Data protection

The data subjects are the customers of LocalTapiola Group companies, such as insurance and claims customers and investor customers. In the case of institutional customers, the data subjects are their affiliated persons, such as beneficial owners. Data subjects also include customers who have previously been our customers as well as potential customers and their affiliated persons. Persons related to the customer, such as guardians and attorneys-in-fact, are also data subjects.

We only process personal data that is necessary for our purposes, such as:

We process personal data only for predefined purposes, such as:

We process personal data mainly on the basis of a contractual relationship and the measures preceding it. The performance of a contract is the primary basis for processing, in cases such as when we process the policyholder's personal data for the purpose of giving an insurance quote and later when the insurance contract is in force.

The processing of personal data may also be based on the consent of the data subject or on the legal obligations or legitimate interests of the LocalTapiola Group company acting as the controller of the data. We may disclose information to our service provider partners on the basis of consent, whereas the Anti-Money Laundering Act obligates us to collect and store certain identifying personal data on our customers. Data processing is based on legitimate interest for example when we process personal data for marketing purposes, including for the purposes of targeting of advertising, targeted online marketing or direct marketing, for combating abuse and fraud or to pay a claim to a victim outside the customer relationship.

We mainly collect your personal data directly from you. You provide us with your data when you interact with us, such as when you enter into an insurance or investment service contract, claim compensation, log in to our online service, call our customer service or participate in our competitions. We may also collect data about you by observing how you use our services, especially through cookies. Our use of cookies is described in more detail in the section on cookies.

We also collect your data from third parties, such as parties authorised by you, registers maintained by the authorities, credit information registers, joint registers of insurance companies, medical institutions and other insurance companies. We retrieve the vehicle details from Traficom’s Transport Register.

We update addresses from Posti's address service and cross-check with the Population Information System to ensure that the information is accurate and up-to-date.

Your data will only be processed by LocalTapiola Group companies and employees who need access to the data to perform their duties. Most of our employees are bound by a statutory obligation of secrecy, and each employee must also sign a non-disclosure agreement in which they pledge to keep customer information confidential.

In producing and providing our services, we use partners to whom we transfer personal data for processing. These partners act as our sub-processors and process personal data in accordance with our instructions. We require our sub-processors to protect personal data appropriately and we inspect and audit their operations.

We disclose personal data between the LocalTapiola Group companies insofar as permitted by law. We disclose personal data to parties external to LocalTapiola Group only with your consent or when there is a legal ground or some other legitimate purpose for the disclosure of data. Based on your consent, we may disclose your data for example when issuing a medical institution an authorisation for direct billing or when sending SOK information on your premiums to accrue S Bonus. On the basis of the law, we may disclose your data for example to public authorities, including the tax, prosecution and investigating authorities, and to other insurers. In addition, we may disclose limited amounts of personal data to advertising platform service providers for our marketing purposes, including for the targeting of advertising or for implementing targeted online marketing.

Read more about Targeted paid online marketing and joint controllership with advertising platform service providers.

The disclosure of personal data refers to situations where personal data is given to another controller to process. We also transfer personal data for processing purposes to our partners, who process personal data on our behalf and thus act as our sub-processors.

We have defined retention periods for the personal data we collect, taking into account the requirements of legislation and the effectiveness and fluency of business operations, such as insurance and investment services. Occasionally, we may be required by law to retain data for a certain period of time. This is not always the case, in which case we retain the data for as long as it is necessary for us.

We store data necessary for the customer relationship at least for the duration of the customer relationship. In general, it is necessary for us to continue storing data even after the customer relationship has ended. The retention period of your personal data varies depending on the type of service transactions you have or have had. For example:

We record phone calls, audio recordings of online meetings, chat conversations and online messages. They are used for verifying transactions, ensuring the quality of customer service and development and training purposes.

We use automated decision-making. Automated decision-making means that a decision is made entirely on the basis of automated personal data processing without the input of a human. We use automated decision-making to improve the efficiency of our insurance and claims processing and other services we provide, for example.

The data used in automated decision-making include information provided by you and information already in our systems. We may also use personal data obtained from third parties, such as a credit information register, and information about insurance terms and conditions and our internal guidelines.

We will notify you of automated decision-making separately in connection with each service that uses automated decision-making and, if necessary, ask for your consent to its use.

Once you have received the automated decision, you have the right to appeal against and request that the matter be reviewed by a human employee.

We use automated decision-making in non-life insurance operations in the following contexts, among others:

We may use automated decision-making to decide whether or not to grant an insurance purchased online. The automated system may decide to either grant the insurance or forward the matter to an employee for further processing. Automated decisions are based on information provided by the customer, existing information in our systems and information obtained from third parties, such as a credit information register.

We may use automated decision-making to settle claims and as part of other activities related to claims processing. The automated system may decide to either pay the claim or forward the matter to an employee for manual processing. Automated decisions are based on information provided by you, existing information in our systems, and information obtained from third parties, such as the claims register, as well as insurance terms and conditions.

We also make use of profiling. Profiling means the automated processing of personal data where we evaluate certain personal characteristics by combining and analysing data.

We use profiling for the following purposes, among others:

We may transfer your personal data outside the EU and EEA within the limits of data protection legislation.

Some external service providers or other recipients of personal data may be located or process personal data outside the EU or EEA. We use the necessary transfer mechanisms and complementary safeguards permitted by law to ensure that the level of protection of personal data is not compromised in situations where the data is transferred outside the EU or EEA. Such transfer mechanisms include, for example, adequacy decisions by the European Commission and the use of standard contractual clauses with recipients of data located outside the EU or EEA.

The standard contractual clauses we use are available on the EU legislative and justice website:

Commission Implementing Decision (2021/914) (eur-lex.europa.eu)

You can also request a copy of the standard contractual clauses by contacting our Data Protection Officer.

We may use your customer due diligence information and other personal data for the prevention, uncovering and investigation of money laundering and the financing of terrorism as prescribed in the Anti-Money Laundering Act, and in bringing under investigation money laundering and financing of terrorism as well as the crime committed to obtain the assets or proceeds of crime involved in the financing of money laundering or the financing of terrorism.

We may use your personal data to determine whether you are subject to international sanctions we are required to comply with.

Finnish insurance companies maintain shared registers about insurance claims and fraudulent claims. Insurance companies disclose information on claims and crimes and suspected crimes against the company to the registers. Insurance companies use the information in the registers when granting insurance and processing claims. The purpose of the registers is to prevent and detect insurance fraud and crime by sharing information between insurance companies. LocalTapiola Group’s insurance companies also disclose information to registers and use the information in the registers.

We register information about claims reported to us in the insurance companies' joint claims register. The register collects information on the claim and the insured person. When the insurance company submits the basic information in the claim to the claims register, the company receives information about claims filed by the applicant at other insurance companies. Based on the information in the claims register, we may also exchange more detailed information about claims between other insurance companies. We use the information in the claims register to prevent fraud against insurance companies, with the purpose to prevent a person from filing false claims at several insurance companies.

We register information on crimes and suspected offences against our insurance operations in the insurance companies' common fraudulent claims register. The register collects information on the claim and the insured person. In addition, we check the information entered in the register. Entering information in the fraudulent claims register requires that a suspected criminal act has been reported to the police or prosecutor. Entries made on the basis of a suspected crime are erased from the register if the person in question is found innocent of the act in a court of law or the case is dropped. We use the information in the fraudulent claims register in insurance handling and claims settlement to prevent and detect crime against insurance companies.

We use the necessary and best-practice technical and organisational data security methods to safeguard personal data. We protect personal data so that it cannot be accessed without authorisation or lost, destroyed or altered without a basis.

We ensure the protection of personal data with firewalls, separation of environments and various encryption and protection technologies, among other measures. We continuously monitor our data security. We make sure that our data centres are secure and access control is at an appropriate level.

Access to personal data is restricted with suitable access rights restrictions, and we apply access rights management processes. Access rights are always based on work duties. Personal data can only be accessed by employees who have a need to do so for the performance of their duties. We monitor to ensure that access rights are necessary at all times and remove expired access rights.

We collect logs on the processing of personal data. Logs indicate what, why and when a processing activity occurred. We use logs to monitor the processing of personal data, ensure that no errors have occurred and investigate possible errors.

Our employees involved in processing personal data are regularly trained and provided with instructions.

We also require our sub-processors to safeguard the data appropriately, and inspect and audit their operations.

The following LocalTapiola Group companies belonging act as the controllers:

Our Group consists of several companies that operate in different lines of business. Each of the companies in our Group acts as the controller of personal data it collects in its own operations.

For more information on companies that belong to LocalTapiola Group, see the Companies section on our website .

In questions and matters related to the processing of personal data, you can contact our Data Protection Officer by email or post.

Contact details of the Data Protection Officer:

Email:
tietosuoja(at)lahitapiola.fi

Mailing address:
LähiTapiola-ryhmä
Lakiasiat ja compliance / tietosuojavastaava
02010 LÄHITAPIOLA

If you feel that our processing of personal data violates the law, you have the right to lodge a complaint with the supervisory authority. In Finland, the supervisory authority is the Data Protection Ombudsman. However, we recommend that you first contact us using the contact details of our Data Protection Officer.

Contact information of the Office of the Data Protection Ombudsman :

Email: tietosuoja@om.fi

Mailing address: PO Box 800, FI-00531 Helsinki

Phone: 029 566 6700

LocalTapiola Group companies have a strong presence in various social media channels. Where applicable, we act as joint controllers of personal data with social media service providers (Meta, LinkedIn and Twitter) for LocalTapiola community pages, messaging services, tracking pixels and visitor data in these channels. This information applies to persons who have interacted with one of the social media community pages managed by LocalTapiola or have accepted social media cookies on the LocalTapiola website.

We process the data subject's personal data on the basis of our legitimate interest. In the case of tracking pixels, the processing is based on the consent given by the data subject. We use the data to maintain community pages, market LocalTapiola Group services, products and offers, carry out competitions and raffles, receive feedback, purchase advertising from social media channels, measure the availability of pages or advertisements, and to provide customer service on social media. We only process data for our own purposes. Social media service providers process data in accordance with their own data protection principles and are generally responsible for compliance with data protection legislation and the implementation of data security and the rights of data subjects. You can manage your privacy settings in the service in question.

We obtain information that a data subject has made public in the service, such as username and profile picture. In addition, the data subject may provide other information on their own initiative through comments, publications or messaging services. We also receive anonymised statistical data about visitors to our community pages and how visitors interact with the page content (Meta Page Insights, LinkedIn Page Analytics and Twitter Analytics). The data we store in the data file is not transferred outside the European Union or European Economic Area.

The controller determines the retention period of personal data, taking into account applicable legislation as well as the needs and efficiency of business operations. The purpose of the retention periods is to secure the rights of both the data subjects and LocalTapiola. We may process comments, posts and messages on community pages until the data subject deletes the comment or post. We may also delete a comment or post earlier if we deem it necessary to ensure the appropriateness of comments and posts, for example. Data subjects may request the deletion of a conversation in the messaging service from the owner of the community page in the service. You can also restrict the processing of your personal data by unliking and/or unfollowing the community page.

Where applicable, we act as joint controllers with Meta Platforms Ireland Ltd. (Meta) with respect to LocalTapiola’s community pages, messaging service, insights and tracking pixel in the service.

We have signed an addendum on joint controllership, which defines the responsibilities of both controllers regarding compliance with obligations under the EU General Data Protection Regulation (GDPR) and the joint processing of personal data. For more information, please visit: https://www.facebook.com/legal/controller_addendum .

For Facebook Insights (Page Insights), the controllers' responsibilities for complying with their obligations under the GDPR are described in the Page Insights Controller addendum. For more information, please visit: https://www.facebook.com/legal/terms/page_controller_addendum .

Meta processes personal data in accordance with its own privacy policies. For more information about the purposes, legal bases and privacy policies of Meta's processing of personal data as well as the information required by the joint controllership and Articles 13(1)(a) and (b) of the GDPR, please see Facebook's Privacy Policy at www.facebook.com/privacy/policy

Where applicable, we act as joint controllers with LinkedIn Ireland Unlimited Company (LinkedIn) with respect to LocalTapiola’s community pages, messaging service, insights and tracking pixel in the service.

We have signed an addendum on joint controllership for the processing of visitor data (Page Insights), which defines the responsibilities of both controllers regarding compliance with obligations under the EU General Data Protection Regulation (GDPR) and the joint processing of personal data. For more information, please visit: https://legal.linkedin.com/pages-joint-controller-addendum .

For more information about the purposes, legal bases and privacy policies of LinkedIn's processing of personal data as well as the information required by the joint controllership and Articles 13(1)(a) and (b) of the GDPR, please see LinkedIn's Privacy Policy at https://www.linkedin.com/legal/privacy-policy .

Where applicable, we act as joint controllers with Twitter International Unlimited Company (Twitter) with respect to LocalTapiola's community pages, messaging service, insights and tracking pixel in the service.

For more information about the purposes, legal bases and privacy policies of Twitter's processing of personal data as well as the information required by the joint controllership and Articles 13(1)(a) and (b) of the GDPR, please see Twitter's Privacy Policy at https://twitter.com/en/privacy .

Our websites and services may contain links to third-party sites and services and embedded content from third parties, such as Google Maps and YouTube videos.

We use analytics and customer experience cookies to manage the visibility and use of third-party embedded third-party content on our sites and services. Embedded content from third parties will only appear on our website if you have given your consent to the use of such cookies.

Providers of embedded content may place cookies on your browser that allow them to collect data for their own use. These third parties have their own privacy policies, which you can read on their respective websites.

See our cookie policy.

In order to implement the principle of public access, LocalTapiola maintains a description of its data reserves. This is known as the description of document publicity. The purpose of the description is to assist LocalTapiola customers who wish to make a request for information concerning LocalTapiola's documents.

For the purposes of this context, targeted paid online marketing means the targeted displaying of paid advertising elsewhere on the internet than on our own websites together with advertising platform service providers.

LocalTapiola Group companies purchase targeted online marketing from the service providers of various advertising platforms. As applicable, we act as joint controllers in respect of personal data together with each advertising platform service provider (Meta) when we cooperate in the processing of personal data in order to target online marketing on the advertising platform of the service provider in question. We have concluded written agreements on the processing of personal data with all entities that act as joint controllers.

The advertising platform service providers process the personal data we disclose only for targeting our advertising and for displaying it on their advertising platforms to the target groups we have determined. The service providers erase the personal data we disclose after the effecting of online marketing, but in any case not later than 6 months after this effecting.

We process the data subject’s personal data on the ground of our legitimate interest.

In target group list-based online marketing, we target advertising based on a target group listing extracted from our registers. Into a tool provided by the advertising platform service provider, we upload the target group list we have compiled. This list contains pseudonymised personal data: a hashed mobile phone number and a hashed email address. The pseudonymisation and hashing procedures we employ mean that personal data are processed into an encoded format in such a way that they are no longer directly identifiable.

The advertising platform service provider compares the pseudonymised target group we uploaded with their own customer records in order to find matching data. After a successful matching process, our and the advertising platform service provider’s combined data create custom audience lists to which our advertising is further targeted on the digital advertising platform (in the media) of the service provider in question.

In target group list-based targeting of advertising, depending on our advertising campaigns, we use solutions provided by different advertising platform service providers: Meta.

Read more about the data privacy policies of the advertising platform service providers we use: