Data protection is an integral part of insurance operations. On this page you can find information on how Nordea Life Assurance processes your personal data.
At Nordea Life Assurance, we process individuals’ personal data for a number of reasons. When we write «you», we mean you as a customer, a potential customer, our customer’s employee, a tenant or other relevant party, such as a beneficial owner, authorised representative and a key person of a company.
1. What personal data Nordea Life Assurance collects
Personal data is in most cases collected directly from you or generated as part of the use of Nordea Life Assurance's services and products. Sometimes additional information is required to keep information up to date or to verify information we collect.
The personal data we collect can be grouped into the following categories:
- Identification information: personal identity number and name. We are obliged to collect documentation of such information, for instance in the form of copies of your passport, driver’s licence, or the like.
- Contact information: phone numbers and addresses, including postal address – in the case of a foreign address, also the home country.
- Financial information: type of agreement, transactional data, credit history and insurance history. In addition, if you apply for risk life insurance with high cover, we ask for additional information on your financial standing.
- Information related to legal requirements: country of taxation or foreign tax payer reference, information related to customer due diligence and anti-money laundering requirements.
- Special categories of data: information concerning health is needed for life insurance policies and the processing of claims. The Finnish data protection act allows insurance companies to process health data, as it is essential for assessing the risks of the insured and for processing claims. Nordea Life Assurance Finland requests health data that is relevant upon concluding an insurance contract from the insured and, with a power of attorney provided by the insured, from physicians, hospitals, maternity clinics, occupational health care units, mental health services, social welfare units, other insurance companies and pension institutions. Nordea Life Assurance Finland may disclose health data to Nordea Insurance with the consent of the insured.
Personal data we may collect from you:
Nordea Life Assurance collects information you provide directly to us. For example, we collect personal data on new customers, such as name, national identification number, e-mail address and phone number, income and debt information to be able to provide you with the product or service in question. We also collect information which you provide us with, such as messages you have sent us, eg feedback or a request in our digital channels.
Calls and chat conversations with you may also be recorded and logged for verification of orders, documentation, and for quality control and development purposes. For security purposes, we may have cameras in our branch offices and at ATMs.
Personal data that we may collect from third parties:
- Publicly available and other external sources; register held by governmental agencies (such as population registers and registers held by tax authorities, company registration offices, enforcement authorities, etc), sanction lists (held by international organisations such as the EU and UN as well as national organisations such as the Office of Foreign Assets Control (OFAC)), registers held by credit-rating agencies and other commercial information providers providing information on eg beneficial owners and politically exposed persons.
- Health data from health institutions (for risk life insurance policies).
- From other entities in the Nordea Group or other entities which we collaborate with.
2. How Nordea Life Assurance may use your personal data and the lawful basis for doing so
We use your personal data to comply with legal and contractual obligations as well as to provide you with offers, advice and services.
Entering into and administration of service and product agreements (performance of a contract)
The main purpose of our processing of personal data is to collect, verify and process personal data prior to giving an offer and entering into a contract with you as well as documenting, administering and completing tasks for the performance of contracts.
Examples of the performance of a contract:
- Insurance policy issuing or payment of insurance claims
- Customer service during the contract period
- Possible establishment, exercise or defence of legal claims and collection procedure
Fulfilment of requirements and obligations for us stated in laws, regulations or decisions from authorities and supervisors (legal obligation)
In addition to the performance of a contract, processing of personal data also takes place for us to fulfil our obligations under law, other regulations or authority decisions.
Examples of processing due to legal obligations:
- Know Your Customer requirements
- Preventing, investigating and uncovering money laundering, terrorist financing, and fraud
- Sanctions screening
- Bookkeeping regulations
- Reporting to tax authorities, police authorities, enforcements authorities, supervisory authorities
- Risk management obligations such as credit performance and quality, capital adequacy, and insurance risks
- Other obligations related to service or product specific legislations, for example securities, funds and insurance legislation
Marketing, product and customer analysis (legitimate interest)
Personal data is also processed in the context of marketing, product and customer analyses. This processing forms the basis for marketing, process, business-and system development. This is to improve our products and optimize our customer offerings.
We have a legitimate interest to use profiling for example when conducting customer analysis for marketing purposes.
If your insurance policy includes cover granted by Nordea Insurance Finland Ltd, we ask for your consent to Nordea Insurance Finland Ltd and Nordea Life Assurance Finland Ltd disclosing to one another information on special categories of personal data needed for attending to a claim or customer relationship, such as health information. Giving your consent is entirely voluntary and you may withdraw your consent if you wish. If you withdraw your consent to the disclosure of your health information, you must terminate your insurance policy.
3. Automated decision-making and profiling
We may utilise automated decision-making in some cases. Automated decision-making is permitted in legislation governing insurance companies. Automated decision-making means that a decision concerning you may be made fully based on automated data processing without human involvement. Automated decision-making is based on the information provided by the customer.
We may use automated decision-making when making decisions on whether to insure the customer. As a result of automated decision-making, an insurance policy may be granted or an insurance case may be forwarded to manual further processing.
By using automated decision-making, we aim to expedite the handling of your case and to make sure that, for example, insurance decisions are fair. For instance, you may receive confirmation that your insurance has become valid right after you have submitted your application. If you are dissatisfied with an automated decision you have received, you can ask for the case to be reprocessed by a natural person on behalf of the data controller. You have the right to state your position, receive an account of the decision made and dispute the decision.
Buying and changing an insurance policy
We utilise automated decision-making when making decisions on whether to grant insurance.
Such decisions are based on the information provided by you as well as our insurance guidelines, which comply with the applicable legislation, insurance terms and conditions and good insurance practice.
We utilise automated decision-making when making decisions on whether to grant insurance when you fill out a health declaration when applying for insurance, buying insurance through our digital channels or providing information on the state of health of the insured.
Termination of an insurance policy
An insurance policy can be terminated automatically due to invoices being left unpaid.
We may also use profiling when processing personal data. Profiling means the automatic processing of personal data whereby these data are used to assess certain characteristics of a person. Profiling is used when insurance policies are purchased.
4. Who Nordea Life Assurance may disclose or transfer your personal data to
We may disclose/transfer your personal data to other parties, such as the authorities, Nordea Group companies, suppliers, payment service providers and business partners. Before disclosing or transferring your data we will always ensure that we respect the relevant financial industry secrecy obligations, such as insurance secrecy.
We disclose data about taxable insurance claim payments and paid pension insurance premiums to the Finnish Tax Administration. To Kela we disclose data about the pensions paid. At times we may also disclose data to, for instance, the enforcement authorities upon request.
Customer due diligence data and other personal data may also be disclosed to the police for raising an official investigation into money laundering or terrorist financing. In addition, the same data may be disclosed to the National Bureau of Investigation for raising an official investigation into such crimes with which property or a criminal benefit related to money laundering or terrorist financing has been obtained.
Nordea Group companies
Nordea Life Assurance may share data with Nordea Bank Abp, excluding customers’ health data. This sharing of data is based on the fact that Nordea Bank Abp, acts as an agent for Nordea Life Assurance, handling all customer-facing communication, such as selling and managing insurance policies.
Nordea Bank Abp and Nordea Life Assurance thus use some of the same customer relationship management systems. This means that Nordea Bank Abp and Nordea Life Assurance act as a controller together.
Nordea Life Assurance collaborates with partners in order to offer products and services to customers. Our partners have been chosen carefully and we have contracts that include the processing of personal data in place with selected suppliers.
In relation to risk life insurance policies, the customer authorises Nordea Life Assurance to request health data from health institutions for issuing the insurance policy and processing insurance claims.
In certain situations, Nordea Life Assurance collaborates with a reinsurer. In these cases, Nordea Life Assurance also has a legal right to disclose data. The reinsurer acts as an independent controller.
Third country transfers
The personal data of Nordea Life Assurance’s customers may be processed outside the European Economic Area. In these cases, the standard contractual clauses (EU model-clauses) approved by the European Commission are used.
You can obtain a copy of the EU model-clauses used for data transfers by Nordea at www.eur-lex.europa.eu by searching with the keyword 32010D0087.
5. How Nordea Life Assurance protects your personal data
Keeping your personal data safe and secure is at the centre of how we do business. We use appropriate technical, organisational and administrative security measures to protect any information we hold from loss, misuse, and unauthorised access, disclosure, alteration and destruction.
6. Your privacy rights
You as a data subject have rights in respect of personal data Nordea Life Assurance holds on you. You have the following rights:
a) request access to your personal data. You have a right to access the personal data we are keeping about you. In many cases this information is already present to you in your online services from us. Your right to access may, however, be restricted by legislation, protection of other persons’ privacy and consideration for the Nordea Group’s business concept and business practices.
b) request correction of incorrect or incomplete data. If the data are incorrect or incomplete, you are entitled to have the data rectified, with the restrictions that follow from legislation.
c) request erasure. You have the right request erasure of your data in case;
- you withdraw your consent to the processing and there is no other legitimate reason for processing,
- you object to the processing and there is no justified reason for continuing the processing,
- you object to processing for direct marketing,
- processing is unlawful or
- when processing personal data on minors, if the data was collected in connection with the provision of information society services.
Due to the financial sector legislation we are in many cases obliged to retain personal data on you during your customer relationship, and even after that, e.g. to comply with a statutory obligation or where processing is carried out to manage legal claims.
d) limitation of processing of personal data. If you contest the correctness of the data which we have registered about you or lawfulness of processing, or if you have objected to the processing of the data in accordance with your right to object, you may request us to restrict the processing of these data to only storage. The processing will only be restricted to storage, until the correctness of the data can be established, or it can be checked whether our legitimate interests override your interests.
e) object to processing based on our legitimate interest. You can always object to the processing of personal data about you for direct marketing and profiling in connection to such marketing.
f) data portability. You have a right to receive personal data that you have provided to us in a machine-readable format. This right applies to personal data processed only by automated means and on the basis of consent or of fulfilling a contract. Where secure and technically feasible the data can also be transmitted to another data controller by us.
Your request to exercise your rights as listed above will be assessed given the circumstances in the individual case. Please note that we may also retain and use your information as necessary to comply with legal obligations, resolve disputes, and enforce our agreements.
Nordea Bank Abp and Nordea Life Assurance collect, process and analyse data regarding the use of our webpages. Traffic data is data connected to visitors on the webpage and data handled in communication fields for sending, distributing or making messages available.
You can set or amend your web browser controls to accept or reject cookies. If you choose to reject cookies, you may still use our websites and some services, however your access to some functionality and areas of our website or services may be restricted substantially.
For more information about cookies, please visit nordea.fi/en (link at the bottom of the page).
8. How long Nordea Life Assurance stores your personal data
We keep your data for as long as necessary for the performance of a contract and as required by retention requirements in laws and regulations. If we keep your data for other purposes than those of the performance of a contract, such as for anti-money laundering, bookkeeping and regulatory capital adequacy requirements, we keep the data only if necessary and/or mandated by laws and regulations for the respective purpose.
Specific examples are:
- Bookkeeping regulations: up to ten years.
- Details on performance of an agreement: up to ten years after end of customer relationship to defend against possible claims.
- Preventing money laundering and terrorist financing: minimum five years after termination of the business connection or the performance of the individual transaction.
- Rejected insurance applications: three years.
- Insurance offers: nine months after an offer has been made.
10. Contacting us or the data protection authority
If you wish to contact Nordea Life Assurance Finland’s DPO, you can send an email to Opens new window or a letter to: Nordea Life Assurance Finland Ltd, Aleksis Kiven katu 9, 00020 Nordea. Please note that we cannot reply to queries about your personal insurance matters via normal e-mail.
You can also lodge a complaint or contact the data protection authority in any of the countries where we provide services or products to you.