You are using an old version of your web browser.

Please note that the website might not function correctly using an outdated browser. We recommend updating your browser or using another one.

This site uses cookies to offer you the best user experience. By continuing browsing this site you agree to the use of cookies. Alternatively you may change your browser settings. For further information, please read our Privacy Notice.

I agree

Data Privacy


Protecting customers and other stakeholders’ personal data is of utmost importance. The Sampo Group companies operate in the financial and insurance sector, which is a highly regulated industry and characterised by a high amount of personal data processing. Sampo Group can face business risks, operational risks, and reputational risks if it fails to comply with data privacy regulations and guidelines.

Group-level approach

At Sampo Group, the guidance documents regarding data privacy are the Sampo Group Code of Conduct and the Sampo Group Data Privacy Statement, which are both reviewed annually and approved by the Board of Directors of Sampo plc. In addition, each Group company has adopted supplementary policies and guidelines for its own purposes.

The Sampo Group companies are committed to processing personal data in a lawful, fair, and transparent manner , while respecting human rights in all aspects of data management. The Group companies obtain, process, store, and retain personal data in compliance with all relevant data privacy laws.

All Group companies aim to ensure that the privacy of the employer, employees, customers, and other stakeholders is not breached, and that adequate data privacy training is offered to all employees and contingent workers of the company. The Group companies also ensure that incident investigation and processes for corrective actions are in place.


Requests from Data Subjects, Sampo Group 2021 2020* 2019*
Right of access 1,975 322 187
Right to rectification 12 0 0
Right to erasure 508 132 111
Right to restriction on processing 0 0 0
Right to data portability 0 2 2
Right to object** 79 0 0
Right not to be subject to a decision solely by automated processing 0 0 0
Number of requests from data subjects, total 2,574 456 300

* Excluding Hastings
** No data available for Topdanmark.

Complaints from Data Subjects and Data Protection Authorities, Sampo Group 2021 2020* 2019*
Number of complaints from data subjects 60 74 3
Number of complaints from data protection authorities 18 10 0

* Excluding Hastings

Data Breaches Reported to Local Data Protection Authorities, Sampo Group 2021 2020* 2019*
Number of data breaches reported to local data protection authorities 175 110 41

* Excluding Hastings

Data privacy policies of the Sampo Group companies

All Sampo Group companies have privacy policies in place and available online. The policies describe, for example, how and why personal data is processed and stored. They also include descriptions of the rights of data subjects and how these are implemented.

If Data Privacy Policy
Topdanmark Data Privacy Policy
Hastings Data Privacy Policy
Mandatum Life Data Privacy Policy



If’s Data Protection Office aims to ensure that data protection rules are respected within the company. If’s data privacy is built upon a foundation comprised of codes of conduct, security policy, data privacy policy, ethics policy, and data processing agreements. If has a data privacy management framework that helps create a culture of commitment to data protection. The framework includes appropriate awareness-raising, reporting structures, screenings, assessments, security measures, and data processing agreements.

If’s data protection officer (DPO) reports to the chief information security officer (CISO). As required by law, the DPO acts independently and reports quarterly and, when deemed necessary, to the CEO and the Board of Directors of If. In addition, If has a personal data breach manager and privacy officers located in Sweden, Norway, and Finland.

The Data Protection Office safeguards the foundation of data privacy through screening and early data protection impact risk assessments (DPIA) of the organisation’s processing activities, new technologies, development projects, systems, services, and third-party providers for possible non-compliance. During screening and DPIAs, third parties are reviewed to ensure they help If uphold their obligations under the GDPR and through a data processing agreement.

Aside from screening and risk assessments, If’s data processors are annually assessed. The accountability principle requires controllers and processors to take responsibility for their processing activities and for how they comply with data protection principles.

If’s data retention policies are documented and applied to both system processing and manual processes. Retention policies are assessed and reviewed on a regular basis. Deletion procedures and anonymisation techniques currently in place ensure storage limitation and de-identification of personal and sensitive personal data. Every deletion and anonymisation procedure is fully described and documented as evidence to fulfil the accountability principle. This includes logs to prove procedures are implemented.

If conducts user access controls and reviews on a regular basis, ensuring better access control. Every control and review is fully documented as evidence to fulfil the accountability principle.

In some cases, If needs to give suppliers access to personal data when the suppliers perform services on If’s behalf. When suppliers handle personal data on If’s behalf, this is done in accordance with applicable data protection laws, and If enters into a data processing agreement. The agreement states how If’s suppliers, and sub-suppliers if applicable, shall handle If’s data. Due to globalisation and technological development, If may, to a limited extent, transfer or allow access to data outside the EU/EEA. This is always done in compliance with applicable data protections laws. If does its utmost to protect individual privacy by handling personal data carefully and taking appropriate and necessary safeguards.

Due to local laws and a stricter interpretation of the GDPR, If uses a technology that ensures that emails sent from If domains use a more appropriate method of encryption to secure personal data.

Employee training

If’s Data Protection Office uses awareness-raising activities to prevent and mitigate user risk. The activities are designed to help employees and contingent workers (consultants and external contractors) understand the role they play in helping to combat personal data breaches.

If’s awareness-raising activities include mandatory data privacy e-learning courses, refresher courses, DPIA courses, privacy by design and default courses, and internal networking through 120 experts called privacy champions. These activities help employees and contingent workers understand appropriate data protection and the risks associated with their actions. In addition, If’s internal data privacy web page provides a source of information for all employees and contingent workers, offering practical help, contacts, training, guidelines, and information on data privacy processes and methods.

Incident reporting

If reviews data breach trends monthly to provide support to the business functions. Trends are also addressed within If’s Information Security committee to identify possible risk management synergies between data privacy and information security, such as weighing up the probability of occurrence, damage, risks to the rights and freedoms of data subjects, or importance for the company's overall protection. The collaboration between the DPO and the CISO is key to ensuring a level of security appropriate to the risk.

According to If’s internal personal data breach reporting process, data breaches are analysed, handled, documented, and reported when necessary, within the 72-hour requirement. The risk to the data subject is identified, analysed, and evaluated, resulting in appropriate measures. Evidence of each data breach is recorded to fulfil the accountability principle.



Topdanmark has a comprehensive management system for data privacy, including procedures and policy on how to handle personal data. The Board of Directors and the Executive Management of Topdanmark have overall responsibility for and focus on ensuring that the company’s data privacy is at an adequate level and that sufficient resources have been allocated to it.

Topdanmark conducts supplier risk assessments and instructs suppliers on how to handle personal data using data processing agreements. The company makes decisions on the extent and frequency of supervision of data processors based on the risk assessments.

Topdanmark's DPO provides advice and recommendations to ensure continuous improvement of personal data protection and data subjects’ rights. Where security measures are concerned, advice is provided in close cooperation with the Group's CISO. In addition, the DPO carries out regular surveys on Topdanmark's personal data protection and reports quarterly to the Board of Directors and the Executive Board of the company.

Employee training

Topdanmark ensures data privacy by continuously training its employees. At Topdanmark, all new employees undergo an e-learning programme that focuses on lawful and secure processing of personal data. At regular intervals, existing employees also undergo courses to guarantee a focus on the topic.

In addition, employees have a possibility to contact the DPO and experienced GDPR lawyers for advice. Guidance related to personal data is also available on a dedicated page on the company intranet.

Incident reporting

Topdanmark takes customer privacy seriously, and the goal is to avoid data breaches altogether. When incidents do happen, however, typically because of a human error, data breaches are handled, assessed, and reported to the Data Protection Authority in a timely manner, where appropriate. If the risk to data subjects is considered high, data subjects are notified of the incident. For every incident, Topdanmark assesses how similar incidents can be avoided in the future and introduces measures to support this.



Hastings has a formal Data Protection Policy that applies to all its operations, including data relating to existing or potential customers or employees. Hastings ensures that its approach to the collection, use, sharing, and retention of user data is clearly stated and available to all data subjects. Should privacy notices and other data policies that apply to data subjects be amended, Hastings is committed to notifying those data subjects affected in a timely and appropriate manner.

Hastings maintains a focus that ensures statutory customer privacy rights are upheld, including a commitment to processing personal data securely by means of appropriate technical and organisational measures. Hastings’ policies and procedures seek to ensure the information is collected, stored, and used correctly, to protect personal data and to make sure the data is kept for no longer than it should be.

Regarding contractors, Hastings ensures that there are clauses within their contracts stating it is their responsibility to be up to date with the latest data protection training. Where relevant, the company also ensures that the contractors have data protection policies in place.

Employee training

All Hastings employees are appropriately trained for their role and are subject to annual data privacy certification via Hastings’ learning management platform.

Incident reporting

Hastings has operational measures in place to monitor and respond to data incidents and breaches. Incidents and concerns are reported to a central Data Protection team for triage, recording, and support. Escalation processes are in place to engage the DPO and other senior roles, as required, as part of the company-wide incident management process.



Personal data management at Mandatum is based on the Data Protection Policy, which is approved annually by Mandatum Asset Management and Mandatum Life’s boards of directors. It applies to all personal data processing carried out in Mandatum and concerns all persons in Mandatum’s service and its outsourcing partners. The Data Protection Policy provides information about the processing of personal data at Mandatum, the type of personal data processed and used, the sharing of personal data with authorities and Mandatum’s partners according to legal requirements, and the rights data subjects have regarding the processing of their data. The policy is supplemented by data protection principles and guidelines, which are brought to the attention of employees and, if needed, to material third parties. Third parties are required to sign a data processing agreement (DPA) as part of the sourcing contract.

The Data Protection Policy is also closely linked to other internal policies, such as the Information Management Policy and the Information Security Policy. The purpose of the Information Management Policy is to set forth the identification of information and the determination of ownership, as well as the classification of information. The policy is additionally complemented by the Information Management Principles, which lay down in greater detail the means for implementing roles and tasks, as well as the processing that corresponds to the classification.

The boards of directors and the CEOs of Mandatum Asset Management and Mandatum Life are responsible for ensuring that the companies’ data privacy is at an adequate level and that sufficient resources are allocated to it. The Data Governance unit directs and supervises the data protection and data security measures at Mandatum. The unit is headed by the DPO, who is also part of Mandatum's risk management function and reports to the business management team, the boards of directors, and the Sampo Group Audit Committee on a quarterly basis and whenever necessary. The DPO can be contacted by data subjects, whether they are employees or customers. The DPO is, for example, responsible for Mandatum’s data protection strategy, policies, guidelines, monitoring, and reporting, and for addressing data protection deviations. In addition, the DPO highlights development needs related to data privacy and promotes measures to meet them.

Mandatum complies with data protection by design and by default, and with the other obligations stipulated in the regulation. Data protection risk management is part of the company's operational risk management process. Data protection risks are assessed regularly, and the risk assessment is reviewed quarterly. The likelihood and severity of the risk to the rights and freedoms of the data subject are determined by reference to the nature, scope, context, and purpose of the processing. The most significant risks are reported to both the Risk Management Committee and the boards of directors quarterly. In addition, DPIAs are conducted when new processing methods or technologies are introduced, or major changes are made to the existing ones.

The systems used by Mandatum are classified and safeguarded according to their inherent risks. During the planning phase of acquiring services or implementing new procedures or technology, a DPIA is carried out when it appears likely that the data processing operations will involve a high risk to the rights and freedoms of the data subjects. The results of the DPIAs are used to reduce the risk levels and to ensure that the requirements of the GDPR have been appropriately considered.

At Mandatum, access to data is controlled based on user access rights management. Processing personal data without a work-based reason is strictly prohibited by the Data Protection Policy. Such processing is logged and monitored. In customer online services, strong authentication is required, and communication is encrypted.

Employee training

Every Mandatum employee participates in data protection training annually. The training is provided to new employees during their onboarding. The training is extended to the providers of outsourced services as needed. The completion rate of the data privacy-related e-learning is monitored periodically. In addition to the general e-learning, different teams and units are provided with customised training throughout the year.

Incident reporting

The most significant data breaches are reported to both the Risk Management Committee and the boards of directors quarterly, except cases that should be reported ad hoc.

Sampo plc

Sampo plc’s Legal unit directs and oversees the data privacy activities within Sampo plc to ensure continued compliance with relevant regulations. This includes ensuring that employee awareness of data privacy matters is on an adequate level, assisting business units in identifying data privacy-related processes, and processing of personal data, as well as other topics arising from the GDPR.

Data privacy is an integral part of the onboarding process of new employees, and existing employees are offered additional training sessions when considered necessary.

More information in Sampo Group’s Sustainability Report.

Updated 13 Dec 2022