YEL insured person

On what grounds and for what purpose will Varma process my data?

Varma provides statutory pension cover in accordance with the Self-employed Persons Pensions Act (YEL). In this task, we maintain and process personal data about you.

Your information will be processed in the following matters and activities:

  • YEL insurance, insurance management
  • determination and collection of the YEL insurance contribution
  • advice for self-employed persons

These measures included in Varma’s statutory task are specified exhaustively in legislation. We will not process your personal data for any purposes other than those mentioned above.

What information about me will Varma process?

In order to carry out its statutory task, Varma has information about you belonging to the following category of personal data:

  • basic information and information for communication and identification, and online and electronic service user data

The more detailed content of this information is described below:

  • basic information and information for communication and identification: name, personal identity code, Business ID, contact information (street address, postcode, city/town, country of residence, telephone number, e-mail address)
  • online and electronic service user data
  • information required for managing the insurance-related matter, such as role, language preference, self-employed person’s insurance information, taxation information, insurance documents, date of commencement and end of entrepreneurial activity, commencement date of liability, earnings information, insurance contribution percentage and date of death
  • information relating to the determination and collection of the insurance contribution, such as banking information for payments, e-invoice data, information on the payer of insurance contributions, authorisation for managing insurance matters, insurance collection data, insurance invoicing and debt collection data, insurance contribution payment data

From whom does Varma obtain the information required?

We regularly receive information for the management of your pension-related matters from:

  • the policyholder’s notification
  • insurance application
  • Finnish Centre for Pensions
  • Population Information System
  • registers of the authorities
  • Arek’s earnings and accrual system and information service
  • banks
  • from other pension institutions and insurance companies
  • tax administration
  • Kela (Social Insurance Institution of Finland)
  • Trade Register
  • Suomen Asiakastieto Oy
  • Varma’s telephone and chat service providers

The above-mentioned parties are bound by the non-disclosure obligations concerning them. They may only disclose the information required for managing your case to Varma in accordance with their non-disclosure regulations.

How long will Varma store my data?

Varma has a statutory duty to store your data in the provision of earnings-related pension. With regard to storage, we comply with the provisions of employment pension legislation (Employees Pensions Act TyEL section 218 and Self-Employed Persons’ Pensions Act YEL section 160). Your data will only be stored for the period specified for managing the insurance-related matter. After the fixed period, we will erase your data from Varma’s information systems. The fixed periods are as follows:

  • information relating to insurance, management of insurance contribution, determination of insurance contribution (and debt collection): validity of insurance and following 10 years
  • appeal: 50 years, unless the data has to be stored as pension or insurance documents for a longer period
  • telephone call recordings: 6 calendar months
  • chat service data: 1 month and seven days

To whom may Varma disclose my information?

Varma may only disclose your information to parties with a statutory right to receive the information for a purpose specified by law. Such parties include various authorities in the way separately set out in legislation. In addition, we use subcontractors in the processing and storage of information. According to law, Varma is liable for their activities as strictly as it is for its own operations.

For insurance and insurance management purposes, the following parties, among others, have the right to access the data by law:

  • Finnish Centre for Pensions
  • tax administration
  • other pension or insurance institution

What kinds of safety measures and procedures will Varma use to protect my personal data?

Personal data may only be processed by persons authorised to do so in accordance with access rights management. Access to personal data, hardware and servers is limited to persons whose duties require it. The persons processing the data are subject to a statutory secrecy obligation, and they have additionally signed a separate non-disclosure agreement.

Subcontractors may also be used for performing services. The subcontractors are subject to the same non-disclosure regulations and commitments as Varma’s employees.

The employees have been instructed in the processing of personal data, and they are trained and tested to understand and prevent risks to the data in the data file.

Compliance with the principles of processing personal data is verified through internal and external audits and by documenting our own operations.

Varma maintains high-quality data security in its internal data network. The transfer of personal data in the public data network is secured using secure and appropriate encryption technology. When transmitted through the public communications network, confidential data is secured by technical measures. The servers used in processing data are located in data centres protected with access control and security systems, and data files containing personal data have been isolated from public information networks with technical security measures. Personal data is stored in secured premises.

The data is backed-up regularly and log data is collected on the use of data to develop the services and investigate any incidents and cases of abuse.

The confidentiality, integrity, availability, data availability and redundancy of processing systems and services is ensured through various systems and methods, such as data security updates and system audits.

With regard to service companies engaging in data processing, the processing of data is based on agreements and access rights granted and supervised by Varma.

Will my data be transferred and processed outside the EU/EEA?

Yes. – In such transfers, the protection of personal data is secured through contractual arrangements pursuant to the EU model clauses.

Will automated decisions or profiling be made on the basis of my data?

No.

How can I get additional information about the processing of my personal data?

Please send your request to have your data supplemented or rectified by secure email.

Do I have the right to be informed of the personal data concerning me?

You have the right to receive a confirmation of whether personal data about you is processed by Varma. In case we process your personal data, you have the right to receive a copy of the data processed. Please send your request for information by secure email.

We will provide the information to you within a month of receiving your request. The fixed period may be extended by a maximum of two months in certain situations. If the period is extended, we will inform you of it within one month of receiving your request.

What should I do to supplement or rectify my personal data?

If you observe a shortcoming, inaccuracy or error in the personal data we have provided to you, you have the right to request your data is supplemented or rectified. The same right applies to outdated information. Please send your request to have your data supplemented or rectified by secure email.

Do I have the right to have my personal data erased?

The right to demand personal data to be erased referred to in data protection legislation does not apply to the processing of data in Varma’s statutory pension insurance operations or situations in which there is a statutory obligation to store the data or the data needs to be stored to prepare, present or defend a legal claim. Therefore, it is not possible to erase the data pertaining to pension insurance based on a demand during the period when it has to be stored for managing statutory pension insurance. However, we will erase your personal data without a separate request after the statutory fixed period for its storage has expired.

Can I prohibit or restrict the processing of my personal data?

Since it concerns the implementation of statutory pension security, Varma is obligated to process your personal data, and the processing cannot be prohibited. The right to demand the restriction of personal data processing referred to in data protection legislation does not apply to statutory pension insurance operations, so it is not possible to restrict the processing of data.

Can I demand that my personal data be transferred to another system?

The right to demand the transfer of personal data to another system referred to in data protection legislation does not apply to statutory pension insurance operations, so it is not possible to transfer your data.

To whom may I complain about the processing of my personal data?

If Varma refuses to take measures based on your request, we will inform you of the legal grounds for our negative reply without delay and within a month of receiving your request at the latest. You can submit the matter to the Data Protection Ombudsman if you have received a negative reply to your request from Varma. We will include the contact details of the Data Protection Ombudsman in our reply. You may appeal against the decision of the Data Protection Ombudsman by appealing to the Administrative Court in accordance with the Administrative Judicial Procedure Act. The decision of the Data Protection Ombudsman includes instructions for appeal, which provides you with instructions for appealing to the Administrative Court.

How can I contact Varma?

Send a secure email.

What are the legal grounds of this document?

This document is based on the requirements of the EU’s General Data Protection Regulation.