Please note that the website might not function correctly using an outdated browser. We recommend updating your browser or using another one.
The ultimate goal of Sampo Group companies' data privacy operations is to protect customers and other external and internal stakeholders’ personal data.
Sampo Group wants the processes related to personal data to be carried out lawfully; employees to be aware of and comply with the data protection rules; necessary technical and organizational measures to be adopted to protect personal data; and individual Group companies’ data protection policies and guidelines to be transparent toward data subjects, stakeholders, and other interested parties.
Sampo Group companies comply with the relevant EU and national data privacy regulations and are committed to processing personal data in a lawful, fair, and transparent manner. All Group companies aim to ensure that the privacy of employees, customers, shareholders, and other stakeholders is not breached, and that adequate data privacy training is offered to Group employees.
At Sampo Group, the guidance documents regarding data privacy are the Sampo Group Code of Conduct and the Sampo Group Data Privacy Statement, which are both reviewed annually and approved by the Board of Directors of Sampo plc. In addition, each Group company has adopted more detailed policies and guidelines for their own commercial purposes.
|Requests from Data Subjects, Sampo Group*||2020||2019|
|Right of access||322||187|
|Right to rectification||0||0|
|Right to erasure||132||111|
|Right to restriction on processing||0||0|
|Right to data portability||2||2|
|Right to object||0||0|
|Right not to be subject to a decision solely by automated processing||0||0|
|Number of requests from data subjects, total||456||300|
* Excluding Hastings
|Complaints from Data Subjects and Data Protection Authorities, Sampo Group*||2020||2019|
|Number of complaints from data subjects||74||3|
|Number of complaints from data protection authorities||10||0|
* Excluding Hastings
|Data Breaches Reported to Local Data Protection Authorities, Sampo Group*||2020||2019|
|Number of data breaches reported to local data protection authorities||110||41|
* Excluding Hastings
During 2020, Sampo Group companies received a total of 456 requests from data subjects. 10 complaints were received from regulatory bodies and 74 from data subjects. The complaints from regulatory bodies were customer complaints filed directly with the authorities or responses to requests for clarification. All complaints were resolved in a timely manner. The increase in complaints is primarily due to the data subjects’ overall greater awareness and knowledge of their rights.
In 2020, human and technical errors were identified as root causes for the 110 data breaches reported to the authorities. When a privacy or security breach is detected, the Group companies initiate predefined management processes according to their internal policies and guidelines. Data subjects and data protection authorities were notified accordingly, and appropriate measures were taken to resolve the incidents, such as a change in procedures or a reminder of due care.
The data protection officer (DPO) ensures the foundation of data privacy through appropriate training programs and an internal network, to continuously increase data privacy awareness. According to the organizational structure, the DPO reports to the chief information security officer. As required by law, the DPO acts independently and reports quarterly and when deemed necessary to the CEO and the Board of Directors of If.
The DPO leads the Data Protection Office with a personal data breach manager and privacy officers located in Sweden, Norway, Finland, and Estonia. The members of the Data Protection Office are training to be Certified Information Privacy Professionals (CIPP/E) by 2022.
If provides e-learning courses and digital classroom training for all its employees and contingent workers. The training is supplemented with a network of 120 experts called privacy champions. The privacy champions receive in-depth training in data privacy on a continuous basis, and it is their responsibility to spread their acquired knowledge to their teams, departments, functions, and units. In addition, If’s internal data privacy webpage provides a source of information for all employees, offering practical help, contacts, training, guidelines, and information on data privacy processes and methods.
All data breaches are analyzed, handled, and reported when necessary, within the 72-hour requirement, through a well-defined and unified process. Based upon a framework from the European Union Agency for Cybersecurity (ENISA), the risk to the data subject is identified, analyzed, and evaluated, resulting in appropriate measures. Data breaches are reviewed on a monthly basis to identify trends in order to provide support to the business functions.
If’s data retention policies are applied to both system processing and manual processes. Deletion procedures and anonymization techniques are in place to ensure storage limitation and de-identification of personal and sensitive personal data. User access reviews are conducted on a regular basis, and more than 400 data protection impact assessments (DPIA) have been conducted since the enforcement of the GDPR. Consent and cookie practices are improved on a continuous basis to ensure compliance with the principles of processing.
In some cases, If needs to give suppliers access to personal data when the suppliers perform services on If’s behalf. When suppliers handle personal data on If’s behalf, it is done in accordance with applicable data protection laws and If enters into a Data Processor Agreement. The DPA states how If’s suppliers, and sub-suppliers if applicable, shall handle If data. Transfer of data outside EU/EEA is always made in compliance with applicable data protections laws.
Due to local laws and a stricter interpretation of the GDPR, If uses a technology that automatically ensures that all emails sent from If domains use a more appropriate method of encryption to secure personal data.
Topdanmark has implemented a comprehensive management system for data privacy, including procedures and policy on how to handle personal data.
The Board of Directors and the Executive Management of Topdanmark have overall responsibility for ensuring that the company’s data privacy is at an adequate level and that sufficient resources have been allocated to it. The data protection officer advises on and monitors compliance with data protection regulations and reports to the Board of Directors, including reporting on data breaches.
Topdanmark’s Board of Directors has approved a policy on the overall requirements on the use of personal data. In addition, Topdanmark carries out risk assessments on external data processors used in claims handling, for example.
Compliance with the legislation in force on processing of personal data is ensured, for example, by continuous training of employees. All new employees at Topdanmark must undergo an e-learning program that focuses, for example, on the correct processing of personal data and the GDPR. At regular intervals, existing employees undergo a short e-learning course to ensure a continued focus on data privacy.
Hastings Group (Hastings) takes the protection of personal data very seriously and recognizes that its customers and employees want clarity and transparency about how their data is used and protected.
Hastings has a formal Data Protection Policy that applies to all its operations, including data relating to existing or potential customers or employees. In support of this policy all employees are appropriately trained for their role and subject to annual certification via Hastings’ learning management platform.
Hastings links its data protection and data activities to its goals and strategy and promotes effective management of cyber security risks, data risks, and threats that it faces daily.
Hastings ensures that its approach to the collection, use, sharing and retention of user data is clearly stated and available to all data subjects. Should privacy notices and other data policies that apply to data subjects be amended, Hastings is committed to notifying those data subjects affected in a timely and appropriate manner.
Hastings maintains a focus that ensures customer statutory privacy rights are upheld, including a commitment to processing personal data securely by means of appropriate technical and organizational measures. Hastings’ policies and procedures seek to ensure the information is collected, stored, and used correctly, to protect personal data, and to make sure the data is kept for no longer than it should be.
Personal data management at Mandatum Life is based on the Data Protection Policy, which is approved annually by the company’s Board of Directors. It applies to all personal data processing carried out in Mandatum Life and concerns all persons in Mandatum Life’s service and its outsourcing partners. One of the main objectives of the policy is to ensure that the rights of data subjects are exercised according to the GDPR.
The policy is supplemented by data protection principles and guidelines, which are brought to the attention of employees and, if needed, to material third parties. The Data Protection Policy is also closely linked to other internal policies, such as the Information Management Policy and the Information Security Policy, which include more detailed guidelines on the classification of information, processing rules, supervising and addressing problem situations, and securing data and systems with leading safeguards.
Mandatum Life’s Board of Directors and the CEO are responsible for ensuring that the company’s data privacy is at an adequate level and that sufficient resources are allocated to it. The Data Governance unit directs and supervises the company's data protection and data security measures. The unit is headed by the company's DPO. The DPO is also part of Mandatum Life's risk management function and reports to the operational management team, the Board of Directors, and the Sampo Group Audit Committee on a quarterly basis and whenever necessary. The DPO can be contacted by data subjects, whether they are employees or customers. The DPO carries out the tasks determined in the GDPR. The DPO is, for example, responsible for Mandatum Life’s data protection strategy, policies, guidelines, monitoring, and reporting, and for addressing data protection deviations. In addition, the DPO highlights development needs related to data privacy and promotes measures to meet them.
Mandatum Life complies with data protection by design and by default, and with the other obligations stipulated in the regulation. Data protection risk management is part of the company's operational risk management process. Compliance with these obligations requires Mandatum Life to conduct a thorough assessment of the risks that the processing of personal data poses to the data subjects, for example when planning operations that involve processing of sensitive data. The likelihood and severity of the risk to the rights and freedoms of the data subject are determined by reference to the nature, scope, context, and purpose of the processing.
The systems used by Mandatum Life are classified and safeguarded according to their inherent risks. During the planning phase of acquiring services or implementing new procedures or technology, a DPIA is carried out when it appears likely that the data processing operations will involve a high risk to the rights and freedoms of the data subjects. The results of the DPIAs are used to reduce the risk levels and to ensure that the requirements of the GDPR have been considered.
At Mandatum Life, access to data is controlled based on user access rights management. Processing personal data without a work-based reason is strictly prohibited by the Data Protection Policy. Such processing is logged and monitored. Logging into the online services the company provides to its customers requires strong authentication, and the communications of the Internet services used by the customers are encrypted.
Every Mandatum Life employee participates in data protection training annually. The training is provided to new employees during their onboarding. The training is extended to the providers of outsourced services as needed. The completion rate of the data privacy-related e-learning is monitored periodically. In addition to the general e-learning, different teams and units are provided with customized training throughout the year.
More information in Sampo Group’s Corporate Responsibility report, p. 35.