1. General information
This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and the national law for data subjects, that is, for the controller's customers and employees, and for the supervisory authority.
2. Controller and controller’s contact information
Pohjola Insurance Ltd
Postal address: P.O. Box 308, 00013 OP
Street address: Gebhardinaukio 1, 00510 HELSINKI
The controller’s contact person: OP Financial Group’s Data Protection Team
Phone: 010 253 1333 (in English), 0100 0500 (in Finnish)
3. Data Protection Officer’s contact information
OP Financial Group’s Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, 00013 OP
4. Name of the personal data file
Pohjola Insurance Ltd customer data file. Private individuals and entities, including entrepreneurs, are data subjects. With respect to an entity, data subjects are persons acting on its behalf.
Previous customers and private individuals and entities deemed potential customers are also data subjects.
The data subjects also include persons who have paid the premium on the policyholder’s behalf, persons who have claimed or received compensation under the insurance contracts, persons otherwise entitled to compensation under the insurance contracts (such as beneficiaries), as well as persons liable to repay the insurance compensation (persons with so-called recourse debt).
5. Purpose of personal data processing and legal basis for processing
Insurance operations require personal data processing. The data subject’s personal data is needed, for example, for concluding an insurance contract and for payment of compensation. Below is more detailed information on the purposes and legal bases of personal data processing.
Purpose of use of personal data
- Customer service and customer relationship management and development, including customer communications
- Providing services and products (insurance business, execution and maintenance of insurance contracts, claims settlement based on insurance contracts), development, automation and quality assurance as well as customer and user modelling
- Monitoring and analysis of product and service use and customer segmentation, for example, in order for the controller to be able to offer personalised product and service content to users
- Ensuring the security of services and investigating abuses
- Risk management
- Training purposes
- Direct marketing, opinion polls and market surveys, distance selling, targeting of marketing and advertising
- Fulfilling statutory obligations and any other official rules and regulations
- Conducting and developing other business
The purposes of using personal data in Pohjola Insurance Ltd are, in addition to the aforementioned, to implement issued statutory insurance (occupational accident and disease insurance, and motor liability insurance).
Automated decision-making and profiling
Automated decision-making means that the decision concerning the data subject is based solely on automatic data processing. Personal data processing within the scope of the data file involves automated decision-making, such as automatic underwriting and claim settlement decisions. The purpose of automated decision-making is to reduce processing times and safeguard equitable claim settlement decisions, for example.
As a result of automated decision-making, the data subject can receive a decision about granting insurance or the coverability of loss, for instance. If a decision has been made on the basis of automated decision-making, a data subject may request reconsideration of the application through manual (non-automated) processing.
Processing of personal data within the scope of the data file includes profiling. Profiling means the automated processing of personal data for evaluating certain personal aspects of an individual. Profiling is utilised, for example, to determine the risk correlation of the price of the insurance, to target advertising and to steer claim decision queuing in order to speed up the service.
General information about automated decision-making and profiling is available in OP's Privacy Statement at op.fi/dataprotection.
Customer due diligence and preventing money laundering and terrorist financing
Know Your Customer information and the data subject’s other personal information may be used in the prevention, uncovering and investigation of money laundering and the financing of terrorism, and in bringing under investigation the money laundering and financing of terrorism as well as the crime committed to obtain the assets or proceeds of crime involved in the financing of the money laundering or financing of terrorism.
The data subject's personal data may be used to investigate whether the person is subject to international sanctions applied by the controller. Further information on OP Financial Group’s sanctions compliance is primarily available in the terms and conditions of the acquired product or service.
Legal basis of processing
We process the data subject’s personal data mainly based on a contractual relationship and the measures preceding it.
Personal data processing can also be based on
- The data subject’s consent, such as consent to acquire patient data from a hospital/clinic,
- The controller’s statutory obligations, such as requirements of Finnish tax legislation and the Insurance Companies Act, or
- The legitimate interests of the controller or a third party, such as use of data for direct marketing, provided that the data subject is aware of it and has not forbidden it, for business development and for preventing misuse and fraud. Disclosure of information between OP Financial Group entities is also often based on legitimate interests.
In most cases, the controller’s legitimate interests are based on the customer relationship or similar relationship between the controller and the customer. The controller ensures that such processing is proportionate to the data subject’s benefits and meets his/her reasonable expectations.
The processing of the data subject’s personal health data in the data file is based on legislation or the data subject’s consent.
The controller has the right to process data on the criminal activity, criminal charges or other criminal consequences of the insured, claimant or tortfeasor that are necessary for the insurance company to determine liability.
6. Categories of personal data
The categories of personal data typically processed about data subjects, and the data content of each category, are described below. The data content to be processed depends, for example, on whether it involves the data of a private individual or a person acting on behalf of a company.
|Category of personal data||Data content of the category|
|Basic information||Private person: Data subject’s name and personal identity code. Entity including entrepreneurs: Identification details of persons acting on the behalf of an entity and information on connections to the entity|
|Know Your Customer (KYC) information||Statutory KYC information such as the information required to identify the customer and to determine their financial status and political exposure|
|Customer relationship information||Information that uniquely identifies and classifies the customer, such as customer code and policy code|
|Consents||The consents given and withheld by the data subject concerning personal data processing|
|Contract and product information||The controller’s and data subject’s contract information. Information on products and services acquired by the data subject|
|Customer activity data||Tasks and transactions related to the management of the customer relationship, such as policy changes and claim handling information|
|Background information||Details of the life situation and financial status of the data subject. For example, information from the Tax Administration on salaries and benefits for implementation of occupational accidents and diseases insurance|
|Areas of interest||Information on the data subject’s areas of interest, such as interest in services and products of OP Financial Group entities|
|Behavioural information (incl. information collected using cookies and other such technologies)||Tracking of the data subject’s online behaviour and use of services using, for example, cookies. The collected information may include a website browsed by the user, the device model, unique device and/or cookie ID, channel such as an application, mobile browser or Web browser, browser version, IP address, session ID, session time and duration, and the display resolution and operating system.|
|Recordings and content of messages||Recordings and messages in various formats, in which the data subject is a party, such as call recordings|
|Special categories of personal data||The special categories of personal data laid down in Article 9 of the General Data Protection Regulation that include health, biometric data for the purpose of uniquely identifying a natural person, and trade union membership|
|Location and sensor data||Tracking the data subject’s location and information on the subject collected with sensors|
|Technical verification data||Identifier determined by a device or an application, with which the user of the device or application can be identified, using additional information if necessary|
7. Recipients and recipient groups of personal data
Collected personal data may be distributed within OP Financial Group and other companies of the financial amalgamation as permitted by the law. In addition, personal data may be disclosed, for example, to:
- Finance Finland, in regard to insurance sector claims statistics
- A hospital/clinic, based on the data subject’s consent
- Partners that are used in producing and providing services. These partners may therefore process personal data on the behalf of the controller or as independent controllers.
- A joint claims and misuse register kept by insurance companies pursuant to Section 10 of this privacy notice.
Personal data may be disclosed to authorities, including enforcement or social welfare authorities, the Finnish Tax Administration or the Finnish Financial Supervisory Authority, only within the limits permitted by law. An annual notification of the controller’s customers is sent to the tax authorities.
8. Transfer of personal data
The controller uses suppliers in data processing, and data may be transferred outside of the EU or EEA to a limited extent. When data is transferred outside of the EU or EEA, the transfer is done using the EU Commission’s standard contractual clauses or some other transfer mechanism in accordance with legislation.
Some of the controller’s suppliers are other OP Financial Group entities. They provide the controller with information system and other support services, among other things.
9. Personal data retention period or criteria for determining the period
The controller determines the retention periods for the personal data taking into account the applicable laws and the functionality and efficiency of the business, for example claims settlement and managing insurance affairs.
For example, in several voluntary insurance lines, information on insurance contracts must be retained for a minimum of 15 years from the date of termination of the contract. Regarding statutory personal injuries and road accidents, the statutory retention period is 100 years from the last processing date.
After the contractual relationship has ended, the controller may process the personal data for direct marketing purposes in accordance with applicable legislation.
10. Personal data sources and updates
Personal data is collected primarily from the data subjects themselves. Personal data may also be collected when the data subject uses certain services of the controller, such as online services.
All calls to and from the controller may be recorded. We may use call recordings to verify customer transactions, assure the quality of customer service and develop our services and for training purposes.
Personal data can also be collected and updated within the limits permitted by law from the personal data files of third parties, such as:
- The Population Information System and the address notification service of the post office
- Personal data files maintained by other authorities, such as the Finnish Tax Administration Incomes Register and Kela (Social Insurance Institution of Finland)
- Credit information register controllers
- The joint claims and misuse register kept by insurance companies
- Hospitals/clinics, based on the data subject’s consent or under law
- Partners involved in managing insurance and losses
- Public information sources through which the data subject can reliably be verified
- Banks for TUPAS authentication
- Parties that maintain databases with information that is necessary to identify political exposure and parties subject to international sanctions followed by the controller
- Other customer data files of OP Financial Group entities
Pohjola Insurance Ltd collects information concerning taxation from the Finnish Tax Administration for the purpose of using it in accordance with the Workers' Compensation Act (to, for example, resolve an insurance matter or fulfil an insurance company’s supervisory obligations).
Claims and misuse register
The controller has access to the joint claims and misuse register kept by insurance companies, in which the insurance companies enter information on claims as well as on crime or suspected crime against them and which information they can use in their insurance and claims processing. The type of information entered in the registers includes the loss event and the data subject, such as the controller’s customer. The purpose of the registers is to prevent and expose crime against insurance companies by sharing information between insurance companies.
Basic details of claims filed with the insurance companies are entered in the claims register. When the insurance company registers the basic details of the claim in the claims register, it receives access to information on possible claims that the claimant has filed with other insurance companies. The purpose of the claims register is to prevent filing a claim with more than one insurance company at the same time on false grounds.
Data on crime and suspected crime against the insurance company’s insurance operations are entered in the misuse register. Making an entry in the register requires that the suspected criminal act has been reported to the police or prosecutor. An entry made due to suspected crime is removed from the register if the data subject is deemed innocent in court or if the legal proceedings are cancelled. Data in the misuse register are used to prevent and expose crime against insurance companies.
11. Data subject’s rights
Data subjects have the right to receive the controller’s confirmation of whether their personal data will be processed or not, or whether they have already been processed.
If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.
The controller may charge a reasonable administrative fee for additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.
The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.
After the application of the General Data Protection Regulation has begun, the data subject will, in certain cases, also have the right to request the controller to restrict the processing of their personal data or to otherwise oppose the processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in machine-readable format.
All of the above requests must be submitted to the abovementioned contact person of the controller.
If a data subject considers that his/her personal data is not processed legally, he/she has the right to file a complaint with the supervisory authority.
12. Right to cancel prior consent
If the controller processes the data subject’s personal data on the basis of consent, as is mostly the case in direct marketing using electronic channels, the data subject has the right to cancel such consent. The cancellation of consent does not affect the lawfulness of processing performed based on the consent prior to its cancellation. Such cancellation may, however, have an effect on the usability and functionalities of the service.
13. Protection methods regarding the data file
We process personal data securely in accordance with applicable laws. We have carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.
The controller has protected the data appropriately in technical and organisational terms. The data file is protected using, for example, the following tools:
- Protection of equipment and data files
- Access control
- User identity verification
- Access rights
- Registration of usage events
- Processing guidelines and supervision
The controller also requires of its suppliers the appropriate protection of personal data to be processed.