
Data protection

Processing of personal data is an integral element of LocalTapiola Group’s business. For us, careful and safe processing of personal data is paramount. We ensure the appropriate protection of privacy, and process all personal data as required by law and in line with good data management and data processing practice. In this section, we tell you more about the protection of privacy at our Group. Here we aim to give you an overview of the processing of personal data we carry out. This section also contains our most important privacy notices, which describe what, why and how we process personal data in each of our individual data files and registers. The privacy notices take precedence over the information provided in this section.

What personal data do we process and why and how?

The data subjects are the customers of LocalTapiola Group companies, such as insurance and claims customers and investor customers. In the case of institutional customers, the data subjects are their affiliated persons, such as beneficial owners. Data subjects also include customers who have previously been our customers as well as potential customers and their affiliated persons. Persons related to the customer, such as guardians and attorneys-in-fact, are also data subjects.

We only process personal data that is necessary for our purposes, such as:

  • personal data related to identification, including name and personal identity code

  • contact information, including name, address, email and phone number

  • information related to the services and products we offer, such as the content of insurance coverage and health declaration and the amount of invested assets.

  • information related to the customer relationship and its management, such as language and contacts

  • information about choices made by the customer, such as restrictions on direct marketing

  • customer communications, such as call recordings, audio recordings of online meetings, chat conversations and online messages

  • information required by law, such as personal data used to identify the customer in accordance with the Anti-Money Laundering Act.

We process personal data only for predefined purposes, such as:

  • customer service and communication as well as customer relationship management, such as responding to contacts and sending out announcements about products

  • provision and development of our services and products, such as the performance of insurance or investment contracts and claims processing on the basis of insurance contracts

  • marketing of our services and products, targeted marketing and direct marketing, such as targeted online marketing and direct marketing messages

  • opinion and market research, such as sending out customer service feedback surveys

  • organising and enabling participation in promotions, raffles and competitions

  • monitoring, analysing and compiling statistics on the use of our services and products, such as tracking and analytics of pages visited on our website

  • ensuring the security of our services and risk management

  • detection and investigation of nonconformities, such as fraud against insurance companies

  • fulfilling obligations based on law and in accordance with official directions and instructions, such as collecting customer identification data and monitoring sanction lists.

We process personal data mainly on the basis of a contractual relationship and the measures preceding it. The performance of a contract is the primary basis for processing, in cases such as when we process the policyholder's personal data for the purpose of giving an insurance quote and later when the insurance contract is in force.

The processing of personal data may also be based on the consent of the data subject or on the legal obligations or legitimate interests of the LocalTapiola Group company acting as the controller of the data. We may disclose information to our service provider partners on the basis of consent, whereas the Anti-Money Laundering Act obligates us to collect and store certain identifying personal data on our customers. Data processing is based on legitimate interest for example when we process personal data for marketing purposes, including for the purposes of targeting of advertising, targeted online marketing or direct marketing, for combating abuse and fraud or to pay a claim to a victim outside the customer relationship.

We mainly collect your personal data directly from you. You provide us with your data when you interact with us, such as when you enter into an insurance or investment service contract, claim compensation, log in to our online service, call our customer service or participate in our competitions. We may also collect data about you by observing how you use our services, especially through cookies. Our use of cookies is described in more detail in the section on cookies.

We also collect your data from third parties, such as parties authorised by you, registers maintained by the authorities, credit information registers, joint registers of insurance companies, medical institutions and other insurance companies. We retrieve the vehicle details from Traficom’s Transport Register.

We update addresses from Posti's address service and cross-check with the Population Information System to ensure that the information is accurate and up-to-date.

Your data will only be processed by LocalTapiola Group companies and employees who need access to the data to perform their duties. Most of our employees are bound by a statutory obligation of secrecy, and each employee must also sign a non-disclosure agreement in which they pledge to keep customer information confidential.

In producing and providing our services, we use partners to whom we transfer personal data for processing. These partners act as our sub-processors and process personal data in accordance with our instructions. We require our sub-processors to protect personal data appropriately and we inspect and audit their operations.

We disclose personal data between the LocalTapiola Group companies insofar as permitted by law. We disclose personal data to parties external to LocalTapiola Group only with your consent or when there is a legal ground or some other legitimate purpose for the disclosure of data. Based on your consent, we may disclose your data for example when issuing a medical institution an authorisation for direct billing or when sending SOK information on your premiums to accrue S Bonus. On the basis of the law, we may disclose your data for example to public authorities, including the tax, prosecution and investigating authorities, and to other insurers. In addition, we may disclose limited amounts of personal data to advertising platform service providers for our marketing purposes, including for the targeting of advertising or for implementing targeted online marketing.

To read more about how we target advertising and online marketing, see “Targeted paid online marketing and joint controllership with advertising platform service providers”. You can find this topic in the Other section at the bottom of the page.

The disclosure of personal data refers to situations where personal data is given to another controller to process. We also transfer personal data for processing purposes to our partners, who process personal data on our behalf and thus act as our sub-processors.

We have defined retention periods for the personal data we collect, taking into account the requirements of legislation and the effectiveness and fluency of business operations, such as insurance and investment services. Occasionally, we may be required by law to retain data for a certain period of time. Where this is not the case, we retain the data for as long as it is necessary for us.

We store data necessary for the customer relationship at least for the duration of the customer relationship. In general, it is necessary for us to continue storing data even after the customer relationship has ended. The retention period of your personal data varies depending on the type of service transactions you have or have had. For example:

  • As a rule, the retention period for insurance and claims data is 100 years from the end of the insurance or the last date of processing of the claim in statutory CTP and accident insurance, and at least 10 years in voluntary types of insurance. Data related to non-life insurance quotes is stored for at least 18 months from the date of the quote.

  • Life insurance and claims data are stored for at least 10 years from the end of the insurance. Data related to life insurance quotes is stored for at least 3 years from the date of the quote.

  • In contracts related to investment services, the retention period of data is, as a rule, 10 years from the termination of the contract.

We record phone calls, audio recordings of online meetings, chat conversations and online messages. They are used for verifying transactions, ensuring the quality of customer service and development and training purposes.

We use automated decision-making. Automated decision-making means that a decision is made entirely on the basis of automated personal data processing without the input of a human. We use automated decision-making to improve the efficiency of our insurance and claims processing and other services we provide, for example.

The data used in automated decision-making include information provided by you and information already in our systems. We may also use personal data obtained from third parties, such as a credit information register, and information about insurance terms and conditions and our internal guidelines.

We will notify you of automated decision-making separately in connection with each service that uses automated decision-making and, if necessary, ask for your consent to its use.

Once you have received the automated decision, you have the right to appeal against it and request that the matter be reviewed by a human employee.

We use automated decision-making in non-life insurance operations in the following contexts, among others:

  • Purchasing insurance

We may use automated decision-making to decide whether or not to grant an insurance purchased online. The automated system may decide to either grant the insurance or forward the matter to an employee for further processing. Automated decisions are based on information provided by the customer, existing information in our systems and information obtained from third parties, such as a credit information register.

  • Claims settlement

We may use automated decision-making to settle claims and as part of other activities related to claims processing. The automated system may decide to either pay the claim or forward the matter to an employee for manual processing. Automated decisions are based on information provided by you, existing information in our systems, and information obtained from third parties, such as the claims register, as well as insurance terms and conditions.

Profiling

We also make use of profiling. Profiling means the automated processing of personal data where we evaluate certain personal characteristics by combining and analysing data.

We use profiling for the following purposes, among others:

  • In insurance processing to price the insurance based on the risk of damage. The risk of damage is calculated based on information about the customer and the insured object.

  • In claims settlement, when we carry out a risk assessment of the damage in order to identify the risk of fraud. The risk assessment is based on information about the customer and claim.

  • For targeted marketing.

We may transfer your personal data outside the EU and EEA within the limits of data protection legislation.

Some external service providers or other recipients of personal data may be located or process personal data outside the EU or EEA. We use the necessary transfer mechanisms and complementary safeguards permitted by law to ensure that the level of protection of personal data is not compromised in situations where the data is transferred outside the EU or EEA. Such transfer mechanisms include, for example, adequacy decisions by the European Commission and the use of standard contractual clauses with recipients of data located outside the EU or EEA.

The standard contractual clauses we use are available on the EU legislative and justice website:

Commission Implementing Decision (2021/914) (eur-lex.europa.eu)

You can also request a copy of the standard contractual clauses by contacting our Data Protection Officer.

We may use your customer due diligence information and other personal data for the prevention, uncovering and investigation of money laundering and the financing of terrorism as prescribed in the Anti-Money Laundering Act, and in bringing under investigation money laundering and financing of terrorism as well as the crime committed to obtain the assets or proceeds of crime involved in the financing of money laundering or the financing of terrorism.

We may use your personal data to determine whether you are subject to international sanctions we are required to comply with.

Finnish insurance companies maintain shared registers about insurance claims and fraudulent claims. Insurance companies disclose information on claims and crimes and suspected crimes against the company to the registers. Insurance companies use the information in the registers when granting insurance and processing claims. The purpose of the registers is to prevent and detect insurance fraud and crime by sharing information between insurance companies. LocalTapiola Group’s insurance companies also disclose information to registers and use the information in the registers.

Claims register

We register information about claims reported to us in the insurance companies' joint claims register. The register collects information on the claim and the insured person. When the insurance company submits the basic information in the claim to the claims register, the company receives information about claims filed by the applicant at other insurance companies. Based on the information in the claims register, we may also exchange more detailed information about claims between other insurance companies. We use the information in the claims register to prevent fraud against insurance companies, with the purpose to prevent a person from filing false claims at several insurance companies.

Fraudulent claims register

We register information on crimes and suspected offences against our insurance operations in the insurance companies' common fraudulent claims register. The register collects information on the claim and the insured person. In addition, we check the information entered in the register. Entering information in the fraudulent claims register requires that a suspected criminal act has been reported to the police or prosecutor. Entries made on the basis of a suspected crime are erased from the register if the person in question is found innocent of the act in a court of law or the case is dropped. We use the information in the fraudulent claims register in insurance handling and claims settlement to prevent and detect crime against insurance companies.

We use the necessary and best-practice technical and organisational data security methods to safeguard personal data. We protect personal data so that it cannot be accessed without authorisation or lost, destroyed or altered without a basis.

We ensure the protection of personal data with firewalls, separation of environments and various encryption and protection technologies, among other measures. We continuously monitor our data security. We make sure that our data centres are secure and access control is at an appropriate level.

Access to personal data is restricted with suitable access rights restrictions, and we apply access rights management processes. Access rights are always based on work duties. Personal data can only be accessed by employees who have a need to do so for the performance of their duties. We monitor to ensure that access rights are necessary at all times and remove expired access rights.

We collect logs on the processing of personal data. Logs indicate what, why and when a processing activity occurred. We use logs to monitor the processing of personal data, ensure that no errors have occurred and investigate possible errors.

Our employees involved in processing personal data are regularly trained and provided with instructions.

We also require our sub-processors to safeguard the data appropriately, and inspect and audit their operations.

Data subjects’ rights

You have a number of rights related to the processing of your personal data, which are described below.

You can exercise your rights by contacting our Data Protection Officer or through other means indicated by us for this purpose. The contact details of our Data Protection Officer can be found at the bottom of this page in the contact information section. Below, under each right, we explain in more detail how you can exercise that particular right.

Please note that, to examine your rights request, we need to be able to identify you. Your exercise of rights request must include adequate identification information, such as your name, personal identity code, postal address and telephone number.

As a rule, exercising your rights is free of charge for you. However, in the case of clearly unfounded or excessive requests, we may charge a reasonable fee or refuse to comply with the request.

If the processing of your personal data is based on your consent, you have the right to withdraw your consent. The withdrawal of consent has no effect on past processing activities.

When requesting consent, we will also tell you how you can withdraw your consent. In matters related to the withdrawal of consent, you can also contact our Data Protection Officer.

You have the right to know whether we process your personal data and, if so, to receive a copy of all your data and detailed information about the processing of your personal data.

Your key customer information is listed in our online service, where you can view the information at any time. If you wish to view your personal data more extensively, you can submit a separate request for access to your data. You can make a request for access from the Omat tiedot (My Information) section of our online service or using the data access request form.

You can send the form or your questions regarding the processing of your data to us using the contact details of our Data Protection Officer.

If your request for access concerns an individual claim, you can most quickly and easily request the data by contacting the party that made the claim settlement decision directly.

Contact details of the Data Protection Officer:

Email:
tietosuoja(at)lahitapiola.fi

Mailing address:
LähiTapiola-ryhmä
Lakiasiat ja compliance / tietosuojavastaava
02010 LÄHITAPIOLA

You have the right to request the rectification (correction) of inaccurate or incomplete data.

Your key customer information is listed in our online service, where you can also manage the information. You can also update your customer information by contacting our customer service or visiting our branch office. You can also send a separate rectification request to our Data Protection Officer.

Data subjects have the right to request the erasure of their personal data.

In certain situations, you have the right to demand the erasure of your data. Personal data may be erased at your request if the retention period of the data has expired or the data is otherwise deemed unnecessary or unjustified. We cannot erase data that must be stored due to a legal obligation or other justified need.

You can submit a data erasure request in the Omat tiedot (My information) section of our online service. You can also send the request to erase your data to our Data Protection Officer.

You have the right to prohibit the processing of your data for direct marketing purposes and for profiling related to direct marketing.

You can manage direct marketing permissions in our online service. You can also prohibit direct marketing and related marketing activities by contacting our customer service or visiting our branch office. You can unsubscribe from direct marketing messages by clicking on the link provided in the message.

In certain situations, you have the right to request that the processing of your data be restricted or otherwise object to the processing of your data. You can also request the transfer of personal data that you have provided in a machine-readable format, where technically feasible.

You can exercise these rights by contacting us with the contact details of our Data Protection Officer.

We use automated decision-making. We will notify you of this separately in connection with each service that uses automated decision-making and, if necessary, ask for your consent to its use.

Once you have received the automated decision, you have the right to appeal against it and request that the matter be reviewed by a human employee.

You can exercise your right by contacting the party that issued the decision.

Privacy statements

LocalTapiola Group has several personal data files, each of which has its own privacy statement. In the privacy statement, we explain important information related to the processing of personal data, such as the controllers, types of personal data collected, purposes of processing and the legal basis for processing.

You can read the privacy statement for our Group’s common customer data file and the privacy statements of other key data files from the links below.

We reserve the right to change and update the privacy statements if necessary.

Privacy statement of the LocalTapiola Group customer data file (PDF)

Privacy statement of the Non-life insurance policies and claims register (PDF)

Privacy statement of the Life insurance policies and claims register (PDF)

Privacy statement of the asset management data file of Asset Management (PDF)

Privacy notice for LocalTapiola Group’s investment business (PDF)

Privacy notice for LocalTapiola Group’s letting business (PDF)

Privacy statement of LocalTapiola Finance Ltd (PDF)

You can obtain other privacy statements by requesting them from our Data Protection Officer. Alternatively, you can read the statements at our branch offices:

  • Customer community privacy statement

  • Privacy statement of LocalTapiola Group's debt collection data file

  • Privacy statement of LocalTapiola Group's related party transactions register

  • Privacy statement of the insider register of LocalTapiola Group's investment activities

  • Privacy statement of LocalTapiola Group's politically exposed persons’ transactions register

  • Privacy statement of the insider register of Asset Management

  • Privacy statement of the loan, collateral and guarantee and credit insurance data file

  • Privacy statement of the insurance and claims history system

  • Privacy statement of the camera surveillance data file

  • Privacy statement of the job applicant data file

  • Privacy statement of LocalTapiola Group's stakeholder register

  • Privacy statement of the whistleblowing channel

Contact details

The following companies belonging to LocalTapiola Group act as the controllers:

Our Group consists of several companies that operate in different lines of business. Each of the companies in our Group acts as the controller of personal data it collects in its own operations.

For more information on companies that belong to LocalTapiola Group, see the Companies section on our website.

In questions and matters related to the processing of personal data, you can contact our Data Protection Officer by email or post.

Contact details of the Data Protection Officer:

Email:
tietosuoja(at)lahitapiola.fi

Mailing address:
LähiTapiola-ryhmä
Lakiasiat ja compliance / tietosuojavastaava
02010 LÄHITAPIOLA

If you feel that our processing of personal data violates the law, you have the right to lodge a complaint with the supervisory authority. In Finland, the supervisory authority is the Data Protection Ombudsman. However, we recommend that you first contact us using the contact details of our Data Protection Officer.

Contact information of the Office of the Data Protection Ombudsman:

Email: tietosuoja@om.fi

Mailing address: PO Box 800, FI-00531 Helsinki

Phone: 029 566 6700

Customer due diligence

We identify and know our owner-customers and partners. Knowing our customers also helps us provide them with even better service.

The first and foremost reason why we ask for your customer information is to ensure that the customer’s interests are met. In addition, as a financial sector operator, LocalTapiola is required by the law to identify and know its customers. By identifying and knowing its customers, LocalTapiola ensures that customer information is up-to-date and prevents abuse in the financial sector.

LocalTapiola has a legal obligation to collect information about the tax liability of its savings, investment and pension insurance customers. The purpose of collecting tax liability information is to prevent tax evasion through foreign financial institutions. LocalTapiola's obligation applies to private individuals, companies, institutions and estates that are our savings, investment and pension insurance customers.

Other

LocalTapiola Group companies have a strong presence in various social media channels. Where applicable, we act as joint controllers of personal data with social media service providers (Meta, LinkedIn and Twitter) for LocalTapiola community pages, messaging services, tracking pixels and visitor data in these channels. This information applies to persons who have interacted with one of the social media community pages managed by LocalTapiola or have accepted social media cookies on the LocalTapiola website.

We process the data subject's personal data on the basis of our legitimate interest. In the case of tracking pixels, the processing is based on the consent given by the data subject. We use the data to maintain community pages, market LocalTapiola Group services, products and offers, carry out competitions and raffles, receive feedback, purchase advertising from social media channels, measure the availability of pages or advertisements, and to provide customer service on social media. We only process data for our own purposes. Social media service providers process data in accordance with their own data protection principles and are generally responsible for compliance with data protection legislation and the implementation of data security and the rights of data subjects. You can manage your privacy settings in the service in question.

We obtain information that a data subject has made public in the service, such as username and profile picture. In addition, the data subject may provide other information on their own initiative through comments, publications or messaging services. We also receive anonymised statistical data about visitors to our community pages and how visitors interact with the page content (Meta Page Insights, LinkedIn Page Analytics and Twitter Analytics). The data we store in the data file is not transferred outside the European Union or European Economic Area.

The controller determines the retention period of personal data, taking into account applicable legislation as well as the needs and efficiency of business operations. The purpose of the retention periods is to secure the rights of both the data subjects and LocalTapiola. We may process comments, posts and messages on community pages until the data subject deletes the comment or post. We may also delete a comment or post earlier if we deem it necessary to ensure the appropriateness of comments and posts, for example. Data subjects may request the deletion of a conversation in the messaging service from the owner of the community page in the service. You can also restrict the processing of your personal data by unliking and/or unfollowing the community page.

Facebook and Instagram

Where applicable, we act as joint controllers with Meta Platforms Ireland Ltd. (Meta) with respect to LocalTapiola’s community pages, messaging service, insights and tracking pixel in the service.

We have signed an addendum on joint controllership, which defines the responsibilities of both controllers regarding compliance with obligations under the EU General Data Protection Regulation (GDPR) and the joint processing of personal data. For more information, please visit: https://www.facebook.com/legal/controller_addendum.

For Facebook Insights (Page Insights), the controllers' responsibilities for complying with their obligations under the GDPR are described in the Page Insights Controller addendum. For more information, please visit: https://www.facebook.com/legal/terms/page_controller_addendum.

Meta processes personal data in accordance with its own privacy policies. For more information about the purposes, legal bases and privacy policies of Meta's processing of personal data as well as the information required by the joint controllership and Articles 13(1)(a) and (b) of the GDPR, please see Facebook's Privacy Policy at www.facebook.com/privacy/policy

LinkedIn

Where applicable, we act as joint controllers with LinkedIn Ireland Unlimited Company (LinkedIn) with respect to LocalTapiola’s community pages, messaging service, insights and tracking pixel in the service.

We have signed an addendum on joint controllership for the processing of visitor data (Page Insights), which defines the responsibilities of both controllers regarding compliance with obligations under the EU General Data Protection Regulation (GDPR) and the joint processing of personal data. For more information, please visit: https://legal.linkedin.com/pages-joint-controller-addendum.

For more information about the purposes, legal bases and privacy policies of LinkedIn's processing of personal data as well as the information required by the joint controllership and Articles 13(1)(a) and (b) of the GDPR, please see LinkedIn's Privacy Policy at https://www.linkedin.com/legal/privacy-policy.

Twitter

Where applicable, we act as joint controllers with Twitter International Unlimited Company (Twitter) with respect to LocalTapiola's community pages, messaging service, insights and tracking pixel in the service.

For more information about the purposes, legal bases and privacy policies of Twitter's processing of personal data as well as the information required by the joint controllership and Articles 13(1)(a) and (b) of the GDPR, please see Twitter's Privacy Policy at https://twitter.com/en/privacy.

Our websites and services may contain links to third-party sites and services and embedded content from third parties, such as Google Maps and YouTube videos.

We use analytics and customer experience cookies to manage the visibility and use of embedded third-party content on our sites and services. Embedded content from third parties will only appear on our website if you have given your consent to the use of such cookies.

Providers of embedded content may place cookies on your browser that allow them to collect data for their own use. These third parties have their own privacy policies, which you can read on their respective websites.

In order to implement the principle of public access, LocalTapiola maintains a description of its data reserves. This is known as the description of document publicity. The purpose of the description is to assist LocalTapiola customers who wish to make a request for information concerning LocalTapiola's documents.

For the purposes of this context, targeted paid online marketing means the targeted displaying of paid advertising elsewhere on the internet than on our own websites together with advertising platform service providers.

LocalTapiola Group companies purchase targeted online marketing from the service providers of various advertising platforms. As applicable, we act as joint controllers in respect of personal data together with each advertising platform service provider (Sanoma, Alma Media, Meta) when we cooperate in the processing of personal data in order to target online marketing on the advertising platform of the service provider in question. We have concluded written agreements on the processing of personal data with all entities that act as joint controllers.

The advertising platform service providers process the personal data we disclose only for targeting our advertising and for displaying it on their advertising platforms to the target groups we have determined. The service providers erase the personal data we disclose once the online marketing has been carried out, and in any case no later than 6 months after that.

We process the data subject’s personal data on the basis of our legitimate interest. In server-side online marketing that is based on online behaviour, data processing is, in part, also based on the data subject’s cookie consent.

Target group list-based online marketing

In target group list-based online marketing, we target advertising based on a target group listing extracted from our registers. Into a tool provided by the advertising platform service provider, we upload the target group list we have compiled. This list contains pseudonymised personal data: a hashed mobile phone number and a hashed email address. The pseudonymisation and hashing procedures we employ mean that personal data are processed into an encoded format in such a way that they are no longer directly identifiable.

The advertising platform service provider compares the pseudonymised target group we uploaded with their own customer records in order to find matching data. After a successful matching process, our and the advertising platform service provider’s combined data create custom audience lists to which our advertising is further targeted on the digital advertising platform (in the media) of the service provider in question.

In target group list-based targeting of advertising, depending on our advertising campaigns, we use solutions provided by three different advertising platform service providers: Meta, Sanoma, and Alma Media.

Server-side targeting of online marketing

In server-side online marketing that is based on online behaviour, we target advertising to users who have visited our website, on the basis of their website visit data. Server-side targeting and marketing is effected only to those users who, when asked for their consent for the use of cookies on our website, accepted the following category: Use of “Advertising” cookies.

Website visit data and the user’s pseudonymised personal data, that is a hashed telephone number and/or a hashed email address, are disclosed, in a server-based manner, from the user’s browser to the advertising platform service provider. For server-based targeting of advertising that is based on online behaviour, we use Meta.

Read more about the data protection policies of the advertising platform service providers we use: