
Data privacy

As an insurance company, Sampo Group handles and stores large amounts of customers’ and other stakeholders’ personal data. Protecting this data is of utmost importance for the Group.

At Sampo Group personal data is processed in a lawful, fair, and transparent manner. The aim is to ensure that the privacy of the customers, employees, shareholders, and other stakeholders is not breached. Sampo Group can face business risks, operational risks, and reputational risks if it fails to comply with data privacy regulations and guidelines.

Governance

At Sampo Group, the guidance documents regarding data privacy are the Sampo Group Code of Conduct and the Sampo Group Data Privacy Statement. Both documents are reviewed annually, approved by Sampo’s Board of Directors, and available on Sampo’s website. In addition to the group level principles, Sampo Group has supplementary and more detailed policies and due diligence processes for specific purposes. The policies include personal data policies and guidelines; the processes include awareness-raising, reporting structures, screenings, impact assessments, security measures, and data processing agreements, among others. The ultimate responsibility for the implementation of the group level principles and company-specific policies and processes lies with the management of each individual Sampo Group company. Reporting on data privacy is provided regularly (e.g. quarterly) and whenever deemed necessary to the CEOs and boards of directors of the respective Sampo Group companies.

When third parties handle personal data on Sampo Group’s behalf, it is done in accordance with applicable data protection laws, and Sampo Group enters into a data processing agreement (or similar). The agreement states how suppliers and, if applicable, sub-suppliers shall handle Sampo Group’s data. Where relevant, the Group also ensures that the contractors have data protection policies in place. Third-party data processors are assessed regularly. Sampo Group may, to a limited extent, transfer or allow access to data outside the EU/EEA. This is always done in compliance with applicable data protection laws.

Sampo Group conducts quarterly risk assessments on its technologies and practices affecting user data. Each data processing activity registered in the Records of Processing Activities is also reviewed annually. In addition, in line with the General Data Protection Regulation (GDPR), the Group conducts monitoring activities and risk assessments whenever deemed necessary, focusing on specific areas of interest. Internal audits related to data privacy are conducted with varying frequency and scope.

Employee training

Sampo Group offers mandatory and regular (e.g. annual) awareness-raising activities to employees and contingent workers to prevent and mitigate user-related risks to personal data. Such activities include mandatory data privacy training, refresher courses, data protection impact assessment courses, and privacy by design and default courses. These activities help employees and contingent workers understand appropriate data protection practices and the risks associated with their actions. In addition, Sampo Group’s intranet pages are a source of information for all employees and contingent workers, offering practical help, contacts, training, guidelines, and information on data privacy processes and methods.

Reporting and providing remedy

Sampo Group has procedures for investigating possible data privacy breaches and processes for corrective actions to protect the personal data of consumers and end-users. Data breaches are analysed and handled according to fixed processes, and they are assessed and reported in a timely manner to the local authorities, when applicable. Escalation processes are in place to engage the Data Protection Officers (DPOs) and other senior roles.

Data breaches are analysed, handled, documented and, where notification is required, reported to the supervisory authority within the 72-hour deadline set by the GDPR. The risk to the data subject is identified, analysed, and evaluated, resulting in appropriate measures. Evidence of each data breach is recorded to fulfil the accountability principle. Sampo Group also addresses data breach trends in information security committees (or similar) to identify possible risk management synergies between data privacy and information security, such as weighing up the probability of occurrence, the damage, and the risks to the rights and freedoms of data subjects.
