Varma provides statutory pension cover in accordance with the Employees Pensions Act (TyEL) and the Self-employed Persons Pensions Act (YEL). In this task, we maintain and process personal data about insured persons.
Your information will be processed in the following matters and activities:
- insurance, insurance management
- determination of pension contribution liabilities and related statutory statistics
These measures included in Varma’s statutory task are specified exhaustively in legislation. We will not process your personal data for any purposes other than those mentioned above.
In order to carry out its statutory task, Varma has information about you belonging to two categories of personal data:
- basic information and information for communication and identification, and
- insurance, insurance contributions and determination of insurance contribution
The more detailed content of this information is described below:
- basic information and information for identification: last name, first name, personal identity code
- information required for insurance and insurance management, such as information relating to insured employees’ employment relationships (employer, commencement and end of employment relationship, earnings information), information about the pension cover included in the insurance
We regularly receive information for the management of your pension or rehabilitation case from:
- Finnish Centre for Pensions
- registers of the authorities
- Arek’s earnings and accrual system and information service
- other pension institutions and insurance companies
- Varma’s telephone and chat service providers
The above-mentioned parties are bound by the non-disclosure obligations concerning them. They may only disclose the information required for managing your case to Varma in accordance with their non-disclosure regulations.
Varma has a statutory duty to store your data in the provision of earnings-related pension. With regard to storage, we comply with the provisions of employment pension legislation (Employees Pensions Act TyEL section 218 and Self-Employed Persons’ Pensions Act YEL section 160). Your data will only be stored for the period specified for managing the pension or rehabilitation case. After the fixed period, we will erase your data from Varma’s information systems. The fixed periods are as follows:
- information relating to insurance, management of insurance contribution, determination of insurance contribution (and debt collection): validity of insurance and following 10 years
- calculation of TyEL insurance contribution liability: lifetime of the TyEL insured person and following 6 calendar years
- appeal: 50 years, unless the data has to be stored as pension or insurance documents for a longer period
- telephone call recordings: 6 calendar months
- chat service data: 1 month and seven days
- information related to making an appointment at a customer service point: 6 months
Varma may only disclose your information to parties with a statutory right to receive the information for a purpose specified by law. Such parties include various authorities in the way separately set out in legislation. In addition, we use subcontractors in the processing and storage of information. According to law, Varma is liable for their activities as strictly as it is for its own operations. For insurance and insurance management purposes, the following parties, among others, have the right to access the data by law:
- your employer
- Finnish Centre for Pensions
- tax authorities
- other pension or insurance institution
Personal data may only be processed by persons authorised to do so in accordance with access rights management. Access to personal data, hardware and servers is limited to persons whose duties require it. The persons processing the data are subject to a statutory secrecy obligation, and they have additionally signed a separate non-disclosure agreement.
Subcontractors may also be used for performing services. The subcontractors are subject to the same non-disclosure regulations and commitments as Varma’s employees.
The employees have been instructed in the processing of personal data, and they are trained and tested to understand and prevent risks to the data in the data file.
Compliance with the principles of processing personal data is verified through internal and external audits and by documenting our own operations.
Varma maintains high-quality data security in its internal data network. The transfer of personal data in the public data network is secured using secure and appropriate encryption technology. When transmitted through the public communications network, confidential data is secured by technical measures. The servers used in processing data are located in data centres protected with access control and security systems, and data files containing personal data have been isolated from public information networks with technical security measures. Personal data is stored in secured premises.
The data is backed up regularly, and log data is collected on the use of data to develop the services and investigate any incidents and cases of abuse.
The confidentiality, integrity, availability, data availability and redundancy of processing systems and services are ensured through various systems and methods, such as data security updates and system audits.
With regard to service companies engaging in data processing, the processing of data is based on agreements and access rights granted and supervised by Varma.
Yes. In such transfers, the protection of personal data is secured through GDPR-compliant transfer mechanisms.
If you would like to get additional information about the processing of personal data at Varma, please contact us by secure email.
You have the right to receive a confirmation of whether personal data about you is processed by Varma. In case we process your personal data, you have the right to receive a copy of the data processed. Please send your request for information by using the personal data request form.
We will provide the information to you within a month of receiving your request. The fixed period may be extended by a maximum of two months in certain situations. If the period is extended, we will inform you of it within one month of receiving your request.
If you observe a shortcoming, inaccuracy or error in the personal data we have provided to you, you have the right to request that your data be supplemented or rectified. The same right applies to outdated information. Please send your request to have your data supplemented or rectified by secure email.
The right, referred to in data protection legislation, to demand that personal data be erased does not apply to the processing of data in Varma’s statutory pension insurance operations or to situations in which there is a statutory obligation to store the data or the data needs to be stored to prepare, present or defend a legal claim. Therefore, it is not possible to erase the data pertaining to pension insurance based on a demand during the period when it has to be stored for managing statutory pension insurance.
However, we will erase your personal data without a separate request after the statutory fixed period for its storage has expired.
Since it concerns the implementation of statutory pension security, Varma is obligated to process your personal data, and the processing cannot be prohibited. The right to demand the restriction of personal data processing referred to in data protection legislation does not apply to statutory pension insurance operations, so it is not possible to restrict the processing of data.
The right to demand the transfer of personal data to another system referred to in data protection legislation does not apply to statutory pension insurance operations, so it is not possible to transfer your data.
If Varma refuses to take measures based on your request, we will inform you of the legal grounds for our negative reply without delay and within a month of receiving your request at the latest. You can submit the matter to the Data Protection Ombudsman if you have received a negative reply to your request from Varma. We will include the contact details of the Data Protection Ombudsman in our reply. You may appeal against the decision of the Data Protection Ombudsman by appealing to the Administrative Court in accordance with the Administrative Judicial Procedure Act. The decision of the Data Protection Ombudsman includes instructions for appeal, which explain how to appeal to the Administrative Court.
This document is based on the requirements of the EU’s General Data Protection Regulation.
© Varma Mutual Pension Insurance Company