Mandatum Life is committed to processing your personal data in accordance with the relevant legislation, including the General Data Protection Regulation, the Data Protection Act, the Information Society Code, the Insurance Companies Act, the Act on Investment Services, the Act on the Protection of Privacy in Working Life and other applicable regulation.
Protecting your data and your privacy and processing your data in a secure manner are very important to Mandatum Life, so whether you are a new or a long-time customer of ours, we recommend that you familiarize yourself with our practices. And in case you have any questions, do not hesitate to contact us!
2. Whose Data Do We?
- Customers of Mandatum Life (for example the insured persons, policyholders, beneficiaries, investment services customers, trading customers and persons associated with corporate customers)
- Members of the institutional customers of Mandatum Life (pension funds and personnel funds)
- Persons in Mandatum Life's marketing target groups
- Users of Mandatum Life's digital services (for example the website and mobile services)
- Customers of Kaleva Mutual Insurance Company (for example insured persons, policyholders and beneficiaries)
- Persons whose personal data is processed due to a legal obligation of Mandatum Life
- Tenants of real estate owned by Mandatum Life
- Employees of Mandatum Life, others working for Mandatum Life and job applicants
Generally we receive personal data from the persons themselves before and during the customer relationship, employment or other contractual relationship. Regarding group insurance plans of employers we also receive data from the employers of the insured persons. Based on the Insurance Companies Act we receive data from other companies of the Sampo Group and from companies that belong to the same conglomerate referred to in the Act on the Supervision of Financial and Insurance Conglomerates. We also receive data from our partners, from the joint claims and abuse registers of insurance companies and from public registers.
3. How and Why We Process Personal Data?
The Customers of Mandatum Life
We process personal data of our insurance, investment service and trading service customers to manage customer relationships and to market and develop our services. We also process personal data to fulfil our legal obligations. The categories of data we process and the details of the processing depend on what group of persons or customers you belong to.
Members of Institutional Customers (Pension Funds and Personnel Funds)
Mandatum Life Services Ltd offers pension funds services for daily operations, such as services related to fund management, pension processing, actuarial services, financial accounting, wealth management and risk management. For personnel funds, Mandatum Life Services Ltd offers services related to management, including maintenance of membership data, payment of the members’ fund shares, financial accounting and advising of members. When providing services to institutional customers and their members, Mandatum Life Services Ltd is the data processor and each pension fund or personnel fund is the data controller.
Customers of Kaleva
Mandatum Life handles the insurance and claim services for the Kaleva Mutual Insurance Company (except for Kaleva’s Primus insurances). For the customers of Kaleva, Mandatum Life is the data processor and Kaleva is the data controller.
Employees, job applicants and others working for Mandatum Life
We process personal data regarding employment or other contractual relationships and for example to fulfil our statutory employer obligations and to pay out salaries, commissions or fees.
Regarding job applicants, we process personal data provided to us by the applicant during the recruiting process in order to fill open positions.
Mandatum Life owns real estate as part of its investment portfolio. Colliers International Finland handles the renting. You can find information about the processing of personal data done by Colliers International Finland from the company’s website.
Profiling refers to automatic processing of personal data which includes for example evaluating or predicting the interests or the behaviour of a person. We use profiling to offer our customers more tailored and individual customer service and more suitable products and services. We also use profiling to target our advertising. You can find more information about profiling and the data used for profiling from the customer register description and the marketing register description. The profiling does not include automated decision-making.
Automated decision-making refers to making decisions solely based on the automatic processing of personal data. We use automated decision-making when processing insurance claims in order to process the claims quickly and to provide better service to our customers. When making automated decisions, we assess whether the policy conditions for paying the claim are met. In addition to the information given by the customer when filing the claim, we use information of the customer, their contracts and claims when making the decisions. The automated decision-making only applies to positive decisions, and decisions rejecting the claim are always processed by a person. If you wish, you can ask for reprocessing of the automated decision. In such a case, your claim is processed by a person.
More specific information
4. How Long Is Personal Data Retained for?
We retain personal data for as long as is necessary for the purposes for which the data is collected or as long as required by law. The retention periods depend on the data and which group of customers or persons you belong to. The retention periods also depend on the statutes of limitations in the Insurance Contracts Act and the anti-money laundering legislation. In cases where different retention periods apply to the same documents, the documents are stored according to the longest period. You can find a more detailed description of the retention periods for in our register descriptions.
5. Is Personal Data Disclosed or Transferred to Others?
Disclosures and Transfers of Personal Data
Personal data can be disclosed to recipients outside Mandatum Life as allowed or as required by law. Data may be disclosed for example to authorities (such as the Tax Administration, the Social Insurance Institution and enforcement authorities) and to the joint claims and abuse registers of insurance companies. Based on the Insurance Companies Act data may also be disclosed to other companies of the Sampo Group and companies belonging to the same conglomerate referred to in the Act on the Supervision of Financial and Insurance Conglomerates. Based on the customer’s consent or an agreement the customer’s data is disclosed to our partners that are involved in the products or services used by the customer. You can read more about the disclosures of personal data in our register descriptions.
Transfer of Personal Data Outside the EU and the EEA
Personal data is mainly stored and processed within the EU and the EEA. If data is transferred outside the EU and the EEA to countries for which the European Commission has not issued a decision of adequacy of data protection, we will take care of protecting the data for example by using the standard contractual clauses approved by the European Commission. Transferred data is processed only on behalf of Mandatum Life.
6. What Rights Do You Have?
You have for example the right to access your data, the right to rectify inaccurate data and the right to erasure as described in more detail below. Please also note that Mandatum Life has legal obligations to store some of the data and Mandatum Life may have an obligation to process your personal data even if you object to the processing or ask for the data to be erased.
You can use your rights described below by contacting our customer service.
If you are a member of a pension or personnel fund that is an institutional customer of Mandatum Life, note that the fund is the data controller. You can find more information on the rights of the members of institutional customers in the processing descriptions in section 11.
The Right of Access by the Data Subject
You have the right to receive confirmation on whether Mandatum Life is processing your personal data. If your personal data is being processed, you have the right to access the data and to receive a copy of the data. The confidentiality obligations set in the legislation applicable to the insurance and finance sector may restrict the use of your right to access information.
The Right to Rectification
You have the right to request that Mandatum Life rectifies any inaccurate personal data and completes any incomplete data.
The Right to Erasure (the Right to Be Forgotten)
You have the right to request the erasure of your data and if the processing is based on your consent, the right to withdraw your consent. If you request the erasure of your data or withdraw your consent, we will delete the data unless there are other legal grounds for the processing or unless we have a legal obligation to store the data. In any case, we will delete your data after the retention period has ended.
The Right to Restriction of Processing
You have the right to request that we restrict the processing of your personal data when the conditions set in legislation are met. Please also note that the right to restriction of processing does not apply to the processing of personal data carried out to fulfil the legal obligations of Mandatum Life.
The Right to Data Portability
If the processing of your personal data is based on your consent or the performance of a contract, you have the right to receive the personal data you have provided us in a structured and commonly used format and the right to have the data transferred to another data controller.
The Right to Object
You have the right to object to the processing of your personal data if the processing is based on the legitimate interests of Mandatum Life or a third party.
The Right to Lodge a Complaint
If you find the processing of your personal data to be in conflict with the applicable legislation, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman.
We use personal data for marketing our services and products for the current and potential customers of Mandatum Life. The marketing is carried out online, by mail and by telephone. We also contact our current customers with customer communications (for example newsletters, event invites and feedback surveys). Our online marketing consists of for example e-mails and advertisements on websites and in our mobile apps. You can find more information in our marketing register description.
Opting Out of Marketing
You can manage your e-mail subscriptions through our web service. In addition, each e-mail message includes a link through which you can unsubscribe from similar e-mails. You can also opt out of direct marketing by contacting our customer service.
We obey the marketing bans in the population register maintained by the Population Register Centre and in the Robinson Register maintained by the Data & Marketing Association of Finland, unless you have separately allowed marketing by Mandatum Life.
9. Terms Applicable to Mobile Applications and Biometric Authentication
10. How is Personal Data Protected and What Kinds of Risks Are Involved?
We use necessary and appropriate technological and administrative security methods in accordance with the best practices to protect personal and other data. These methods include the use of firewalls, strong encryption techniques and secure facilities, access controls and the limited granting of rights, staff training as well as the careful selection of subcontractors. In addition to complying with the applicable legislation, the subcontractors are contractually bound to comply with the data protection principles and guidelines of Mandatum Life.
The processing of personal data is only allowed for employees who need to access the data to carry out their tasks. The systems containing personal data have individual user accounts and the use of the systems is monitored. In addition to a statutory confidentiality obligation, employees of Mandatum Life who process personal data are bound by a separate confidentiality agreement. Personal data that is no longer necessary is deleted securely.
Despite careful and appropriate security measures, data processing always includes a risk. If a security breach that is likely to result in a high risk to your privacy or other rights takes place despite the security measures, we will contact you as soon as possible.
11. Register Descriptions of Mandatum Life
Mandatum Life Services
Description of Data Processing regarding the members of personnel funds »
Description of Data Processing regarding pension compensation »
Description of Data Processing regarding the member registers of pension funds »
Description of Data Processing regarding supplementary pension liability calculations »
Description of Data Processing regarding statutory pension liability calculations »
Description of Data Processing regarding IFRS calculations »
Register Descriptions for Kaleva are available at Kaleva’s website
12. Who Can I Contact?
If you have questions about data protection, you can contact the customer service of Mandatum Life.
Last updated on June 11, 2019.
Our Customer Service number