1. General
In this Privacy Notice for Mandatum Group’s camera surveillance, we describe the information required by the EU’s General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”) and other applicable data protection legislation concerning the processing of personal data carried out by the Group companies in connection with camera surveillance.
We update this Privacy Notice from time to time as needed.
If you have more specific questions or requests related to this Privacy Notice, the processing of your personal data or your rights as a data subject, you may contact us via the channels mentioned below.
2. Controllers and contact details of the controllers
The controller for Mandatum Group’s (hereinafter also “Mandatum”) camera surveillance is each company belonging to the Group for their part. This Privacy Notice applies to the following companies belonging to Mandatum Group or to the organisations the Group manages:
Mandatum plc
Bulevardi 56, FI-00120 Helsinki
P.O. Box 627, FI-00101 Helsinki
Mandatum Life Insurance Company Limited (Mandatum Life)
Bulevardi 56, FI-00120 Helsinki
P.O. Box 627, FI-00101 Helsinki
Mandatum Life Services Ltd
Bulevardi 56, FI-00120 Helsinki
P.O. Box 1210, FI-00101 HELSINKI
Mandatum Incentives Oy
c/o Mandatum Life Insurance Company Limited
P.O. Box 627, FI-00101 Helsinki
Mandatum Asset Management Ltd
Bulevardi 56, FI-00120 Helsinki
P.O. Box 1221, FI-00101 Helsinki
Mandatum AM AIFM Ltd
c/o Mandatum Asset Management Ltd
P.O. Box 1221, FI-00101 Helsinki
Mandatum Life SICAV-UCITS (fund company)
Mandatum Fund Management S.A. (fund management company)
53, Boulevard Royal
Luxembourg L-2449, Luxembourg
Mandatum Asset Management Palvelut Oy
c/o Mandatum Asset Management Ltd
P.O. Box 1221, FI-00101 Helsinki
3. Contact details of the Data Protection Officer
Mandatum Group’s Data Protection Officer
Email: dpo@mandatum.fi
Postal address: Mandatum, Data Protection Officer, P.O. Box 627, FI-00101 Helsinki.
4. Personal data to be processed and sources of personal data
The data subjects whose personal data is processed in connection with camera surveillance are the people working on Mandatum Group’s premises and other persons in the camera surveillance area, for instance, the controller’s customers, potential customers and the representatives of co-operation partners.
The camera surveillance register consists of camera recordings that include video images of data subjects and information about when the video was recorded. The personal data to be processed originates from the surveillance cameras that are located in the surveillance area that the data subject has entered.
5. Purposes of and legal basis for processing personal data
The purpose of the processing of personal data related to camera surveillance is to ensure the safety of the employees of the Mandatum Group companies, other people working and doing business on the premises of the Mandatum Group companies, and of the office premises.
Personal data is processed to ensure the safety of the people entering Mandatum’s premises, and the protection of the property, other physical assets, personal data and trade secrets, as well as to prevent and investigate criminal damage or other vandalism, threatening situations and crimes against the aforementioned, as well as other harmful activities. The recordings may also be used to investigate, among other things, workplace accidents or harassment, taking into account the requirements of the Finnish Act on the Protection of Privacy in Working Life (759/2004).
The legal basis for the processing of personal data is the legitimate interest of a company belonging to the Mandatum Group. The legitimate interest is to ensure the safety of the employees of the Group companies, other people working and doing business on the premises of the Mandatum Group companies, and the business premises, as well as to protect the controller’s assets as described above.
6. Automated decision-making and profiling
The processing of personal data carried out in connection with camera surveillance does not involve automatic decision-making that would have significant legal effects or other similar significant effects, or profiling based on personal data.
7. Recipients and transfer of personal data
Disclosure of personal data
Personal data is not regularly disclosed to third parties. Data may, based on a specific and justified request, be disclosed to the police or other competent authority in specific cases provided for by law, for instance, to investigate crimes.
Processors and data transfers outside the EEA
In Mandatum Group, the processor of personal data related to camera surveillance for the Group companies is Mandatum Life Services Ltd (2614680-9).
Besides the companies belonging to Mandatum Group, the Group companies can use in their operations subcontractors who process personal data on behalf of a Mandatum Group company acting as the controller and to whom personal data can be transferred to the extent required by the service produced by the subcontractor.
Personal data processed in connection with camera surveillance is not, in principle, transferred outside the European Union or the European Economic Area. If a transfer of personal data is necessary, this can only take place if the conditions laid down in data protection legislation for the transfer of personal data have been met. We always base the transfer of personal data on the transfer mechanisms permitted by legislation, such as the European Commission’s determination of whether a recipient country offers an adequate level of data protection (see the latest list of adequacy decisions on the EC’s website) or the European Commission’s standard contractual clauses (see the standard contractual clauses on the EC’s website). We also supplement these as necessary with various additional safeguards, which help appropriately guarantee an adequate level of data protection.
8. Retention periods for personal data
We store personal data collected in connection with camera surveillance, as a rule, for 30 days. However, for a special reason, e.g. for investigating a suspected crime, personal data may be kept longer than this, in which case the data will be erased, depending on the case, when the possible preliminary investigation, period of limitation or legal process ends.
9. Protection and security of personal data
We use technical and administrative information security means that are necessary, appropriate and in line with the best practices to protect personal data and other information. Such means include, for instance, the use of firewalls, strong encryption technologies and secure IT hardware areas, access control, restricted granting of user rights, providing instructions and training to personnel participating in personal data processing and careful selection of subcontractors. In addition to applicable legislation, the subcontractors commit to comply with Mandatum’s data protection principles and guidelines.
The processing of personal data within Mandatum is permitted only for work-related reasons. The user rights for accessing systems that contain personal data are personal, and the use of the rights is monitored. Mandatum’s employees that process personal data are bound by, in addition to the statutory obligation of secrecy, a separate non-disclosure agreement. Personal data that is no longer needed is erased in a secure manner.
Despite careful protection and appropriate information security, data processing always involves a risk. If, in spite of our measures, a personal data breach occurs that is likely to result in a high risk to your privacy or your other rights, we will contact you as soon as possible.
10. Your rights
You have the right to receive confirmation from Mandatum as to whether we process your personal data. If your personal data is processed, you have the right to receive a copy of the data and to inspect the data. If you make the request electronically, we will provide you the data in a commonly used electronic format unless you request otherwise. Legislation, the rights and freedoms of other individuals and other special grounds may limit your right to access some of the data that pertains to you.
If you consider your personal data that we process to be incorrect or inaccurate, you have the right to request Mandatum for rectification of such personal data and to have incomplete personal data completed.
You also have the right to request Mandatum to erase your personal data and, insofar as the processing of your personal data is based on consent, to withdraw your consent. If you request the erasure of your data or withdraw your consent to the processing of your personal data, we will no longer process your personal data in that respect, and we will erase the data from our systems unless there is another legal basis for processing the data. In any case, we will erase your data once the statutory storage period or other retention period specified by us has elapsed.
You furthermore have the right to object to the processing of your personal data if the processing is based on the fulfilment of Mandatum’s or a third party’s legitimate interests.
In specifically regulated cases, you may have the right to request that we restrict the processing of your personal data. Insofar as the processing of your personal data is based on consent or a contract, you also have the right to receive the personal data you have provided us in a structured and commonly used format and the right to have the data transferred to another data controller.
You can exercise your rights described above by contacting our customer service in an online message through Mandatum’s Web Service, by calling +358 200 31100 (lnc/mnc) Mon-Fri 9am–5pm, by mailing Mandatum, Asiakaspalvelu, PL 627, 00101 Helsinki, or by visiting our office nearest you. You can find the contact details and opening hours of our offices on our website.
The right to lodge a complaint with a supervisory authority
In matters related to the processing and protection of your personal data, and if you have any questions, please first contact Mandatum’s customer service or Mandatum Group’s Data Protection Officer, whose contact details are included above in Section 3 of this Privacy Notice.
If you are dissatisfied with a response you received from us, or if you believe our processing of your personal data does not comply with data protection legislation, you can contact the competent supervisory authority, i.e. the Office of the Data Protection Ombudsman.
Updated 16.9.2024