For us at Turva, the careful and secure processing of personal data is of essential importance. When processing personal data, we comply with the law and good data management and processing practices and exercise caution. We strive to ensure that our customers’ privacy and other fundamental rights are not violated.
How do we process personal data?
The data subjects are Turva's insurance and insurance claims customers. In the case of institutional customers, the data subjects are their affiliated persons, such as beneficial owners. Data subjects also include customers who have previously been our customers as well as potential customers and their affiliated persons. Persons related to the customer, such as guardians and attorneys-in-fact, are also data subjects.
We only process personal data that is necessary for our purposes, such as:
personal data related to identification, including name and personal identity code
contact information, including name, address, email and phone number
information related to the services and products we offer, such as the content of insurance coverage and health declaration
information related to the customer relationship and its management, such as language and contacts
information about choices made by the customer, such as restrictions on direct marketing
customer communications, such as call recordings, audio recordings of online meetings, chat conversations and online messages
information required by law, such as personal data used to identify the customer in accordance with the Anti-Money Laundering Act
trade union information, if the customer has given permission to process the data
We process personal data only for predefined purposes, such as:
customer service and communication as well as customer relationship management, such as responding to contacts and sending out announcements about products
provision and development of our services and products, such as the performance of insurance contracts and claims processing on the basis of insurance contracts
marketing of our services and products, targeted marketing and direct marketing, such as targeted online marketing and direct marketing messages
opinion and market research, such as sending out customer service feedback surveys
organising and enabling participation in promotions, raffles and competitions
monitoring, analysing and compiling statistics on the use of our services and products, such as tracking and analytics of pages visited on our website
ensuring the security of our services and risk management
detection and investigation of nonconformities, such as fraud against insurance companies
fulfilling obligations based on law and in accordance with official directions and instructions, such as collecting customer identification data and monitoring sanction lists
We process personal data mainly on the basis of a contractual relationship and the measures preceding it. The performance of a contract is the primary basis for processing, in cases such as when we process the policyholder's personal data for the purpose of giving an insurance quote and later when the insurance contract is in force.
The processing of personal data may also be based on the consent of the data subject or on the legal obligations or legitimate interests of the controller of the data, Turva. We may disclose information to our service provider partners on the basis of consent, whereas the Anti-Money Laundering Act obligates us to collect and store certain identifying personal data on our customers. Legitimate interest is the basis for processing, for example, when we process personal data for direct marketing purposes, to prevent misuse and fraud, or to pay compensation to an injured party not part of the customer relationship.
We also collect your data from third parties, such as parties authorised by you, registers maintained by the authorities, credit information registers, joint registers of insurance companies, medical institutions and other insurance companies. We update addresses from Posti's address service and cross-check with the Population Information System to ensure that the information is accurate and up-to-date.
Your data will only be processed by Turva employees who need access to the data to perform their duties. Turva's employees are bound by a statutory obligation of secrecy, and each employee must also sign a non-disclosure agreement in which they pledge to keep customer information confidential.
In producing and providing our services, we use partners to whom we transfer personal data for processing. These partners act as our sub-processors and process personal data in accordance with our instructions. We require our sub-processors to protect personal data appropriately and we inspect and audit their operations.
We disclose personal data to parties outside Turva only with your consent or when there is a legal basis for disclosing the data. We may disclose your data based on your consent, such as when we send a direct billing authorisation to a medical institution. Based on the law, we may disclose your data to the authorities, such as tax authorities, prosecutors and pre-trial investigation authorities, and to other insurance companies.
The disclosure of personal data refers to situations where personal data is given to another controller to process. We also transfer personal data for processing purposes to our partners, who process personal data on our behalf and thus act as our sub-processors.
We have defined retention periods for the personal data we collect, taking into account the requirements of legislation and the effectiveness and fluency of business operations, such as insurance and investment services. Occasionally, we may be required by law to retain data for a certain period of time. Where this is not the case, we retain the data for as long as it is necessary for us.
We store data necessary for the customer relationship at least for the duration of the customer relationship. In general, it is necessary for us to continue storing data even after the customer relationship has ended.
The retention period of your personal data varies depending on the type of service transactions you have or have had. For example:
As a rule, the retention period for insurance and claims data is 100 years from the end of the insurance or the last date of processing of the claim in statutory CTP and accident insurance, and at least 10 years in voluntary types of insurance.
Data related to non-life insurance quotes is stored for at least 18 months from the date of the quote.
Life insurance and claims data are stored for at least 10 years from the end of the insurance.
Data related to life insurance quotes is stored for at least 3 years from the date of the quote.
We record phone calls, audio recordings of online meetings, chat conversations and online messages. They are used for verifying transactions, ensuring the quality of customer service and development and training purposes.
We use automated decision-making. Automated decision-making means that a decision is made entirely on the basis of automated personal data processing without the input of a human. We use automated decision-making to improve the efficiency of our insurance and claims processing and other services we provide, for example.
The data used in automated decision-making include information provided by you and information already in our systems. We may also use personal data obtained from third parties, such as a credit information register, and information about insurance terms and conditions and our internal guidelines.
We will notify you of automated decision-making separately in connection with each service that uses automated decision-making and, if necessary, ask for your consent to its use.
Once you have received the automated decision, you have the right to appeal against it and request that the matter be reviewed by a human employee.
We use automated decision-making in non-life insurance operations in the following contexts, among others:
We may use automated decision-making to decide whether or not to grant an insurance purchased online. The automated system may decide to either grant the insurance or forward the matter to an employee for further processing. Automated decisions are based on information provided by the customer, existing information in our systems and information obtained from third parties, such as a credit information register.
We may use automated decision-making to settle claims and as part of other activities related to claims processing. The automated system may decide to either pay the claim or forward the matter to an employee for manual processing. Automated decisions are based on information provided by you, existing information in our systems, and information obtained from third parties, such as the claims register, as well as insurance terms and conditions.
We also make use of profiling. Profiling means the automated processing of personal data where we evaluate certain personal characteristics by combining and analysing data.
We use profiling for the following purposes, among others:
In insurance processing to price the insurance based on the risk of damage. The risk of damage is calculated based on information about the customer and the insured object.
In claims settlement, when we carry out a risk assessment of the damage in order to identify the risk of fraud. The risk assessment is based on information about the customer and claim.
For targeted marketing.
We may transfer your personal data outside the EU and EEA within the limits of data protection legislation.
Some external service providers or other recipients of personal data may be located or process personal data outside the EU or EEA. We use the necessary transfer mechanisms and complementary safeguards permitted by law to ensure that the level of protection of personal data is not compromised in situations where the data is transferred outside the EU or EEA. Such transfer mechanisms include, for example, adequacy decisions by the European Commission and the use of standard contractual clauses with recipients of data located outside the EU or EEA.
The standard contractual clauses we use are available on the EU legislative and justice website:
We may use your customer due diligence information and other personal data for the prevention, uncovering and investigation of money laundering and the financing of terrorism as prescribed in the Anti-Money Laundering Act, and in bringing under investigation money laundering and financing of terrorism as well as the crime committed to obtain the assets or proceeds of crime involved in the financing of money laundering or the financing of terrorism.
We may use your personal data to determine whether you are subject to international sanctions we are required to comply with.
Finnish insurance companies maintain shared registers about insurance claims and fraudulent claims. Insurance companies disclose information on claims and crimes and suspected crimes against the company to the registers. Insurance companies use the information in the registers when granting insurance and processing claims. The purpose of the registers is to prevent and detect insurance fraud and crime by sharing information between insurance companies. Turva also discloses information to registers and uses the information in the registers.
We register information about claims reported to us in the insurance companies' joint claims register. The register collects information on the claim and the insured person. When the insurance company submits the basic information in the claim to the claims register, the company receives information about claims filed by the applicant at other insurance companies. Based on the information in the claims register, we may also exchange more detailed information about claims with other insurance companies. We use the information in the claims register to prevent fraud against insurance companies, with the purpose of preventing a person from filing false claims at several insurance companies.
Fraudulent claims register
We register information on crimes and suspected offences against our insurance operations in the insurance companies' common fraudulent claims register. The register collects information on the claim and the insured person. In addition, we check the information entered in the register. Entering information in the fraudulent claims register requires that a suspected criminal act has been reported to the police or prosecutor. Entries made on the basis of a suspected crime are erased from the register if the person in question is found innocent of the act in a court of law or the case is dropped. We use the information in the fraudulent claims register in insurance handling and claims settlement to prevent and detect crime against insurance companies.
We use the necessary and best-practice technical and organisational data security methods to safeguard personal data. We protect personal data so that it cannot be accessed without authorisation or lost, destroyed or altered without a basis.
We ensure the protection of personal data with firewalls, separation of environments and various encryption and protection technologies, among other measures. We continuously monitor our data security. We make sure that our data centres are secure and access control is at an appropriate level.
Access to personal data is restricted with suitable access rights restrictions, and we apply access rights management processes. Access rights are always based on work duties. Personal data can only be accessed by employees who have a need to do so for the performance of their duties. We monitor to ensure that access rights are necessary at all times and remove expired access rights.
We collect logs on the processing of personal data. Logs indicate what, why and when a processing activity occurred. We use logs to monitor the processing of personal data, ensure that no errors have occurred and investigate possible errors.
Our employees involved in processing personal data are regularly trained and provided with instructions.
We also require our sub-processors to safeguard the data appropriately, and inspect and audit their operations.
Data subjects’ rights
You have a number of rights related to the processing of your personal data, which are described below.
You can exercise your rights by contacting our Data Protection Officer or through other means indicated by us for this purpose. The contact details of our Data Protection Officer can be found at the bottom of this page in the contact information section. Below, under each right, we explain in more detail how you can exercise that particular right.
Please note that we need to be able to identify you in order to process your request, so when contacting us about the exercise of your rights, you need to include sufficient identifying information such as name, personal identity code, postal address and telephone number.
As a rule, exercising your rights is free of charge for you. However, in the case of clearly unfounded or excessive requests, we may charge a reasonable fee or refuse to comply with the request.
If the processing of your personal data is based on your consent, you have the right to withdraw your consent. The withdrawal of consent has no effect on past processing activities.
When requesting consent, we will also tell you how you can withdraw your consent. In matters related to the withdrawal of consent, you can also contact our Data Protection Officer.
You have the right to know whether we process your personal data and, if so, to receive a copy of all your data and detailed information about the processing of your personal data.
Your key customer information is listed in our online service, where you can view the information at any time. If you wish to view your personal data more extensively, you can submit a separate request for access to your data. You can request access using the
You can send the form or your questions regarding the processing of your data to us using the contact details of our Data Protection Officer.
If your request for access concerns an individual claim, you can most quickly and easily request the data by contacting the party that made the claim settlement decision directly.
Contact details of the Data Protection Officer:
Turva Mutual Insurance Company
Legal and compliance / Data Protection Officer
PO Box 117
You have the right to request the rectification (correction) of inaccurate or incomplete data.
Your key customer information is listed in our online service, where you can also manage the information. You can also update your customer information by contacting our customer service or visiting our branch office. See our contact information for details. You can also send a separate rectification request to our Data Protection Officer.
Data subjects have the right to request the erasure of their personal data.
In certain situations, you have the right to demand the erasure of your data. Personal data may be erased at your request if the retention period of the data has expired or the data is otherwise deemed unnecessary or unjustified. We cannot erase data that must be stored due to a legal obligation or other justified need.
You can also send the request to erase your data to our Data Protection Officer. To identify the customer making the data erasure request, we need your name, address, phone number and personal identity code.
You have the right to prohibit the processing of your data for direct marketing purposes and for profiling related to direct marketing.
You can manage direct marketing permissions in our online service. You can also prohibit direct marketing and related marketing activities by contacting our customer service or visiting our branch office. You can unsubscribe from direct marketing messages by clicking on the link provided in the message.
In certain situations, you have the right to request that the processing of your data be restricted or otherwise object to the processing of your data. You can also request the transfer of personal data that you have provided in a machine-readable format, where technically feasible.
You can exercise these rights by contacting us with the contact details of our Data Protection Officer.
We use automated decision-making. We will notify you of this separately in connection with each service that uses automated decision-making and, if necessary, ask for your consent to its use.
Once you have received the automated decision, you have the right to appeal against it and request that the matter be reviewed by a human employee.
You can exercise your right by contacting the party that issued the decision.
Turva has several personal data files, each of which has its own privacy statement. In the privacy statement, we explain important information related to the processing of personal data, such as the controllers, types of personal data collected, purposes of processing and the legal basis for processing.
You can read the privacy statement for Turva’s common customer data file and the privacy statements of other key data files from the links below.
The privacy statements are available in Finnish.
We reserve the right to change and update the privacy statements if necessary.
Privacy statement for the customer data file
Privacy statement for the job applicant data file
Privacy statement for the insurance and claims register of non-life insurance
The controller is Turva Mutual Insurance Company. The controller for life insurance products is LocalTapiola.
Turva Mutual Insurance Company
Legal and compliance / Data Protection Officer
PO Box 117
If you feel that our processing of personal data violates the law, you have the right to lodge a complaint with the supervisory authority. In Finland, the supervisory authority is the Data Protection Ombudsman. However, we recommend that you first contact us using the contact details of our Data Protection Officer.
Customer due diligence
We identify and know our owner-customers and partners. Knowing our customers also helps us provide them with even better service.
The first and foremost reason why we ask for your customer information is to ensure that the customer’s interests are met. In addition, as a financial sector operator, Turva is required by the law to identify and know its customers. By identifying and knowing its customers, Turva ensures that customer information is up-to-date and prevents abuse in the financial sector.
Turva has a strong presence in various social media channels. Where applicable, we act as joint controllers of personal data with social media service providers (Meta, LinkedIn and Twitter) for Turva's community pages, messaging services, tracking pixels and visitor data in these channels. This information applies to persons who have interacted with one of the social media community pages managed by Turva or have accepted social media cookies on the Turva website.
We process the data subject's personal data on the basis of our legitimate interest. In the case of tracking pixels, the processing is based on the consent given by the data subject. We use the data to maintain community pages, market Turva's services, products and offers, carry out competitions and raffles, receive feedback, purchase advertising from social media channels, measure the availability of pages or advertisements, and to provide customer service on social media. We only process data for our own purposes. Social media service providers process data in accordance with their own data protection principles and are generally responsible for compliance with data protection legislation and the implementation of data security and the rights of data subjects. You can manage your privacy settings in the service in question.
We obtain information that a data subject has made public in the service, such as username and profile picture. In addition, the data subject may provide other information on their own initiative through comments, publications or messaging services. We also receive anonymised statistical data about visitors to our community pages and how visitors interact with the page content (Meta Page Insights, LinkedIn Page Analytics and Twitter Analytics). The data we store in the data file is not transferred outside the European Union or European Economic Area.
The controller determines the retention period of personal data, taking into account applicable legislation as well as the needs and efficiency of business operations. The purpose of the retention periods is to safeguard the rights of both the data subjects and Turva. We may process comments, posts and messages on community pages until the data subject deletes the comment or post. We may also delete a comment or post earlier if we deem it necessary to ensure the appropriateness of comments and posts, for example. Data subjects may request the deletion of a conversation in the messaging service from the owner of the community page in the service. You can also restrict the processing of your personal data by unliking and/or unfollowing the community page.
Facebook and Instagram
Where applicable, we act as joint controllers with Meta Platforms Ireland Ltd. (Meta) with respect to Turva's community pages, messaging service, insights and tracking pixel in the service.
We have signed an addendum on joint controllership, which defines the responsibilities of both controllers regarding compliance with obligations under the EU General Data Protection Regulation (GDPR) and the joint processing of personal data. Learn more at
Where applicable, we act as joint controllers with LinkedIn Ireland Unlimited Company (LinkedIn) with respect to Turva's community pages, messaging service, insights and tracking pixel in the service.
We have signed an addendum on joint controllership for the processing of visitor data (Page Insights), which defines the responsibilities of both controllers regarding compliance with obligations under the EU General Data Protection Regulation (GDPR) and the joint processing of personal data. For more information, please visit:
Where applicable, we act as joint controllers with Twitter International Unlimited Company (Twitter) with respect to Turva's community pages, messaging service, insights and tracking pixel in the service.
Our websites and services may contain links to third-party sites and services and embedded content from third parties, such as Google Maps and YouTube videos. These third parties have their own privacy policies, which you can read on their respective websites.
In order to implement the principle of public access, Turva maintains a description of its data reserves. This is known as the description of document publicity. The purpose of the description is to assist Turva's customers when they wish to make a request for information concerning Turva's documents.