The purpose of this notice is to provide privacy information required by the EU General Data Protection Regulation (GDPR) to both the data subject i.e. the data controller’s client and to the supervisory authority. The register is the company’s client register and covers the clients and prospective clients of the data controller.
2 DATA CONTROLLER AND CONTACT DETAILS
Name and business ID: Söderberg & Partners Finland Oy, 2708514-7, “data controller”
Address: Töölönkatu 4, 00100, Helsinki
3 PURPOSE AND LEGAL BASIS FOR PROCESSING PERSONAL DATA
The purpose and the applicable legal basis for the use of personal data are as follows:
Providing and developing insurance broking services, and related consultancy and advisory services on the basis of agreements with corporate and public entity clients.
Fulfilment of statutory obligations and legal requirements (such as identification of the client and the prevention of money laundering and terrorist financing), including compliance with the regulations and instructions of the supervising authorities (Financial Supervisory Authority).
We are lawfully registered by the Financial Supervisory Authority who regulates and supervises our activities. Insurance brokerage is subject of special legislation that controls the activities of registered insurance brokers, including strict obligation of confidentiality as regards personal data and other client specific information.
4 CATEGORIES AND CONTENTS OF PERSONAL DATA
Regarding our corporate and public entity clients, our client register may contain statutory information required to identify the client and its status, entities’ ID-numbers, names, addresses, financial data, insurance contracts, resumes of insurances, insurance solutions, quotations and proposals as well as service contracts and invoicing & payment data.
As regards persons employed or represented by our client entities, the client register may contain:
- names, ID-numbers, titles
- addresses, telephone numbers and e-mail addresses
- information on employment and remuneration history
- limited health status data
5 SOURCES OF PERSONAL DATA
Personal data may be obtained from our contractual corporate and public entity clients, from the subject individuals themselves, from insurance companies, cookies and from publicly available sources.
6 RECIPIENTS AND GROUPS OF RECIPIENTS OF PERSONAL DATA
Personal data may be disclosed, inter alia, to insurance companies, pension institutions, social insurance institutions, health care providers, client entities and the subject individual for the fulfilment of our contractual obligations; and to competent authorities in statutory situations.
7 TRANSFERING PERSONAL DATA
Personal data processed by us or by our subcontractors is not transferred outside of the EU or the EEA.
8 PROTECTION OF THE REGISTER
The protection of the means and equipment for storing data and documents is appropriately maintained and the documents are stored in a secured space. The access control at the data controller’s premises has been appropriately arranged.
The right to access to the data and documentation (whether in electronic or written form) is controlled by each responsible broker who will allow access only to such other employees of the controller as are under obligation of confidentiality.
9 DATA RETENTION
Data will be saved only as long as our contractual obligations to the client or our statutory obligations so require. Unnecessary and outdated data will be erased, also at other times when deemed necessary or required by law or statutory regulations.
10 RIGHTS OF THE DATA SUBJECT
Each individual data subject has the right to receive confirmation from the data controller as to whether or not personal data concerning the data subject are being processed, or whether personal data has been processed.
The data subject is entitled to receive a copy of the processed personal data and the personal data undergoing processing.
The data subject has also the right to obtain from the controller the rectification, erasure or processing restriction of personal data concerning him/her and the data subject has the right to prohibit the processing of personal data for direct marketing purposes.
Where processing of personal data of the data subject is based on consent, the data subject shall have the right to withdraw his/her consent. However, a withdrawal of consent may detrimentally affect the usability and functionality of the service in question.
The withdrawal of consent shall not affect the right and lawfulness of processing based on consent prior to its withdrawal.
All requests mentioned here shall be provided to the data controller.
In case the data subject finds the processing of his or her personal data unlawful, he/she has the right to lodge a complaint with the competent supervisory authority.