Data protection

The data subjects are Turva's insurance and insurance claims customers. In the case of institutional customers, the data subjects are their affiliated persons, such as beneficial owners. Data subjects also include customers who have previously been our customers as well as potential customers and their affiliated persons. Persons related to the customer, such as guardians and attorneys-in-fact, are also data subjects.

We only process personal data that is necessary for our purposes, such as:

We process personal data only for predefined purposes, such as:

We process personal data mainly on the basis of a contractual relationship and the measures preceding it. The performance of a contract is the primary basis for processing, in cases such as when we process the policyholder's personal data for the purpose of giving an insurance quote and later when the insurance contract is in force.

The processing of personal data may also be based on the consent of the data subject or on the legal obligations or legitimate interests of the controller of the data, Turva. We may disclose information to our service provider partners on the basis of consent, whereas the Anti-Money Laundering Act obligates us to collect and store certain identifying personal data on our customers. Legitimate interest is the basis for processing, for example, when we process personal data for direct marketing purposes, to prevent misuse and fraud, or to pay compensation to an injured party not part of the customer relationship.

We mainly collect your personal data directly from you. You provide us with your data when you interact with us, such as when you enter into an insurance or investment service contract, claim compensation, log in to our online service, call our customer service or participate in our competitions. We may also collect data about you by observing how you use our services, especially through cookies. Our use of cookies is described in more detail in the section on cookies.

We also collect your data from third parties, such as parties authorised by you, registers maintained by the authorities, credit information registers, joint registers of insurance companies, medical institutions and other insurance companies. We update addresses from Posti's address service and cross-check with the Population Information System to ensure that the information is accurate and up-to-date.

Your data will only be processed by Turva employees who need access to the data to perform their duties. Turva's employees are bound by a statutory obligation of secrecy, and each employee must also sign a non-disclosure agreement in which they pledge to keep customer information confidential.

In producing and providing our services, we use partners to whom we transfer personal data for processing. These partners act as our sub-processors and process personal data in accordance with our instructions. We require our sub-processors to protect personal data appropriately and we inspect and audit their operations.

We disclose personal data to parties outside Turva only with your consent or when there is a legal basis for disclosing the data. We may disclose your data based on your consent, such as when we send a direct billing authorisation to a medical institution. Based on the law, we may disclose your data to the authorities, such as tax authorities, prosecutors and pre-trial investigation authorities, and to other insurance companies.

The disclosure of personal data refers to situations where personal data is given to another controller to process. We also transfer personal data for processing purposes to our partners, who process personal data on our behalf and thus act as our sub-processors.

We have defined retention periods for the personal data we collect, taking into account the requirements of legislation and the effectiveness and fluency of business operations, such as insurance and investment services. Occasionally, we may be required by law to retain data for a certain period of time. This is not always the case, in which case we retain the data for as long as it is necessary for us.

We store data necessary for the customer relationship at least for the duration of the customer relationship. In general, it is necessary for us to continue storing data even after the customer relationship has ended.

The retention period of your personal data varies depending on the type of service transactions you have or have had. For example:

We record phone calls, audio recordings of online meetings, chat conversations and online messages. They are used for verifying transactions, ensuring the quality of customer service and development and training purposes.

We use automated decision-making. Automated decision-making means that a decision is made entirely on the basis of automated personal data processing without the input of a human. We use automated decision-making to improve the efficiency of our insurance and claims processing and other services we provide, for example.

The data used in automated decision-making include information provided by you and information already in our systems. We may also use personal data obtained from third parties, such as a credit information register, and information about insurance terms and conditions and our internal guidelines.

We will notify you of automated decision-making separately in connection with each service that uses automated decision-making and, if necessary, ask for your consent to its use.

Once you have received the automated decision, you have the right to appeal against and request that the matter be reviewed by a human employee.

We use automated decision-making in non-life insurance operations in the following contexts, among others:

We also make use of profiling. Profiling means the automated processing of personal data where we evaluate certain personal characteristics by combining and analysing data.

We use profiling for the following purposes, among others:

We may transfer your personal data outside the EU and EEA within the limits of data protection legislation.

Some external service providers or other recipients of personal data may be located or process personal data outside the EU or EEA. We use the necessary transfer mechanisms and complementary safeguards permitted by law to ensure that the level of protection of personal data is not compromised in situations where the data is transferred outside the EU or EEA. Such transfer mechanisms include, for example, adequacy decisions by the European Commission and the use of standard contractual clauses with recipients of data located outside the EU or EEA.

The standard contractual clauses we use are available on the EU legislative and justice website: Commission Decision (2021/914) (in Finnish). You can also request a copy of the standard contractual clauses by contacting our Data Protection Officer.

We may use your customer due diligence information and other personal data for the prevention, uncovering and investigation of money laundering and the financing of terrorism as prescribed in the Anti-Money Laundering Act, and in bringing under investigation money laundering and financing of terrorism as well as the crime committed to obtain the assets or proceeds of crime involved in the financing of money laundering or the financing of terrorism.

We may use your personal data to determine whether you are subject to international sanctions we are required to comply with.

Finnish insurance companies maintain shared registers about insurance claims and fraudulent claims. Insurance companies disclose information on claims and crimes and suspected crimes against the company to the registers. Insurance companies use the information in the registers when granting insurance and processing claims. The purpose of the registers is to prevent and detect insurance fraud and crime by sharing information between insurance companies. Turva also discloses information to registers and uses the information in the registers.

We register information about claims reported to us in the insurance companies' joint claims register. The register collects information on the claim and the insured person. When the insurance company submits the basic information in the claim to the claims register, the company receives information about claims filed by the applicant at other insurance companies. Based on the information in the claims register, we may also exchange more detailed information about claims between other insurance companies. We use the information in the claims register to prevent fraud against insurance companies, with the purpose to prevent a person from filing false claims at several insurance companies.

We register information on crimes and suspected offences against our insurance operations in the insurance companies' common fraudulent claims register. The register collects information on the claim and the insured person. In addition, we check the information entered in the register. Entering information in the fraudulent claims register requires that a suspected criminal act has been reported to the police or prosecutor. Entries made on the basis of a suspected crime are erased from the register if the person in question is found innocent of the act in a court of law or the case is dropped. We use the information in the fraudulent claims register in insurance handling and claims settlement to prevent and detect crime against insurance companies.

We use the necessary and best-practice technical and organisational data security methods to safeguard personal data. We protect personal data so that it cannot be accessed without authorisation or lost, destroyed or altered without a basis.

We ensure the protection of personal data with firewalls, separation of environments and various encryption and protection technologies, among other measures. We continuously monitor our data security. We make sure that our data centres are secure and access control is at an appropriate level.

Access to personal data is restricted with suitable access rights restrictions, and we apply access rights management processes. Access rights are always based on work duties. Personal data can only be accessed by employees who have a need to do so for the performance of their duties. We monitor to ensure that access rights are necessary at all times and remove expired access rights.

We collect logs on the processing of personal data. Logs indicate what, why and when a processing activity occurred. We use logs to monitor the processing of personal data, ensure that no errors have occurred and investigate possible errors.

Our employees involved in processing personal data are regularly trained and provided with instructions.

We also require our sub-processors to safeguard the data appropriately, and inspect and audit their operations.

The controller is Turva Mutual Insurance Company. The controller for life insurance products is LocalTapiola.

Further information on the processing of personal data is available at Turva’s branch offices. In questions about the processing of personal data and data security, you can email us at tietosuoja(at)turva.fi .

Contact information for Turva’s Data Protection Officer:
Phone: 03 2313 9355
Email: tietosuoja(at)turva.fi

Mailing address:
Turva Mutual Insurance Company
Legal and compliance / Data Protection Officer
PO Box 117
FI-33100 Tampere

If you feel that our processing of personal data violates the law, you have the right to lodge a complaint with the supervisory authority. In Finland, the supervisory authority is the Data Protection Ombudsman. However, we recommend that you first contact us using the contact details of our Data Protection Officer.

Contact information of the Office of the Data Protection Ombudsman

Email: tietosuoja@om.fi
Mailing address: PO Box 800, FI-00531 Helsinki
Phone: 029 566 6700

The first and foremost reason why we ask for your customer information is to ensure that the customer’s interests are met. In addition, as a financial sector operator, Turva is required by the law to identify and know its customers. By identifying and knowing its customers, Turva ensures that customer information is up-to-date and prevents abuse in the financial sector.

Turva has a strong presence in various social media channels. Where applicable, we act as joint controllers of personal data with social media service providers (Meta, LinkedIn and Twitter) for Turva's community pages, messaging services, tracking pixels and visitor data in these channels. This information applies to persons who have interacted with one of the social media community pages managed by Turva or have accepted social media cookies on the Turva website.

We process the data subject's personal data on the basis of our legitimate interest. In the case of tracking pixels, the processing is based on the consent given by the data subject. We use the data to maintain community pages, market Turva's services, products and offers, carry out competitions and raffles, receive feedback, purchase advertising from social media channels, measure the availability of pages or advertisements, and to provide customer service on social media. We only process data for our own purposes. Social media service providers process data in accordance with their own data protection principles and are generally responsible for compliance with data protection legislation and the implementation of data security and the rights of data subjects. You can manage your privacy settings in the service in question.

We obtain information that a data subject has made public in the service, such as username and profile picture. In addition, the data subject may provide other information on their own initiative through comments, publications or messaging services. We also receive anonymised statistical data about visitors to our community pages and how visitors interact with the page content (Meta Page Insights, LinkedIn Page Analytics and Twitter Analytics). The data we store in the data file is not transferred outside the European Union or European Economic Area.

The controller determines the retention period of personal data, taking into account applicable legislation as well as the needs and efficiency of business operations. The purpose of the retention periods is to safeguard the rights of both the data subjects and Turva. We may process comments, posts and messages on community pages until the data subject deletes the comment or post. We may also delete a comment or post earlier if we deem it necessary to ensure the appropriateness of comments and posts, for example. Data subjects may request the deletion of a conversation in the messaging service from the owner of the community page in the service. You can also restrict the processing of your personal data by unliking and/or unfollowing the community page.

Where applicable, we act as joint controllers with Meta Platforms Ireland Ltd. (Meta) with respect to Turva's community pages, messaging service, insights and tracking pixel in the service.

We have signed an addendum on joint controllership, which defines the responsibilities of both controllers regarding compliance with obligations under the EU General Data Protection Regulation (GDPR) and the joint processing of personal data. Learn more at https://www.facebook.com/legal/controller_addendum

For Facebook Insights (Page Insights), the controllers' responsibilities for complying with their obligations under the GDPR are described in the Page Insights Controller addendum. Learn more at https://www.facebook.com/legal/terms/page_controller_addendum

Meta processes personal data in accordance with its own privacy policies. For more information about the purposes, legal bases and privacy policies of Meta's processing of personal data as well as the information required by the joint controllership and Articles 13(1)(a) and (b) of the GDPR, please see Facebook's Privacy Policy at www.facebook.com/privacy/policy

Where applicable, we act as joint controllers with LinkedIn Ireland Unlimited Company (LinkedIn) with respect to Turva's community pages, messaging service, insights and tracking pixel in the service.

We have signed an addendum on joint controllership for the processing of visitor data (Page Insights), which defines the responsibilities of both controllers regarding compliance with obligations under the EU General Data Protection Regulation (GDPR) and the joint processing of personal data. For more information, please visit: https://legal.linkedin.com/pages-joint-controller-addendum

For more information about the purposes, legal bases and privacy policies of LinkedIn's processing of personal data as well as the information required by the joint controllership and Articles 13(1)(a) and (b) of the GDPR, please see LinkedIn's Privacy Policy at https://www.linkedin.com/legal/privacy-policy

Where applicable, we act as joint controllers with Twitter International Unlimited Company (Twitter) with respect to Turva's community pages, messaging service, insights and tracking pixel in the service.

For more information about the purposes, legal bases and privacy policies of Twitter's processing of personal data as well as the information required by the joint controllership and Articles 13(1)(a) and (b) of the GDPR, please see Twitter's Privacy Policy at https://twitter.com/en/privacy

Our websites and services may contain links to third-party sites and services and embedded content from third parties, such as Google Maps and YouTube videos. These third parties have their own privacy policies, which you can read on their respective websites.

In order to implement the principle of public access, Turva maintains a description of its data reserves. This is known as the description of document publicity. The purpose of the description is to assist Turva's customers when they wish to make a request for information concerning Turva's documents.

On this page , you can read pre-contract information related to distance sales when purchasing insurance from Turva.