



This privacy policy describes how the Finnish Mutual Patient Insurance Company (“SKPVY” or “controller”) processes personal data. The privacy policy applies to our website, marketing and customer relationship management, as well as the processing of personal information related to the products and services we offer.

We comply with applicable data protection laws in all processing of personal data. Data protection legislation refers to existing data protection legislation, such as the General Data Protection Regulation of the European Union (2016/679) and the Finnish Data Protection Act (5.12.2018/1050). Data protection terms not defined in this privacy policy will be construed in accordance with data protection law.

Our services and websites may also include links to external websites and services operated by other organisations. This privacy policy is not applicable to their use, so we encourage you to read the privacy policies that apply to them separately.

“Personal data” means any data relating to natural persons (“data subjects”) from which a person can be identified, directly or indirectly, as further defined in the Data Protection Regulation.


Registrar: Finnish Mutual Patient Insurance Company (hereinafter also “SKPVY”)
Business ID: 3146137–9
Address: Annankatu 12 A 20, 00120 HELSINKI
Email address:


| Processing purposes | Legal basis |
|---|---|
| Conducting insurance and compensation business incl. designing new products | Legal obligation |
| Invoicing of purchases and sales and debt collection | Legal obligation |
| Customer service and communication as well as customer satisfaction surveys | Legitimate interest |
| Management of stakeholder relations incl. contacts via website or other channel and cooperation with subcontractors and service providers | Legitimate interest |
| Management of legal obligations such as activities related to accounting, taxation, contract management, customer identification and customer database maintenance as well as management of reporting obligations | Legal obligation |
| Ensuring information security, data protection and the safety of persons and assets | Legal obligation |
| Administrative measures (incl. implementation of information management services) | Legitimate interest |
| Management of warranty and defect liability issues as well as handling of complaints and management of legal and regulatory proceedings | Legal obligation |
| Prevention and investigation of misconduct such as notifications received through the reporting channel | Legal obligation |
| Improving the user experience on our website and other services and tracking user traffic | Legitimate interest |


| Data group | Examples of data content |
|---|---|
| Identification and contact information | Name and contact information, social security number if needed, position or task, organisation |
| Information regarding products and services, and customer communications or other contacts | Information related to contracts, communications and complaints |
| Pseudonymized patient injury data | Data received from the Patient Insurance Center, including e.g. claim ID, insurance number, compensation and reservation information, diagnosis and procedure codes, place of injury, date of occurrence, date of birth, gender and settlement information |
| Information on the use of websites and other electronic services, and the information collected with cookies | IP address, electronic communications identification information, search and browsing information, browser and operating system information, and consents given to set cookies |
| Reporting channel | The reporting channel is basically anonymous unless the person adds personal information such as name and contact information or other identifying information |

We collect personal information directly from the data subject, for example in connection with transactions, or when the data subject uses our services either on his or her own behalf or on behalf of the organisation he or she represents, or when the data subject visits our website or other electronic services, responds to customer satisfaction surveys or otherwise contacts us. In addition, the Patient Insurance Center provides information about patient injuries of policyholders and insured parties, compensation costs and reservations for future compensations.

We also receive contact and background information regarding representatives of our customers and partners from other external sources, such as private registry services and registers maintained by government agencies.

Upon request, we will provide more information about the data sources we use to collect personal information.


We retain personal information for as long as necessary to fulfil the purposes set forth in this privacy policy.

Due to legal obligations, the processed information is retained for 7 years for accounting obligations, and for at least 10 years after the termination of the insurance policy for reporting obligations, for all responsibilities and obligations related to insurance business, and for legal proceedings or the settlement of similar disagreements. This material contains information about customer relationship management and communication.

Documents related to compensations are primarily retained by the Patient Insurance Centre.

Information other than customer and communication related information is retained for as long as the processing of the matter requires and until 6 months have passed since the resolution or processing of the matter.

User and transaction data collected with website cookies are retained for 2 months. Cookie consent information is retained for 1 year.

After the termination of the purpose of use, the personal data will be deleted or made anonymous within a reasonable time.

Upon request, we will provide more information about our privacy practices.


Various service providers and other third parties may also be used to process personal data, such as technical solutions or server space providers or accounting and financial management service providers. We take care of the agreements required by data protection legislation with the parties we use to process personal data.

Personal data may be disclosed to third parties in situations required by law or authority or for the purpose of investigating misconduct and ensuring security. In addition, personal data may have to be disclosed in connection with legal proceedings or similar proceedings.

If the controller is involved in a merger, business transaction or other corporate arrangement, personal data may be disclosed to the parties to the arrangement or to parties assisting in the arrangement.

Upon request, we will provide more information about the recipients of personal information.


We mainly process personal data within the European Economic Area. Personal data may also be processed outside the European Economic Area, and if personal data is transferred out of the European Economic Area, we will ensure the lawfulness of the transfer through an appropriate safeguard mechanism, such as using the European Commission’s model contract clauses.

Upon request, we will provide further information regarding the transfer of personal data and the protection mechanisms used.


Data security and the protection of personal data are of primary importance to us. The controller shall process personal data in a manner that ensures the proper security of the personal data, including protection against unauthorised processing and accidental loss, destruction or damage.

The controller shall use appropriate technical and organisational safeguards to ensure this, including the use of firewalls, encryption techniques, secure equipment facilities, appropriate passage control and access control, guidance to personnel involved in the processing of personal data as well as subcontractors. All parties processing personal data have a duty of confidentiality in matters related to the processing of registered personal data, in accordance with the Employment Contracts Act and the confidentiality provisions of the agreements.

In accordance with this privacy policy, the controller may outsource the processing of personal data to service providers or subcontractors, in which case the controller shall ensure, with adequate contractual obligations, that the personal data are processed properly and lawfully.


Data subjects have the rights described below regarding their own personal data, in accordance with data protection legislation. However, the application of the rights in each individual situation depends on the purpose and legal basis of the use of personal data. The data subject can make a request regarding these rights to the registrar, whose contact information is found in section 2.

  • Right of access to personal data. The data subject has the right to receive confirmation as to whether personal data concerning him or her are processed, and to receive other information on the processing of personal data in accordance with data protection legislation. The data subject has the right to receive a copy of the personal data.
  • Right to rectification of personal data. The data subject has the right, with certain restrictions, to request the correction or deletion of incorrect or inaccurate information.
  • Right to delete personal data. The data subject has the right to request the deletion of his or her personal data in accordance with the provisions of data protection legislation. Upon request, we will delete personal information unless we are required by law or any other applicable exception under data protection law to retain personal information.
  • Right to restrict processing. In accordance with the conditions of data protection legislation, the data subject has the right to request a restriction on the processing of personal data in certain situations.
  • Right to transfer personal data. The data subject has the right to request the transfer of his or her personal data to another data controller. The right of transfer applies in principle to personal data which have been provided by the data subject to the controller in a structured and machine-readable form and which are processed on the basis of the data subject’s consent or agreement and / or for which processing is automatic.
  • Right to object to processing. The data subject has the right to object to the processing of personal data based on legitimate interests, including profiling, in accordance with the conditions of data protection law. We may refuse a request if the processing is necessary to achieve the overriding and legitimate interests of the controller or a third party. However, the data subject always has the right to object to the processing of personal data for direct marketing purposes and for profiling related to direct marketing.
  • Right to withdraw consent. If the processing of personal data is based on the consent of the data subject, the data subject has the right to withdraw his or her consent to the processing of personal data concerning him or her. Withdrawal of consent shall not affect any processing carried out before the withdrawal.

Exercise of rights

We hope you will contact us if you have any questions regarding the processing of your personal information.

You may submit a data subject’s rights request by letter or email using the contact information provided in this privacy policy.

The identity of the applicant will be verified before the request is processed. A request shall be replied to within a reasonable time and, in principle, within one month of the request and the verification of identity. If the request cannot be granted, the refusal shall be notified separately.


The data subject has the right to lodge a complaint with a data protection authority if the data subject considers that the processing of personal data relating to him or her infringes current data protection legislation.

Contact information for the Finnish Data Protection Authority can be found here.


This privacy policy may need to be amended from time to time. Changes may also be based on changes in data protection legislation. We therefore encourage you to review the privacy policy regularly for any changes.

This privacy policy was updated on 21 December 2023.