Most companies will have made extensive progress in preparing for the General Data Protection Regulation (GDPR) by the time the regulation enters into force next spring, on 25th May 2018. The challenges in applying the regulation will vary, depending on whether the company’s operations are purely commercial or statutory, or somewhere in between.
As insurance under the Employees Pensions Act (TyEL) is based on a contract, Varma has received questions from its client companies about whether the GDPR will bring new obligations or require additional measures related to Varma.
Varma ensures compliance with GDPR when processing its clients’ personal data
Varma’s client companies do not need to take any additional measures concerning personal data related to earnings-related pension insurance.
As an implementer of statutory earnings-related pension insurance, Varma ensures that the requirements of the GDPR are met when processing the personal data of the insured employees of its client companies and pensioners. No new contracts, documents or other actions related to pension insurance are thus needed from client companies in order to meet the requirements of the GDPR.
TyEL insurance is based on an insurance contract. According to this contract, the employer transfers the risk of implementing pension insurance and managing pension assets to the earnings-related pension company against an insurance contribution. Under the GDPR, the earnings-related pension insurance company is the controller, as its processing purposes are defined in Finnish legislation. Varma’s client companies are also controllers, but under an insurance contract, the processing of personal data related to the arrangement of pension cover is transferred to Varma and, as the implementer of statutory pension cover, Varma is the controller as referred to in the regulation.
Varma is also responsible for the processing of personal data by its subcontractors
Varma’s position and task as a private earnings-related pension insurer are statutory, and the company looks after the pension cover and related personal data as an independent controller. To the extent that Varma has outsourced tasks related to personal data processing, the company governs the lawfulness of the subcontractor relationship on a contractual basis. Such contracts are typically ICT contracts, for example. The operations of the subcontractor, referred to as the “Processor” in the EU regulation, are also laid down in the regulation. From Varma’s and its customers’ point of view, the GDPR offers the controller a tool for managing personal data processing according to the rules in subcontractor relationships as well. When it comes to personal data processing, Varma is responsible for the operations of its subcontractors in the same way as for its own.