Tenant of residential and commercial premises

Varma engages in letting as part of its investment activities. We process and maintain personal data to execute contractual relationships relating to leasing business and residential premises or to perform pre-contract measures and to see to the obligations and rights relating to property management as well as to protect buildings and their users and to perform services for tenants. In these activities, Varma is the data controller according to the EU’s General Data Protection Regulation.

Colliers Finland Oy is Varma’s partner and the data processor according to the EU’s General Data Protection Regulation in letting and maintaining residential premises. Colliers Finland Oy processes and stores the personal data of Varma’s residential property letting customers on behalf of Varma for the duration required on the basis of the lease relationship between Varma and the tenant. Colliers Finland Oy uses tenants’ personal data and discloses it to Varma’s and Colliers Finland Oy’s subcontractors when providing the tenants with services falling under the lessor’s responsibilities. Personal data is processed in activities related to water consumption, the management of keys, the use of buildings’ sauna, shower and recreational facilities by tenants and the use and repairs made to the apartment and the building.

Lowell Oy is Varma’s partner and the data processor according to the EU’s General Data Protection Regulation in debt collection services relating to rent invoices for business and residential premises and property management invoices. Lowell Oy processes and stores the personal data of Varma’s business and residential premises tenants and personal data relating to property management when taking care of debt collection services relating to rent invoices and property maintenance invoices on behalf of Varma.

In this task, we maintain and process the personal data of housing applicants and tenants and personal data relating to property management.

Your information will be processed in the following matters and activities:

• management of the tenancy of commercial or residential premises (incl. marketing)
• verifying credit rating in accordance with the Credit Data Act to ensure solvency
• management and development of commercial premises customer relationships (incl. marketing)
• property management, incl. the execution of matters related to the maintenance, use, guarding and repairs and energy management of premises, buildings and common areas.

In order to manage the commercial or residential premises lease, Varma has information about you belonging to the following categories of personal data:

• information relating to the lease
• basic information and information for communication and identification
• information about the payment of rent and deposits
• information relating to the rent deposit, such as information about its payment
• information relating to property management

The more detailed content of this information is described below:

• information about leases, lease term, information about rent and any separate fees, such as fee for electricity, water, information about rent adjustment and information about the leased premises/unit
• basic information and information for communication and identification, such as name, personal identity code, postcode, telephone number, e-mail address
• information about the payment of rent and deposits, such as payment history data

• Colliers Finland Oy
• Lowell Oy
• general customer databases and authorities
• persons providing services for property management and maintenance
• Varma's telephone and chat service providers

The above-mentioned parties are bound by the non-disclosure obligations concerning them. They may only disclose the information required for managing your case to Varma in accordance with their non-disclosure regulations.

Varma will store your data for managing the commercial or residential lease. Varma has an obligation to store information about contractual relationships for a pre-defined period and accounting data relating to these contractual relationships for the period specified in accounting legislation. Your data will only be stored for the period specified for managing the commercial or residential lease. After the fixed period, we will erase your data from Varma’s information systems. The fixed periods are as follows:

• data relating to leases and property management invoicing: a minimum of 6 years from the end of the year during which the financial period ended
• taxation-related information relating to leases and property management invoicing: a minimum of 10 years from the end of the financial period
• telephone call recordings: 1 year
• chatbot and chat conversation data: 3 months

• Colliers Finland Oy
• Lowell Oy
• Service providers that offer services according to the Aika Koteja concept to tenants in Aika Koteja locations
• Enforcement authorities for carrying out evictions and rent collection

Personal data may only be processed by persons authorised to do so in accordance with access rights management. Access to personal data, hardware and servers is limited to persons whose duties require it. The persons processing the data are subject to a statutory secrecy obligation, and they have additionally signed a separate non-disclosure agreement.

Subcontractors may also be used for performing services. Subcontractors are subject to the same non-disclosure regulations and commitments as Varma’s employees.

The employees have been instructed in the processing of personal data, and they are trained and tested to understand and prevent risks to the data in the data file.

Compliance with the principles of processing personal data is verified through internal and external audits and by documenting our own operations.

Varma maintains high-quality data security in its internal data network. The transfer of personal data in the public data network is secured using secure and appropriate encryption technology. When transmitted through the public communications network, confidential data is secured by technical measures. The servers used in processing data are located in data centres protected with access control and security systems, and data files containing personal data have been isolated from public information networks with technical security measures. Personal data is stored in secured premises.

The data is backed-up regularly, and log data is collected on the use of data to develop the services and investigate any incidents and cases of abuse.

The confidentiality, integrity, availability, data availability and redundancy of processing systems and services is ensured through various systems and methods, such as data security updates and system audits.

With regard to service companies engaging in data processing, the processing of data is based on agreements and access rights granted and supervised by Varma.

Yes. In such transfers, the protection of personal data is secured through GDPR-compliant transfer mechanisms.

Yes, cookies and other internet identifiers are used in Varma’s online service to ensure the functionality and development of our online service. They also help us improve the safety and user-friendliness of our services and target marketing. The information collected from the online service allows Varma to analyse and develop its services as it knows what data content is of interest to users and how the online service is used. Varma and its marketing partners can also use the information to target communications and marketing messages and to optimise marketing measures. Online service users can accept or prevent the use of cookies in their browser settings. If you disable the cookie function, you may be unable to use some of Varma’s online services.

Read more about cookies

If you would like to get additional information about the processing of personal data at Varma, please contact us by secure email.

You have the right to receive a confirmation of whether personal data about you is processed by Varma. In case we process your personal data, you have the right to receive a copy of the data processed. Please send your request for information by using the personal data request form.

We will provide the information to you within a month of receiving your request. The fixed period may be extended by a maximum of two months in certain situations. If the period is extended, we will inform you of it within one month of receiving your request. What should I do to supplement or rectify my personal data? If you observe a shortcoming, inaccuracy or error in the personal data we have provided to you, you have the right to request your data is supplemented or rectified. The same right applies to outdated information. Please send your request to have your data supplemented or rectified by secure email.

You have the right to request Varma as the controller to erase, for example, outdated information about you. In this case, the data must be erased immediately when there are no longer grounds for the processing. This right applies to situations in which personal data is no longer needed for the purposes for which it was collected or if you withdraw your consent to the processing of data and the processing was based on your consent and there are no other legal grounds for the processing and it does not need to be stored by law.

The right to demand personal data erased referred to in data protection legislation does not apply to situations in which there is a statutory obligation to store the data or the data needs to be stored to prepare, present or defend a legal claim.

Therefore, it is not possible to erase the data based on a demand during the period when it has to be stored in the above-mentioned situations.

However, we will erase your personal data without a separate request after the fixed period for its storage has expired.

If the automatic processing of your data is based on your consent or an agreement drawn up with you, you have the right to obtain the data that pertains to you. This only concerns information that you have submitted to Varma yourself. You can, if you wish, transfer the information in question to another controller. We will deliver the data in a generally used and electric format.

You have the right to have Varma, as the controller, restrict the processing of data about you in certain situations. The restriction on processing refers to marking the stored data with the aim of restricting its subsequent processing.

In spite of this, your data may continue to be stored. You will be notified before the restriction is removed. You can exercise the right if you deny the accuracy of the data or lawfulness of processing, for example. Processing will be restricted while the accuracy of the data or lawfulness of processing is ensured. In addition, you have the right to object to direct marketing (including profiling) if your data will be processed for direct marketing purposes.

Yes. – You have the right to object to direct marketing if your data will be processed for direct marketing purposes.

If Varma refuses to take measures based on your request, we will inform you of the legal grounds for our negative reply without delay and within a month of receiving your request at the latest. You can submit the matter to the Data Protection Ombudsman if you have received a negative reply to your request from Varma. We will include the contact details of the Data Protection Ombudsman in our reply. You may appeal against the decision of the Data Protection Ombudsman by appealing to the Administrative Court in accordance with the Administrative Judicial Procedure Act. The decision of the Data Protection Ombudsman includes instructions for appeal, which provides you with instructions for appealing to the Administrative Court.

Send a secure email

This document is based on the requirements of the EU’s General Data Protection Regulation.