1. General information
In this Privacy Notice for Mandatum Group’s (hereinafter also “Mandatum” or “Group”) lease administration, we describe the information required by the EU’s General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”) and other applicable data protection legislation concerning the processing of personal data carried out by the Group companies in connection with the leasing of residential and commercial premises owned by the companies.
We update this privacy policy from time to time as needed.
If you have more specific questions or requests related to this privacy policy, the processing of your personal data or your rights as a data subject, you may contact us via the channels mentioned below.
2. Controllers and contact details of the controllers
The controller for data processing related to Mandatum Group’s lease administration is each company belonging to the Group or the real estate investment fund managed by such a company which owns and leases residential or commercial premises.
This privacy policy applies to the following companies belonging to Mandatum Group or to the organisations the Group manages:
Mandatum Life Insurance Company Limited (Mandatum Life)
Bulevardi 56, FI-00120 Helsinki
PL 627, 00101 Helsinki
Special Investment Fund Mandatum AM Finland Properties II
C/O Mandatum Asset Management Ltd
P.O. Box 1221, FI-00101 Helsinki
Mandatum AM AIFM Ltd
C/O Mandatum Asset Management Ltd
P.O. Box 1221, FI-00101 Helsinki
Mandatum Life Vuokratontit I Ky
C/O Mandatum Asset Management Ltd
P.O. Box 1221, FI-00101 Helsinki
Mandatum Life Vuokratontit II Oy
C/O Mandatum Asset Management Ltd
P.O. Box 1221, FI-00101 Helsinki
3. Contact details of the data protection officer
Mandatum Group’s Data Protection Officer
Email: dpo@mandatum.fi
Postal address: Mandatum, Data Protection Officer, P.O. Box 627, FI-00101 Helsinki.
4. Categories of data subjects
The processing of personal data related to lease administration involves the following categories of data subjects:
- Lease applicants, meaning natural persons who have submitted a lease application on their own behalf or on behalf of an organisation they represent, or who have otherwise expressed an interest in leasing residential or commercial premises owned by the controller.
- Lessees, meaning natural persons who are or have been tenants in residential premises owned by the controller.
- Lessee representatives, such as authorised representatives, guardians and other natural persons who act or have acted on behalf of a party that is or has been a lease applicant or a lessee in a property owned by the controller.
- Persons responsible in a company, such as beneficial owners and parties exercising control in a company, who are or have been a lease applicant or a lessee in a property owned by the controller.
5. Personal data to be processed
The personal data that we process in the context of our lease administration’s register can be divided into the following personal data categories. Examples of personal data are given for these groups. The example lists are not exhaustive, and the data to be processed may vary between different customer relationships.
Basic data, such as a data subject’s name, personal identity code, date of birth, contact details, information about guardianship or curatorship, and information about a guardian, representative, proxy or other similar person in a customer relationship.
Data related to statutory requirements and taxation, which legislation requires us to collect, such as nationality, country of birth and other information related to tax residency, information necessary for knowing and identifying the data subject and for verifying their identity, information on the origin of funds, financial status and political exposure, and information on beneficial owners.
Financial data, such as credit and payment default data, security deposit data, data related to rent payment and invoicing, bank account data for the purpose of returning the security deposit, as well as debt collection data.
Agreement information, such as information related to the creation, content and terms of the lease agreement.
Customer transaction information, such as transactions related to the management of the lease.
Recordings and message contents, such as email messages, to which the data subject is a party.
Information related to housing, such as key and access information related to electronic locking systems, as well as user information related to other services of the leased premises.
Camera surveillance data and recordings, which are necessary to ensure the safety of the people in Mandatum’s premises and the protection of property and other physical assets, as well as to prevent and investigate criminal damage or other vandalism, threatening situations and crimes against the aforementioned, as well as other harmful activities.
Behavioural information, such as data collected through the use of cookies and other similar technologies, e.g. about the controller’s websites a user browses, the model of the device used for browsing, the unique device identifier, IP address and session.
6. Sources of personal data
The data processed in the lease administration’s register is primarily collected from the data subject or the data subject’s representative, who is in contact with Mandatum, the rental agent, or another party acting on behalf of Mandatum regarding the premises to be leased or who submits a lease application or signs a lease agreement concerning such premises.
We collect and update personal data within the framework permitted by law also from third-party registers, such as registers maintained by authorities (e.g. the population information system, the Tax Administration’s registers, company registers and registers of supervisory authorities), international and national sanctions and freeze lists (e.g. sanctions lists maintained by the EU, the UN and the United States Office of Foreign Assets Control, and the list of decisions to freeze funds maintained by the Finland’s National Bureau of Investigation), credit information registers and commercial data brokers who provide information on, e.g. beneficial owners, politically exposed persons, and the decision-makers of companies and organisations.
7. Purposes of and legal basis for processing personal data
The purpose of processing personal data related to the lease administration’s register is to enable the leasing of residential and commercial premises and the implementation of leases, as well as communication with the data subjects related to the leases.
The next section describes in more detail the purposes for which Mandatum can process your personal data by virtue of each legal basis of data protection regulation.
Contractual relationship or measures prior to concluding a contract
Personal data processing related to the lease administration’s register is mainly necessary for implementing the lease agreement or the measures prior to the signing of the lease agreement.
The purpose of processing carried out before the lease agreement is concluded is to collect, process and verify the data of the data subject. Processing may also be necessary to carry out other measures prior to the signing of the agreement, such as processing lease applications and other communications related to the lease.
In addition, the purpose of personal data processing is to manage, implement and document the tasks specified in the lease agreement during the life of the contractual relationship. This processing also includes, for example, measures related to rent invoicing and debt collection, managing the contractual relationship, as well as to customer service and other communication related to the leases.
Legal obligation
In addition to processing personal data to implement agreements, Mandatum’s operations are subject to a wide range of obligations arising from legislation. Complying with these obligations and with official regulations and decisions requires us to process personal data. In order to comply with these legal obligations, we may process personal data for, e.g. the following purposes:
- Informing lessees about events that affect their housing or daily life, such as repairs and maintenance to the property, planned water or electricity outages, and changes related to the lease.
- Knowing the customer and verification of identity.
- Preventing, detecting and investigating money laundering, terrorist financing and other financial crimes as well as such crimes as were committed as their predicate offences.
- Compliance with sanctions regulations and fund-freezing decisions.
- Compliance with accounting and tax regulations.
- Regulatory reporting.
- Compliance with risk-management-related obligations, such as managing solvency requirements and insurance risks.
Legitimate interest
Mandatum has a legitimate interest to process personal data in order to offer, produce and develop the services of our Group companies. On the basis of a legitimate interest, data may also be disclosed within the Mandatum Group, for example, for customer service and other management of the contractual relationship, as well as for the Group’s risk management, within the limits permitted by law.
On the basis of a legitimate interest, we can process personal data for, among other things, developing our business and systems and ensuring their functionality; for quality control and assurance; for preventing, detecting and investigating misconduct; for defending ourselves against complaints, legal cases and other legal claims; and for preparing and presenting a legal claim.
We may record telephone calls and electronic communications based on a legitimate interest, for example, to confirm and document discussions and agreements with the customer, as well as to monitor and develop the quality of customer service. Video footage from the surveillance cameras inside and outside our premises may be recorded to ensure the safety of the people visiting our offices, as well as the safety of our premises, properties and other physical assets.
Based on a legitimate interest, we will send regular tenant satisfaction surveys using a variable sample as part of the quality control of lease administration and the functionality of the premises. We may also contact the lessees as the lease term approaches its end to negotiate the use of the premises after the agreed lease period.
Consent
In certain situations, we ask for your explicit consent to process your personal data. These situations may include, for example, consent to electronic direct marketing or processing using non-essential cookies. We will provide you with more information about the intended processing of your personal data when we request your consent to the processing in question.
If you have given your consent to the processing of your personal data, you also have the right to withdraw your consent at any time. You can manage, for example, the consent you have given to Mandatum for electronic direct marketing through Mandatum’s online service or in connection with a marketing message you receive. You can also manage your consent by contacting our customer service.
8. Automated decision-making and profiling
The processing of personal data carried out in connection with the lease administration’s register does not involve automatic decision-making that would have significant legal effects or other similar significant effects, or profiling based on personal data.
9. Recipients and transfer of personal data
Disclosure of personal data
Mandatum Group companies may, in certain situations, disclose personal data to third parties as independent controllers, if this is necessary e.g. for compliance with obligations arising from legislation or regulatory requirements, or to exercise a legitimate interest. Before disclosing data, we always make sure that there is a legal basis for the disclosure, and that the disclosure takes place in compliance with the applicable non-disclosure obligations and other regulatory obligations.
Data may be disclosed to, for example:
- real estate companies owned by the real estate fund.
- those responsible for the management, property management and building maintenance of the leased premises.
- debt collection companies for the purpose of collecting rent receivables.
- authorities, such as the Social Insurance Institution of Finland (Kela), supervisory authorities, tax authorities, the police and enforcement authorities.
- a third party to whom the controller sells the property, residential or commercial premises where the data subject is a lessee.
- companies within our Group which belong to Mandatum Group.
Personal data processors and data transfers outside the EEA
In their activities, Mandatum Group companies may use subcontractors who process personal data on behalf of a Mandatum Group company acting as the controller and to whom personal data can be transferred to the extent required by the service produced by the subcontractor.
Such subcontractors may include, for instance, lease management service providers, such as those offering real estate brokerage services for residential and commercial properties, parties responsible for property management and maintenance when acting on behalf of Mandatum, as well as our other co-operation partners, which we use e.g. to produce our IT services.
Personal data processed in connection with the lease administration’s register may, in the context of using subcontractors, also be transferred outside the EEA, provided that the conditions laid down in data protection legislation for a data transfer are met. We always base the transfer of personal data on the transfer mechanisms permitted by legislation, such as the European Commission’s determination of whether a recipient country offers an adequate level of data protection (see the latest list of adequacy decisions on the EC’s website) or the European Commission’s standard contractual clauses (see the standard contractual clauses on the EC’s website). We also supplement these as necessary with various additional safeguards, which help appropriately guarantee an adequate level of data protection.
10. Storage periods for personal data
We store your personal data for as long as the data is necessary in terms of the purposes for which the data was collected or otherwise processed. Data storage periods may vary depending on the purpose of the processing, the nature of the personal data and the requirements applicable to their processing. We delete or anonymise the data when their storage period expires.
We retain data related to lease agreements and our lessees, lessee representatives, and persons responsible for the duration of the lease and, as a rule, for a maximum of six (6) years from the termination of the lease agreement.
We retain data related to lease applications that have not resulted in the signing of a lease agreement for a maximum of two (2) years from the receipt of the most recent application.
11. Personal data protection and security
We use technical and administrative information security means that are necessary, appropriate and in line with the best practices to protect personal data and other information. Such means include, for instance, the use of firewalls, strong encryption technologies and secure IT hardware areas, access control, restricted granting of user rights, providing instructions and training to personnel participating in personal data processing and careful selection of subcontractors. In addition to applicable legislation, subcontractors commit to comply with the instructions and binding contractual terms and conditions provided by Mandatum regarding the permitted processing of personal data.
The processing of personal data within Mandatum is permitted only for work-related reasons. User rights for accessing systems that contain personal data are personal, and the use of the rights is monitored. Mandatum’s employees that process personal data are bound by, in addition to the statutory non-disclosure obligation, a separate non-disclosure agreement. Personal data that is no longer needed is erased in a secure manner.
Despite careful protection and appropriate information security, data processing always involves a risk. If, in spite of our measures, a personal data breach occurs that is likely to result in a high risk to your privacy or your other rights, we will contact you as soon as possible.
12. Your rights
You have the right to receive confirmation from Mandatum as to whether we process your personal data. If your personal data is processed, you have the right to receive a copy of the data and to inspect the data. If you make the request electronically, we will send you the data in a commonly used electronic format unless you request otherwise. Legislation, the rights and freedoms of other individuals and other special grounds may limit your right to inspect some of the data that pertains to you.
If you consider your personal data that we process to be incorrect or inaccurate, you have the right to request that Mandatum rectify such personal data and complete any incomplete data.
You also have the right to request that Mandatum erase your personal data and, insofar as the processing of your personal data is based on consent, to withdraw your consent. If you request the erasure of your data or withdraw your consent to the processing of your personal data, we will no longer process your personal data in that respect, and we will erase the data from our systems unless there is another legal basis for processing the data. In any case, we will erase your data once the legal storage period or other storage period specified by us has elapsed.
You furthermore have the right to object to the processing of your personal data if the processing is based on the fulfilment of Mandatum’s or a third party’s legitimate interest.
In specifically regulated cases, you may have the right to request that we restrict the processing of your personal data. Insofar as the processing of your personal data is based on consent or a contract, you also have the right to receive the personal data you have provided us in a structured and commonly used format and the right to have the data transferred to another controller.
You can exercise your rights described above by contacting our customer service in an online message through Mandatum’s Web Service, by calling +358 200 31100 (lnc/mnc) Mon-Fri 9am–5pm, by mailing Mandatum, Asiakaspalvelu, PL 627, 00101 Helsinki, or by visiting our office nearest you. You can find the contact details and opening hours of our offices on our website.
The right to lodge a complaint with a supervisory authority
In matters related to the processing and protection of your personal data, and if you have any questions, please first contact Mandatum’s customer service or Mandatum Group’s Data Protection Officer, whose contact details are included above in section 3 of this Privacy Notice.
If you are dissatisfied with a response you received from us, or if you believe our processing of your personal data does not comply with data protection legislation, you can contact the competent supervisory authority, i.e. the Office of the Data Protection Ombudsman.
Updated on 27.5.2025.