Privacy Notice for Mandatum Group’s customer register

1. General 

In this Privacy Notice for Mandatum Group’s customer register, we describe the information required by the EU’s General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”) and other applicable data protection legislation concerning the processing of personal data carried out by the Group companies. 

We explain, among other things, the personal data that Mandatum Group companies (hereinafter also “Mandatum”) process on you, the sources of the data, the purposes for which personal data can be processed and to whom we can disclose and distribute this data. The principles and practices deriving from this Privacy Notice apply to all personal data processing related to Mandatum’s customers. Examples of application situations are applying for insurance or making an insurance claim, using our wealth management services and using our web and mobile services.

We update this Privacy Notice from time to time as needed, because we continuously develop our operations and as a result there may also be changes in our processing of personal data.   

If you have more specific questions or requests related to this Privacy Notice, the processing of your personal data or your rights as a data subject, you may contact us via the channels mentioned below. 

2. Controllers and contact details of the controllers 

The controller in Mandatum Group is the Group company whose products or services you use. This Privacy Notice applies to the following companies belonging to Mandatum Group or to the organisations the Group manages: 

Mandatum Life Insurance Company Limited (Mandatum Life)
Bulevardi 56, FI-00120 Helsinki
P.O. Box 627, FI-00101 Helsinki

Mandatum Life Services Ltd
Bulevardi 56, FI-00120 Helsinki
P.O. Box 1210, FI-00101 Helsinki

Mandatum Incentives Oy
C/O Mandatum Life Insurance Company Limited
P.O. Box 627, FI-00101 Helsinki 

Mandatum Asset Management Ltd
Bulevardi 56, FI-00120 Helsinki
P.O. Box 1221, FI-00101 Helsinki 

Mandatum AM AIFM Ltd
C/O Mandatum Asset Management Ltd
P.O. Box 1221, FI-00101 Helsinki 

Mandatum Life SICAV-UCITS (fund company) 

Mandatum Fund Management S.A. (fund management company)
53, Boulevard Royal
Luxembourg L-2449, Luxembourg 

Mandatum Asset Management Palvelut Oy
C/O Mandatum Asset Management Ltd
P.O. Box 1221, FI-00101 Helsinki 

Mandatum Group companies also act as processors for certain other controllers, such as Kaleva Mutual Insurance Company, Saxo Bank A/S, pension funds and foundations, as well as personnel funds to which the Group companies provide services. Processing carried out by Mandatum as a processor of personal data is described later in Section 12. 

3. Contact details of the Data Protection Officer 

Mandatum Group’s Data Protection Officer

Email: dpo@mandatum.fi   
Postal address: Mandatum, Data Protection Officer, P.O. Box 627, FI-00101 Helsinki. 

4. Whose personal data does Mandatum process? 

Data subject refers to a natural person whose personal data is subject to the processing. In the context of its customer register, Mandatum processes in its business operations the personal data of the following groups of data subjects:

  • Mandatum’s customers, such as the insured, policyholders, beneficiaries, investment and fund services customers and trading customers
  • Persons associated with Mandatum’s corporate and institutional accounts, such as an authorised representative, responsible person/persons and beneficial owners
  • Persons who are the target of the reward & compensation comparison services and other reward services produced by Mandatum
  • Third parties, such as beneficiaries, guardians, insurance payers, pledge givers and guarantors associated with Mandatum’s customer accounts 
  • Mandatum’s potential customers and other persons belonging to the target marketing group
  • The members of the boards of organisations and companies, persons responsible and key persons, corporate decision-makers and shareholders
  • Users of Mandatum’s digital services (e.g. the website and mobile service)
  • Lessees of properties owned or managed by Mandatum
  • Members of Mandatum’s institutional customers (personnel funds, pension funds and pension foundations)
  • Mandatum Trader customers
  • Customers of Kaleva Mutual Insurance Company 

5. What personal data does Mandatum process? 

The personal data that we collect and otherwise process in the context of our customer register can be categorised into the following personal data groups. Examples of personal data are given for these groups. The examples are not exhaustive, as the data to be processed depends on, among other things, the nature of the customer account or other relationship, as well as on the products and services used by the customer. 

Basic information, such as a data subject’s name, personal identity code, date of birth, contact details, language, citizenship, country of residence, information about a membership entitling the holder to benefits, information about guardianship, and information about a guardian, representative, proxy or other similar person in a customer relationship.

Information related to statutory requirements and taxation, which legislation requires us to collect, such as information necessary to identify a customer and verify a customer’s identity and to ascertain their financial position and whether they are politically exposed; information necessary to assess a customer’s insurance needs and the suitability and appropriateness of investment services and financial instruments; information related to taxation and tax obligation; and other information necessary for us to fulfil our statutory obligations. 

Special categories of personal data, such as information about the health of the insurance applicant or the insured processed in connection with a health examination related to certain insurance products or during the lifecycle of the insurance, as well as information about trade union membership. 

Contract and product information, such as information about the customer’s insurance or investment service contract and insurance cover, information about a co-operation agreement, position in the agreement, filed and paid insurance claims, amount and type of securities kept. 

Interaction and client event information, such as communications related to the customer relationship or collaboration, orders, information on the website and application users, web service event logs, contacts with other customers, customer satisfaction survey responses and, for trading customers, trading information. 

Background information, such as information about the customer’s life situation, areas of interest and factors related to their financial situation. 

Financial information, such as insurance payments made, invoices, savings, collection information and information related to insurance compensations. 

Recordings and message contents, such as phone call recordings, online messages and emails to which the data subject is a party. 

Behavioural information, such as information collected through the use of cookies and other similar technologies, e.g. about the websites a user browses, the model of the device used for browsing, the unique device identifier, IP address and session. 

Information about consents and refusals, i.e. information about consents and refusals given by a data subject, e.g. for direct marketing or other communication based on consent or a legitimate interest.  

Shareholder and company decision-maker information, such as basic information about the shareholders of listed companies and information related to ownership of financial instruments, as well as basic information about a company’s decision-makers and key personnel, including contact information and position in the company. 

6. Sources of personal data 

Personal data that we can collect from you
We collect personal data that pertains to you primarily from you. Such information includes, for example, your basic personal information, such as your name and contact details, which we need to offer you the product or service in question at any given time. In addition, we collect identification and other information required from you by law, including information about your tax obligation and information necessary to assess your insurance needs or the suitability and appropriateness of investment services, so that we can make sure that our statutory obligations are met before and during the customer relationship.

In insurance operations, in order to provide services, we may also require, for example, patient reports, medical examinations and statements, as well as information about professions and hobbies that affect the insurance risk. In order to offer investment services, we may require information, e.g. about your investment experience, financial situation and your investment goals. We may also collect background information on you, e.g. about your life situation and areas of interest, to be able to offer you the most suitable products and services in our offering at any given time. 

We also collect and store information on your business interactions and contacts with us that take place by phone and via our digital communication and business channels. We record our phone calls and save our communications with customers in order to, among other things, confirm and document orders, perform quality control and develop our services. In regard to your other online activity, we may collect information, e.g. on the websites you browse in order to target contents and marketing that is most interesting to you. 

Personal data that we may collect from sources other than you 
We collect and update personal data within the framework permitted by law from third-party registers, such as registers maintained by authorities (e.g. the population information system, the Tax Administration’s registers, company registers and registers of supervisory authorities), the central securities depository and public stock exchange releases, international and national sanctions and freeze lists (e.g. sanctions lists maintained by the EU, the UN and the United States Office of Foreign Assets Control, and the list of decisions to freeze funds maintained by Finland’s National Bureau of Investigation), from credit information registers and commercial data brokers who provide information on, e.g. beneficial owners, politically exposed persons, and the decision-makers, key personnel and shareholders of companies and organisations. Data can also be collected for marketing purposes.

For employee group pension insurance and reward services, we receive the personal data necessary for implementing the services from the employer companies acquiring those services from us.  

We also receive information from companies belonging to the same financial consortium and from other parties with which we co-operate. The latter may include, e.g. organisations and other partners to whose members we offer member benefits on Mandatum’s products and services.  

In addition, we process data collected from the insurance companies’ joint abuse register. 

7. Purposes of and legal basis for processing personal data 

In this section of the Privacy Notice, we explain the purposes for which Mandatum can process your personal data by virtue of each legal basis of data protection regulation.  

We process your personal data primarily in order to meet our contractual and statutory obligations. However, in certain situations, we can also process your data based on a legitimate interest or your explicit consent, e.g. in order to market our products and services to you. 

Contractual relationship or measures prior to concluding a contract
In order to implement an agreement, the primary purpose of the personal data processing performed by us is to collect, process and verify a person’s data before making an offer and concluding an agreement, and to manage, implement and document the tasks specified in the agreement during the lifecycle of the contractual relationship. 

Examples of tasks related to implementing an agreement: 

  • Implementation of an insurance policy, custody agreement, asset management agreement, order brokerage agreement or other service or product agreement or co-operation agreement and its terms, including measures prior to the conclusion of the agreement
  • Customer service and communication during the contractual period. 

Legal obligation
In addition to implementing an agreement, Mandatum’s operations are subject to a wide range of obligations arising from legislation, compliance with which, together with the regulations and decisions of authorities, requires us to process personal data. In order to comply with these legal obligations, we may process personal data for, e.g. the following purposes: 

  • Knowing the customer and verification of identity
  • Preventing, detecting and investigating money laundering, terrorist financing and other financial crimes, as well as the predicate offences of those crimes
  • Compliance with sanctions regulations and fund-freezing decisions
  • Compliance with accounting and tax regulations
  • Regulatory reporting  
  • Compliance with risk-management-related obligations, such as managing solvency requirements and insurance risks
  • Statutory communication related to insurance products, such as the delivery of annual calculations on insurance products and information about key changes to insurance terms and conditions or the contents of the insurance
  • Assessment of the need for insurance and of the suitability and appropriateness of the investment services and financial instruments
  • Verifying orders, transactions and other services offered to the customer  
  • Other obligations that are based on legislation governing, e.g. insurance or investment services or other services and products. 

The legitimate interest of the controller or a third party 

Marketing and communication
Mandatum has a legitimate interest in processing personal data in order to offer, produce, develop and market (including by direct marketing) the services of our Group companies. We may market our products and services without separately asking for consent, to the extent permitted by legislation, by phone, mail and electronically to Mandatum’s current and potential customers, including companies’ key persons, decision-makers and owners.

We process personal data on the basis of a legitimate interest also in order to target contents and in conjunction with marketing, product and customer analyses. The processing may include, e.g. information the customer provides regarding the customer’s life situation and factors affecting their financial position. This allows us to optimise the services offered to customers and improve our range of products and services. We additionally carry out targeted digital marketing and communication e.g. through our own digital service channels (online and mobile services), as well as through online advertising that can be targeted using, for instance, Facebook’s or LinkedIn’s adapted target groups. Marketing may also involve profiling, which we describe in more detail in Section 8 of this Privacy Notice. 

We may also send customer communication to our current customers on the basis of a legitimate interest insofar as it is not for the purpose of implementing a contract or for compliance with our legal obligations on required communication. Through an identifier in the email links we send, an email that is sent to you may be linked to your customer data. The use of an identifier allows you to manage your personal communication settings using the links in the emails sent to you. 

You can object to marketing, targeting and customer communication that are based on a legitimate interest by managing your consent and refusal choices in Mandatum’s online service, through the messages you receive or by contacting our customer service.  

Other processing based on a legitimate interest
A legitimate interest is also the basis for the processing of personal data in connection with the remuneration comparisons offered by Mandatum, the purpose of which is to compare the salary and remuneration of the management and employees of our corporate customers who purchase the service, to create comparison materials and draw up salary comparison reports. The personal data subject to processing is mainly in pseudonymised form. Our legitimate interest with respect to the data processing in question is to provide services related to rewards and compensation to employer companies based on comprehensive reference material that enables a sufficient level of accuracy. 

On the basis of a legitimate interest, we can process personal data for, among other things, developing and ensuring the functionality of our business and systems; for quality control and assurance and risk management; to prevent, detect and investigate misconduct; for defending ourselves against complaints, legal cases and other legal claims; and for preparing, presenting or defending a legal claim. We record phone calls and electronic communication for, among other things, confirming orders, documentation purposes, and monitoring the quality of and developing customer service. Video footage from the surveillance cameras inside and outside our premises may be recorded to ensure the safety of the people visiting our offices and our premises. 

Consent
In certain situations, we ask for your consent to process your personal data. Such situations include, e.g. consent to the processing of data belonging to special categories or to electronic direct marketing when required by legislation. Based on your consent, we can also process certain other information about you, such as information about your interests, so that we can offer you the most suitable services and content at any given time. We will provide you with more information about the intended processing of your personal data when we request your consent to the processing in question. 

If you have given your consent to the processing of your personal data, you also have the right to withdraw your consent at any time. You can manage your consent regarding e.g. electronic direct marketing by logging into Mandatum’s Web Service or when you receive a marketing message. You can also manage your consent by contacting our customer service. 

8. Automated decision-making and profiling 

Automated decision-making means making decisions based solely on automated processing of personal data. We use automated decision-making in claims processing to speed up the processing of applications and to offer our customers better service. In connection with automated decision-making, we assess, based on the information provided in the claim application, whether the conditions for granting compensation specified in the insurance terms and conditions are met. In addition to the information provided in the application, we use information related to the customer relationship, contracts and compensations in the decision-making process. Automated decision-making only applies to positive claims decisions, and negative decisions are always processed by a natural person. In all cases you have the option to request the re-processing of a decision resulting from automated decision-making, in which case your application will be processed by a natural person. You also have the right to express your point of view and contest the decision. 

Profiling means automated processing of personal data, involving, for example, the assessment or anticipation of a person’s areas of interest or behaviour. We use profiling to target direct marketing and online marketing in an effort to offer each person the products and services that are most suited and relevant to them. In order to target direct marketing, we may use customer data, data provided by the customer, e.g. about their areas of interest, as well as data we receive from our partners, public registers and other sources as described in Section 6 of this Privacy Notice. The targeting of online advertising is based on website visitor data: visitors can be shown, for example, advertisements on products and services related to pages they have visited earlier.  

The profiling carried out in connection with marketing does not include automated decision-making that would have significant legal effects or other similar significant effects. You have the right to object to targeting and the marketing based thereon either immediately when you receive the marketing in the case of direct electronic or telephone marketing, or by contacting our customer service. 

9. Recipients and transfer of personal data 

Disclosure of personal data  

Personal data may be disclosed to third parties by Mandatum Group companies when this is allowed or required by legislation. Before disclosing data, we always make sure that there is a legal basis for the disclosure, and that the disclosure takes place in compliance with the applicable obligations of secrecy and other regulatory obligations. 

Information may be disclosed to, for example: 

  • authorities, such as supervisory authorities, tax authorities, the Social Insurance Institution of Finland, the police and enforcement authorities
  • companies within our Group
  • other companies belonging to the same financial consortium
  • our external co-operation and business partners, which we use to produce or provide services, or which are otherwise closely associated with your chosen products or services
  • reinsurance companies
  • medical institutions and healthcare units in connection with clarifications requested in relation to processing an insurance or claim application
  • the insurance companies’ joint abuse register. 

Processors and data transfers outside the EEA 

In our operations, we also use subcontractors, who may process personal data on behalf of Mandatum to the extent necessary to produce the service provided by the subcontractor. Such subcontractors are, for instance, our co-operation partners, which we use e.g. to produce our IT services. 

In that context, personal data can also be transferred outside the European Union or the European Economic Area, provided that the conditions laid down in data protection legislation for a data transfer are met. We base the transfer of personal data on the transfer mechanisms permitted by legislation, such as the European Commission’s determination of whether a recipient country offers an adequate level of data protection (see the latest list of adequacy decisions on the EC’s website) or the European Commission’s standard contractual clauses (see the standard contractual clauses on the EC’s website). We also supplement these as necessary with various additional safeguards, which help appropriately guarantee an adequate level of data protection. 

10. Retention periods for personal data 

We store your personal data for as long as is necessary to implement a contract with you or to comply with our statutory obligations, or for as long as the data is otherwise necessary in relation to the purposes for which the data was collected or otherwise processed. Data retention periods may vary depending on the purpose of the processing, the nature of the personal data and the requirements applicable to its processing. We erase or anonymise the data when its retention period expires.

Below are examples of the retention periods of various personal data that is processed in accordance with this Privacy Notice. 

  • For life insurance contracts, we retain personal data for 13 years after the expiry of the latest contract or the payment of the latest compensation, and in wealth management and fund contracts, for 10 years after the expiry of the contract.
  • We retain the data of potential customers for a maximum of 3 years from the last personal contact. We retain information about offers that do not lead to a contract for 3 years from when the offer was made. 
  • If a person has subscribed to our newsletter or printed magazine or given marketing permission, the data will be stored for as long as the subscription/permission is valid.
  • We retain the know-your-customer data for at least 5 years after the expiry of the latest contract or completion of a business transaction. 
  • We retain data related to taxation, accounting and reporting obligations (e.g. obligations resulting from the international FATCA/CRS agreements) for at least 6 years from the end of each tax year. 
  • We retain remuneration-related personal data that is processed in connection with reward & compensation comparison services for a maximum of 5 years.
  • We retain the recordings of phone calls related to the management of contracts for 10 years. 
  • We retain customer satisfaction survey data for 5 years.
  • In the customer community operations, we retain personal data for 1 year after the membership has ended.
  • For the storage periods for data of institutional customers’ members, see the personal data processing descriptions in Section 12. 

11. Protection and security of personal data 

We use technical and administrative information security means that are necessary, appropriate and in line with the best practices to protect personal data and other information. Such means include, for instance, the use of firewalls, strong encryption technologies and secure IT hardware areas, access control, restricted granting of user rights, providing instructions and training to personnel participating in personal data processing and careful selection of subcontractors. In addition to applicable legislation, the subcontractors commit to comply with Mandatum’s data protection principles and guidelines. 

The processing of personal data within Mandatum is permitted only for work-related reasons. The user rights for accessing systems that contain personal data are personal, and the use of the rights is monitored. Mandatum’s employees that process personal data are bound by, in addition to the statutory obligation of secrecy, a separate non-disclosure agreement. Personal data that is no longer needed is erased in a secure manner. 

Despite careful protection and appropriate information security, data processing always involves a risk. If, in spite of our measures, a personal data breach occurs that is likely to result in a high risk to your privacy or your other rights, we will contact you as soon as possible. 

We also recommend that you familiarise yourself with the terms of use of Mandatum’s online services and website and the information security guidelines for the users of the mobile service, and that you ensure that the information security of your devices and connections is up to date. More information and general information security tips can also be found, for example, on the National Cyber Security Centre’s website.

12. Mandatum as a processor of personal data 

Mandatum Group’s companies also act as service providers for certain parties outside the Group, on whose behalf Mandatum processes the personal data of the customers or members of these organisations, i.e. controllers. In this case, Mandatum acts as the processor for the personal data by virtue of the contract concluded with the controller and as instructed by the controller. 

Mandatum Life Insurance Company Limited and Mandatum Life Services Ltd act as processors on behalf of Kaleva Mutual Insurance Company (hereinafter “Kaleva”) in producing for Kaleva the Optimi and certain other insurance-related services as well as other services. In this context, Mandatum processes the personal data of Kaleva’s customers, for instance the insured, policyholders and beneficiaries, as well as the personal data of persons associated with customer accounts, such as customers’ guardians and trustees. Kaleva is the controller of its own customer data. You can read about Kaleva’s privacy practices on its website at https://www.kalevavakuutus.fi/ehdot/henkilotietojen-kasittely.  

Mandatum Life Services Ltd also acts as the processor of personal data for the Mandatum Trader securities trading service offered by Saxo Bank A/S (hereinafter “Saxo”). Mandatum Life Services Ltd acts as Saxo’s tied agent and is responsible for Trader’s Finnish-language customer service, client identification and service marketing. In Trader, customer accounts are created in Saxo Bank, which is responsible for trading within the service, regulatory reporting and custodial services for securities. Saxo’s privacy policy is available on Saxo’s website.

In addition, Mandatum Life Services Ltd offers pension funds and foundations services related to, e.g. daily activities, such as fund management services, pension processing, actuarial operations, accounting, asset management and risk management. For personnel funds, Mandatum Life Services Ltd offers management services, including membership database maintenance, payment of fund units, fund accounting and advisory services for members. Mandatum Life Services Ltd acts as a processor when providing services to the aforementioned institutional customers and their members. Each pension fund, pension foundation or personnel fund acts as a controller. More information on the processing of personal data of institutional customers can be found in the following descriptions: 

13. Your rights 

You have the right to receive confirmation from Mandatum as to whether we process your personal data. If your personal data is processed, you have the right to receive a copy of the data and to inspect the data. If you make the request electronically, we will provide you the data in a commonly used electronic format unless you request otherwise. Legislation, the rights and freedoms of other individuals and other special grounds may limit your right to access some of the data that pertains to you. 

If you consider the personal data that we process on you to be incorrect or inaccurate, you have the right to request that Mandatum rectify such personal data and complete incomplete personal data.

You also have the right to request that Mandatum erase your personal data and, insofar as the processing of your personal data is based on consent, to withdraw your consent. If you request the erasure of your data or withdraw your consent to the processing of your personal data, we will no longer process your personal data in that respect, and we will erase the data from our systems unless there is another legal basis for processing the data. Please note, however, that Mandatum’s operations entail numerous statutory obligations to store data, and Mandatum may be under an obligation to continue to process your personal data even if you request the erasure of the data. In any case, we will erase your data once the statutory storage period or other retention period specified by us has elapsed.

Where the conditions set in legislation are met, you have the right to request that we restrict the processing of your personal data. You also have the right to object to the processing of your personal data for direct marketing and otherwise insofar as the processing is based on the fulfilment of Mandatum’s or a third party’s legitimate interests. More information about refusing communication based on a legitimate interest is in Section 7 of this Privacy Notice. 

Insofar as the processing of your personal data is based on consent or a contract, you have the right to receive the personal data you have provided us in a structured and commonly used format and the right to have the data transferred to another controller. 

You can exercise your rights described above by contacting our customer service in an online message through Mandatum’s Web Service, by calling +358 200 31100 (lnc/mnc) Mon-Fri 9am–5pm, by mailing Mandatum, Asiakaspalvelu, PL 627, 00101 Helsinki, or by visiting our office nearest you. You can find the contact details and opening hours of our offices on our website. 

14. Right to lodge a complaint with a supervisory authority 

In matters related to the processing and protection of your personal data, and if you have any questions, please first contact Mandatum’s customer service or Mandatum Group’s Data Protection Officer, whose contact details are included above in Section 3 of this Privacy Notice. 

If you are dissatisfied with a response you received from us, or if you believe our processing of your personal data does not comply with data protection legislation, you can contact the competent supervisory authority, i.e. the Office of the Data Protection Ombudsman. 


Updated 16.9.2024