Data protection

Personal data is only collected and processed for specific, explicit and legal purposes. Ilmarinen collects personal data related to identifying a person (e.g. the person’s name, contact details and identifying information in IT systems) from TyEL or YEL policyholders, i.e. from employers and self-employed persons. In addition, we may collect personal data from pension applicants and pension recipients and from insured persons and trustees. In order to produce pension and rehabilitation services, Ilmarinen also collects information on work history, pension accrual history, preliminary calculations, the earnings-related pension record, benefits history and medical decisions.

We also receive data from legal official registers. Ilmarinen also collects data on the rental seekers and tenants of the flats it rents out. The personal data to be collected may also be needed to fulfil legal obligations, manage the customer relationship and the insurance portfolio and to process appeal and rectification matters. Ilmarinen also collects data for research and statistics. In its customer service, Ilmarinen collects information related to advising and contacting customers, for instance, personal data, record information and recorded phone calls and customer feedback.

Pension and insurance services’ information on policyholders is saved in Ilmarinen’s customer register and may be used to process insurance and appeal applications, make decisions, conclude agreements and transfer insurance policies. In addition, Ilmarinen saves information about the insured and pensioner as it relates to the policyholder as well as calculations concerning insurance policies and the need for insurance. Accounting, payment, invoicing and debt collection data is also saved in the customer register’s information.

Ilmarinen’s customer register also saves grouping and classification data describing a customer account. Ilmarinen also collects recommendations, subscriptions and refusals given to customer relations and marketing communications.

Ilmarinen collects information related to adopting and using online services from the www.ilmarinen.fi website and services that require logging in; this information includes online and mobile services’ user information, information required for online identification and user rights, online identifiers and information on the channels, applications, devices and browsers used.

You can read more about the collection of various personal data in Ilmarinen’s privacy statements.

Ilmarinen’s task pursuant to the Act on Employment Pension Insurance Companies is to engage in statutory pension insurance business, which is part of social security, by taking care of the implementation of statutory pension provision and the assets accruing with the company for this purpose in a manner that secures the benefits covered by the insurance. In connection with these tasks, the processing of personal data is based on statutory requirements. In Ilmarinen’s operations, personal data can be processed also on the basis of consent, an agreement or a legitimate interest. The basis for the marketing targeted at Ilmarinen’s customers is a legitimate interest or consent. The data subject has the right to withdraw his or her consent.

Ilmarinen processes personal data for the following purposes: Producing and developing the services offered by Ilmarinen and its co-operation partners, offering additional and customised services, identifying the customer, managing user rights, ensuring and authenticating service transactions and resolving errors, managing finances and money transactions, and for accounting, incl. payments, invoicing, ledgers and debt collection. Ilmarinen’s customer data may also be processed in customer relationship management and development, in implementing customer service and advice, in analysing customer relationships and operations and in customer relationship and marketing communications, when based on consent.

Ilmarinen processes personal data also to ensure the information security of services, to prevent abuse and problem situations, and to manage risks. Ilmarinen may process personal data also in order to target appropriate advertising to its potential and existing customers in online environments based on the user’s consent.

Ilmarinen speeds up and improves its customer service by using automated decision-making in the processing of insurance and pensions matters when case-specific deliberation is not involved and statutory terms and conditions are met. If the statutory terms are not met, the processing is moved to the manual process. The customer has the right to appeal decisions made by Ilmarinen that apply to him/her. Information on appeals is given in connection with the decision.

Compliance with the obligations stipulated in legislation, regulations and official decisions requires Ilmarinen to process personal data. Statutory obligations are, e.g. the prevention, detection and investigation of money laundering, terrorism funding and fraud; accounting regulations; risk-management-related risks, such as credit and insurance risks; solvency requirements; and legislative requirements related to securities and funds.

Ilmarinen can combine the personal data and online behavioural data in its customer register and marketing register in order to better target its marketing communications at potential and existing customers, based on the individual’s consent.

Ilmarinen receives personal data from data subjects themselves in connection with marketing and use of the service. Ilmarinen also receives data on the insured persons and pension recipients from other pension companies and employers, for example. Personal data is also collected in connection with service transactions and the use of services.

Ilmarinen also regularly receives personal data from the following data sources:

• Finnish Centre for Pensions
• Social Security Institution
• Earnings data broker services
• Doctors, hospitals and health centres
• Labour authorities
• Tax authorities
• Social welfare authorities
• Unemployment funds and employment offices
• Enforcement officers
• Insurance companies
• Banks
• OP Financial Group
• Accountants
• Suomen Asiakastieto Oy
• Population Information System
• Pension Appeal Board
• Insurance Court

Pursuant to law, Ilmarinen may disclose data contained in its filing systems to producers of statutory pension and social security and the Finnish Centre for Pensions, for example. Data is disclosed to authorities pursuant to law. Ilmarinen only discloses personal data in accordance with the right to be informed based on legislation and in accordance with disclosure rights and obligations. In special cases, personal data can be disclosed also with the consent of the data subject. The disclosure parties and grounds are described in the guidelines of the Finnish Centre for Pensions.

The processing of personal data by service providers operating on behalf of Ilmarinen is always based on assignment contracts and instructions, which specify the parties’ rights and obligations in the processing and protection of personal data. We have concluded agreements that include personal data processing on behalf of Ilmarinen with selected suppliers and service providers. Such agreements have been made with, for instance, providers of software development, maintenance, server and IT support services.

Ilmarinen uses its customers’ personal data for customer communications based on Ilmarinen’s statutory obligation to report matters that are significant in terms of the customer relationship or based on Ilmarinen’s legitimate interest. Ilmarinen also uses the personal data of its customers and potential corporate customers for marketing communications, which the customer can always refuse.

Ilmarinen discloses information for scientific and historical research. We may hand over invoices to companies collecting receivables. If we sell, buy, merge or otherwise organise our business, the user’s personal data may be disclosed to the buyer and the buyer’s advisors.

Ilmarinen primarily processes personal data in Finland, the EU/EEA area or in other countries approved by the EU Commission as having a sufficient level of data protection. To ensure a sufficient level of data protection, the standard contractual clauses approved by the European Commission are used.

Facebook

Ilmarinen and Facebook Ireland (hereinafter “Facebook”) are joint controllers, where applicable, for the community pages on Facebook. These pages are, among others, Ilmarinen’s page, https://fi-fi.facebook.com/parempaaelamaa.

For each page, Facebook processes data in accordance with its privacy policy: www.facebook.com/privacy/. Facebook is primarily responsible for ensuring compliance with the data protection legislation and for implementing information security and the rights of the data subject in the service. You can manage Facebook’s data protection settings in Facebook.

Ilmarinen processes the personal data of community pages solely for Ilmarinen’s own purposes, such as to provide information about services and products, to receive feedback, to buy advertising, and to measure pages and ads.

The information we receive from Facebook is the data subject’s name, public profile photo and other information that has been set as public. Essentially, information that is visible to anyone. You might provide us with other personal data in the comments sections of pages or in an instant messaging service, for instance, in a customer service situation. Ilmarinen does not process your personal data outside of Facebook, and the data will not be linked to other registers.

On Ilmarinen’s community pages, personal data is processed based on Ilmarinen’s legitimate interest. A data subject can limit the processing of personal data that Ilmarinen obtains from Facebook by unliking and/or unfollowing the community page.

Ilmarinen and Facebook Ireland (hereinafter “Facebook”) are joint controllers, where applicable, for the community pages on Facebook. These pages are, among others, Ilmarinen’s page, https://fi-fi.facebook.com/parempaaelamaa.

LinkedIn

Ilmarinen and LinkedIn Corporation (hereinafter “LinkedIn”) are joint controllers, where applicable, for the community pages on LinkedIn. These pages are, among others, Ilmarinen’s page, https://www.linkedin.com/company/ilmarinen/

For each page, LinkedIn processes data in accordance with its privacy policy: https://www.linkedin.com/legal/privacy-policy. LinkedIn is primarily responsible for ensuring compliance with the data protection legislation and for implementing information security and the rights of the data subject in the service. You can manage LinkedIn’s data protection settings in LinkedIn.

Ilmarinen processes the personal data of community pages solely for Ilmarinen’s own purposes, such as to provide information about services and products, to receive feedback, to buy advertising, and to measure pages and ads.

The information we receive from LinkedIn is the data subject’s name, public profile photo and other information that has been set as public. Essentially, information that is visible to anyone. You might provide us with other personal data in the comments sections of pages or in an instant messaging service, for instance, in a customer service situation. Ilmarinen does not process your personal data outside of LinkedIn, and the data will not be linked to other registers.

On Ilmarinen’s community pages, personal data is processed based on Ilmarinen’s legitimate interest. A data subject can limit the processing of personal data that Ilmarinen obtains from LinkedIn by unliking and/or unfollowing the community page.

Ilmarinen retains personal data in operations based on its statutory obligation. The retention periods are determined in accordance with earnings-related pension legislation or other applicable legislation:

• Personal data linked to insurance: for the insurance’s period of validity and ten subsequent calendar years
• Personal data linked to pension and rehabilitation matters: the lifetime of the insured and five subsequent calendar years
• Personal data linked to survivors’ pension: survivors’ pension payment period and five subsequent calendar years
• Personal data for the collection of late insurance contributions: up until the end of the collection and five subsequent calendar years
• Personal data linked to appeals: 50 years if they do not need to be retained for a longer period based on the above points

In non-statutory operations, Ilmarinen must retain personal data for as long as any one of the processing grounds presented in section 2.2 of this privacy statement is valid and the personal data is necessary for its purposes.

Personal data shall also be erased, if necessary, when the data subject objects to the processing of personal data based on a legitimate or general interest, and there are no other grounds for the processing.

Access to devices and servers that contain personal data has been limited, through user rights, to those who need them for their duties. The persons processing the data are bound by the statutory non-disclosure obligation. Personal data is stored only for as long as required for handling the matter or until the statutory storage period expires. Ilmarinen’s entire personnel have been trained in personal data protection.

The servers used for processing personal data are located in data centres protected through access control and security systems. The filing systems containing personal data are segregated from public data networks using technical security arrangements. The use of personal data is also monitored through various technical arrangements.

Ilmarinen may use subcontractors in performing its tasks. The same regulations and non-disclosure obligations apply to subcontractors and their employees as to Ilmarinen employees.

At Ilmarinen, information security and the protection of personal data are an integral part of the functionality and architecture of the information systems. Requirements for the information systems’ security and the integrity, confidentiality, availability and continuity of the data processing are always established beforehand when the systems are designed. Ilmarinen processes all personal data securely and in the manner prescribed by legislation and systematically develops and inspects information security.

Right of access

A data subject has the right to access personal data concerning him/her that has been recorded in the register. The data subject must present in the request for access his/her name and identity number so that the data can be found. The response to the request for access will be delivered to the data subject’s verified address contained in the Finnish Population Information System.

Right to data portability

The processing of personal data at Ilmarinen is primarily based on carrying out its statutory obligation, in which case there is no right to data portability. This applies to the processing of personal data linked to earnings-related pension cover provision and the management of investment operations, in addition to Ilmarinen’s activities as an employer and company, even if the processing is specified in more detail through agreements when necessary.

Otherwise, the data subject is entitled to receive as a file the personal data processed by the information systems that applies to him/her, which he/she has supplied to the controller and whose processing is based on the data subject’s consent or an agreement with the data subject. The data subject may also request that the controller transfer the data in question to another controller if this is technically possible.

Right to rectification

The data subject is entitled to require that inaccurate personal data be rectified. The changes in personal data will primarily be made in connection with use of the service following authentication. The request must contain a name and identity number, a specific and justified request for rectification and an explanation of how the information should be rectified.

Right to object

In terms of the processing of personal data based on Ilmarinen’s statutory obligation, the data subject is not entitled to object to the processing of personal data. The data subject is entitled to object to the processing of personal data that applies to him/her when the processing is based on a general or legitimate interest, such as direct marketing. The data subject is entitled to object to the use of his/her personal data for marketing at any time. To do this, the data subject must inform Ilmarinen of a marketing ban or withdraw his/her consent.

Right to restriction of processing

The data subject can request that Ilmarinen restrict the processing of his/her personal data when:

• The accuracy of the personal data is contested by the data subject. However, there is no right of restriction on the part of Ilmarinen’s statutory operations if the request for restriction is manifestly unfounded.
• The processing is verifiably and justifiably unlawful and the data subject opposes the erasure of the personal data.
• When Ilmarinen expresses that it no longer requires the personal data that has been requested to be restricted for the purposes of the processing as specified in the privacy statement, but the data subject requires them for the establishment, exercise or defence of legal claims.
• The data subject has objected to the processing of the personal data, pending verification of whether the legitimate grounds of the controller override those of the data subject. The request must contain a name and identity number, and a specific and justified request for restriction.

Under the data protection regulation, you have the right to access the information we have saved about you. Fill in the access request form.

Ilmarinen will deliver the answer to the request to the address verified in the Population Information System.

Cookies are small, anonymous text files of letters and numbers that are saved to your computer. Ilmarinen’s cookies do not harm your computer. No personal data is disclosed through cookies to third parties without your consent. Cookies are downloaded to your browser when you visit websites that use cookies. They allow us to help you continue where you left off and to remember your preferences, such as language settings. The user cannot be identified through cookies alone, and digital services cannot know the user’s name or email address without the user’s separate permission.

Ilmarinen collects online behavioural data from its website and online services using cookies or other similar technologies (the browser’s small data warehouse, application identifier or device identifier). We use this information to analyse the use of the services, improve the user experience, tailor services and marketing communication content and measure the effectiveness of advertising. We also use cookies to locate and fix technical problems. With the help of cookies we can, for example, see the browsers that have returned to the service and identify from marketing emails whether a message has been opened and whether the user has visited Ilmarinen’s website from the message. Cookie-related information may be, for example, the user’s IP address, browser type, time of visit, pages visited and web address. The cookie also saves information on the page from which the user arrives onto Ilmarinen’s website.

When logging in to Ilmarinen’s online services we can, within the framework of legislation and by virtue of consent, link the behavioural data gained thanks to cookies with the personal data the user has provided. If you do not log in to Ilmarinen’s online services or go to Ilmarinen’s website via customer or marketing communications sent by Ilmarinen, we cannot identify you through cookies alone. We may link your online behavioural data with your customer data also after you have logged out of the online services if you had logged in to use Ilmarinen’s services and gave your consent. We link data so that we can provide direct marketing that is more relevant for you. You can prevent this by refusing cookies in your browser.

Ilmarinen has five cookie categories: strictly necessary cookies, performance cookies, functionality cookies, marketing cookies and social media cookies. Ilmarinen mostly uses session cookies, which means the cookies expire when the user closes the browser. Some cookies are persistent cookies, which remain in the browser for a specific period of time unless the user deletes them. Persistent cookies remain valid from a few months to a few years.

Strictly necessary cookies

These cookies are necessary in order for the website to function properly, and they cannot be disabled. These are generally set only when you use functions that create service requests, such as when adjusting data protection settings, logging in or filling out forms. You can set your browser to prevent these cookies or to alert you about them, but then some functionalities of the website might not work properly.

Performance/Statistics cookies

These cookies help us count the number of visits and traffic sources so that we can measure and improve our website’s performance. They help us know what pages are popular and less popular and how visitors browse the website. All cookie information is collected anonymously. If you do not accept these cookies, we cannot know which websites you have possibly visited.

Functionality cookies

These cookies enable us to offer better and more personalised functions, such as videos and real-time chat. These cookies are set by Ilmarinen or by a third party’s service provider, whose services we have added to our website. If you do not accept these cookies, some or all of these features may not function properly.

Marketing cookies

These cookies are set on Ilmarinen’s website by our advertising partners (section 3.3.). These companies can use cookies to create a profile of areas that interest you and present advertising that you may be interested in on other websites. Cookies identify the browser and device. If you do not accept these cookies, you will not see targeted advertising on different websites.

Social media cookies

These cookies are set by social media platforms (section 3.3.). These cookies enable targeted advertising on social media websites, and make it easy to share and like articles. In addition, we can measure the effectiveness of our advertising on social media. If you do not accept these cookies, you will not see targeted advertising on social media websites.

The cookies set on Ilmarinen’s own website and services are first-party cookies. In addition to these, Ilmarinen’s digital services use third-party cookies, such as the cookies of advertising networks, social media and measuring and tracking services.

Ilmarinen may use so-called social plug-ins on its website, meaning Like/Share buttons. A social plug-in knows when a user who has visited the services has logged in to the social media service in question using the same browser, in which case the contents of the social media page can be personalised based on that information. Plug-in services may collect data on the use of Ilmarinen’s digital services in accordance with their own data protection specifications.

Third party cookies are used, for example, to target and measure advertising on third party sites. Targeting can take place based on the user’s previous internet behaviour on the browsers on which our advertising is most likely to interest the user. In targeting, we may also use data collected from outside of Ilmarinen’s website and online services.

Third parties used by Ilmarinen

Adform.net collects and analyses behavioural data from Ilmarinen’s website in order to target advertising and to measure the effectiveness of the advertising. You can read more about Adform.net’s data protection here.

Facebook collects data in order to analyse users’ movement between Facebook and Ilmarinen and to analyse the effectiveness of advertising. You can read more about Facebook’s data practices here.

Giosg collects and analyses data from the chat discussions that take place on Ilmarinen’s website. The chat discussions are not linked to this data. You can read more about Giosg’s data protection here.

Google Ads analyses the effectiveness of pay-per-click advertising when a user arrives on Ilmarinen’s website. You can read more about Google Ads’ data protection here.

Google Analytics is used to measure the use of Ilmarinen’s website and online services, the effectiveness of marketing campaigns and to produce statistical data. You can read more about Google Analytics’ data protection here.

LinkedIn collects data from the “follow us” feature on Ilmarinen’s website and collects and analyses data to target advertising. You can read more about LinkedIn’s data protection here.

Siteimprove collects and analyses data on the use of Ilmarinen’s website and online services. You can read more about Siteimprove’s data protection here.

Twitter collects and analyses website visit data and content sharing data between Twitter and Ilmarinen. You can read more about Twitter’s data protection here.

YouTube collects and analyses data from video viewings on Ilmarinen’s website and to target advertising. You can read more about YouTube’s data protection here.

You can manage your Ilmarinen cookie preferencies and choose what cookies you accept. You can prevent the cookies that are necessary for the use of our services from being installed on your computer by changing your browser’s information security settings. These cookies are necessary for the designed functioning of our services. Please also note that our login services will not work if you refuse our cookies.

You can also set your browser settings so that you are informed of cookies being saved. Then you can either accept or reject the cookie.

You are able to control the extent to which you agree to the use of cookies and targeted advertising. You can block the use of cookies by changing your browser settings, by using private browsing in our services or by using tracking protection tools. Note that the consequence of disabling cookies is that you might not be able to use some of the functionalities of the services and websites.

If you do not want advertising to be targeted based on your areas of interest, you can block targeted advertising via the link below. After blocking targeted ads, you will be shown the same amount of advertising as before, but it will not be chosen based on your areas of interest. Block targeted advertising here.