligations.
The right to data portability
To the extent that the processing of your personal data is based on consent or a contract, you have the right to receive the personal data you have provided us in a structured and commonly used format and the right to have the data transferred to another data controller.
The right to object
You have the right to object to the processing of your personal data to the extent that the processing is based on the fulfilment of legitimate interests of Mandatum or a third party.
The right to lodge a complaint
If you find the processing of your personal data to be in conflict with the applicable legislation, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman.
10. For how long does Mandatum retain personal data?
We will only retain your data as long as is necessary for the performance of the contract and as long as required by the provisions laid down by laws and regulations concerning the retention of the data. If we retain your data for purposes other than the performance of a contract, such as preventing money laundering, accounting and the fulfilment of the solvency requirements, we will retain the data only if it is necessary for that purpose and/or provided for by law and regulations.
Examples of our main retention periods:
- The data concerning persons who have received an offer is retained for 3 years from the offer. We retain the data of other potential customers for a maximum of 3 years.
- If a person has subscribed to a newsletter or printed magazine from us or granted a marketing permission, the information will be kept for as long as the subscription / permission is valid.
- As a rule, we retain a customer’s data for the duration of the customer relationship and no longer than 13 years after the expiry of the latest contract or the payment of the latest benefit.
- We retain the know-your-customer (KYC) data for 5 years after the expiry of the latest contract.
- We retain the recordings of phone calls related to the management of contracts for 10 years.
- We retain customer satisfaction survey data for 5 years.
- In the customer community operations, we retain personal data for one year after the membership has ended.
- We retain data related to taxation, accounting and reporting obligations (e.g. obligations resulting from the international FATCA/CRS agreements) for 6 years from the end of each tax year.
- For the retention periods for data of institutional customers’ members, see the personal data processing descriptions in section 6.
- The data processed in connection with job applications is retained for two years at most.
11. How can I get in touch?
If you have questions about data protection, we ask you to primarily contact Mandatum Life’s customer service. You can reach Mandatum's data protection officer at firstname.lastname@example.org.
Updated 21st October 2021