Privacy statement of the personal data register of Ilmarinen’s investment operations

In accordance with the European Union’s General Data Protection Regulation (GDPR) 679/2016, articles 12–14.

1. Name of personal data register

Personal data register of Ilmarinen’s investment operations

2. Controller

Ilmarinen Mutual Pension Insurance Company
Porkkalankatu 1
FI-00018 Ilmarinen

Contact person for matters related to the register:
Data Protection Officer
Anttipekka Murhu
Tel: +358 10 284 2249

3. Forwarding of data subject’s requests

Written requests concerning the rights of the data subject, in accordance with sections 10–15, shall be addressed to:

Ilmarinen Mutual Pension Insurance Company
Porkkalankatu 1, FI-00018 ILMARINEN

4. Grounds for processing of personal data

Ilmarinen’s task pursuant to the Act on Earnings-Related Pension Insurance Companies is to take care of the assets accruing with the company for the purpose of pension insurance operations in a manner that secures the benefits covered by the insurance. A pension insurance company’s assets must be invested in a profitable and sustainable manner.  This does not entail, however, a statutory obligation to process personal data. Thus, the grounds for processing personal data are legitimate interest, contract and consent given by the data subject.

The grounds for processing personal data in connection with customer due diligence and preventing money laundering and terrorism are based on law.

5. Purposes

The personal data included in the register is processed for purposes required by the investment operations, such as

  • Loan administration
  • Tasks related to real estate ownership and real estate investments
  • Brokering and managing of real estate and rental properties
  • Planning, steering and developing services, operations and IT systems
  • Cash management and accounting, incl. payments, invoicing, ledgers and debt collection
  • Managing and developing customer, tenant and stakeholder relationships in the form of for example
    • providing customer service
    • analysing, categorising and reporting of customer relationships and the service offering
    • customer relationship communication
  • Information security, and preventing and investigating abuse suspects
  • Preventing money laundering and terrorist financing

Personal data is processed in services related to the real estate maintenance for the following purposes:

  • providing, developing and monitoring services related to real estate and rental activities
  • implementing and monitoring real estate projects, development and maintenance
  • ensuring and monitoring real estate, business premises and residential safety and security, such as CCTV monitoring and access control

Ilmarinen’s service providers may record calls in order to substantiate service transactions, develop customer services, fulfil rights and obligations and ensure security.

6. Categories of personal data

The categories of data subjects are:

  • Tenants, and representatives and contact persons of tenant organisations
  • Representatives, contact persons and guarantors of debtors
  • Representatives and contact persons of investment counterparties
  • Beneficial owners of tenants, debtors and investment counterparties
  • Persons involved in organising and providing real estate services
  • Persons in charge and contact persons of real estate projects

Personal data such as the following is contained in the register:

  • Basic information of the data subject:
    • name, identity number, contact information, payment contact information, information on identity verification, information on politically exposed persons (PEP), position and authorisation to sign for the company, nationality, and screenings against sanctions lists
  • Resident information required by the real estate maintenance services
  • Information required by the real estate services provided by Ilmarinen such as
    • parking and parking control
    • visitor management, including lobby services and automated reception systems
    • CCTV recordings to ensure security and protect property as well as to prevent and investigate incidents that compromise security and property
    • real estate security, such as access control and security services
  • Data collected while using the services and on the online services

The service providers may also have their own personal data registers. Information on these is available from the respective controllers.

7. Use of cookies

The cookies and other internet identifiers used in Ilmarinen’s online service enable the offering of online service and improve the security and user-friendliness of the services.

Based on the data collected in the online service, Ilmarinen can analyse and develop its services, knowing what information contents interest users and how the online service is used. The data can also be used for Ilmarinen’s and its marketing partners’ communications, targeting of marketing and for optimising marketing measures.

The online service user can give their consent or refuse the use of cookies in their browser settings or use a service designed for the purpose. If cookies are disabled, some of the services on Ilmarinen’s website may not be available.

8. Regular data sources

Ilmarinen receives personal data from the data subject during the use of the services. Ilmarinen also regularly receives personal data from trustworthy external sources, such as:

  • The Population Information System
  • Suomen Asiakastieto Oy
  • The Official Journal
  • Dow Jones Database
  • The Finnish Patent and Registration Office (extract from the trade register)
  • The Business Information System (
  • Co-operation partners

9. Disclosures and transfers

In conjunction with business operations, personal data may be disclosed to co-operation partners who have a right to receive the information in order to meet Ilmarinen’s or its co-operation partners’ legal obligations. Ilmarinen only discloses personal data in accordance with the right to receive information based on legislation and in accordance with disclosure rights and obligations. In special cases, personal data can be disclosed also with the consent of the data subject.

Personal data can be transferred to Ilmarinen’s service providers acting on behalf of Ilmarinen. The processing of the personal data on behalf of Ilmarinen is always based on assignments and instructions specifying the rights and obligations in the processing and protection of personal data.

Ilmarinen primarily processes personal data in Finland, the EU/EEA area or in other countries approved by the EU Commission as having an adequate level of data protection. If personal data is disclosed or transferred outside these countries, the standard contractual clauses approved by the European Commission are used to ensure an adequate level of data protection.

Personal data is transferred from Ilmarinen’s investment operations register to Ilmarinen’s marketing register for marketing purposes. The marketing register’s information content and the processing of personal data are described in more detail in the privacy statement of Ilmarinen’s marketing register.

10. Right of access

A data subject has the right to access personal data concerning them contained in the register.

In the request for access the data subject must disclose their name and identity number. The response to the request will be delivered to the data subject’s verified address.

11. Right to data portability

When personal data is processed in order to fulfil a legal obligation or based on Ilmarinen’s legitimate interest, there is no right to data portability.

Otherwise, the data subject is entitled to receive as a file the personal data they have supplied to the controller and whose processing is based on the data subject’s consent or a contract with the data subject. The data subject may also request that the controller transfers the data to another controller if this is technically possible.

12. Right to rectification

The data subject is entitled to require that incorrect and inaccurate personal data be rectified. The changes in personal data will primarily be made in connection with use of services following authentication.

The request must contain a name and identity number, a specific and justified request for rectification and an explanation of how the information should be rectified.

13. Right to object

In terms of the processing of personal data based on Ilmarinen’s statutory obligation, the data subject does not have the right to object to the processing of personal data.

The data subject has the right to object to the processing of personal data that applies to them when the processing is based on a legitimate interest. Legitimate interest is used as grounds for processing when the processing is not based on contract or consent and personal data is not processed to meet obligations in accordance with the Act on detecting and preventing money laundering and terrorist financing.

14. Right to restriction of processing

The data subject can request that Ilmarinen restrict the processing of their personal data when:

  • The accuracy of the personal data is contested by the data subject. However, there is no right of restriction on the part of Ilmarinen’s statutory operations if the request for restriction is manifestly unfounded.
  • The processing is verifiably and justifiably unlawful and the data subject opposes the erasure of the personal data
  • When Ilmarinen expresses that it no longer requires the personal data that has been requested to be restricted for the purposes of the processing as specified in the privacy statement, but the data subject requires it for the establishment, exercise or defence of legal claims.
  • The data subject has objected to the processing of the personal data, pending verification of whether the legitimate grounds of the controller override those of the data subject.

The request must contain a name and identity number, and a specific and justified request for restriction.

15. Retention periods and data erasure rights

Ilmarinen retains personal data in accordance with the retaining periods laid down by applicable legislation or for as long as any one of the processing grounds presented in section 4 of this privacy statement is valid and the personal data is necessary for its purposes. Once the retaining period of personal data has expired and there are no grounds for retaining it within the limits allowed by data protection legislation, the data will be erased.

Personal data shall also be erased when the data subject objects to the processing of personal data based on a legitimate interest, and there are no other grounds for the processing.

16. Right to appeal to a supervisory authority

The data subject is entitled to bring the matter before the Data Protection Ombudsman if the data subject considers that the processing of their personal data breaches the relevant legislation.

17. Principles of register protection

At Ilmarinen, information security and the protection of personal data are an integral part of the information systems’ functionality and data architecture. Requirements for the information systems’ security and the integrity, confidentiality, availability and continuity of the data processing are always established beforehand when the systems are designed. Ilmarinen processes all personal data securely and in the manner prescribed by legislation and systematically develops and inspects information security.


Privacy statement of the personal data register of Ilmarinen’s investment operations updated on 10 July 2023.