Alandia Insurance is the name used for the group of companies consisting of Försäkringsaktiebolaget Alandia and Försäkringsaktiebolaget Liv-Alandia.
- Försäkringsaktiebolaget Alandia, Business ID (FO No.) 0145065-2 (FI), Corporate Registration No. 502049-4224 (SE)
- Försäkringsaktiebolaget Liv-Alandia, Business ID (FO No.) 0971621-6
The above companies referred to, which are both Finnish limited liability insurance companies within Alandia Insurance have been granted a concession in Finland, and the business is monitored by the Finnish Financial Supervisory Authority, www.finansinspektionen.fi and the Office of the Data Protection Ombudsman, www.tietosuoja.fi
Alandia Insurance also operates in various other EU and EEA countries, and our operations are monitored by the relevant supervisory authority, e.g. in Sweden by the Swedish Financial Supervisory Authority, www.finansinspektionen.se.
The aim of the GDPR is to secure the freedom and rights of individuals with respect to their personal data. The GDPR is to replace Directive 95/46/EC and strengthen and harmonise EU/EEA procedures concerning the collection, storage, processing, access, use, transfer and deletion of personal data, and by establishing obligations for "controllers" and "processors" of personal data. The GDPR aims to provide individuals with the same level of legally enforceable rights throughout the EU/EEA, and a supervisory framework.
The GDPR applies to those “controllers” and “processors” within the EU/EEA who may process personal data, but also to those outside the EU/EEA who may offer goods or services to individuals within that area or send personal data to organisations within the EU/EEA, or send personal data to recipients within the EU/EEA.
The role of Alandia Insurance as controller
Each limited liability company within the Alandia group of companies will act as a controller in relation to external service providers when determining the purposes and the means (type of data and method) of processing of personal data. In these circumstances the service providers are considered to be processors.
If the processor determines the purpose and means of processing of personal data, the processor shall be considered to be a controller in respect of that processing.
When external service providers such as correspondents, surveyors, experts and brokers determine the purpose and means of the processing of the relevant data they will in these circumstances be considered to be controllers in relation to each limited liability company.
The duty of the controller is to implement appropriate measures for the processing of personal data in accordance with the GDPR, which includes implementing a data protection policy and other specific procedures for processing personal data.
The processor on the other hand must provide the controller with guarantees of appropriate technical and organisational measures so that the processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. In these circumstances a separate contract or agreement complying with special requirements should be concluded between the controller and the processor.
“Personal data” means any information relating to an identifiable person (i.e. the data subject) who can be identified directly or indirectly.
“Processing personal data” means any operation or set of operations that is performed on personal data, such as collection, recording, storage, alteration, use, disclosure by transmission, dissemination or otherwise making available, deletion or destruction.
Personal data that is collected
In order to provide insurance services and conduct our business we may collect and process the following personal data:
- contact information regarding customers, correspondents, brokers and other service providers or relevant parties in association with our insurance business
- data relating to the insurance agreement and other data needed for the specific insurance
- information needed for claims handling
- information about current and/or former employees and personnel representatives
Alandia Insurance may also collect health information (sensitive personal data) when needed for the handling of personal injury/illness claim cases. This information will only be used for the specific purposes for which it was provided in order to carry out the agreed service.
Purpose of collection and processing of personal data
Personal information is used to respond to your request or inquiry, and in the ordinary course of conducting our business. Personal data is used for the purpose of:
- providing and administering relevant insurance policies
- handling and paying claims
- performing due diligence to avoid money laundering, fraud and financial crime
- recruiting personnel and fulfilling duties as an employer
- for marketing purposes
Collection of personal data to assess credit rating
Alandia Insurance has the right to use credit data when assessing whether an insurance is to be granted. Single instances of payment default are not, however, an obstacle when granting an insurance. Several instances of payment default in a credit register may nevertheless be an obstacle in terms of granting an insurance, where an objective assessment of the instances of payment default shows that the customer may neglect payment of insurance premiums. In these instances, Alandia strives, together with the applicant, to investigate the prerequisites for granting an insurance.
Collection of personal data in order to prevent money laundering and financing of terrorism
Personal data that is collected in order to prevent money laundering and financing of terrorism is only processed in order to prevent, reveal and investigate crimes. We comply with Finnish legislation on prevention of money laundering, the aim of which is to prevent money laundering and financing of terrorism, to contribute towards its being revealed and investigated, and to rationalise saving and recovery of the proceeds of crime. According to the law we are obliged to always establish a customer’s identity and to report to the authorities if there is any reason to doubt the legal origin of the funds or other property used in a business transaction or if there is a reason to suspect that they are used for committing a crime within the meaning of the law.
How personal data is collected
The personal data is collected from you and the parties you authorise, as well as from public records kept by the authorities. Personal data from elsewhere is only collected pursuant to legislation. Data can be collected from hospitals, care facilities, doctors, other insurance companies, the Social Insurance Institution, the Tax Administration, the police and credit-information records. In order to process personal injury/illness claims personal data including health data can also be collected from correspondents, brokers and other service providers.
The legal basis for lawful processing
We process personal data in accordance with GDPR and Personal Data Act as well as other relevant legislation.
Personal data may be processed on the following legal grounds:
- when necessary in order to enter into a contract at the request of the data subject
- to meet obligations under a contract to which the data subject is party
- to meet statutory or other regulatory requirements
- to verify agreements/events in the event of disputes
- to meet operational needs
- for a specific purpose with the data subject’s consent
Disclosure of personal data
We do not disclose confidential personal data to unauthorised persons unless you have given your consent for this, or the disclosure is pursuant to a law. We reserve the right to forward data to other companies within the group and to other companies we are collaborating with, for the purposes of customer care and marketing.
Protection of personal data
We prevent unauthorised persons from gaining access to customer information by means of authentication and authorisation checks for the computer systems, firewalls and network security and by means of access control to locations where physical documents are stored.
Right to scrutiny and correction
As a data subject you have the right to review your personal data and demand that incorrect, unnecessary, deficient or out-of-date personal data be corrected.
More detailed information on the personal data being processed and how it is processed by Alandia Insurance is stated in the relevant Privacy notice.
In the Privacy notice you will find more detailed information, e.g. regarding the purpose of the processing, the legal basis for the processing, what personal data the processing covers, where the personal data is collected from and where it is passed on, and for how long it will be saved.
Right to deletion
As a data subject you have the right to have your personal data deleted if it is no longer necessary for the purposes for which it has been collected.
You do not, however, have the right to deletion of the personal data if this data must be stored in order to establish, assert or defend legal claims. Neither is there any right to deletion of personal data during the period when there is a legal obligation to save the personal data.
Right to limited processing
As a data subject you have the right to limit the processing of personal data in order to check whether the personal data is correct or that it is being processed in accordance with the law.
When dealing with statutory accident insurances, as a data subject you do not, however, have the right to request that the processing of the personal data be limited if this request is deemed to be clearly unfounded.
If the processing of your personal data has been limited, it can still be processed if you have consented to this, or if this is necessary in order to establish, assert or defend legal claims.
Right to object to processing
As a data subject you have the right to object to the processing of personal data. If as a data subject you object to the processing of personal data, then this data can no longer be processed – something that may affect the administration of your insurance and handling of claims.
If there is a legal obligation to process personal data, you do not have the right to object to the processing. Neither do you have the right to object to the processing if the personal data is needed in order to establish, assert or defend legal claims.
As a data subject you always have the right to object to processing of your personal data for direct marketing purposes.
Right to data portability
As a complement to your right to review your personal data you also have the right to have any personal data you have passed on to us transferred to you.
You do not, however, have the right to have your personal data transferred if the processing of this data is necessary in order to fulfil a legal obligation.
Procedures for the exercising of the data subject’s rights
If you wish to exercise any of your rights you may use the form Request to exercise data subjects’ rights. State which right you wish to exercise, and if possible what data your request concerns and why you wish to exercise the right.
Your request will be responded to without delay, and at the latest one month from our receiving your request. If Alandia refuses to carry out measures in accordance with your request, we will inform you of the legal reason for this and will attach instructions on how to appeal the response.
Dissatisfaction with processing of personal data
If you deem the processing of your personal data to be in conflict with the current data protection legislation you can email Alandia Insurance’s data protection officer Jan-Mikael Huhtala at firstname.lastname@example.org. In Finland you have the option of bringing your case to the Office of the Data Protection Ombudsman for processing.