1. General
In this description of the processing of personal data of members of pension foundations and funds, we provide information required by the EU’s General Data Protection Regulation ((EU) 2016/679) and other applicable data protection legislation concerning the processing of personal data carried out by Mandatum Life Services Ltd on behalf of pension foundations and funds.
If you have more specific questions or requests related to this description, the processing of your personal data or your rights as a data subject, you may contact us via the channels mentioned below.
2. The controller and processor of personal data
Each pension fund or pension foundation acts as the controller for the personal data of its own members.
Mandatum Life Services Ltd (Bulevardi 56, PL 1210, FI-00101 Helsinki) offers pension funds and foundations services related to, for example, daily activities, such as fund management services, pension processing, actuarial operations, accounting, wealth management and risk management.
Mandatum Life Services Ltd acts as a processor of the personal data on behalf of the controller on the basis of a service agreement with each pension fund and foundation.
3. The contact details of the data protection officer of the personal data processor
Mandatum Group’s Data Protection Officer
Email: dpo@mandatum.fi
Postal address: Mandatum, Data Protection Officer, P.O. Box 627, FI-00101 Helsinki.
4. Personal data to be processed and sources of personal data
Data subjects whose personal data is processed are members of pension funds and foundations that are clients of Mandatum Life Services Ltd. We receive the members’ data from the controller. During the processing, personal data may also be obtained from the data subject themself where applicable.
The personal data that we process can be categorised into the following personal data groups. Examples of personal data for these groups are given below. The personal data processed for each member may depend, for example, on which pension insurance the data subject is covered by.
Examples of personal data that is processed include:
- Basic personal information, such as name, personal identity code, date of birth, language, address, phone number and email address, as well as the data subject’s employer.
- Information concerning supplementary pension cover, which is needed in the processing of pensions according to supplementary pension insurance, such as information on the retirement age and pension start date, pension amount, liability distribution, calculation and the decision concerning disability pension.
- Information concerning the payment of supplementary pension, which is needed for the payment of pensions according to the supplementary pension insurance, such as account number and information related to taxation.
- Other benefit plan information that is necessary to provide services to the insured and beneficiaries covered by supplementary pension, such as the policy number, date of joining the policy, employment start date, information regarding pension fund or foundation membership and its duration, benefit earning information, refund date of returned membership fees and accrued interest, information on paid-up policies and salary information.
- Information concerning the payment of the statutory pension that is needed to arrange pension cover and calculate the pension liability, such as information on the retirement age and the pension start date, benefit earnings information, and salary information.
- Information concerning communication and other transactions, such as information related to electronic communication and letters, information about the use of online services, and call recordings, online messages and e-mail messages to which the data subject is a party.
5. Purposes of and legal basis for processing personal data
The purpose of processing personal data is to produce and provide services related to supplementary pension insurance and/or statutory pension insurance organized by the employer of a pension fund or foundation member for its employees.
As part of providing the services, personal data is processed in particular for the following purposes:
- Processing and payment of pensions under supplementary pension insurance
- As regards the pension fund or foundation membership register, checking the information concerning the membership and benefit plan of the insured and beneficiaries of supplementary pensions
- Arranging supplementary or statutory pension insurance and obtaining and updating related information
- Calculating supplementary or statutory pension liabilities
- Providing customer service and other services related to arranging pension cover to the insured and beneficiaries.
The processing of personal data by Mandatum Life Services Ltd is based on a service agreement under which Mandatum Life Services Ltd produces services for the pension fund or foundation. In terms of pension cover, the specific provisions of the Finnish Pension Fund Act (946/2021), the Employee Benefit Funds Act (948/2021) or the Employees Pensions Act (395/2006) apply to the processing.
6. Recipients and transfer of personal data
Disclosure of personal data
The personal data of pension fund or foundation members is not, in principle, disclosed to third parties by Mandatum Life Services Ltd. However, when required by law, personal data can be disclosed to a competent authority, such as a tax or supervisory authority, insofar as there is a legal basis for the disclosure and as separately agreed with the controller.
Processors and data transfers outside the EEA
Depending on what has been agreed with the pension fund or foundation, Mandatum Life Services Ltd may use in its operations, for example, system suppliers and other subcontractors who process personal data as sub-processors of Mandatum Life Services Ltd and to whom personal data may be transferred to the extent required by the service produced by the subcontractor.
The personal data of pension fund or foundation members is not, in principle, transferred outside the European Union or the European Economic Area. If a transfer of personal data is necessary, data may be transferred provided that data transfer has been agreed on with the controller and the conditions laid down in data protection legislation for the transfer of personal data are met. We always base the transfer of personal data on the transfer mechanisms permitted by legislation, such as the European Commission’s determination of whether a recipient country offers an adequate level of data protection (see the latest list of adequacy decisions on the EC’s website) or the European Commission’s standard contractual clauses (see the standard contractual clauses on the EC’s website). We also supplement these as necessary with various additional safeguards, which help appropriately guarantee an adequate level of data protection.
7. Retention periods for personal data
We store the personal data of members of pension funds and foundations as agreed with each controller and as required by applicable legislation or for as long as the data is otherwise necessary in terms of the purposes for which the data was collected. Data retention periods may vary depending on the purpose of the processing, the nature of the personal data and the requirements applicable to their processing.
Below are examples of the retention periods of various personal data of the members of pension funds and foundations that is processed.
- We store information related to the membership and benefit plans of the insured and beneficiaries of the pension fund or foundation for 13 years after the payment of the last supplementary pension compensation.
- We store information regarding insurance, supplementary pension cover and payment of supplementary pension for 13 years after the last compensation payment.
- We store information regarding payment of compensation under supplementary pension for 13 years after the last compensation payment.
- We store pension recipients’ basic data related to the statutory pension liability calculation and information related to pension payments in accordance with the storage periods specified in the Employees Pensions Act.
- We store phone call recordings for 10 years.
- We retain data related to taxation, accounting and reporting obligations for at least 6 years from the end of each tax year.
8. Your rights
Each pension fund or pension foundation acts as the controller for the personal data of its own members. Mandatum Life Services Ltd acts as the processor of the personal data. However, some of the data controllers have authorised Mandatum Life Services Ltd to implement on their behalf data subjects’ rights, which we explain in more detail below.
As a data subject, you have the right to receive confirmation from the controller as to whether your personal data is being processed, as well as the right to receive a copy of the data concerning you and to inspect the data. If you consider that your personal data that is processed to be incorrect or inaccurate, you have the right to request the rectification of such personal data and to have any incomplete data completed.
You also have the right to request the erasure of your personal data and, to the extent that the processing of your personal data is based on consent, to withdraw your consent. If you request the erasure of your data or withdraw your consent to the processing of your personal data, your personal data will not be processed in that respect unless there is another legal basis for processing the data.
You furthermore have the right to object to the processing of your personal data if the processing is based on the fulfilment of the controller’s or a third party’s legitimate interests. In specifically regulated cases, you may have the right to request restricted processing of your personal data. To the extent that the processing of your personal data is based on consent or a contract, you also have the right to receive the personal data you have provided the data controller in a structured and commonly used format and the right to have the data transferred to another controller.
You can exercise your rights described above by contacting Mandatum’s customer service, your pension fund or foundation, or your employer. You can contact our customer service in an online message through Mandatum’s Web Service, by calling +358 200 31100 (lnc/mnc) Mon-Fri 9am–5pm, by mailing Mandatum, Asiakaspalvelu, PL 627, 00101 Helsinki, or by visiting our office nearest you. You can find the contact details and opening hours of our offices on our website.
The right to lodge a complaint with a supervisory authority
In matters related to the processing of your personal data and data protection, and if you have any questions, we ask you to primarily use the contact channels mentioned above. In matters related to the processing of your personal data by Mandatum Life Services Ltd, please contact Mandatum Group’s Data Protection Officer, whose contact details are included above in Section 3 of this description.
If you believe our processing of your personal data does not comply with data protection legislation, you have the right to contact the competent supervisory authority, i.e. the Office of the Data Protection Ombudsman.
Updated 16.9.2024