Pension customer or rehabilitee

Varma provides statutory pension cover in accordance with the Employees Pensions Act (TyEL) and the Self-employed Persons Pensions Act (YEL). In this task, we maintain and process personal data about pensioners.

Privacy Statement

Varma provides statutory pension cover in accordance with the Employees Pensions Act (TyEL) and the Self-employed Persons Pensions Act (YEL). In this task, we maintain and process personal data about pensioners. Your information will be processed in the following matters and activities:

  • management of a pension or rehabilitation case
  • measures relating to pension taxation
  • advice and pension estimates
  • determination of pension liabilities and related statutory statistics
  • consistent application of legislation
  • implementation of Varma’s research activities.

These measures included in Varma’s statutory task are specified exhaustively in legislation. In terms of research activities, the grounds for processing are the research subject’s consent or legislation. Personal data may also be processed in connection with the testing and quality assurance of service-related IT systems. We will not process your personal data for any purposes other than those mentioned above.

In order to carry out its statutory task, Varma has information about you belonging to two categories of personal data:

  • basic information and information for communication and identification, and
  • information required for managing the pension or rehabilitation case, pension advice and pension payment and debt collection

The more detailed content of this information is described below:

  • basic information and information for communication and identification: last name, first name, date of birth, language, personal identity code, contact information (street address, postcode, city/town, country of residence, telephone number, e-mail address), online and electronic service user data
  • information required for managing a pension or rehabilitation case, such as occupation, date of death, family status data (guardianship data, children, information about spouse, i.e. marriage or registered partnership), spouse’s last name, first name and personal identity code, information about the validity of marriage or partnership, employer, information relating to the calculation of pension (employment history with income data), benefit decision history, retirement age, information about the accrual of pension
  • information relating to the payment of benefits, such as banking information for payments, amount, benefit recipients, taxation information
  • information about debt collection and enforced collection, such as fees and off-sets from pension, enforced collection from pension
  • information about other paid or rejected social benefits based on, for example, traffic or accident insurance, benefit application to Kela and decision concerning it
  • information based on pension estimate and other pension advice
  • information about legal representative, such as the legal representative’s name and contact information

Information about your health will be processed only when required for managing your case and only in the way specifically referred to in legislation.

We regularly receive information for the management of your pension or rehabilitation case from:

  • employer
  • Finnish Centre for Pensions
  • tax administration
  • registers of the authorities
  • Arek’s earnings and accrual system and information service
  • physicians, health care service and rehabilitation providers
  • unemployment insurance fund
  • employment authorities
  • the Digital and Population Data Services Agency
  • other pension institutions and insurance companies
  • social welfare authorities
  • enforcement authorities
  • Social Insurance Institution of Finland (Kela)
  • banks
  • Varma’s telephone and chat service providers

The above-mentioned parties are bound by the non-disclosure obligations concerning them. They may only disclose the information required for managing your case to Varma in accordance with their non-disclosure regulations.

Varma has a statutory duty to store your data in the provision of earnings-related pension. With regard to storage, we comply with the provisions of employment pension legislation (Employees Pensions Act TyEL section 218 and Self-Employed Persons’ Pensions Act YEL section 160). Your data will only be stored for the period specified for managing the pension or rehabilitation case. After the fixed period, we will erase your data from Varma’s information systems. The fixed periods are as follows:

  • management of a pension and rehabilitation case, payment of pensions: lifetime and following 5 calendar years
  • survivors' pension: time of payment of survivors' pension and following 5 calendar years
  • pension advice: 5 calendar years (e.g. a pension estimate is stored for 5 years after its calculation)
  • appeal: 50 years, unless the data has to be stored as pension or insurance documents for a longer period
  • calculation of pension liabilities for the employer: lifetime and following 6 calendar years
  • telephone call recordings: 6 calendar months
  • chat service data: 1 month and seven days
  • information related to making an appointment at a customer service point: 6 months
  • research activities: the material is stored for as long as it is used for research purposes, after which it is destroyed

Varma may only disclose your information to parties with a statutory right to receive the information for a purpose specified by law. Such parties include various authorities in the way separately set out in legislation. In addition, we use subcontractors in the processing and storage of information. According to law, Varma is liable for their activities as strictly as it is for its own operations. In order to manage your pension or rehabilitation case, the following parties, among others, have the right to access the data according to law:

  • your employer
  • Finnish Centre for Pensions
  • tax administration
  • other pension or insurance institution
  • Social Insurance Institution of Finland (Kela)
  • unemployment insurance fund
  • social welfare authority
  • employment authority
  • enforcement authority
  • Pension Appeals Court
  • Insurance Court
  • bank (for example Nordea, whose website contains a record of personal data processing)
  • intermediate bank (Danske Bank, whose website contains a record of personal data processing)

There are no legal provisions concerning the disclosure of data for the purpose of the planning and implementation of your rehabilitation, which means that we can disclose your information only based on your consent at that time. The following parties have the right to access the data for the purpose of your rehabilitation planning and implementation:

  • your employer
  • rehabilitation partner
  • Social Insurance Institution of Finland (Kela)

With your consent, we may ask your employer to provide more information on your work duties (we will not disclose your health data), assign a rehabilitation counsellor to prepare a rehabilitation plan or ask Kela to provide benefits data concerning you.

You have the right to withdraw your consent at any time through Varma’s eServices on the Messages and attachments page. Withdrawing your consent has no effect on the lawfulness of any processing that took place before consent was withdrawn. To ensure the progress of rehabilitation, it may nevertheless be necessary to disclose your data to parties involved in the implementation of the rehabilitation programme, which is why a revocation may hamper the processing of your rehabilitation matter.

Personal data may only be processed by persons authorised to do so in accordance with access rights management. Access to personal data, hardware and servers is limited to persons whose duties require it. The persons processing the data are subject to a statutory secrecy obligation, and they have additionally signed a separate non-disclosure agreement.

Subcontractors may also be used for performing services. The subcontractors are subject to the same non-disclosure regulations and commitments as Varma’s employees.

The employees have been instructed in the processing of personal data, and they are trained and tested to understand and prevent risks to the data in the data file.

Compliance with the principles of processing personal data is verified through internal and external audits and by documenting our own operations.

Varma maintains high-quality data security in its internal data network. The transfer of personal data in the public data network is secured using secure and appropriate encryption technology. When transmitted through the public communications network, confidential data is secured by technical measures. The servers used in processing data are located in data centres protected with access control and security systems, and data files containing personal data have been isolated from public information networks with technical security measures. Personal data is stored in secured premises.

The data is backed-up regularly and log data is collected on the use of data to develop the services and investigate any incidents and cases of abuse.

The confidentiality, integrity, availability, data availability and redundancy of processing systems and services is ensured through various systems and methods, such as data security updates and system audits.

With regard to service companies engaging in data processing, the processing of data is based on agreements and access rights granted and supervised by Varma.

Yes. In such transfers, the protection of personal data is secured through GDPR-compliant transfer mechanisms.

We utilise automated decision-making in our pension processing. The automation speeds up and improves the processing. We always take legal and good governance requirements into account in this processing. You have the right to appeal a decision. More information will be given in connection with the decision.

If you would like to get additional information about the processing of personal data at Varma, please contact us by secure email.

You have the right to receive a confirmation of whether personal data about you is processed by Varma. In case we process your personal data, you have the right to receive a copy of the data processed. Please send your request for information by using the personal data request form.

We will provide the information to you within a month of receiving your request. The fixed period may be extended by a maximum of two months in certain situations. If the period is extended, we will inform you of it within one month of receiving your request. What should I do to supplement or rectify my personal data? If you observe a shortcoming, inaccuracy or error in the personal data we have provided to you, you have the right to request your data is supplemented or rectified. The same right applies to outdated information. Please send your request to have your data supplemented or rectified by secure email.

The right to demand personal data to be erased referred to in data protection legislation does not apply to the processing of data in Varma’s statutory pension insurance operations or situations in which there is a statutory obligation to store the data or the data needs to be stored to prepare, present or defend a legal claim. Therefore, it is not possible to erase the data pertaining to pension insurance based on a demand during the period when it has to be stored for managing statutory pension insurance. However, we will erase your personal data without a separate request after the statutory fixed period for its storage has expired.

Since it concerns the implementation of statutory pension security, Varma is obligated to process your personal data, and the processing cannot be prohibited. The right to demand the restriction of personal data processing referred to in data protection legislation does not apply to statutory pension insurance operations, so it is not possible to restrict the processing of data.

The right to demand the transfer of personal data to another system referred to in data protection does not apply to statutory pension insurance operations, so it is not possible to transfer your data.

If Varma refuses to take measures based on your request, we will inform you of the legal grounds for our negative reply without delay and within a month of receiving your request at the latest. You can submit the matter to the Data Protection Ombudsman if you have received a negative reply to your request from Varma. We will include the contact details of the Data Protection Ombudsman in our reply. You may appeal against the decision of the Data Protection Ombudsman by appealing to the Administrative Court in accordance with the Administrative Judicial Procedure Act. The decision of the Data Protection Ombudsman includes instructions for appeal, which provides you with instructions for appealing to the Administrative Court.

Send a secure email

This document is based on the requirements of the EU’s General Data Protection Regulation.

Updated 2 September 2021

© Varma Mutual Pension Insurance Company