Privacy statement of Ilmarinen's customer register

According to the European Union’s General Data Protection Regulation (GDPR) 679/2016, articles 12–14.

1. Name of personal data register

Ilmarinen’s customer register

2. Controller

Ilmarinen Mutual Pension Insurance
Company
Porkkalankatu 1
00018 Ilmarinen
Helsinki

Contact person for matters related to the register:
Data Protection Officer
Anttipekka Murhu
anttipekka.murhu@ilmarinen.fi
Tel. +358 10 284 2249

3. Forwarding of data subject’s requests

Written requests applying to the rights of the data subject, in accordance
with sections 11–16, shall be addressed to:

Henkilötietoasiat
Ilmarinen Mutual Pension Insurance
Company
Porkkalankatu 1, FI-00018 ILMARINEN

4. Grounds for processing of personal data

Ilmarinen’s task pursuant to the Act on Employment Pension Insurance
Companies is to practice statutory pension insurance which is part of social security by taking care of the implementation of statutory pension security and the assets accruing with the company for this purpose in a manner that secures the benefits covered by the insurance. In connection with these tasks, the processing of personal data is based on statutory requirements. Ilmarinen can also offer its customers other services based on the execution the statutory task and on consent and agreement.

The secondary grounds for the processing of personal data is legitimate interest.

The basis for the marketing targeted at Ilmarinen’s customers is
legitimate interest or consent.

Data subjects have the right to withdraw their consent.

5. Purposes

The personal data in Ilmarinen’s customer register is processed for the
following purposes:

Provision of services

  • Offering and production of services provided by Ilmarinen and its cooperation partners, such as
    • Tasks related to earnings-related pension insurance and
      managing the insurance portfolio
    • Taking care of pension and rehabilitation services, such as
      processing applications, decision-making and payments
    • Offering additional services and customising services
  • Customer identification, managing user rights, securing and
    substantiating service transactions and resolving error situations
  • Managing finances and money transactions and accounting, incl.
    payments, invoicing, ledgers and debt collection

Developing services and operations

  • Planning and developing services, operations and IT systems
  • Steering of services and operations and quality assurance

Customer account management and customer service

  • Managing and developing customer and stakeholder relationships
  • Customer guidance and the implementation and development of customer
    services
  • Co-operation and marketing of Ilmarinen’s economic interest grouping
  • Monitoring and development of the customer experience

Ilmarinen records calls in order to substantiate service transactions, develop customer services, fulfil rights and obligations and ensure security.

Analysis of customer relationships and operations

  • Analysis, statistics creation and reporting of Ilmarinen’s operations and
    services
  • Analysis, grouping and reporting of customer relationships and service
    offering
  • Development and management of total customer relationships and service concepts

Customer relationship and marketing communications

  • Targeting of customer communications and marketing
  • Implementation and monitoring of communications and campaigns

Information security

  • Ensuring the availability, integrity and reliability of services and
    information
  • Prevention, detection and resolving of misconduct and problem situations and starting up and implementation of follow-up measures
  • Risk management

6. Information content

The following personal data are recorded in Ilmarinen’s customer register:

Data related to persons in the policyholders’ pension and insurance
services

  • Data required for identifying and contacting policyholders’ (TyEL and
    YEL) representatives and companies’ owners, such as
    • Name and position in company
    • Contact details
    • Identity number
    • Identifiers in information systems
  • Personal data processed in connection with insurance and appeal
    application processing, decision-making, agreements and insurance
    transfers
  • Personal data related to offering services and insurance and
    service transaction and usage data
  • Personal data required for managing the customer relationship and insurance portfolio
  • Calculations concerning insurance and need for insurance
  • Data on links to other customers
  • Insured persons and pension recipients linked to policyholder

Personal data linked to insured person’s customer account

  • Insured person’s basic and contact details, such as
    • Name, address, telephone, email
    • Identity number
    • Identifiers in information systems
  • Insured’s contact persons and trustees and their identification
    information and contact details
  • Personal data related to offering services and insurance and
    service transaction and usage data
  • Work history and pension accrual data and advance
    calculation and earnings-related pension record data
  • Personal data required and collected for the management of the customer relationship and customer service and telephone recordings
  • Personal data required and collected in connection with customer
    relationship and marketing communications and campaigns
  • Consent and refusal and customer communication subscriptions
  • Grouping and classification data describing a customer account and
    additional identifying data given by the customer
  • Data linked to the processing of appeal and rectification matters

Data concerning pension and rehabilitation customers’ customer accounts

  • Basic and contact details of pension and rehabilitation benefit applicants and persons who have received decisions and their contact persons and trustees, such as
    • Name, address, telephone, email, nationality and mother tongue
    • Identity number
    • Identifiers in information systems
    • Pension recipient’s account number
    • Employment information
  • Data required for offering pension and rehabilitation services,
    managing, controlling and monitoring pension security, such as
    • Data linked to pension and rehabilitation applications,
      resolution and decision and requests for rectification
    • Data concerning the use of the services and service transactions
    • Data on pension amount, payments, payment recipients and
      taxation
    • Benefit history and medical data
    • Data linked to the management and transfers of the pension portfolio

General personal data related to service production

  • Data subject’s basic and contact details, such as
    • Name, address, telephone, email
    • Identity number
    • Identifiers in information systems
  • Personal data related to offering services and service transaction and
    usage data
  • Personal data required and collected for the management of the customer relationship and customer service and telephone recordings
  • Data recorded in connection with customer advice and contacts and
    customer feedback
  • Personal data required and collected in connection with customer
    relationship and marketing communications and campaigns
  • Consent and refusal given by the customer and customer communication subscriptions
  • Grouping and classification data describing a customer account and
    additional identifying data given by the customer
  • Data collected for research and statistics
  • Accounting, payment, invoicing and debt collection data

Data required and created in electronic service production

  • Data required by the online service for identification and user rights,
    such as
    • User ID and password
    • Other identifiers identifying the online service user
  • Web and mobile services usage data, such as
    • Browsing, log and service transaction data and data on the
      website from which Ilmarinen’s service has been accessed
  • Online identifiers and data on the used channel, application, device
    and browser, such as
    • The device’s model
    • Data on the used application
    • Data on the used browser and operating system
    • Online identifiers, such as cookies and IP addresses, calculated
      identifier
    • Session identifiers: time and duration
  • Location data (GPS, WLAN or location data formed using a mobile
    network base station) based on the customer’s consent
  • Data linked to the processing of data in the information systems

7. Use of cookies

The cookies used in Ilmarinen’s online service and any other internet identifiers enable the implementation of the online service and improve the security and userfriendliness of the services.

Based on the data collected in the online service, Ilmarinen can analyse and develop its services, knowing what information contents interest users and how the online service is used. The data can also be used for Ilmarinen’s and its marketing partners’ communications, targeting of marketing and for optimising marketing measures.

The online service user can giver his/her consent or refuse the use of cookies in his/her browser settings or use a service designed for the purpose. If cookies are disabled, some of the services on Ilmarinen’s website may not be available.

8. Regular data sources

Ilmarinen receives in its customer register personal data from the data subject during use of the service. Ilmarinen also receives data on the insured persons and pension recipients from other pension companies and employers, for example. Personal data is also collected in connection with service transactions and the use of services.

Ilmarinen also regularly receives personal data from the following data sources:

  • Finnish Centre for Pensions
  • Social Security Institution
  • Earnings data forwarding services
  • Doctors, hospitals and health centres
  • Labour authorities
  • Tax authorities
  • Social welfare authorities
  • Unemployment funds and employment offices
  • Enforcement officers
  • Insurance companies
  • Banks
  • OP Financial Group
  • Accountants
  • Suomen Asiakastieto Oy
  • Population Register Centre
  • Pension Appeal Board
  • Insurance Court

9. Disclosures and transfers

Ilmarinen only discloses personal data in accordance with the right to be
informed based on legislation and in accordance with disclosure rights and
obligations. In special cases, personal data can be disclosed also with the
consent of the data subject. The disclosure parties and grounds are
described in the guidelines of the Finnish Centre for Pensions.

The processing of the personal data of people operating on behalf of Ilmarinen is always based on order contracts and instructions, which specify the parties’ rights and obligations in the processing and protection of personal data.

Ilmarinen primarily processes personal data in Finland, the EU/EEA area or in other countries approved by the EU Commission as having a sufficient level of data protection. To ensure a sufficient level of data protection, the standard contractual clauses approved by the European Commission are used.

Personal data is transferred from Ilmarinen’s customer register to Ilmarinen’s marketing register for marketing purposes. The privacy statement of Ilmarinen’s marketing register contains more details on the marketing register’s information content and the processing of personal data.

10. Automatic decisionmaking

Ilmarinen speeds up and improves its services to customers by using automatic decision-making when assessing whether statutory terms are met in the processing of insurance and pensions matters. If the statutory terms are not met, the processing is moved to the manual process.

The customer has the right to appeal decisions made by Ilmarinen
that apply to him/her. Information on appeals is given in connection
with the decision.

11. Right of access

A data subject is entitled to access the data that has been recorded in the register on him/her.

The data subject must present in the request for access his/her name and
personal identity code so that the data can be found. The response to the request for access will be delivered to the data subject’s verified address.

12. Right to data portability

The processing of personal data at Ilmarinen is primarily based on carrying out its statutory obligation, in which case there is no right to data portability. This applies to the processing of personal data linked to earnings-related pension cover provision and the management of investment operations, in addition to Ilmarinen’s activities as an employer and company, even if the processing is specified in more detail through agreements when necessary.

Otherwise, the data subject is entitled to receive as a file the personal data
processed by the information systems that applies to him/her, which he/she has supplied to the controller and whose processing is based on the data subject’s consent or an agreement with the data subject. The data subject may also request that the controller transfer the data in question to another controller, if this is technically possible.

13. Right to rectification

The data subject is entitled to require that inaccurate personal data be
rectified. The changes in personal data will primarily be made in connection
with use of the service following authentication.

The request must contain the name and identity number, specific and
justified request for rectification and an explanation of how the information
should be rectified.

14. Right to object

In terms of the processing of personal data based on Ilmarinen’s statutory
obligation, the data subject is not entitled to object to the processing of personal data.

The data subject is entitled to object to the processing of personal data that applies to him/her when the processing is based on a general or legitimate interest, such as direct marketing. Instructions for objecting to marketing can be found in the privacy statement for Ilmarinen’s marketing register.

15. Right to restriction of processing

The data subject can request that Ilmarinen restrict the processing of his/her personal data when:

  • The accuracy of the personal data is contested by the data subject.
    However, there is no right of restriction on the part of Ilmarinen’s statutory operations if the request for restriction is manifestly unfounded.
  • The processing is verifiably and justifiably unlawful and the data
    subject opposes the erasure of the personal data.
  • When Ilmarinen expresses that it no longer requires the personal data
    that has been requested to be restricted for the purposes of the
    processing as specified in the privacy statement, but the data subject
    requires them for the establishment, exercise or defence of legal claims.
  • The data subject has objected to the processing of the personal data,
    pending the verification whether the legitimate grounds of the controller
    override those of the data subject.

The request must contain the name and identity number, specific and justified request for restriction.

16. Retention periods and data erasure rights

Ilmarinen retains personal data in operations based on its statutory
obligation. The retention periods are determined in accordance with
earnings-related pension legislation or other applicable legislation:

  • Personal data linked to insurance: validity of the insurance and ten
    subsequent calendar years
  • Personal data linked to pension and rehabilitation matters: the lifetime of the insured and five subsequent calendar years
  • Personal data linked to survivors’ pension: survivors’ pension payment
    period and five subsequent calendar years
  • Personal data for the collection of late insurance contributions: up until the end of the collection and five subsequent calendar years
  • Personal data linked to appeals: 50 years if they do not need to be
    retained for a longer period based on the above points.

In non-statutory operations, Ilmarinen must retain personal data for as long as any one of the processing grounds presented in section 4 of this privacy
statement is valid and the personal data is necessary for its purposes.

Personal data shall also be erased, if necessary, when the data subject
objects to the processing of personal data based on a legitimate or general
interest, and there are no other grounds for the processing.

17. Right to appeal to a supervisory authority

The data subject is entitled to bring the matter before the Data Protection
Ombudsman, if the data subject considers that the processing of the personal data that apply to him/her breach the relevant legislation.

18. Principles of register protection

At Ilmarinen, information security and the protection of personal data are an integral part of the information systems’ functionality and data architecture. Requirements for the information systems’ security and the integrity, confidentiality, availability and continuity of the data processing are always established beforehand when the systems are designed. Ilmarinen processes all personal data securely and pursuant to legislation and develops and inspects information security systematically.

 

Privacy statement of Ilmarinen’s customer register 25 May 2018