Sampo Group companies operate in the financial and insurance sector, which is a highly regulated industry and characterized by a high amount of personal data processing. Most of the measures adopted in the field of financial and insurance services concern data relating, directly or indirectly, to individuals. Therefore, the protection of personal data is of great importance.
At Sampo Group, the guidance documents regarding data privacy are the Sampo Group Code of Conduct and the Sampo Group Data Privacy Statement, which are both approved by the Board of Directors, reviewed annually, and updated when deemed necessary. Each Group company has adopted more detailed policies and guidelines on data privacy for their own commercial purposes.
| Number of Complaints Received Concerning Breaches of Data Privacy, Sampo Group | 2019 |
| --- | --- |
| Complaints from Data Subjects | 3 |
| Complaints from Data Protection Authorities | 0 |
The Data Protection Officer (DPO) directs and oversees all principles of personal data protection activities within If and ensures compliance with the General Data Protection Regulation (GDPR) and local privacy laws in each of If’s operating countries. The Data Protection Office is led by the DPO with a Personal Data Breach Manager located in Sweden and four Personal Data Protection Managers. One is located in Sweden, one in Norway, two in Finland, and one in Estonia. The members of the Data Protection Office have started training and aim to be Certified Information Privacy Professionals (CIPP/E) by 2022.
During 2019, it became apparent that the DPO and the Chief Information Security Officer (CISO) would benefit from joining forces, as there are multiple areas where the two roles need to collaborate to have a comprehensive set of policies and approaches. As of February 2020, the DPO reports to the CISO. As required by law, the DPO acts independently and reports quarterly and when deemed necessary to the CEO and the Board of Directors of If.
In 2020, If continued to review the company’s internal Data Subject Access Rights (DSAR) processes to ensure compliance with the GDPR and to take into consideration guidelines from the local data protection authorities. The review focused on how to better process verbal data subject requests, how to understand when and which right of access applies, how to be aware of the information the company needs to provide to data subjects, and when the company can refuse a data subject’s request.
Further, during 2020, If continued to provide data privacy training for all new employees as an integrated part of the company’s mandatory training program. Earlier, in 2018, the company had launched a series of mandatory data privacy nano-learning lessons for all employees, which were followed up by more traditional e-learning. Since 2019, e-learning programs covering topics ranging from privacy by design and by default guidelines to access log accountability requirements have been launched. The data protection impact assessment method was previously taught on-site but has now been replaced by a digital classroom. The e-learning programs are a natural part of If’s learning center, designed for and available to all employees and contingent workers.
E-learning and the digital classroom are supplemented with a network of 120 dedicated professionals called Privacy Champions. The Privacy Champions receive in-depth training in data privacy on a continuous basis, and it is their responsibility to spread their acquired knowledge to their teams, departments, functions, and units. In addition, If’s internal data privacy webpage provides a source of information for all employees, offering practical help, contacts, training, guidelines, and information on data privacy processes and methods.
In some cases, If needs to give suppliers access to personal data when the suppliers perform services on If’s behalf. When suppliers handle personal data on If’s behalf, it is done in accordance with applicable data protection laws, and If enters into a Data Processor Agreement (DPA). The DPA states how If’s suppliers, and sub-suppliers if applicable, shall handle If data. Transfer of data outside the EU/EEA is always made in compliance with applicable data protection laws.
Possible data breaches are analyzed, handled, and reported within the 72-hour requirement through a well-defined and unified process. Based upon a framework from the European Union Agency for Cybersecurity (ENISA), the risk to the data subject is identified, analyzed, and evaluated, and appropriate measures are taken accordingly. Data breaches are reviewed on a monthly basis to identify trends in order to provide support to the business functions.
If’s data retention policies are applied to both systematic and manual processing. Deletion procedures and anonymization techniques are in place to ensure storage limitation and de-identification of personal and sensitive personal data. User access reviews are conducted on a regular basis, and more than 400 data protection impact assessments have been conducted. Consent and cookie practices have been improved to ensure compliance with the principles of processing.
Due to local laws and a stricter interpretation of the GDPR, If uses a technology that automatically ensures that all emails sent from If domains use a more appropriate method of encryption to secure personal data.
The Board of Directors and the Executive Management of Topdanmark have overall responsibility for ensuring that the company’s data protection is on an adequate level and that sufficient resources have been allocated to it.
The Compliance function is responsible for the company's data protection strategy, business procedures, guidelines, monitoring, and reporting, including reporting on data breaches. Further, the DPO focuses on the ongoing development and analysis of data protection. Topdanmark’s IT Security Committee is, in close cooperation with the DPO, business, and Compliance, responsible for keeping data security up to date. Topdanmark’s IT systems ensure that personal data is up to date, deleted when no longer relevant, not distorted, and not accessed by unauthorized persons.
Topdanmark’s Board of Directors has approved a policy on the overall requirements for the use of personal data. Topdanmark has processes for continuous mapping and risk assessment of data processing activities, to ensure a high level of personal data protection. In addition, Topdanmark carries out risk assessments on external data processors used, for example, in claims handling. In 2019, Topdanmark strengthened the company’s GDPR-related processes by improving risk assessment and control of data processors, and by ensuring that data security for new digital systems is assessed early in the planning phase of a project.
All new employees of Topdanmark must undergo an e-learning program that ensures knowledge and focus on the correct processing of personal data and the GDPR. At regular intervals, existing employees undergo a short e-learning course to ensure the continued focus on data privacy.
During 2020, Topdanmark will implement a technology that automatically ensures that emails are sent with the best possible encryption. In addition, more digital communication will be transferred to secure communication channels.
Personal data management at Mandatum Life is based on the Data Protection Policy, which is approved annually by the company’s Board of Directors. It applies to all personal data processing carried out in Mandatum Life and concerns all persons in Mandatum Life’s service and its outsourcing partners. One of the main objectives of the policy is to ensure that the rights of data subjects are exercised according to the GDPR. The policy is supplemented by data protection principles and guidelines, which are brought to the attention of employees and, if needed, to material third parties. The Data Protection Policy is also closely linked to other internal policies, such as the Information Management Policy and the Information Security Policy, which include more detailed guidelines for the classification of information, processing rules, supervising and addressing problem situations, and securing data and systems with leading safeguards.
Mandatum Life’s Board of Directors and CEO are responsible for ensuring that the company’s data privacy is at an adequate level and that sufficient resources are allocated to it. Mandatum Life has a DPO, who can be contacted by data subjects, whether they are employees or customers. The DPO carries out the tasks determined in the GDPR. The DPO is, for example, responsible for Mandatum Life’s data protection strategy, policies, guidelines, monitoring, and reporting, and for addressing data protection deviations. In addition, the DPO highlights development needs related to data privacy and promotes measures to meet them.
Mandatum Life complies with data protection by design and by default, and with the other obligations stipulated in the regulation. Compliance with these obligations requires Mandatum Life to conduct a thorough assessment of the risks that the processing of personal data poses to the data subjects, for example when planning operations that involve processing sensitive data. The likelihood and severity of the risk to the rights and freedoms of the data subject are determined by reference to the nature, scope, context, and purpose of the processing. The systems used by Mandatum Life are classified and safeguarded according to their inherent risks. During the planning phase of acquiring services or implementing new procedures or technology, a Data Protection Impact Assessment (DPIA) is carried out when it appears likely that the data processing operations involve a high risk to the rights and freedoms of the data subjects. The results of the DPIA are used to reduce the risk levels and to ensure that the requirements of the GDPR have been considered. During 2019, over 20 DPIAs were completed or started at Mandatum Life.
At Mandatum Life, access to data is controlled based on user access rights management. Processing personal data without a work-based reason is strictly prohibited by the Data Protection Policy. Such processing is logged and monitored.
Every Mandatum Life employee participates in data protection training annually. The training is provided to new employees during their onboarding. The training is extended to the providers of outsourced services as needed. The completion rate of the data privacy related e-learning is monitored periodically, and the completion rate was 99 per cent at the end of 2019, considering the induction period for new employees. In addition to the general e-learning, different teams and units are provided with customized training throughout the year. In 2019, Mandatum Life focused on providing training for the Sales and Sales Support, IT, and Business Development units.
In 2019, there were several projects underway to seek assurance and obtain independent evaluation of the controls in the areas of information security and data privacy. In addition to a data protection self-assessment, these included assessments by an independent auditor: an information security maturity assessment and an ISAE 3000 Type I audit of Pension Insurance and Personnel Funds Services covering both the information security and the data privacy aspects of processing. During 2019, Mandatum Life also continued to carry out its annual activities, covering monitoring tasks, reviews, and assessments as well as regular reporting to different stakeholders.
Further information can be found in the Corporate Responsibility Report (page 32).