
Data privacy

Protecting the personal data of customers and other stakeholders is of utmost importance for Sampo Group.

The insurance sector is a highly regulated industry characterised by large volumes of personal data processing. Sampo Group can face business, operational, and reputational risks if it fails to comply with data privacy regulations and guidelines.

Approach

At Sampo Group, the guidance documents regarding data privacy are the Sampo Group Code of Conduct and the Sampo Group Data Privacy Statement, which are both reviewed annually, and approved by the Board of Directors of Sampo plc. In addition, each Group company has adopted supplementary policies and guidelines for its own purposes, and has data privacy frameworks or similar procedures that help create a culture of commitment to data protection. The procedures include, for example, awareness-raising, reporting structures, screenings, impact assessments, security measures, and data processing agreements.

At Sampo Group, personal data is processed in a lawful, fair, and transparent manner. The aim is to ensure that the privacy of the employer, employees, customers, and other stakeholders is not breached. Reporting on data privacy is provided regularly to the CEOs and Boards of Directors of the respective Sampo Group companies. Sampo Group also has incident investigation processes and procedures for corrective actions in place.

Sampo Group uses awareness-raising activities offered to employees and contingent workers to prevent and mitigate user risk. Such activities include mandatory data privacy training, refresher courses, data protection impact assessment (DPIA) courses, and privacy by design and default courses. These activities help employees and contingent workers understand appropriate data protection, and the risks associated with their actions. In addition, the intranet is a source of information for all employees and contingent workers, offering practical help, contacts, training, guidelines, and information on data privacy processes and methods.

When third parties handle personal data on Sampo Group’s behalf, it is done in accordance with applicable data protection laws, and Sampo Group enters into a data processing agreement (or similar). The agreement states how suppliers and, if applicable, sub-suppliers shall handle Sampo Group’s data. Third-party data processors are assessed regularly.

Goals and ambitions

The goal of Sampo Group’s data privacy operations is to protect the personal data of employees, customers, and other stakeholders.

Requests from data subjects
Sampo Group

Requests from data subjects 2023 2022 2021
Right of access 3,550 2,433 1,975
Right to rectification 11 3 12
Right to erasure 465 583 508
Right to restriction on processing 0 59 0
Right to data portability 0 1 0
Right to object* 105 32 79
Right not to be subject to a decision solely by automated processing 0 0 0
Number of requests from data subjects, total 4,131 3,111 2,574

Mandatum is included in 2021 and 2022 figures.
* Right to object: Topdanmark is not included in 2021–2023 figures, as data was not available.


Complaints from data subjects and data protection authorities*
Sampo Group

  2023 2022 2021
Number of complaints from data subjects 197 119 60
Number of complaints from data protection authorities 6 9 18

Mandatum is included in 2021 and 2022 figures.


Data breaches reported to local data protection authorities*

Sampo Group

  2023 2022 2021
Number of data breaches reported to local data protection authorities 167 175 175

Mandatum is included in 2021 and 2022 figures.

Company-level information

If

Governance

If’s Data Protection Office aims to ensure that data protection rules are respected within the company. If’s data privacy is built upon a foundation consisting of codes of conduct, a security policy, a data privacy policy, an ethics policy, and data processing agreements. If has a data privacy management framework that helps create a culture of commitment to data protection. The framework includes appropriate awareness-raising, reporting structures, screenings, assessments, security measures, and data processing agreements.

If’s data protection officer (DPO) reports to the chief compliance officer (CCO). As required by law, the DPO acts independently and reports quarterly and, when deemed necessary, to the CEO and the Board of Directors of If. In addition, If has a personal data breach manager and privacy officers located in Sweden, Norway, and Finland. 

The Data Protection Office safeguards the foundation of data privacy through screening and early data protection impact assessments (DPIAs) of the organisation’s processing activities, new technologies, development projects, systems, services, and third-party providers. During screening and DPIAs, third parties who will process data on If’s behalf are reviewed to ensure they help If uphold its obligations under the GDPR. When third parties handle personal data on If’s behalf, this is done in accordance with applicable data protection laws, and If enters into a data processing agreement. The agreement states how If’s suppliers, and sub-suppliers if applicable, shall handle If’s data. If’s third-party data processors are assessed annually.

If’s data retention policies are documented and applied to both system processing and manual processes. Retention policies are assessed and reviewed on a regular basis. Deletion procedures and anonymisation techniques currently in place ensure storage limitation and de-identification of personal and sensitive personal data. Every deletion and anonymisation procedure is fully described and documented. This includes logs to prove procedures are implemented. 

If performs user access reviews on a regular basis to ensure that access to personal data remains limited to those who need it. Every control and review is fully documented as evidence to fulfil the accountability principle.

Due to local laws and a stricter interpretation of the GDPR, If uses technology that ensures that emails sent from If domains are encrypted in a manner appropriate for securing personal data.

If may, to a limited extent, transfer or allow access to data outside the EU/EEA. This is always done in compliance with applicable data protection laws.

Employee training

If’s Data Protection Office uses awareness-raising activities to prevent and mitigate user risk. The activities are designed to help employees and contingent workers understand the role they play in helping to combat personal data breaches. 

If’s awareness-raising activities include mandatory data privacy e-learning courses, refresher courses, DPIA courses, privacy by design and default courses, and internal networking through 120 experts called privacy champions. These activities help employees and contingent workers understand appropriate data protection and the risks associated with their actions. In addition, If’s internal data privacy web page provides a source of information for all employees and contingent workers, offering practical help, contacts, training, guidelines, and information on data privacy processes and methods. 

Incident reporting

If reviews data breach trends monthly to provide support to the business functions. Trends are also addressed within If’s Information Security committee to identify possible risk management synergies between data privacy and information security, such as weighing up the probability of occurrence, damage, or risks to the rights and freedoms of data subjects.  

According to If’s internal personal data breach reporting process, data breaches are analysed, handled, documented, and, when necessary, reported to the supervisory authority within the 72-hour deadline set by the GDPR, counted from the moment If becomes aware of the breach. The risk to the data subject is identified, analysed, and evaluated, resulting in appropriate measures. Evidence of each data breach is recorded to fulfil the accountability principle.

Topdanmark

Governance

Topdanmark has a comprehensive management system for data privacy, including procedures and policy on how to handle personal data. The Board of Directors and the Executive Management of Topdanmark have overall responsibility for and focus on ensuring that the company’s data privacy is at an adequate level and that sufficient resources have been allocated to it. 

Topdanmark conducts supplier risk assessments and instructs suppliers on how to handle personal data using data processing agreements. The company makes decisions on the extent and frequency of supervision of data processors based on the risk assessments. In addition, Topdanmark works closely with the Danish Data Protection Agency, which is responsible for examining complaints and provides support in risk identification and awareness creation. 

Topdanmark's DPO provides advice and recommendations to ensure continuous improvement of personal data protection and data subjects’ rights. Where security measures are concerned, advice is provided in close cooperation with the Group's CISO. In addition, the DPO carries out regular surveys on Topdanmark's personal data protection and reports quarterly to the Board of Directors and the Executive Board of the company. 

Employee training

Topdanmark ensures data privacy by continuously training its employees. At Topdanmark, all new employees undergo an e-learning programme that focuses on lawful and secure processing of personal data. At regular intervals, existing employees also undergo data privacy training. In addition, employees have the possibility to contact the DPO and experienced GDPR lawyers for advice. Guidance related to personal data is also available on a dedicated page on the company intranet. 

Incident reporting

At Topdanmark, data breaches are handled according to fixed processes, and they are assessed and reported to the Data Protection Authority in a timely manner. If the risk to data subjects is considered high, they are notified of the incident. Topdanmark follows up on every data breach and assesses how similar incidents can be avoided in the future. 

Hastings

Governance

Hastings has a formal Data Protection Policy that applies to all its operations, including data relating to existing or potential customers or employees. Hastings ensures that its approach to the collection, use, sharing, and retention of user data is lawful, fair, transparent, clearly stated, and available to all data subjects.  

Hastings has a dedicated Data Governance Steering Group. The steering group comprises the Group Chief Risk Officer, Chief Operating Officer, Group Chief Financial Officer, Chief Information Security Officer, Head of Data Governance, and Data Protection Officer. Each business area leader is responsible for ensuring that Hastings’ data protection policy is adhered to within their business areas. Reviews are held monthly at board level, as well as in monthly Data Governance Steering Group meetings. Hastings has a network of Data Protection Champions across the company to assist with the task of embedding the principles of data protection and privacy by design and default within the business. Hastings employs the services of expert external auditors to independently assess its data protection policies and procedures and commits to acting on any recommendations appropriately. 

Regarding contractors, Hastings ensures that there are clauses within their contracts stating it is their responsibility to be up to date with the latest data protection training. Where relevant, the company also ensures that the contractors have data protection policies in place. 

Employee training

All Hastings employees undertake mandatory training on data privacy on joining the company and on an annual basis thereafter. In addition, with the assistance of the Data Protection Champions, the Data Protection team conducts role-specific data protection training across the business to continuously improve the organisation’s data protection awareness and knowledge.

Incident reporting

Hastings has operational measures in place to monitor and respond to data incidents and breaches. Incidents and concerns are reported to a central Data Protection team for triage, recording, and support. Escalation processes are in place to engage the DPO and other senior roles, as required, as part of the company-wide incident management process. 

Sampo plc

Governance

Sampo plc’s Legal unit directs and oversees the data privacy activities within Sampo plc to ensure continued compliance with relevant regulations. This includes ensuring that employee awareness of data privacy matters is at an adequate level, assisting business units in identifying data privacy-related processes and processing of personal data, and advising on other topics arising from the GDPR.

Employee training

Data privacy is an integral part of the onboarding process of new employees, and existing employees are offered additional training sessions when considered necessary. 
