Data protection is a key part of insurance operations. This page contains information on how Nordea Insurance Finland Ltd, hereinafter ‘Nordea Insurance’, processes your personal data.
Nordea Bank Abp acts as an insurance intermediary for Nordea Insurance, and Nordea Life Assurance Finland Ltd acts as a representative for Nordea Insurance. Nordea Bank Abp and Nordea Life Assurance Finland Ltd handle customer-facing communication, such as selling and managing insurance policies. Further information on the processing of personal data in Nordea Bank Abp and Nordea Life Assurance Ltd can be obtained from their privacy policies. If you want to know what personal data Nordea has on you, please read the instructions for submitting a request.
At Nordea Insurance, we process personal data for a number of reasons. When we write “you”, we mean you as a customer, a potential customer, an insurance policyholder, an insured person, a claim applicant, our customer’s employee, a tenant or other relevant party, such as a beneficial owner, an authorised representative or a key person of a company.
1. What personal data Nordea Insurance collects
Personal data is in most cases collected directly from you or generated as part of the use of Nordea Insurance’s services, products and channels.
The categories of personal data that we collect and use are listed below. We have provided examples of the types of personal data that fall within each category. Please note that the list of examples is not exhaustive. The type of personal data that we collect from you will depend on the service or product we are providing to you.
The personal data we collect can be grouped into the following categories:
- Identification information: including your personal identity number, full name, access codes to Nordea Mobile and Netbank, and IP address.
- Contact information: including your physical or postal address, phone number and email address.
- Financial information: including type of contract, transaction data and insurance policies.
- Information related to statutory requirements: including country of taxation or foreign tax identification number, information related to customer due diligence and anti-money laundering requirements.
- Profiling information: including demographic information and profession.
- Information related to you as a customer: for example, your history with Nordea Insurance.
- Special categories of personal data: for example, we need information on the insured person’s state of health for granting covers against a temporary disability, a critical illness or a permanent disability and for processing claims.
Personal data we may collect from you:
Some of the personal data collected by Nordea Insurance is provided directly by you. For example, we collect personal data from new customers, such as the name, personal identity number, email address and phone number. We also collect information about your income and debt to be able to provide you with the product or service in question. We also collect information which you provide us with in our digital channels, such as messages (feedback, requests etc.) you have sent us.
Phone calls and chat conversations with you may also be recorded and stored for verification of orders, documentation, and for quality control and development purposes. For security purposes, we may have surveillance cameras in our branches.
Personal data that we may collect from third parties:
To be able to offer you our products and services and to comply with statutory requirements, we will also collect personal data from third parties, such as publicly available and other external sources. To ensure your personal data is accurate and up-to-date, we receive periodic updates of some personal data categories from third parties (e.g. public authorities).
Examples of third party data sources include:
- Registers held by governmental agencies (such as population registers and registers held by tax authorities, company registration offices and supervisory authorities).
- Financial sanctions lists (for example, lists held by international organisations such as the EU and UN as well as national organisations such as the Office of Foreign Assets Control (OFAC)).
- Registers held by credit-rating agencies and other commercial information providers providing information on e.g. beneficial owners and politically exposed persons.
- Health data from health institutions.
- Other entities in the Nordea Group or other entities which we collaborate with.
- Publicly available data, for example from social media or via search engines. Social media platforms may also share data with us in accordance with your personalised privacy settings in those channels/media.
2. How Nordea Insurance may use your personal data and the lawful basis for doing so
We use and process your personal data under the lawful bases and for the purposes described below.
Necessary for the performance of a contract with you
One reason we process personal data is to collect and verify the data prior to making an offer and entering into a contract with you. We also process personal data in order to document and fulfil our contractual obligations towards you.
Examples of activities necessary for the performance of a contract with you:
- Processing of personal data in connection with granting insurance and payment of claims
- Collecting your contact information to provide you with customer service during the contract period, including customer care and customer administration and communication with you.
In addition to the performance of a contract, compliance with our obligations defined in the law, regulations and official rulings requires us to process personal data.
Examples of statutory obligations requiring personal data processing:
- Know Your Customer (KYC) requirements
- Preventing, investigating and uncovering money laundering and terrorist financing
- Sanctions screening
- Bookkeeping regulations
- Reporting to the tax authorities, the police as well as the enforcement and supervisory authorities
- Risk management obligations, including those related to insurance risks and capital adequacy requirements
- Other obligations related to service or product specific legislation, for example legislation governing securities, funds and insurance.
We use your personal data where necessary to further our legitimate interests, as long as those legitimate interests are not overridden by your interests or fundamental rights and freedoms.
Examples of our processing based on legitimate interests:
- Marketing, product and customer analyses. Marketing measures, development of processes, business and systems, including testing, are based on the processing of personal data.
- Profiling for customer analyses made for marketing purposes.
- Anonymisation of financial and demographic data to create statistics to test and develop new products and services. Anonymised and aggregated statistics cannot be linked to an individual.
- Analyses of the use of social media for the purpose of providing better and more targeted marketing and communication, services and advice, including responding to your comments and providing you with user support.
- Possible establishment, exercise or defence of legal claims and collection procedure.
There are specific situations in which we will ask for your consent. Below are examples of such situations.
If we need your health data to process your insurance application, we will ask for your consent to process your health data. You can refuse to give your consent, but in that case we are unfortunately unable to process your application and grant the insurance policy to you.
If needed, we will also ask for your consent to request additional information concerning your state of health from health care providers. With your consent, we will request the health data required to process your application from the entities mentioned in the consent on your behalf. You also have the right to refuse to give your consent to requesting your data from health care providers. Please note that in this case you will need to provide us with any data we may need to process your application.
Based on the General Data Protection Regulation (GDPR), you also have the right to withdraw your consent to the processing of your health data. Please note that if you withdraw your consent, we will have to suspend the processing of your application. We will, however, store data about your application under the Finnish Insurance Contracts Act or, if your insurance policy has entered into force, under the Finnish Data Protection Act on the basis of your customer relationship with us.
You also have the right to withdraw your consent to requesting additional information concerning your health from health care providers. Please note that if you withdraw your consent, you will need to provide us with any data we may need to process your application, as we cannot request it on your behalf.
3. Automated decision-making and profiling
Automated decision-making means that a decision concerning you may be made fully based on automated data processing without human involvement. Automated decision-making is based on the personal data we collect.
We may use automated decision-making to approve your insurance application or claim in order to speed up the processing and to ensure equal decisions. If you are dissatisfied with a decision you have received in which automated decision-making was used, you can ask for the case to be reprocessed by a natural person on behalf of the data controller. You have the right to state your position, receive an account of the decision made and dispute the decision. You also have the right to refuse automated decision-making being used in your case. Please note that any insurance or claim decision that differs from your application is always made by a natural person.
We may also use profiling when processing personal data. Profiling means the automatic processing of personal data whereby this data is used to assess certain characteristics of a person.
Buying and changing an insurance policy
We utilise automated decision-making when making decisions on whether to grant insurance.
Such decisions are based on the personal data we collect as well as on our insurance guidelines, which comply with the applicable legislation, insurance terms and conditions and good insurance practice.
We utilise automated decision-making and profiling when making decisions on whether to grant insurance when you fill out a health declaration upon buying insurance through our digital channels or providing information on the state of health of the insured.
Termination of an insurance policy
An insurance policy can be terminated automatically due to invoices being left unpaid.
4. Who Nordea Insurance may disclose or transfer your personal data to
We may disclose/transfer your personal data to other parties, such as the authorities, entities in the Nordea Group, suppliers and business partners. Before disclosing or transferring your data we will always ensure that we respect the relevant financial industry secrecy obligations, such as insurance secrecy.
We disclose data about taxable insurance claim payments and paid pension insurance premiums to the Finnish Tax Administration. To Kela we disclose data about the pensions paid. At times we may also disclose data to, for instance, the enforcement authorities upon request.
Customer due diligence data and other personal data may also be disclosed to the police for raising an official investigation into money laundering or terrorist financing. In addition, the same data may be disclosed to the National Bureau of Investigation for raising an official investigation into such crimes with which property or a criminal benefit related to money laundering or terrorist financing has been obtained.
Nordea Group companies
Based on legislation governing insurance companies, Nordea Insurance may share data with Nordea Bank Abp, excluding customers’ health data. Nordea Bank Abp acts as an agent for Nordea Insurance, handling customer-facing communication, including selling and managing insurance policies. Therefore Nordea Bank Abp, Nordea Insurance and Nordea Life Assurance Finland Ltd, which owns Nordea Insurance, have common customer data systems.
In addition, Nordea Insurance may disclose data to Nordea Life Assurance Finland Ltd. Based on your consent, we may also share information belonging to special categories of personal data, such as health data, with Nordea Life Assurance Finland Ltd.
Nordea Insurance collaborates with partners in order to offer products and services to customers. We have chosen our partners carefully and we have contracts that govern the processing of personal data in place with selected suppliers.
You may give consent to Nordea Insurance to request health data from health institutions for processing your insurance applications and insurance claims. To obtain the necessary data, Nordea Insurance may disclose detailed information on your health and insurance to the health institutions in question.
In certain situations, Nordea Insurance collaborates with a reinsurer. In these cases, Nordea Insurance also has a legal right to disclose personal data. The reinsurer acts as an independent controller.
Transfers of personal data to third countries
In certain cases, Nordea Insurance may transfer personal data to organisations operating in countries outside the European Economic Area, i.e. to third countries. Such data transfers can be made if any of the following conditions apply:
- The EU Commission has decided that the data protection level of the relevant country is adequate.
- Other appropriate safeguards have been taken, including the use of the Standard Contractual Clauses approved by the EU Commission or the data processor has valid Binding Corporate Rules (BCR) in place.
- Exceptions are applied to special situations, including if the performance of a contract so requires or you have given your consent to the transfer of the data in question.
5. How Nordea Insurance protects your personal data
Keeping your personal data safe and secure is at the centre of how we do business. We use appropriate technical, organisational and administrative security measures to protect any information we hold from loss, misuse and unauthorised access, disclosure, alteration and destruction.
6. Your privacy rights
You as a data subject have rights in respect of personal data Nordea Insurance holds on you. You have the following rights:
a) Right to request access to your personal data. You have a right to access the personal data we have on you. In many cases, this information is already available to you in the online services we provide to you. However, your right to access may be restricted by legislation or in order to protect the privacy of other persons.
b) Right to request rectification of incorrect or incomplete data. If your personal data are incorrect or incomplete, you are entitled to have the data rectified, unless this is restricted by legislation.
c) Right to request erasure. You have the right to request erasure of your personal data in the following cases:
- you withdraw your consent to the processing and there is no other legitimate reason for processing,
- you object to the processing and there is no justified reason for continuing the processing,
- you object to processing for direct marketing,
- processing is unlawful.
Due to legislation governing the financial sector, we are in many cases obliged to retain personal data on you during your customer relationship, and even after that, e.g. to comply with a statutory obligation or where processing is carried out to manage legal claims.
d) Right to restrict the processing of personal data. If you contest the correctness of the data which we have registered about you or the lawfulness of processing, or if you have objected to the processing of the data in accordance with your right to object, you may request us to restrict the processing of this data. The processing will only be restricted to storage until the correctness of the data can be established, or until it can be verified whether our legitimate interests override your interests.
If you are entitled to erasure of the data which we have registered about you but the data is necessary for you to defend a legal claim, you may request us to restrict the processing to storage if you want to keep the data.
Even when processing of your data has been restricted as described above, Nordea Insurance may process your data in other ways if this is necessary to enforce a legal claim or you have given your consent.
e) Right to object to data processing based on our legitimate interest. You can always object to the processing of your personal data if the processing is based on our legitimate interest, including direct marketing and profiling in connection with such marketing.
f) Right to withdraw consent. When the lawful basis for a specific processing activity is your consent, you have a right to withdraw your consent at any time. Information about your right to withdraw your consent is provided when Nordea Insurance asks for your consent.
g) Right to data portability. You have a right to receive personal data that you have provided to us in a machine-readable format. This right applies to personal data processed only by automated means and on the basis of consent or performance of a contract. Where secure and technically feasible, we can also transmit the data to another controller.
Your request to exercise your rights as listed above will be assessed given the circumstances in the individual case. Open the instructions for making a request. Please note that we may also retain and use your information as necessary to comply with statutory obligations, resolve disputes and enforce our contracts.
7. How long Nordea Insurance stores your personal data
We store your data as long as necessary for the performance of a contract and as required by retention requirements in laws and regulations. If we keep your data for other purposes than those of the performance of a contract, such as for anti-money laundering, bookkeeping and regulatory capital adequacy requirements, we keep the data only if necessary and/or mandated by laws and regulations for the respective purpose.
- Bookkeeping regulations: up to ten years.
- Information on the performance of a contract: up to ten years after the end of the customer relationship to defend against legal claims, if any.
- Preventing money laundering and terrorist financing: minimum five years after termination of the business connection or the performance of the individual transaction.
- Rejected insurance applications: three years.
- Insurance offers: nine months after an offer has been made.
10. Contacting us or the data protection authority
You can also file a complaint or contact the Data Protection Authority in any country where Nordea offers you products or services.