Data protection means protecting personal data and safeguarding appropriate data processing. Personal data is data related to an identified or identifiable person. In the following, “Mandatum” and “we” will refer to the processing of personal data within the Mandatum Group companies, as applicable (see section 1). In this privacy notice, we provide information about the processing of personal data at Mandatum, what personal data we process, how we use your data and what rights you have regarding the processing of your data. This is a general description of personal data processing at Mandatum, and it is shared between the Mandatum Group companies. You will receive more detailed information about the processing of personal data when you use our services.
When using Mandatum’s services, you entrust us with your data. Mandatum is committed to protecting individuals’ rights and to keeping your personal data safe. When you share information with us, we will be able to serve you better by, for example, offering you products and services that best suit your needs and by helping you do business with us. The principles and ways of operating emanating from this notice are applied to all of Mandatum’s activities involving the processing of personal data. Examples of application situations are the use of our web and mobile services, applying for insurance or claiming compensation and the use of our wealth management services. The privacy notice is also applied to the processing of the personal data of our employees and job applicants, as well as to the processing of the personal data of the personnel of Mandatum’s representatives and other partners.
This privacy notice includes the following areas:
- Processing of personal data within the Mandatum Group companies
- Whose personal data does Mandatum process?
- What personal data does Mandatum collect?
- How can Mandatum use your personal data and on what legal bases?
- Automated decision-making and profiling
- To whom can Mandatum disclose personal data?
- How does Mandatum protect personal data and what kind of risks are involved in the processing of personal data?
- Institutional customers’ members
- What rights do you have?
- Cookies
- For how long does Mandatum retain your personal data?
- Contacting Mandatum or the data protection authority
1. Processing of personal data within the Mandatum Group companies
The data controller at the Mandatum Group is Mandatum Life Insurance Company Limited and/or the Group company you are dealing with. This privacy notice covers the following companies or undertakings that are part of the Mandatum Group or managed by the Mandatum Group:
Mandatum Life Insurance Company Ltd (Mandatum Life)
Bulevardi 56, 00120 Helsinki
P.O. Box 627, 00101 Helsinki
Mandatum Incentives Ltd
c/o Mandatum Life Insurance Company Ltd
P.O. Box 627, 00101 Helsinki
Mandatum Life Services Ltd
P.O. Box 1210, 00101 Helsinki
Mandatum Asset Management Ltd
P.O. Box 1221, 00101 Helsinki
Mandatum AM AIFM Ltd
c/o Mandatum Asset Management Ltd
P.O. Box 1221, 00101 Helsinki
Mandatum Life SICAV-UCITS (fund company)
Mandatum Fund Management S.A. (fund management company)
26-28 Rue Edward Steichen
L-2540 Luxembourg, Luxembourg
Mandatum Life Services Ltd acts as a personal data processor when providing services to institutional customers and their members (see section 8). Each pension fund, pension foundation or personnel fund acts as a controller.
The Mandatum Trader service’s trading platform is provided by Saxo Bank A/S, whose privacy notice is available on Saxo’s website. To familiarise yourself with the Trader service, go to Trader’s website.
2. Whose personal data does Mandatum process?
In its business operations, Mandatum processes the personal data of the following groups of data subjects:
- Mandatum’s customers (for example insured persons, policyholders, beneficiaries, investment service customers, trading customers and persons related to corporate customer accounts)
- Members of Mandatum’s institutional customers (personnel funds, pension funds and pension foundations)
- Persons subject to reward and compensation services provided by Mandatum
- Mandatum Trader customers
- Persons belonging to Mandatum’s marketing target groups
- Users of Mandatum’s digital services (for example the website and mobile service)
- Kaleva Mutual Insurance Company’s customers (for example insured persons, policyholders and beneficiaries)
- Persons whose personal data is processed because of a statutory obligation concerning Mandatum
- Board members of companies on the main market listings of Stockholm and Helsinki stock exchanges
- Tenants of the real estate owned or managed by Mandatum
- Mandatum’s employees, other persons working for Mandatum and job applicants
- Contact and responsible persons of institutions closely related to Mandatum’s operations
3. What personal data does Mandatum collect?
Personal data is usually collected directly from you, or it is obtained from the use of Mandatum’s products or services. Sometimes we may also require additional information to keep the data up to date or to ensure that the information we receive is correct.
The personal data collected by us can be divided as follows:
Basic information, such as the customer’s, institutional customer’s representative’s or insured person’s name, personal identity code, contact details, language, nationality, information concerning membership entitling to benefits, information on guardianship, know-your-customer information, taxation information and information required for fulfilling our statutory obligations.
Interaction information, such as communications related to the customer relationship, co-operation, or job application, for example, orders, information on the website and application users, web service event logs, contacts with other customers, customer satisfaction survey responses and, for trading customers, trading information.
Contract information, such as employment contract, co-operation contract or, for customers, insurance type and cover information, information concerning the contract and the insurance, special categories of personal data (such as health-related information or trade union membership information), position in the contract (insured person, policyholder, or beneficiary), the number and type of securities to be held in custody.
Financial information, such as payments made, invoices, savings, collection information and information related to insurance compensations.
Personal data that we collect from you
From new customers, for example, we collect their name, personal identity code, email address and telephone number to be able to provide the customer with the relevant product or service. In insurance operations, the provision of services requires, for example, insurance need surveys, taxation information, medical examinations and statements and occupation and hobby information that impacts risk. For investment operations, we need the investment line and class, information on the fund and an investment plan. For an employment relationship, we need, for example, contact information and a tax card.
We also collect information from messages, such as feedback or requests, that you have sent us through our digital channels. We can also record and save phone calls and chats to confirm orders or for documentation, quality monitoring and development purposes. For security reasons, we have surveillance cameras on our premises and outside them.
Personal data that we can collect from sources other than the person him/herself
We collect personal data from publicly available sources, such as registers maintained by authorities (e.g. the Population Register, the Tax Administration’s registers, company registers and supervisory authorities’ registers) and stock exchange releases, sanctions lists (e.g. the national sanctions list maintained by the National Bureau of Investigation, the lists maintained by the EU and the UN, and the list of the United States’ Office of Foreign Assets Control, OFAC), the credit information register, and from commercial information providers who provide information on beneficial owners and politically exposed persons.
We obtain information from the employer for providing employees’ group insurance and for the provision of reward and compensation services. We also receive information from companies belonging to the same financial consortium with which we co-operate. In addition, we process data collected from the insurance companies’ joint abuse register. We may also receive personal data in reports submitted to our whistleblowing channel or in the course of investigations carried out in relation to such reports.
4. How can Mandatum use your personal data and on what legal bases?
We use your personal data to fulfil our contractual and statutory obligations and to make you offers and provide you with advice and services:
Concluding and managing service and product agreements (performance of a contract)
The primary purpose of personal data processing is to collect, process and verify the personal data before making an offer and concluding an agreement and to document, manage and carry out the tasks specified in the contract.
Examples of tasks related to the performance of a contract:
- performance of, e.g., a co-operation agreement, an employment contract, an insurance policy, a custodial agreement, a wealth management contract or an agreement concerning the transmission of orders and the performance of its terms and conditions
- customer service during the contractual period
Compliance with requirements and obligations laid down in the law, regulations or decisions of authorities and supervisory authorities (statutory obligation)
In addition to the performance of a contract, compliance with the obligations laid down in the law, regulations and decisions issued by authorities requires us to process personal data.
Examples of statutory obligations that require the processing of personal data:
- obligation to know your customer (KYC)
- prevention, detection and investigation of money laundering, terrorist financing and fraud
- sanctions list verifications
- accounting and tax regulations
- regulatory reporting
- obligations related to risk management, such as insurance risks and solvency requirements
- customer communications in connection with legal obligations, such as the submission of annual calculations of insurance products and the notification of significant changes in the insurance terms and conditions or the content of the insurance
- reports on possible breaches of European Union law and domestic law under the applicable whistleblowing act
- other obligations related to service- or product-specific legislation, such as legislation governing insurance and investment services.
Customer communications, marketing, product and customer analyses (legitimate interest)
Mandatum has a legitimate interest in processing personal data for customer communications and in connection with marketing, product and customer analyses. This allows us to improve our product range and optimise the services offered to customers. We market, for example, our products and services to Mandatum’s existing and potential customers electronically, by post and by phone. We also send customer communications (e.g. market outlooks, newsletters and feedback surveys) to our existing customers. The tag used in the links of the emails we send can be used to associate the email sent to you with the customer information we hold on you. The tag also allows you to manage your personal communication settings through the links in the emails sent to you. We carry out digital marketing through, for example, online advertising that can be targeted using, for instance, Facebook’s or LinkedIn’s custom target groups. You can object to targeting here. Marketing may also involve profiling, which we describe in more detail in section 5.
In certain situations, we ask for your consent to process your personal data. Such situations include, for example, consent to electronic direct marketing or the processing of data belonging to special categories. The consent request contains information on the processing of such data. If you have given your consent to the processing of your personal data, you also have the right to withdraw your consent. For example, you can withdraw your consent to electronic direct marketing by logging in to our web service or by managing your subscriptions here. You can also manage this and other consents by contacting our customer service.
5. Automated decision-making and profiling
Automated decision-making means making decisions based solely on automated processing of personal data. We use automated decision-making in claims processing to speed up the processing of applications and to offer our customers better service. In connection with automated decision-making, we assess, based on the information provided in the application, whether the conditions for granting compensation specified in the insurance terms and conditions are met. In addition to the information provided in the application, we use information related to the customer relationship, contracts and compensations in the decision-making process. Automated decision-making only applies to positive claims decisions, and negative decisions are always processed by a natural person. If you wish, you can request the re-processing of a decision resulting from automated decision-making, in which case your application will be processed by a natural person.
Profiling means automated processing of personal data, involving, for example, the assessment or anticipation of a person’s areas of interest or behaviour. We use profiling to target direct marketing and online marketing in an effort to offer each person the products and services that are most suited and relevant for him/her. In targeting direct marketing, we use customer information, information obtained from our co-operation partners and from public registers, as well as information provided by the customer about his/her areas of interests, for example. The targeting of online advertising is based on website visitor data: visitors can be shown, for example, advertisements on products and services related to pages they have visited earlier. Section 10 of this notice provides more information on cookies. The profiling carried out in connection with marketing does not include automated decision-making that has significant legal effects.
6. To whom can Mandatum disclose personal data?
Personal data can be disclosed outside of Mandatum when this is allowed or required by legislation. Information may be disclosed to, for example:
- the authorities (such as the police, the tax administration, the Social Insurance Institution and enforcement officers)
- the insurance companies’ joint abuse register
- reinsurance companies
- companies belonging to the same financial consortium
We may also disclose data, based on the customer’s consent or an agreement, to our partners that are related to the products or services chosen by customers.
Data transfer to third countries
In some cases, Mandatum can also transfer personal data to organisations operating outside the European Economic Area, i.e. in so-called third countries.
Such data transfers can be carried out if one of the following conditions is met:
- The EU Commission has decided that the level of data protection in the country in question is adequate.
- Other necessary protection measures have been introduced, for example by following the standard contractual clauses approved by the EU Commission or by ensuring that the company processing the data has valid binding corporate rules in place.
7. How does Mandatum protect personal data and what kind of risks are involved in the processing of personal data?
We use technical and administrative information security measures that are necessary, appropriate and in line with best practices to protect personal data and other information. Such measures include, for instance, the use of firewalls, strong encryption technologies and secure IT areas, access control, restricted granting of user rights, providing instructions and training to personnel participating in personal data processing and careful selection of subcontractors. In addition to applicable legislation, the subcontractors commit to complying with Mandatum’s data protection principles and guidelines.
The processing of personal data is only allowed for work-related reasons. The user rights for accessing systems that contain personal data are personal, and the use of the rights is monitored. In addition to the statutory non-disclosure obligation, Mandatum’s employees who process personal data are also bound by a separate non-disclosure agreement. Personal data that is no longer needed is erased in a secure manner.
Despite careful protection and appropriate information security, data processing always involves a risk. If, despite our measures, a data protection breach occurs that is likely to result in a high risk for your privacy or your other rights, we will contact you as soon as possible.
8. Institutional customers’ members
Mandatum Life Services Ltd offers pension funds and foundations services related to, for example, daily activities, such as fund management services, pension processing, actuarial operations, accounting, asset management and risk management. To personnel funds, Mandatum Life Services Ltd offers management services, including membership database maintenance, payment of fund units, fund accounting and advisory services for members. Mandatum Life Services Ltd acts as a personal data processor when providing services to institutional customers and their members. Each pension fund, pension foundation or personnel fund acts as a controller. More information on the processing of personal data of institutional customers can be found in the following descriptions:
Description of data processing regarding the members of personnel funds
Description of data processing regarding pension compensation
Description of data processing regarding the member registers of pension funds
Description of data processing regarding supplementary pension liability calculations
Description of data processing regarding statutory pension liability calculations
Description of data processing regarding IFRS calculations
9. What rights do you have?
You have, for example, the right to access your data and the right to have your incomplete or inaccurate data rectified as described in further detail below. Please also note that Mandatum’s operations entail statutory obligations to retain the data, and Mandatum may have the obligation to process your personal data even if you request the restriction of processing or erasure of the data.
As far as the members of institutional customers (pension funds and foundations and personnel funds) are concerned, each institutional customer acts as the controller. More information on the use of the rights of the members of institutional customers is available in the data processing descriptions which can be found in section 8 of this privacy notice.
You can exercise your rights described below by contacting our customer service.
The right of access
You have the right to receive confirmation from Mandatum of whether we process your personal data. If your personal data is processed, you have the right to receive a copy of the data and to inspect the data. The non-disclosure obligations laid down in the special legislation governing the insurance and finance sector or the applicable whistleblowing act may restrict your right of access to information.
The right to rectification
You have the right to request Mandatum to rectify any inaccurate personal data and to complete any incomplete data.
The right to erasure (right to be forgotten)
You have the right to request the erasure of your personal data and, to the extent that the processing of your personal data is based on consent, to withdraw your consent. If you request the erasure of your data or withdraw your consent to the processing of your personal data, we will erase the data from our systems unless there is another legal basis for the processing of the data or unless we have a statutory obligation to retain the data. In any case, we will erase your data once the retention period as specified by us or provided for by law has lapsed.
The right to restriction of processing
Under specific conditions provided for in legislation, you have the right to request us to restrict the processing of your personal data. However, the right to request restriction of personal data processing does not apply to personal data processing resulting from Mandatum’s statutory obligations.
The right to data portability
To the extent that the processing of your personal data is based on consent or a contract, you have the right to receive the personal data you have provided us in a structured and commonly used format and the right to have the data transferred to another data controller.
The right to object
You have the right to object to the processing of your personal data to the extent that the processing is based on the fulfilment of legitimate interests of Mandatum or a third party.
You also have the right to object to the processing of your personal data for direct marketing purposes. You can find more information on opting out of direct marketing in section 4 of this privacy notice.
The right to lodge a complaint
If you find the processing of your personal data to conflict with the applicable legislation, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman.
10. Cookies
Cookies are small text files that are stored on the visitor’s computer or other device when visiting Mandatum’s websites. When we refer to cookies in this privacy notice, this also includes other similar technologies and tools that collect and store information in your browser and, in some cases, transmit such information to third parties in the manner of cookies.
On Mandatum’s websites and web services, cookies are used to maintain the session after the user logs in to the web service and to remember the selections made by the user when moving from one page to another. Cookies also allow us to individualise website visitors and to compile statistics on the visitors to our website. Cookies are also used in the chat service of Mandatum’s websites and to target marketing. Both session cookies and persistent cookies set by Mandatum and third parties are used on Mandatum’s websites and web services. You can read more about cookies in our cookie notice.
11. For how long does Mandatum retain personal data?
We will only retain your data as long as is necessary for the performance of the contract and as long as required by the provisions laid down by laws and regulations concerning the retention of the data. If we retain your data for purposes other than the performance of a contract, such as preventing money laundering, accounting and the fulfilment of the solvency requirements, we will retain the data only if it is necessary for that purpose and/or provided for by law and regulations.
Examples of our main retention periods:
- We retain the data of potential customers for a maximum of 3 years from the date of the last personal communication with the potential customer. If an offer we have made has not resulted in a contract, we retain the data relating to that offer for a maximum of 3 years from the date of its issuance.
- If a person has subscribed to a newsletter or printed magazine from us or granted a marketing permission, the information will be kept for as long as the subscription / permission is valid.
- For life insurance contracts, we retain customer data for the duration of the customer relationship and no longer than 13 years since the termination of the latest contract or the payment of the latest benefit. For investment contracts, we retain customer data for a maximum of 10 years since the termination of the contract.
- We retain the know-your-customer data for 5 years since the termination of the latest contract.
- We retain the recordings of phone calls related to the management of contracts for 10 years.
- We retain customer satisfaction survey data for 5 years.
- In the customer community operations, we retain personal data for one year since the membership has ended.
- We retain data related to taxation, accounting and reporting obligations (e.g. obligations resulting from the international FATCA/CRS agreements) for 6 years from the end of each tax year.
- For the retention periods for data of institutional customers’ members, see the personal data processing descriptions in section 8.
- The data processed in connection with job applications is retained for 2 years at most.
- The information received via reports submitted to the whistleblowing channel is retained for 5 years unless it is necessary to retain the information longer in order to exercise rights and fulfil obligations under the law or to prepare, present or defend a legal claim. Personal data that is clearly not relevant for handling and investigating a specific report is deleted without undue delay.
12. How can I get in touch?
If you have questions about data protection, we ask you to primarily contact Mandatum’s customer service.
You can reach the data protection officer of Mandatum Life, Mandatum Life Services Ltd and Mandatum Incentives Ltd at dpo(at)mandatumlife.fi.
You can reach the data protection officer of Mandatum Asset Management Ltd and Mandatum AM AIFM Ltd at dpo(at)mandatumam.com.
You can reach the data protection officer of Mandatum Life SICAV-UCITS funds and Mandatum Fund Management S.A. at dpo(at)mandatumlife.lu.
You can reach the data protection officer of Mandatum Group at dpo(at)mandatumlife.fi.
The previous version is available here