Privacy and security policy
Privacy Policy for Marketing and Customer Communication
Varma provides earnings-related pension insurance in accordance with the Employees Pensions Act (TyEL) and the Self-employed Persons Pensions Act (YEL), and in connection with this task, the company invests pension assets profitably and securely. As part of this task, we maintain and process personal data, and communicate about our products and services to our client companies’ contact persons and to our potential clients. The collection of your personal data is based on law, consent or Varma’s or a third party’s legitimate interest.
On what basis and for what purpose does Varma process my personal data?
Varma provides earnings-related pension insurance in accordance with the Employees Pensions Act (TyEL) and the Self-employed Persons Pensions Act (YEL), and in connection with this task, the company invests pension assets profitably and securely.
As part of this task, we maintain and process personal data, and communicate about our products and services to our client companies’ contact persons and to our potential clients. The collection of your personal data is based on law, consent or Varma’s or a third party’s legitimate interest.
Your personal data is processed for the following purposes:
- customer communications
- newsletters and other direct marketing
- implementation and analysis of campaigns and events
- targeted advertising linked to web analytics in Varma’s channels and on other online platforms
- questionnaires, surveys and statistics
- development of online platforms
If a partner of Varma is involved in implementing these purposes, your personal data may also be processed in that context.
What data pertaining to me does Varma process?
We save the personal data of potential customers (separate approval) and of current client companies’ individuals in a marketing register for direct marketing and communication purposes. This data includes:
- name of data subject
- role or profession
- age
- gender
- native language
- identifiers linked to the data subject
- contact details: postal address, telephone number, email address, IP address
In addition:
When it comes to implementing and monitoring campaigns and events, we collect personal data in a marketing register, but only to the extent necessary for the event or campaign, and the individual’s privacy is not compromised. Personal data collected in connection with events and campaigns is stored for a short period of time and only for as long as there are grounds to save the data.
The personal data of Varma’s client companies’ contact persons is also saved in the marketing register for targeted marketing communications.
In order to implement consent and prohibition obligations for direct marketing, the marketing consents and prohibitions given by data subjects may also be processed in the marketing register.
From whom does Varma receive the data necessary for managing my affairs?
The data of Varma’s client companies’ contact persons is received in the marketing register from Varma’s customer register, residential and business premises tenants’ register and investment operations’ register. Data is also obtained from the providers of Varma’s phone and chat service. The data used in marketing is also obtained from the data subjects themselves, by collecting data on the use of the services, from the downloading of content and in connection with marketing events.
Personal data may also be acquired from third-party data sources.
How long will Varma store my data for?
Personal data related to managing earnings-related pension insurance is processed and stored in the manner described in Varma’s statement concerning processing activities and informing the data subject.
For marketing and customer communications, personal data is stored on the same basis. If you do not have a client relationship with Varma, you can influence whether you are included in the marketing register, either by changing your cookie settings or by prohibiting direct marketing. Permanent cookies remain on the device of the user who visited the website until the user or the server that sent the cookies removes them. Cookie expiry periods can be checked with the party maintaining the cookies. Phone call recordings are stored for one year, and chatbot and chat conversation data for 3 months.
Who can Varma disclose my data to?
We only disclose personal data in accordance with the right to information and in accordance with disclosure rights and obligations based on legislation.
Personal data processing carried out on behalf of Varma Mutual Pension Insurance Company is always based on personal data processing contracts and on guidelines that define the rights and obligations of the parties in terms of processing and protecting personal data.
Varma processes personal data primarily in Finland, the EU/EEC area or in other countries with an adequate level of data protection that are approved by the EU Commission.
What safeguards and measures does Varma take to protect my personal data?
Personal information may be processed only by those who are authorised to do so, in accordance with access management. Access to personal data, devices and servers is limited to those individuals who require it to perform their work tasks. The persons processing personal data are subject to a statutory obligation of secrecy, and they have signed a separate non-disclosure agreement.
Subcontractors may also be used to carry out the services. Subcontractors are subject to the same confidentiality rules and secrecy obligations as Varma’s personnel.
Personnel have been given instructions on personal data processing, and they are trained and tested in understanding and preventing the risks that threaten register data.
Internal and external audits, as well as documentation on the company’s own operations, demonstrate compliance with the principles of data processing.
Varma maintains a high level of data security in its internal data network. When personal data is transferred in the public data network, secure and appropriate encryption technology is used. Confidential data that is sent via the public data transmission network is secured by technical means. The servers used for data processing are located in data centres that are protected by access control and security systems, and data registers containing personal data are segregated from public data networks through technical security arrangements. Personal data is stored in secure business facilities.
The data is regularly backed up, and log data on its use is collected in order to develop the services and to investigate possible errors and misuse.
The confidentiality, integrity, usability, data availability, and resilience of processing systems and services are ensured through various systems and methods, such as information security updates and system audits.
For service companies handling data processing tasks, data processing is based on contracts and on user rights granted and controlled by Varma.
Is my personal data transferred and processed outside the EU/EEC?
Yes. In such transfers, the protection of personal data is secured through GDPR-compliant transfer mechanisms.
Is my personal data subject to automatic decision-making and profiling?
Yes, the cookies and other internet identifiers used on Varma’s website enable well-functioning web services and development work, improve the security and user-friendliness of the service, and enable targeted marketing.
Based on the data collected through the website, Varma can analyse and develop its services based on knowing the contents that users are interested in and how the web services are used.
The data can also be used to target Varma’s and its marketing partners’ marketing and communications, and to optimise marketing measures.
Users of the website can consent to or prohibit the use of cookies through their browser settings. If cookies are disabled, it is possible that some services on Varma’s website cannot be used.
Where can I find more information about the processing of my personal data?
If you would like more information on personal data processing at Varma, send a secure email.
Do I have the right to receive information about personal data that concerns me?
You have the right to receive confirmation about whether personal data pertaining to you is processed at Varma. If we do process your personal data, you have the right to receive a copy of the data being processed. Please send your request for such information by using the personal data request form.
We will deliver the information to you no later than one month after we have received your request. In certain situations, this period may be extended by a maximum of two months, in which case we will inform you within one month of receiving your request.
How do I go about supplementing or correcting my personal data?
If you notice that your personal data contains incomplete, inaccurate or erroneous information, you have the right to request that your personal data be rectified. The same applies to expired data. Please send a request to have your data supplemented or rectified in a secure email.
Do I have the right to have my personal data deleted?
The right to demand that personal data be erased, as referred to in data protection legislation, does not apply to data processed as part of Varma’s statutory pension insurance operations, nor to situations where the data is necessary for the establishment, exercise or defence of legal claims. It is thus not possible to delete, based on a request, data related to pension insurance during the period when such data is necessary for managing statutory pension insurance.
We will, however, automatically delete your personal data once the statutory period for storing the data has expired.
If you do not have a client relationship with Varma, you can request that your data be erased from the marketing register at any time, either by unsubscribing yourself or by contacting Varma in a secure email.
Can I prohibit or restrict the processing of my personal data?
Since this concerns the implementation of statutory pension cover, Varma is obligated to process your personal data, and such processing cannot be prohibited. The right to demand the restriction of personal data processing as referred to in data protection legislation does not apply to statutory pension insurance operations, which means it is not possible to restrict the processing of data.
If you are not in a contractual relationship with Varma, you can control the processing of your personal data in the web environment by prohibiting cookies, and you can opt out of the marketing register at any time by unsubscribing yourself when you receive our message.
Where can I complain about the processing of my personal data?
If Varma refuses to carry out measures according to your request, we will inform you of the legal grounds for our refusal without delay and no later than one month after we have received your request. If Varma refuses your request, you can take the matter to the office of the data protection ombudsman. We will include the contact details of the office of the data protection ombudsman in our response letter. You have the possibility to file an appeal against the data protection ombudsman’s decision with the Administrative Court, in accordance with the Administrative Judicial Procedure Act. The data protection ombudsman’s decision includes instructions on how to appeal against the decision with the Administrative Court.
How can I contact Varma?
What is the legal basis for this Privacy Statement?
This Privacy Statement is based on the requirements of the European Union’s General Data Protection Regulation (GDPR).