The handling and protection of personal information at Elo

© Elo Mutual Pension Insurance Company 2019

Acquiring and handling of information

Elo’s tasks, intended uses of personal data, and registered persons

Elo Mutual Pension Insurance Company is an employment pension company that manages the statutory pension security of employees and self-employed persons in accordance with the Employees’ Pensions Act (TyEL) and the Self-Employed Persons Pension Act (YEL), and, for this purpose, manages the accrued funds in a manner that ensures the benefits inherent to the insurances.

Elo only collects personal data to the extent that is necessary for the implementation of the tasks stated below. Elo processes the personal data of its customers and ensures the protection of its customers’ privacy in accordance with the currently valid relevant legislation, including pension legislation, the EU General Data Protection Regulation (hereinafter GDPR), the national data protection legislation and legislation governing the insurance industry and credit institutions as well as provisions concerning investment funds.

Statutory services

For the purpose of managing statutory pension security, Elo maintains and processes personal data concerning the insured, policyholders and those who represent them (such as insurance brokers), and applicants and recipients of pensions and rehabilitation benefits.

In order to execute statutory pension security, Elo processes information provided by the applicants themselves and information retrieved from Elo’s registers, the shared registers of the employment pension scheme and different authorities. Elo’s statutory tasks also include providing customers with preliminary advice concerning pension issues, and personal data is also processed for this purpose. In connection with compensation settlements and the provision of preliminary advice, Elo also processes information related to the individual’s health.

For the purpose of insurance management, we need information about the contact persons of our policyholders and about the ownership of companies. For the determination of TyEL insurance contributions, we gather information about the employees’ wages and salaries, which are necessary for the calculation of the employees’ pension amounts as well. Insurance information is also processed for the purpose of monitoring the insurance business.

The processing of personal data within insurance and compensation activities is based on Finnish legislation, the GDPR and social security agreements. If Elo does not receive information to which it is entitled by virtue of the law or information that is requested as necessary in order to settle an issue, it will not be possible to resolve the issue, or the lack of information may lead to an unfavourable outcome for the registered person or policyholder.

Information collected for the management of statutory tasks is also used for statistics and research as well as for the purpose of ensuring the functioning and accuracy of specific systems (testing).

Online service agreements and use of the online services

Consumer customers and corporate customers can sign agreements with Elo for the use of online services. In order to provide the Online Service, Elo maintains information concerning the users of Elo’s Online Service.

By their use of the online services, the customers consent to disclosing to Elo information related to online communications and transactions, so that this information can, if necessary, be combined with other data concerning the customer, processed for the purposes of customer relationship management and utilised to improve the quality and functionality of the online service offered to the customer.

Agreements concerning investment activities

As part of its investment activities, Elo offers its customer companies financing solutions and owns real estate, the leasing, property management and related activities (e.g., invoicing) of which are managed by external service providers. In order to manage the leasing and property management activities, these service providers maintain a register containing all the relevant information about the tenants and service providers. Information about loan recipients and pledgers is stored in a loan register to assist in credit management.

Account management and operational development

The processing of personal data is also necessary for the development of Elo’s own operations, so that we can offer our customers competitive services and ensure the high quality of our customer services. As part of the development of our operations, we also use information collected for the management of statutory insurance and compensation matters for the additional purpose of conducting analyses on transaction methods, and of evaluating and reporting on the efficiency of our activities.

Contact information is used in customer communications for, among other purposes, promoting and marketing Elo’s services and distributing topical information to insurance customers. The contact information is also used for the issuing of customer feedback surveys. 

Data is collected from our chat and phone services for the purposes of documenting customer service situations and of ensuring the legal protection of the customers.

Sources of information

Elo may request personal data from the registered persons themselves or their representatives, from public registers maintained by the authorities, or from other sources from which Elo is entitled by law to request information (e.g. institutions managing statutory social insurance or health care providers). The employers of the insured provide us with regular payroll and other employment-related information for insurance purposes and compensation decisions. In order to maintain and verify customer contact information, we acquire data from, among others, Posti Group Oy and the Population Information System.

As concerns loan customers and policyholders, and the recovery of benefits, Elo also acquires information from credit records.

Right of access and other rights of registered persons

A registered individual has the right to know what information concerning him or her has been stored in personal registers. A registered person who wishes to exercise their right of access must first prove their identity. If the registered person feels that any information Elo has concerning him or her is incorrect, that person can demand that the information be rectified.

However, when Elo is processing information for the purpose of managing statutory pension security, the rights of the registered person to have their personal data removed or transferred to another system or to refuse the processing of their information are limited by the relevant legislation.

We provide automated decisions concerning old-age and partial early old-age pensions and YEL insurance. Upon receiving an automated decision, registered individuals have the right to demand a manual reprocessing of their application.

Disclosure of information

Elo may only disclose personal data upon the consent of the registered person and in cases in which the recipient has the right, by law, to receive such information from Elo. These rights concern, for example, institutions managing statutory social insurance, the tax authorities and distraint authorities, who need such information to carry out their own tasks. The employer has the right to receive information about granted pensions, e.g., for the adjustment of the insurance contribution. Elo may also disclose personal data to other countries by virtue of the international law treaties to which Elo is bound and EU legislation, in cases where such actions are necessary for the realisation of pension security. For the management of its support tasks and investment activities in accordance with the valid employment pension legislation, Elo also uses external service providers, which will then process the personal data on behalf of Elo. Payment transactions take place through banks operating in Finland, whereby personal data is transferred to the banks.

Elo uses companies located outside of the EU to implement tasks related to the maintenance and development of its information systems. In such cases, pseudonymisation is applied to any personal data that is disclosed to parties outside of the EU to ensure that, without additional information, no individual persons can be identified. 

Elo will not, without the consent of the registered person, disclose information to other external parties. It is possible to withdraw consent at any time.

Protection of registers and related data security

Elo’s registers, in which the data is stored, are properly protected and isolated from the public network. Unauthorised entry into the data systems is blocked by the use of technical firewall and access control systems. Any data in digital format is protected using technical verification procedures. The storage of documents and archived materials in paper format has been secured through the use of fire and burglar alarm and access control systems.

The rights to use Elo’s personal data registers are restricted and the personal data is only processed by persons authorised to do so as part of their specific work duties. Elo’s entire personnel is bound by a legal obligation to professional secrecy. Furthermore, Elo employees have separately signed a confidentiality agreement. Elo also requires the signing of a corresponding confidentiality agreement by its co-operative partners.

Contractual methods are used to ensure that any parties processing personal data, Elo included, are complying with the proper protection measures, as required by law, as well as with any processing instructions separately issued by Elo.

Protection of telecommunications connections and related data security

Authentication (username and password, Tupas id) is required for all of Elo’s online and transaction services, and the transfer of information via these channels is protected using high-level encryption technology. The icon of a lock usually appears in the address field of the browser when a secure connection has been established.

Confidentiality cannot be guaranteed for messages (e.g., unprotected e-mail or chat service messages) that are sent over an open data network. If customers choose to send messages that contain confidential information to Elo using an unprotected e-mail connection, they do so at their own risk. Elo always sends any messages containing confidential personal data via a secured communication channel.

Elo’s website may contain links to the websites of other service providers. Elo is not liable for the content, data security or legality of any websites maintained by other service providers.

The online services are also protected by a time-out function if the user does not log out of the service properly.

Privacy policy statements

The adjoining privacy policy statements provide more detailed information about the data stored in the personal registers maintained by Elo, the information sources and parties to whom Elo may disclose information, as well as the storage time periods and the rights of registered persons. The privacy policy statements can also be viewed at Elo’s customer service sites.

Visiting address: Revontulentie 7, FI-02100 Espoo, Finland

Telephone: +358 (0)20 703 50 (general customer service)

Privacy statement employment pension insurances and customer relationship management

Privacy statement pension processes

Privacy statement phone service

Privacy statement occupational well-being surveys

Privacy statement newsletters

Privacy statement filing systems for information regarding events and surveys

Privacy statement log management filing system

Privacy statement job applicants

Privacy statement filing system for camera surveillance

Privacy statement questionnaire surveys and raffles