1. General
In this description of the processing of personal data of personnel fund members, we provide information required by the EU’s General Data Protection Regulation ((EU) 2016/679) and other applicable data protection legislation concerning the processing of personal data related to personnel funds.
If you have more specific questions or requests related to this description, the processing of your personal data or your rights as a data subject, you may contact us via the channels mentioned below.
2. The controller and processor of personal data
Each personnel fund acts as the controller for the personal data of its own members.
Mandatum Life Services Ltd (Bulevardi 56, P.O. Box 1210, FI-00101 Helsinki) offers management services to personnel funds, including membership database maintenance, payment of fund units, fund accounting and advisory services for members.
Mandatum Life Services Ltd acts as a processor of personal data on behalf of the personnel fund on the basis of a service agreement with each personnel fund.
3. The contact details of the data protection officer of the personal data processor
Mandatum Group’s Data Protection Officer
Email: dpo@mandatum.fi
Postal address: Mandatum, Data Protection Officer, P.O. Box 627, FI-00101 Helsinki.
4. Personal data to be processed and sources of personal data
Data subjects whose personal data is processed in connection with personnel funds are members of personnel funds that are clients of Mandatum Life Services Ltd. We receive the members’ data from the personnel fund. During the processing, personal data may also be obtained from the data subject themself where applicable.
The personal data of personnel fund members that we process can be categorised into personal data groups. These groups include, for example, the following personal data:
- Members’ basic data, such as name, personal identity code, language, address, phone number and email address.
- Benefit plan information, such as information on the employment relationship, fund membership information, reason for the end of membership, funding notifications and taxation information.
- Information about member-specific fund units, such as tied up and withdrawable fund units, changes in fund units, bonuses granted and valuation dates.
- Information concerning communication and other transactions, such as information related to electronic communication and letters, information about the use of online services, and call recordings, online messages and e-mail messages to which the data subject is a party.
5. Purposes of and legal basis for processing personal data
The purpose of the processing of personal data is to manage personnel fund operations, and related business and customer service, and to produce statistical data on behalf of each data controller, i.e. the personnel fund.
The processing of personal data by Mandatum Life Services Ltd is based on a service agreement under which Mandatum Life Services Ltd produces services for the personnel fund. In terms of personnel funds, the specific provisions of the Finnish Act on Personnel funds (934/2010) apply to the processing.
6. Recipients and transfer of personal data
Disclosure of personal data
The personal data of personnel fund members is not, in principle, disclosed to third parties by Mandatum Life Services Ltd. However, when required by law, personal data can be disclosed to a competent authority, such as a tax or supervisory authority, insofar as there is a legal basis for the disclosure and as separately agreed with the personnel fund.
Processors and data transfers outside the EEA
Depending on what has been agreed with the personnel fund, Mandatum Life Services Ltd may use in its operations, for example, system suppliers and other subcontractors who process personal data as sub-processors of Mandatum Life Services Ltd and to whom personal data may be transferred to the extent required by the service produced by the subcontractor.
The personal data of personnel fund members is not, in principle, transferred outside the European Union or the European Economic Area. If a transfer of personal data is necessary, data may be transferred provided that data transfer has been agreed on with the controller and the conditions laid down in data protection legislation for the transfer of personal data are met. We always base the transfer of personal data on the transfer mechanisms permitted by legislation, such as the European Commission’s determination of whether a recipient country offers an adequate level of data protection (see the latest list of adequacy decisions on the EC’s website) or the European Commission’s standard contractual clauses (see the standard contractual clauses on the EC’s website). We also supplement these as necessary with various additional safeguards, which help appropriately guarantee an adequate level of data protection.
7. Retention periods for personal data
We store the personal data related to personnel funds for as long as the data is necessary in terms of the purposes for which the data was collected or otherwise processed. Data retention periods may vary depending on what has been agreed with each personnel fund, the purpose of the processing, the nature of the personal data and the requirements applicable to their processing.
Below are examples of the retention periods of various personal data of the members of personnel funds that is processed.
- Basic personal information, benefit plan information and member-specific fund share information are stored until the expiry of the statute of limitations based on the employment relationship or for as long as the personnel fund membership is valid.
- Phone call recordings are stored for 10 years.
- Data related to taxation, accounting and reporting obligations are stored for at least 6 years from the end of each tax year.
8. Your rights
Each personnel fund acts as the controller for their own part. Mandatum Life Services Ltd acts as the processor of the personal data. However, some of the data controllers have authorised Mandatum Life Services Ltd to implement on their behalf data subjects’ rights, which we explain in more detail below.
As a personnel fund data subject, you have the right to receive confirmation from the controller as to whether your personal data is being processed, as well as the right to receive a copy of the data concerning you and to inspect the data. If you consider that your personal data that is processed to be incorrect or inaccurate, you have the right to request the rectification of such personal data and to have any incomplete data completed.
You also have the right to request the erasure of your personal data and, to the extent that the processing of your personal data is based on consent, to withdraw your consent. If you request the erasure of your data or withdraw your consent to the processing of your personal data, your personal data will not be processed in that respect unless there is another legal basis for processing the data.
You furthermore have the right to object to the processing of your personal data if the processing is based on the fulfilment of the controller’s or a third party’s legitimate interests. In specifically regulated cases, you may have the right to request restricted processing of your personal data. To the extent that the processing of your personal data is based on consent or a contract, you also have the right to receive the personal data you have provided the controller in a structured and commonly used format and the right to have the data transferred to another controller.
You can exercise your rights described above by contacting Mandatum’s customer service, your personnel fund, or your employer. You can contact our customer service in an online message through Mandatum’s Web Service, by calling +358 200 31100 (lnc/mnc) Mon-Fri 9am–5pm, by mailing Mandatum, Asiakaspalvelu, PL 627, 00101 Helsinki, or by visiting our office nearest you. You can find the contact details and opening hours of our offices on our website.
The right to lodge a complaint with a supervisory authority
In matters related to the processing of your personal data and data protection, and if you have any questions, we ask you to primarily use the contact channels mentioned above. In matters related to the processing of your personal data by Mandatum Life Services Ltd, please contact Mandatum Group’s Data Protection Officer, whose contact details are included above in Section 3 of this description.
If you believe our processing of your personal data does not comply with data protection legislation, you have the right to contact the competent supervisory authority, i.e. the Office of the Data Protection Ombudsman.
Updated 16.9.2024