Corporate governance privacy statement

Varma’s corporate governance is based on the Finnish Act on Earnings-Related Pension Insurance Companies. Varma has executive bodies in accordance with the law and the Articles of Association. In this task, we process and maintain the personal data of persons belonging and related to Varma’s corporate governance and some of their related parties. In addition, we process personal data in connection with corporate governance tasks related to Varma’s statutory obligations, official regulations and contractual obligations.

Privacy Statement

The processing of data is based context-specifically on Varma’s statutory obligations, legitimate interest, performance of a contractual relationship or consent.

To the applicable extent, the data may be processed for the following purposes, among others:

The activities of the governing executive bodies, for example

  • the selection and operation of the company’s executive bodies and the organisation of related corporate governance (Annual General Meeting, Supervisory Board, Election Committee, Board of Directors, and President and CEO)
  • obligations relating to any business transactions with management and its related parties
  • reporting in accordance with the corporate governance recommendation
  • reporting on external positions of trust held by Varma employees
  • administration of Varma’s advisory boards related to earnings-related pension operations (advisory boards for pension matters, people covered by insurance, entrepreneurs, employers and pension recipients)

Compliance with statutory and regulatory obligations as well as contractual obligations, such as

  • compliance with obligations related to insider matters and the prevention of market abuse
  • compliance with obligations related to the prevention of money laundering and the financing of terrorism, and sanctions regulations
  • operations of the whistleblowing channel
  • contract operations and management, accounting, taxation, monetary transactions and the organisation of audits
  • maintenance of the transparency register

The data processed depends on the purpose of the processing of personal data related to corporate governance. The data processed includes, for example:

  • In relation to the operations of the governing executive bodies: basic data and banking details of the members of the bodies, basic data of the management member’s spouse and incompetent wards and data about their controlled corporations, data required for management qualification regulations and data related to meeting arrangements, for example
  • In relation to the administration of the advisory boards related to Varma’s earnings-related pension operations: the basic data and banking details of the advisory board members as well as data related to meeting arrangements, for example
  • In relation to reporting in accordance with the corporate governance recommendation and reporting based on sustainability legislation and commitments: data concerning Varma’s management, such as name, year of birth, education and work experience
  • In relation to insider matters and the prevention of market abuse: basic data of insiders, data about controlled entities, data about underage children and other wards, data about the ownership of securities and any other data required by law, for example
  • In relation to the prevention of money laundering and the financing of terrorism, sanctions regulations and the operations of the whistleblowing channel: data required by law
  • In relation to contract operations and management as well as accounting, taxation and the management of monetary transactions and the organisation of audits: names and contact details of contract partners, invoicers and other similar parties as well as their representatives and other contact persons, for example
  • In relation to activities related to ensuring a high standard of ethics (such as identifying conflicts of interest): names and data associated with dependencies, for example.
  • In relation to lobbying reporting into the transparency register, we process data required by applicable legislation, such as name details.

The data is mainly requested from the data subject themselves. Varma may also obtain data from other sources based on the purpose of data use in accordance with applicable legislation. Data may also be obtained from the Trade Register and other official registers, for example.

The data is stored according to the purpose of its use as required by applicable legislation.

Varma may only disclose your data to parties with a statutory right to receive the data for a purpose specified by law. Such parties include various authorities in the way separately set out in legislation. For example, the personal data of members of Varma’s governing bodies are registered in the Trade Register in accordance with applicable legislation.

In addition, we use subcontractors in the processing and storage of data. According to law, Varma is liable for their activities as strictly as it is for its own operations.

Personal data may only be processed by persons authorised to do so in accordance with access rights management. Access to personal data, hardware and servers is limited to persons whose duties require it. The persons processing the data are subject to a statutory secrecy obligation, and they have additionally signed a separate non-disclosure agreement.

Subcontractors may also be used for performing services. The subcontractors are subject to the same non-disclosure regulations and commitments as Varma’s employees.

The employees have been instructed in the processing of personal data, and they are trained and tested to understand and prevent risks to the data in the data file.

Compliance with the principles of processing personal data is verified through internal and external audits and by documenting our own operations.

Varma maintains high-quality data security in its internal data network. The transfer of personal data in the public data network is secured using secure and appropriate encryption technology. When transmitted through the public communications network, confidential data is secured by technical measures. The servers used in processing data are located in data centres protected with access control and security systems, and data files containing personal data have been isolated from public information networks with technical security measures. Personal data is stored in secured premises.

The data is backed-up regularly and log data is collected on the use of data to develop the services and investigate any incidents and cases of abuse.

The confidentiality, integrity, availability, data availability and redundancy of processing systems and services is ensured through various systems and methods, such as data security updates and system audits.

With regard to service companies engaging in data processing, the processing of data is based on agreements and access rights granted and supervised by Varma.

Yes. In such transfers, the protection of personal data is secured through GDPR-compliant transfer mechanisms.

No.

If you would like to get additional information about the processing of personal data at Varma, please contact us by secure email.

You have the right to receive a confirmation of whether personal data about you is processed by Varma. In case we process your personal data, you have the right to receive a copy of the data processed. Please send your request for information by secure email.

We will provide the information to you within a month of receiving your request. The fixed period may be extended by a maximum of two months in certain situations. If the period is extended, we will inform you of it within one month of receiving your request.

If you observe a shortcoming, inaccuracy or error in the personal data we have provided to you, you have the right to request your data is supplemented or rectified. The same right applies to outdated information. Please send your request to have your data supplemented or rectified by secure email.

You have the right to request Varma as the controller to erase, for example, outdated data about you. In this case, the data must be erased immediately when there are no longer grounds for the processing. This right applies to situations in which personal data is no longer needed for the purposes for which it was collected or if you withdraw your consent to the processing of data and the processing was based on your consent and there are no other legal grounds for the processing and it does not need to be stored by law.

The right to demand personal data be erased referred to in data protection legislation does not apply to situations in which there is a statutory obligation to store the data or the data needs to be stored to prepare, present or defend a legal claim.

Therefore, it is not possible to erase the data based on a demand during the period when it has to be stored in the above-mentioned situations.

However, we will erase your personal data without a separate request after the fixed period for its storage has expired.

If the automatic processing of your data is based on consent or an agreement concluded with you, you have the right to receive the information about you, after which you may transfer the information to another controller. This only applies to information you have provided to Varma yourself. We will provide the information in a commonly used electronic format.

Since it concerns the implementation of Varma’s statutory tasks, Varma is obligated to process your personal data, and the processing cannot be prohibited. The right to demand the restriction of personal data processing referred to in data protection legislation does not apply to statutory operations, so it is not possible to restrict the processing of data.

You have the right to have Varma, as the controller, restrict the processing of data about you in certain situations. The restriction on processing refers to marking the stored data with the aim of restricting its subsequent processing.

In spite of this, your data may continue to be stored. You will be notified before the restriction is removed. You can exercise the right if you deny the accuracy of the data or lawfulness of processing, for example. Processing will be restricted while the accuracy of the data or lawfulness of processing is ensured.

If Varma refuses to carry out measures according to your request, we will inform you of the legal grounds for our refusal without delay and no later than one month after we have received your request. If Varma refuses your request, you can take the matter to the office of the data protection ombudsman. We will include the contact details of the office of the data protection ombudsman in our response letter. You have the possibility to file an appeal against the data protection ombudsman's decision with the Administrative Court, in accordance with the Administrative Judicial Procedure Act. The data protection ombudsman's decision includes instructions on how to appeal against the decision with the Administrative Court.

Send a secure email

This Privacy Statement is based on the requirements of the European Union's General Data Protection Regulation (GDPR).

Updated 14 October 2024


© Varma Mutual Pension Insurance Company