Mandatum Life Privacy Policy

Data protection means protecting personal data and safeguarding appropriate data processing. Personal data is data related to an identified or identifiable person. In this Privacy Policy, we provide information about the processing of personal data at Mandatum Life, what personal data we process, how we use your data and what rights you have regarding the processing of your data. This is a general description of personal data processing at Mandatum Life. You will receive more detailed information about the processing of personal data when you use our services.

When using Mandatum Life’s services, you entrust us with your data. Mandatum Life is committed to protecting individuals’ rights and to keeping your personal data safe. When you share information with us, we will be able to serve you better by, for example, offering you products and services that best suit your needs and by helping you do business with us. The principles and ways of operating emanating from this policy are applied to all of Mandatum Life’s activities involving the processing of personal data. Examples of application situations are the use of our web and mobile services, applying for insurance or claiming compensation and the use of our wealth management services. The Privacy Policy is also applied to the processing of the personal data of our employees and job applicants, as well as to the processing of the personal data of the personnel of Mandatum Life’s representatives and other partners.

The data controller at the Mandatum Life Group is Mandatum Life Insurance Company Limited and/or the Group company you are dealing with. The Privacy Policy covers the entire Mandatum Life Group.

Mandatum Life Services Ltd acts as a personal data processor when providing services to institutional customers and their members (see section 6). Each pension fund, pension foundation or personnel fund acts as a controller.

The Mandatum Trader service’s trading platform is provided by Saxo Bank A/S, whose privacy policy is available on Saxo’s website. To familiarise yourself with the Trader service, go to Trader’s website.

This Privacy Policy includes the following areas:

  • Whose personal data does Mandatum Life process?
  • What personal data does Mandatum Life collect?
  • How can Mandatum Life use your personal data and on what legal bases?
  • Automated decision-making and profiling
  • To whom can Mandatum Life disclose personal data?
  • How does Mandatum Life protect personal data and what kind of risks are involved in the processing of personal data?
  • Institutional customers’ members
  • What rights do you have?
  • Cookies
  • For how long does Mandatum Life retain your personal data?
  • Contacting Mandatum Life or the data protection authority

1. Whose personal data does Mandatum Life process?

In its business operations, Mandatum Life processes the personal data of the following groups of data subjects:

  • Mandatum Life’s customers (for example insured persons, policyholders, beneficiaries, investment service customers, trading customers and persons related to corporate customer accounts)
  • Members of Mandatum Life’s institutional customers (personnel funds, pension funds and pension foundations)
  • Mandatum Trader customers
  • Persons belonging to Mandatum Life’s marketing target groups
  • Users of Mandatum Life’s digital services (for example the website and mobile service)
  • Kaleva Mutual Insurance Company’s customers (for example insured persons, policyholders and beneficiaries)
  • Persons for whom the processing of personal data is related to a statutory obligation concerning Mandatum Life
  • Tenants of the real estate owned by Mandatum Life
  • Mandatum Life’s employees, other persons working for Mandatum Life and job applicants
  • Contact persons of institutions closely related to Mandatum Life’s operations

2. What personal data does Mandatum Life collect?

Personal data is usually collected directly from you or it is obtained from the use of Mandatum Life’s products or services. Sometimes we may also require additional information to keep the data up to date or to ensure that the information we receive is correct.

The personal data collected by us can be divided as follows:

Basic information, such as the customer’s, institutional customer’s representative’s or insured person’s name, personal identity code, contact details, language, nationality, information concerning membership entitling to benefits, information on guardianship, know-your-customer (KYC) information and taxation information.

Interaction information, such as communications related to the customer relationship, co-operation or job application, for example, orders, information on the website and application users, web service event logs, contacts with other customers, customer satisfaction survey responses and, for trading customers, trading information.

Contract information, such as employment contract, co-operation contract or, for customers, insurance type and cover information, information concerning the contract and the insurance, special categories of personal data (such as health-related information or trade union membership information), position in the contract (insured person, policyholder or beneficiary), the number and type of securities to be held in custody.

Financial information, such as payments made, invoices, savings, collection information and information related to insurance compensations.

Personal data that we collect from you

From new customers, for example, we collect their name, personal identity code, email address and telephone number to be able to provide the customer with the relevant product or service. In insurance operations, the provision of services requires, for example, insurance need surveys, taxation information, medical examinations and statements and occupation and hobby information that impacts risk. For investment operations, we need the investment line and class, information on the fund and an investment plan. For an employment relationship, we need, for example, contact information and a tax card.

We also collect information from messages, such as feedback or requests, that you have sent us through our digital channels. We can also record and save phone calls and chats to confirm orders or for documentation, quality monitoring and development purposes. For security reasons, we have surveillance cameras on our premises and outside them.

Personal data that we can collect from sources other than the person him/herself

We collect personal data from publicly available sources, such as registers maintained by authorities (e.g. Population Register, the Tax Administration’s registers, company registers and supervisory authorities’ registers), sanctions lists (e.g. the national sanctions list maintained by the National Bureau of Investigation, the list maintained by the EU and the UN and the United States’ Office of Foreign Assets Control, OFAC), the credit information register, and from commercial information providers who provide information on beneficial owners and politically exposed persons.
We obtain information from the employer for employees’ group insurance. We also receive information from companies belonging to the same financial consortium with which we cooperate. In addition, we process data collected from the insurance companies’ joint abuse register.

3. How can Mandatum Life use your personal data and on what legal bases?

We use your personal data to fulfill our contractual and statutory obligations and to make you offers and provide you with advice and services:

Concluding and managing service and product agreements (performance of a contract)

The primary purpose of personal data processing is to collect, process and verify the personal data before making an offer and concluding an agreement and to document, manage and carry out the tasks specified in the contract.

Examples of tasks related to the performance of a contract:

  • performance of, e.g., a co-operation agreement, an employment contract, an insurance policy, a custodial agreement, a wealth management contract or an agreement concerning the transmission of orders and the performance of its terms and conditions
  • customer service during the contractual period

Compliance with requirements and obligations laid down in the law, regulations or decisions of authorities and supervisory authorities (statutory obligation)

In addition to the performance of a contract, compliance with the obligations laid down in the law, regulations and decisions issued by authorities requires us to process personal data.

Examples of statutory obligations that require the processing of personal data:

  • obligation to know your customer (KYC)
  • prevention, detection and investigation of money laundering, terrorist financing and fraud
  • sanctions list verifications
  • accounting and tax regulations
  • regulatory reporting
  • obligations related to risk management, such as insurance risks and solvency requirements
  • customer communications in connection with legal obligations, such as the submission of annual calculations of insurance products and the notification of significant changes in the insurance terms and conditions or the content of the insurance
  • other obligations related to service- or product-specific legislation, such as legislation governing insurance and investment services.

Customer communications, marketing, product and customer analyses (legitimate interest)

Mandatum Life has a legitimate interest in processing personal data for customer communications and in connection with marketing, product and customer analyses. This allows us to improve our product range and optimise the services offered to customers. We market, for example, our products and services to Mandatum Life’s existing and potential customers electronically, by post and by phone. We also send customer communications (e.g. market outlooks, newsletters and feedback surveys) to our existing customers. The tag used in the email links we send can be used to associate the email sent to you with the customer information we hold on you. The use of the tag allows you to manage your personal communication settings through the links in the emails sent to you. We carry out digital marketing through, for example, online advertising that can be targeted using, for instance, Facebook’s or LinkedIn’s custom audience groups. You can object to targeting here. Marketing may also involve profiling, which we describe in more detail in section 4.

Consent

In certain situations, we ask for your consent to process your personal data. Such situations include, for example, consent to electronic direct marketing or the processing of data belonging to special categories. The consent request contains information on the processing of such data. If you have given your consent to the processing of your personal data, you also have the right to withdraw your consent. For example, you can withdraw your consent to electronic direct marketing by logging in to our web service or by managing your subscriptions here. You can also manage this and other consents by contacting our customer service.

4. Automated decision-making and profiling

Automated decision-making means making decisions based solely on automated processing of personal data. We use automated decision-making in claims processing to speed up the processing of applications and to offer our customers better service. In connection with automated decision-making, we assess, based on the information provided in the application, whether the conditions for granting compensation specified in the insurance terms and conditions are met. In addition to the information provided in the application, we use information related to the customer relationship, contracts and compensations in the decision-making process. Automated decision-making only applies to positive claims decisions, and negative decisions are always processed by a natural person. If you wish, you can request the re-processing of a decision resulting from automated decision-making, in which case your application will be processed by a natural person.

Profiling means automated processing of personal data, involving, for example, the assessment or anticipation of a person’s areas of interest or behaviour. We use profiling to target direct marketing and online marketing in an effort to offer each person the products and services that are most suited and relevant for him/her. In targeting direct marketing, we use customer information, information obtained from our co-operation partners and from public registers, as well as information provided by the customer about his/her areas of interest, for example. The targeting of online advertising is based on website visitor data: visitors can be shown, for example, advertisements on products and services related to pages they have visited earlier. In the Cookies section, you can read more about Mandatum Life’s cookie policy. The profiling carried out in connection with marketing does not include automated decision-making that has significant legal effects.

5. To whom can Mandatum Life disclose personal data?

Personal data can be disclosed outside of Mandatum Life when this is allowed or required by legislation. Information may be disclosed to, for example:

  • the authorities (such as the police, tax administration, the Social Insurance Institution and enforcement officers)
  • the insurance companies’ joint abuse register
  • reinsurance companies
  • companies belonging to the same financial consortium

We may also disclose data, based on the customer’s consent or an agreement, to our partners that are related to the products or services chosen by customers.

Data transfer to third countries

In some cases, Mandatum Life can also transfer personal data to organisations operating outside the European Economic Area, i.e. in so-called third countries.

Such data transfers can be carried out if one of the following conditions is met:

  • The EU Commission has decided that the level of data protection in the country in question is adequate.
  • Other necessary protection measures have been introduced by, for example, following the standard contractual clauses approved by the EU Commission or by ensuring that the company processing the data has in place valid binding rules concerning the company.

6. How does Mandatum Life protect personal data and what kind of risks are involved in the processing of personal data?

We use technical and administrative information security means that are necessary, appropriate and in line with the best practices to protect personal data and other information. Such means include, for instance, the use of firewalls, strong encryption technologies and safe IT areas, access control, restricted granting of user rights, providing instructions and training to personnel participating in personal data processing and careful selection of subcontractors. In addition to applicable legislation, the subcontractors commit to complying with Mandatum Life’s data protection principles and guidelines.

The processing of personal data is only allowed for work-related reasons. The user rights for accessing systems that contain personal data are personal, and the use of the rights is monitored. Mandatum Life’s employees who process personal data are bound, in addition to the statutory non-disclosure obligation, by a separate non-disclosure agreement. Personal data that is no longer needed is erased in a secure manner.

Despite careful protection and appropriate information security, data processing always involves a risk. If, in spite of our measures, a data protection breach occurs that is likely to result in a high risk for your privacy or your other rights, we will contact you as soon as possible.

We also recommend that you familiarise yourself with the terms of use of Mandatum Life’s web services and website and the information security guidelines for the users of the mobile service to ensure that the information security of your devices and connections is up to date. More information and general information security tips can also be found, for example, on the National Cyber Security Centre’s website.

7. Institutional customers’ members

Mandatum Life Services Ltd offers pension funds and foundations services related to, for example, daily activities, such as fund management services, pension processing, actuarial operations, accounting, asset management and risk management. To personnel funds, Mandatum Life Services Ltd offers management services, including membership database maintenance, payment of fund units, fund accounting and advisory services for members. Mandatum Life Services Ltd acts as a personal data processor when providing services to institutional customers and their members. Each pension fund, pension foundation or personnel fund acts as a controller. More information on the processing of personal data of institutional customers can be found in the following descriptions:


Description of Data Processing regarding the members of personnel funds
Description of Data Processing regarding pension compensation
Description of Data Processing regarding the member registers of pension funds
Description of Data Processing regarding supplementary pension liability calculations
Description of Data Processing regarding statutory pension liability calculations
Description of Data Processing regarding IFRS calculations

8. What rights do you have?

You have, for example, the right to access your data and the right to have your incomplete or inaccurate data rectified as described in further detail below. Please also note that Mandatum Life’s operations entail statutory obligations to retain the data, and Mandatum Life may have the obligation to process your personal data even if you request the restriction of processing or erasure of the data.

As far as the members of institutional customers (pension funds and foundations and personnel funds) are concerned, each institutional customer acts as the controller. More information on the use of the rights of the members of institutional customers is available in the data processing descriptions which can be found in section 7.

You can exercise your rights described below by contacting our customer service.

The right of access

You have the right to receive confirmation from Mandatum Life of whether we process your personal data. If your personal data is processed, you have the right to receive a copy of the data and to inspect the data. The non-disclosure obligations laid down in the special legislation governing the insurance and finance sector may restrict your right of access to information.

The right to rectification

You have the right to request Mandatum Life to rectify any inaccurate personal data and to complete any incomplete data.

The right to erasure (right to be forgotten)

You have the right to request the erasure of your personal data and, to the extent that the processing of your personal data is based on consent, to withdraw your consent. If you request the erasure of your data or withdraw your consent to the processing of your personal data, we will erase the data from our systems unless there is another legal basis for the processing of the data or unless we have a statutory obligation to retain the data. In any case, we will erase your data once the retention period as specified by us or provided for by law has lapsed.

The right to restriction of processing

Under specific conditions provided for in legislation, you have the right to request us to restrict the processing of your personal data. However, the right to request restriction of personal data processing does not apply to personal data processing resulting from Mandatum Life’s statutory obligations.

The right to data portability

To the extent that the processing of your personal data is based on consent or a contract, you have the right to receive the personal data you have provided us in a structured and commonly used format and the right to have the data transferred to another data controller.

The right to object

You have the right to object to the processing of your personal data to the extent that the processing is based on the fulfilment of legitimate interests of Mandatum Life or a third party.

You also have the right to object to the processing of your personal data for direct marketing purposes. You can find more information on opting out of direct marketing in section 8 of the Privacy Policy.

The right to lodge a complaint

If you find the processing of your personal data to be in conflict with the applicable legislation, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman.

9. Cookies

Cookies are small text files that are stored on the visitor’s computer or other device when visiting the website of Mandatum Life. When we refer to cookies in this privacy policy, this also includes other similar technologies and tools that collect and store information in your browser and, in some cases, transmit such information to third parties in the manner of cookies. 

On Mandatum Life’s website and web service, cookies are used to maintain the session after the user logs in to the web service and to remember the selections made by the user when moving from one page to another. Cookies also allow us to individualise website visitors and to compile statistics on the visitors to our website. Cookies are also used in the chat service of Mandatum Life’s website and to target marketing. Both session cookies and persistent cookies set by Mandatum Life and third parties are used on Mandatum Life’s website and web service. You can read more about cookies in our cookie policy.

10. For how long does Mandatum Life retain personal data?

We will only retain your data as long as is necessary for the performance of the contract and as long as required by the provisions laid down by laws and regulations concerning the retention of the data. If we retain your data for purposes other than the performance of a contract, such as preventing money laundering, accounting and the fulfilment of the solvency requirements, we will retain the data only if it is necessary for that purpose and/or provided for by law and regulations.

Examples of our main retention periods:

  • The data concerning persons who have received an offer is retained for 3 years from the offer. We retain the data of other potential customers for a maximum of 3 years.
  • If a person has subscribed to a newsletter or printed magazine from us or granted a marketing permission, the information will be kept for as long as the subscription / permission is valid.
  • As a rule, we retain a customer’s data for the duration of the customer relationship and no longer than 13 years after the expiry of the latest contract or the payment of the latest benefit.
  • We retain the know-your-customer (KYC) data for 5 years after the expiry of the latest contract.
  • We retain the recordings of phone calls related to the management of contracts for 10 years.
  • We retain customer satisfaction survey data for 5 years.
  • In the customer community operations, we retain personal data for one year after the membership has ended.
  • We retain data related to taxation, accounting and reporting obligations (e.g. obligations resulting from the international FATCA/CRS agreements) for 6 years from the end of each tax year.
  • For the retention periods for data of institutional customers’ members, see the personal data processing descriptions in section 6.
  • The data processed in connection with job applications is retained for two years at most.

11. How can I get in touch?

If you have questions about data protection, we ask you to primarily contact Mandatum Life’s customer service. You can reach Mandatum Life’s data protection officer at tietosuoja@mandatumlife.fi.

Updated 24th March 2021