Processing of personal data

Last revised: 30.06.2020

At PFA Pension (PFA), we take good care of your personal data, and we want to inform you, as our customer, about how we handle your data. Here you can read about what your personal data is used for, how long we store it, and who we share it with. You can also read about your rights, and who you can contact at PFA if you have any questions about the use of your personal data.

 

PFA is the data controller - how to contact us?

PFA is responsible for the processing of your personal data in connection with your pension and insurance plan. Our contact information:

PFA Pension, insurance, limited company
Sundkrogsgade 4
2100 Copenhagen Ø
Telephone: +45 70 12 50 00
CVR No. 13 59 43 76

If you are a customer with PFA Bank, you can see how PFA Bank processes your personal data by clicking here (in Danish only).

If you are a member of a board of directors, a member of an executive board or a key employee with the PFA Group, you can learn more about how PFA processes your personal data by clicking here (in Danish only).

If you are an insurance customer and you buy insurances in “LB Forsikring to PFA”, you can see which categories of personal data we exchange and how we use them in different contexts by clicking here (in Danish only).

Contact details of PFA's data protection officer

If you have any questions regarding PFA’s protection and processing of your personal data, please feel free to contact our Data Protection Officer.

Our DPO can be contacted in the following ways:

By email: databeskyttelse@pfa.dk
By telephone: +45 70 20 75 15
By letter:
PFA Pension, insurance, limited company
Sundkrogsgade 4
2100 Copenhagen Ø
Att: Data Protection Officer

 

1. Purpose of processing personal data

PFA processes your personal data for the various purposes described below. Under each listed purpose, you can see which categories of personal data PFA processes, where PFA obtains personal data from, why we are authorised to process your personal data, and who PFA can disclose the personal data to. You can view the full text by clicking the purpose(s) you want to read about.

1. Offers for business customers with a Danish CVR no. and organisations to establish pension and insurance plans

In some cases, we process personal data about you when we offer a pension and insurance plan to the company or organisation which you are either employed with or a member of. This is done to calculate a price for the plan.

Categories of personal data

We process various personal data about you. The personal data can be:

General categories of personal data:
Date of birth, gender, information about your employment (for instance employer and salary information) and the size of your pension savings.

Why are we allowed to process personal data about you?

PFA collects, uses and discloses your personal data based on the following legal basis: Collection, use and disclosure of general personal data about you is necessary for PFA to pursue legitimate interests, which means to offer your company or organisation a pension and insurance plan with PFA (the General Data Protection Regulation Article 6(1)(f)).

Where do we obtain your personal data from?

PFA receives personal data from your employer, insurance broker or organisation (of which you are a member).

Disclosure of your personal data

PFA may disclose your personal data to the following parties or categories of recipients:
  • Your employer or insurance agent who assists your employer/organization or you regarding your pension scheme.
  • PFA's partners who assist our company with, for example, technical support and supplier services.

2. Establishment, individual adjustment and change of pension and insurance plans

You will be registered as a customer with PFA through a compulsory plan established by your employer or in certain cases through a voluntary plan.

Generally, registration takes place when PFA receives the first payment to your plan from your employer and/or when the employer registers you by using an administration system. On registration and in connection with future individual adjustments and/or changes of your plan, we will process the necessary data about you for the purpose of establishing and changing your plan with PFA.

Categories of personal data

We process various personal data about you. The personal data can be:

General categories of personal data:
Name, civil registration number, proof of identity (for instance passport if you cannot be identified through the Danish Civil Registration System), information about your customer relationship with PFA (for instance your payments, risk profile, insurance cover and any other products), information about your employment (for instance employer and salary information), family relationships (spouse/domestic partner/children), information about sickness absence period, marital status (including any legal separation and/or divorce decree or order).

Special categories of personal data (sensitive personal data):
Registration:
Generally, when you are registered as a customer with PFA, we will not process any sensitive personal data about you. However, in connection with a company’s change of supplier or when it concerns voluntary plans, data concerning health and trade union membership (if the agreement is conditional on membership) may be processed.

Adjustments and changes:
In the event of individual adjustments such as a request for increase of coverage, PFA will process data concerning health.
In connection with general changes of the plan you are covered by, it might be necessary for us to process sensitive personal data about you if the change poses an increased risk to PFA.

Where do we obtain your personal data from?

When PFA does not obtain personal data from you, we may obtain it from:

  • The Danish Civil Registration System
  • Employer, insurance broker or organisation (of which you are a member)
  • Previous pension and insurance company
  • Hospitals, general practitioners, other doctors and treatment facilities such as specialists, chiropractors, physiotherapists, psychologists etc.
  • The Danish Centre of Health & Insurance.
  • International information providers and publicly available sources

Why are we allowed to process personal data about you?

PFA collects, uses and discloses your personal data based on the following legal basis:

  • Collection and use of general personal data about you are necessary for PFA to comply with the agreement/the pension and insurance plan that we have with you (the General Data Protection Regulation Article 6(1)(b)).
  • Your general personal data, sensitive personal data and civil registration number will be collected, used and disclosed based on consent/express consent given by you (the General Data Protection Regulation Article 6(1)(a) and Article 9(2)(a), cf Article 6(a) and the Financial Business Act section 117(1), cf the Regulation Article 6(1), cf. (2), cf (3) and the General Data Protection Act Section 11(2)(2)).
  • Collection, use and disclosure of civil registration number is necessary for the establishment, exercise and defence of legal claims (the Data Protection Act Section 11(2)(4) and Section 7(1) as well as the General Data Protection Regulation Article 9(2)(f)).
  • Processing of sensitive personal data is necessary for the establishment, exercise and defence of legal claims (the General Data Protection Regulation Article 9(2)(f), cf Article 6(1)(b) and (f) and the Financial Business Act section 117(1) cf. the Regulation Article 6(1) cf. (2) cf.(3)).
  • Collection, use and disclosure of civil registration number and ordinary personal data are necessary as, according to the Danish Act on Measures to Prevent Money Laundering and Financing of Terrorism, PFA has a legal obligation to procure proof of identity and make risk assessments of the customers (including assessing whether you are politically exposed or closely related to a politically exposed person) and notify the Danish Money Laundering Secretariat (State Prosecutor for Serious Economic and International Crime) about any suspicions in order to prevent and stop money laundering and financing of terrorism (the Data Protection Act Section 11(2)(1) and the General Data Protection Regulation Article 6(1)(c)).

Disclosure of your personal data

PFA may disclose your personal data to the following parties or categories of recipients:

  • The Danish Centre of Health & Insurance, for example in connection with rejection of establishment.
  • PFA’s business partners who assist our company with technical support, supplier services etc.
  • Your employer or insurance agent who assists your employer/organization or you regarding your pension scheme.

3. Advisory services and general administration of plans

We process your personal data when we give advisory services and administer your plan with PFA. This could for instance be:

  • when we advise you, communicate with you or when you make use of our personalised digital solutions.
  • when we administer payments to and payouts from your pension plan.
  • when we forward information to you about changes in your pension summary, your terms and conditions and other administrative information.

We use, analyse and automatically compile the information we collect to give you targeted and relevant information (in legal terms referred to as “profiling”). This way, PFA ensures that you get the information that we assess to be of the greatest value to you.

  • For instance, we advise our customers in connection with life events like marriage, divorce and purchase of property. Therefore, we may, for instance, need to find all customers who have relocated within the recent year so that we can advise them on how to adjust their plan when their personal finances undergo major changes.
  • We advise our customers in connection with legislative changes. If a legislative amendment affects a specific pension product, we will identify the customers who have this exact pension product, so that we can contact them and explain which impact the legislative amendment will have on them.

Categories of personal data

We process various personal data about you. The personal data can be:

General categories of personal data:
Name, contact information, civil registration number, gender, customer or policy number, proof of identity (such as passport if your identity cannot be proved through the Danish Civil Registration System), information about your customer relationship with PFA Pension (such as your payments, risk profile, insurance cover and any other products), size of pension savings, payment information, information about state pension, information about your employment (such as employer and salary information), municipal information, information about wealth, disappearance information, information you have agreed to share with us at My PFA (for example about plans with other pension companies, any information uploaded from PensionsInfo, tax information, any uploaded ‘e-skat’ or information otherwise submitted to the tax authorities) and any personal data about children and spouse.

Special categories of personal data (sensitive personal data):
Health information and trade union membership.

Where do we obtain your personal data from?

In connection with our advisory services, we use the information available in our database or at My PFA. In addition, we will in many cases receive supplementary personal data from you. This could be personal data that we receive from you through My PFA. When you provide us with your information through My PFA at mitpfa.dk, it is ensured that the data transmission to PFA is made through a secure channel.

When PFA does not receive the personal data from you, we may obtain it from:
  • Employer, insurance broker or organisation (of which you are a member), for example if you change collective agreement or you experience changes in your employment.
  • Previous pension and insurance company, for instance if you request to have pension savings transferred from another company to PFA.
  • Banks and other financial institutions, for instance if you request to have pension savings transferred from another company to PFA.
  • Public authorities.
  • The Danish Civil Registration System in connection with change of address or marital status.

Why are we allowed to process personal data about you?

PFA collects, uses and discloses your personal data based on the following legal basis:

  • Collection, use and disclosure of general personal data about you is necessary for PFA to comply with the agreement/the pension and insurance plan that we have with you (the General Data Protection Regulation Article 6(1)(b) and the Financial Business Act section 117(1), cf the Regulation Article 6(1), cf (2), cf (3)).
  • Collection, use and disclosure of civil registration number is necessary for the establishment, exercise and defence of legal claims (the Data Protection Act Section 11(2)(4) and Section 7(1) as well as the General Data Protection Regulation Article 9(2)(f)).
  • Processing of sensitive personal data is necessary for the establishment, exercise and defence of legal claims (the General Data Protection Regulation Article 9(2)(f), cf Article 6(1)(b) and (f) and the Financial Business Act section 117(1) cf. the Regulation Article 6(1) cf. (2) cf.(3)).
  • Collection, use and disclosure of civil registration number, sensitive personal data and general personal data are necessary as PFA is legally obligated under the Danish Anti-Money Laundering Act to identify and risk-assess customers, as well as inform the Danish Money Laundering Secretariat (the State Prosecutor for Serious Economic and International Crime) about any suspicions to prevent and stop money laundering and financing of terrorism. PFA obtains personal data about you in connection with customer identification procedures and as a result of examination, registration and monitoring of the pension plan (the Data Protection Act Section 11(2)(1), the Data Protection Regulation Article 9(2)(g) and the Data Protection Regulation Article 6(1)(c)).
  • Collection, use and disclosure of your civil registration number and general personal data are necessary as, according to the Danish Tax Control Act, PFA has a legal obligation to report data to SKAT, the Danish Customs and Tax Administration. Additionally, PFA is liable to withhold tax on payout of pension savings to you. In that connection, PFA will disclose your personal data in compliance with the Danish Pension Taxation Act. PFA discloses civil registration numbers for identification of our customers in connection with reporting financial information and payment of tax (the Data Protection Act Section 11(2)(1) and the General Data Protection Regulation Article 6(1)(c)).
  • Disclosure of your general personal data, including your civil registration number, to banks and other financial institutions is necessary for us to comply with the agreement/the pension and insurance plan that we have with you (The Financial Business Act section 117(1), cf the General Data Protection Regulation Article 6(1), cf. (2), cf (3) and the General Data Protection Regulation Article 6(1)(b) and the Data Protection Act Section 11(2)(3)).

Disclosure of your personal data

PFA may disclose your personal data to the following parties or categories of recipients:

  • Your employer or an insurance broker assisting your employer/organisation or you regarding your pension payment conditions.
  • PFA’s business partners who assist us with technical support, supplier services etc.
  • Banks and other financial institutions in connection with transfer of deposits.
  • Public authorities, for instance SKAT, in connection with statutory reporting.

4. Handling of claims and payout of insurance

We process your personal data in connection with our assessment of whether we can offer treatment or insurance payout in connection with claims or preventive measures.

Categories of personal data

We process various personal data about you. The personal data can be:

General categories of personal data:
Name, contact information, civil registration number, information about general practitioner, information about treatment facility, information about your employment (such as employer and salary information), payment information, income and wealth information and information about public benefits as well as financial statements for self-employed.

Special categories of personal data (sensitive personal data):
Data concerning health.

Where do we obtain your personal data from?

You are the primary source of your own personal data, and, generally, we seek to obtain your personal data directly from you. In most cases, this means that we obtain your data by telephone or through My PFA, which ensures that the data is transferred through a secure connection.

When PFA does not obtain personal data from you, we may obtain it from:
  • Employer
  • Previous pension and insurance company (if your pension or insurance plan is transferred from another company).
  • Hospitals, general practitioner, other doctors and treatment facilities, such as specialists, chiropractors, physiotherapists etc.
  • Public authorities.
  • Public and private records.
  • Social media.

Why are we allowed to process personal data about you?

PFA collects, uses and discloses your personal data based on the following legal basis:

  • Collection, use and disclosure of general personal data about you is necessary in order to comply with the agreement/the pension and insurance plan that we have with you (the General Data Protection Regulation Article 6(1)(b) and the Financial Business Act section 117(1), cf the Regulation Article 6(1), cf (2), cf (3)).
  • Collection and use of general personal data about you is necessary for us to pursue a legitimate interest, namely to prevent improper use of the insurance (the General Data Protection Regulation Article 6(1)(f)).
  • Collection and use of health information is necessary for the establishment, exercise and defence of legal claims (the General Data Protection Regulation Article 9(2)(f), cf Article 6(1)(b) and (f) and the Financial Business Act section 117(1) cf. the Regulation Article 6(1) cf. (2) cf.(3)).
  • Collection, use and disclosure of civil registration number are necessary for the establishment, exercise and defence of legal claims (the Data Protection Act Section 11(2)(4), the Data Protection Act Section 7(1) and the General Data Protection Regulation Article 9(2)(f)).
  • Disclosure of general personal data and sensitive personal data will in other cases take place with your consent/express consent (the General Data Protection Regulation, Article 6(1)(a) and the General Data Protection Regulation Article 9(2)(a), cf Article 6(1)(a) and the Financial Business Act section 117(1), cf the Regulation Article 6(1), cf (2), cf (3)) or based on law. This also means disclosure to Patienterstatningen (The Danish Patient Compensation Association) based on the Danish Act on the Right to Complain and Receive Compensation within the Health Service (the General Data Protection Regulation Article 6(1)(c), the General Data Protection Regulation Article 9(2)(g) and the Danish Act on the Right to Complain and Receive Compensation within the Health Service).

Disclosure of your personal data

PFA may disclose your personal data to the following parties or categories of recipients:

  • Employer. We will inform, for instance, the employer if the payout from an insurance plan is made to the employer. However, no information will be disclosed about the type of injury and the extent of the injury.
  • Insurance broker. We inform the insurance broker (if relevant) that you have been awarded a payout due to reduced occupational capacity. However, no information will be disclosed about the type of injury, the extent and amount.
  • PFA’s business partners who assist our company with technical support, supplier services, as facilitator of health services etc.
  • The Danish Centre of Health & Insurance. In special cases, we disclose information to obtain a statement in preparation for our decision.
  • Public authorities, such as Patienterstatningen (The Danish Patient Compensation Association). We disclose information based on the Danish Act on the Right to Complain and Receive Compensation within the Health Service.
  • “danmark” health insurance (Sygeforsikringen “danmark”). If the customer is a member of “danmark” health insurance, we disclose personal data to this company in connection with any reimbursements.
  • Representatives, such as attorneys and trade unions.

5. When your plan expires

We process your personal data when your plan expires. This could for instance be:

  • when your company or organisation switches pension company and terminates its pension and insurance plan with PFA.
  • when you resign due to change of job.
  • when you choose to terminate a voluntary agreement on pension/insurance with PFA.

Categories of personal data

We process various personal data about you. The personal data can be:

General categories of personal data:
Name, contact information, civil registration number, customer and policy number, information about your employment and date of resignation.

Special categories of personal data (sensitive personal data):
Data concerning health.

Where do we obtain your personal data from?

In addition to the information we receive from you, we also collect data from your employer, unless it is a private plan.

Why are we allowed to process personal data about you?

PFA collects, uses and discloses your personal data based on the following legal basis:

  • Collection, use and disclosure of general personal data about you is necessary for the sake of compliance with the terms of the agreement/the pension and insurance plan that we have with you (the General Data Protection Regulation Article 6(1)(b) and the Financial Business Act section 117(1), cf the Regulation Article 6(1), cf (2), cf (3)).
  • Collection, use and disclosure of civil registration number is necessary for the establishment, exercise and defence of legal claims (the Data Protection Act Section 11(2)(4) and Section 7(1) as well as the General Data Protection Regulation Article 9(2)(f)).
  • Processing and disclosure of your personal data is necessary for the establishment, exercise and defence of legal claims (the General Data Protection Regulation Article 9(2)(f), cf Article 6(1)(b) and (f) as well as the Financial Business Act section 117(1) cf. the Regulation Article 6(1) cf. (2) cf.(3)).

Disclosure of your personal data

PFA may pass on your personal data to the following categories of recipients:

  • Your new pension and insurance company if your employer/organisation switches pension and insurance company.
  • Banks and other financial institutions in connection with transfer of your pension plan at your request.
  • PFA’s business partners who assist us with technical support, supplier services etc.

6. Processing of complaints

As a customer-driven pension company, PFA is responsible for advising you on your pension and insurance plan and for ensuring that you receive fair treatment, including that you receive the payouts you are entitled to, neither more nor less. Occasionally this may lead to complaints.

For example, we use your personal data to process a possible complaint from you about a decision made by PFA. Perhaps you are dissatisfied with the response resulting from our processing of the complaint and choose to file a complaint about PFA to the Insurance Complaints Board or to take PFA to court. In these cases, we will also use your personal data.

Categories of personal data

We process various personal data about you. The personal data can be:

General categories of personal data:
Name, contact information, civil registration number, customer or policy number, information about your customer relationship with PFA Pension (for instance your payments, risk profile, insurance cover and any other products), beneficiary designation, tax information, leisure activities, financial circumstances, information about your employment (such as employer and salary information), occupational situation, family relationships (spouse/domestic partner/children), marital status and information about social problems (not pertaining to health).

Special categories of personal data (sensitive personal data):
Data concerning health and any information about trade union membership.

Personal data relating to criminal convictions and breaches of the law:

Information about criminal offence.

Where do we obtain your personal data from?

When PFA does not receive the personal data from you, we may obtain it from:

  • Employer, insurance broker or organisation (of which you are a member)
  • Representatives, such as lawyer or trade union.
  • Previous or other pension and insurance company, for instance if your pension or insurance plan is transferred from another company.
  • Public authorities (such as municipal documents in cases related to disability pension).
  • Public authorities in connection with cases (for instance cases involving the Danish Data Protection Agency or the Danish Financial Supervisory Authority).
  • Hospitals, general practitioners, other doctors and treatment facilities such as specialists, chiropractors, physiotherapists, psychologists etc.

Why are we allowed to process personal data about you?

PFA collects, uses and discloses your personal data based on the following legal basis:

  • Your general personal data is collected, used and disclosed by PFA based on the balancing of interests in relation to establishment, exercise and defence of legal claims if a customer complains about a decision made by PFA (the Danish Data Protection Regulation Article 6(1)(f) and the Financial Business Act section 117(1), cf the Regulation Article 6(1), cf (2), cf (3)).
  • Collection and use of general personal data and sensitive personal data are necessary to comply with a legal obligation (the General Data Protection Regulation Article 6(1)(c) and Article 9(2)(g), cf. Article 6(1)(c)). PFA has a legal obligation according to the order applying to the complaints manager and the financial companies’ handling of complaints.
  • The sensitive personal data is collected, used and disclosed provided that the data is necessary for the establishment, exercise and defence of legal claims (the General Data Protection Regulation Article 9(2)(f), cf. Article 6(1)(b) and the Financial Business Act section 117(1) cf. the Regulation Article 6(1) cf. (2) cf.(3)).
  • Collection, use and disclosure of civil registration number are necessary for the establishment, exercise and defence of legal claims (the Danish Data Protection Act Section 11(2)(4), the Danish Data Protection Act Section 7(1) and the General Data Protection Regulation Article 9(2)(f)).
  • Collection, use and disclosure of data about criminal offence are necessary for the establishment, exercise and defence of legal claims (the Danish Data Protection Act Section 8(5), the Danish Data Protection Act Section 7(1) and the General Data Protection Regulation Article 9(2)(f)).

Disclosure of your personal data

PFA may pass on your personal data to the following categories of recipients:

  • Representatives, such as lawyers or trade union.
  • PFA’s business partners who assist us with technical support, supplier services etc.
  • Public authorities in connection with regulatory cases, for instance cases involving the Danish Data Protection Agency or the Danish Financial Supervisory Authority.
  • Banks and financial institutions in connection with payouts to you or assessment of payout.
  • Courts and boards of appeal.

7. Marketing

We process your personal data when we market our products and solutions (as described in our marketing consent).

PFA has various marketing initiatives to ensure that you get exactly the information that is relevant to you regarding your pension plan. PFA provides you with news and information about the customer benefits that are targeted to you, your situation and needs in the different phases of your life.

We use, analyse and automatically compile the information we collect to give you targeted and relevant information (in legal terms referred to as “profiling”). Thus, PFA ensures that you get the information that PFA assesses to be of the greatest value to you.

You can also give consent to PFA forwarding marketing material to you through the channels stated in the consent.

Categories of personal data

We process various personal data about you. The personal data can be:

General categories of personal data:
Name, contact information, date of birth, financial circumstances, information about your customer relationship with PFA (such as your payments, risk profile, insurance cover and any other products), salary information, tax information, marital status, family circumstances (spouse/domestic partner/children), demographics, your behaviour on PFA’s digital channels (such as which e-mails you open, which articles you read and what you find interesting at My PFA), your communication with PFA (for instance if you have questions concerning your pension plan, want to book a pension consultation or want more information about one of our products), publicly available or purchased data from, among others, the Building and Dwelling Register (BBR), the Central Business Register (CVR) and Statistics Denmark (such as the value of properties, ownership of companies and demographics), information you have submitted to us through questionnaires, evaluations etc. (for instance about our customer services or our products), information about your present customer relationship with PFA Bank (such as your payments, risk profile, accounts and any other products, provided that you have consented to this).

Where do we obtain your personal data from?

In many cases, no personal data is collected other than the data which is already collected as part of the customer relationship between you and PFA. If PFA receives new personal data about you, it would be:

  • Information about which e-mails/articles etc. you open when you receive marketing material from PFA.
  • Information from publicly available registers in Denmark (such as Statistics Denmark, the Building and Dwelling Register (BBR) and the Central Business Register (CVR)).

Why are we allowed to process personal data about you?

PFA collects your personal data based on the following legal basis:

Collection and use of general personal data are necessary for PFA to pursue legitimate interests, which means to market PFA’s products (the General Data Protection Regulation Article 6(1)(f)).

In certain cases, PFA will also obtain your consent according to the General Data Protection Regulation Article 6(1)(a) and the Financial Business Act section 121, cf the Regulation Article 6(1), cf (2), cf (3), including through disclosure of personal data for marketing purposes.

Disclosure of your personal data

PFA may disclose your personal data to business partners who assist us with technical support, supplier services etc.

8. Analysis and statistics

We process your personal data when we prepare statistics and analyses. This can be:

  • Internal surveys, analyses and profitability assessments
  • Solvency calculations and statutory solvency reporting
  • Actuary report
  • Statistical surveys of significant importance to society when it comes to causes of illnesses, disease patterns and coherence with mortality.

Categories of personal data

In connection with PFA’s compiling of statistics and analyses, we process various personal data about you. The personal data can be:

General categories of personal data:
Name, contact information, civil registration number, gender, customer or policy number, beneficiary designation, information about your customer relationship with PFA Pension (such as your payments, risk profile, insurance cover and any other products), information about your employment (such as employer and salary information), pension payments, tax information, financial circumstances, size of deposit, family relationships (spouse/domestic partner/children), information about death and disappearance notifications.

Special categories of personal data (sensitive personal data):
Data concerning health.

Why are we allowed to process personal data about you?

PFA collects, uses and discloses your personal data in order to conduct prudent insurance business based on the following legal basis:

  • Processing of general personal data is necessary to comply with PFA’s legal obligations according to the Solvency II regulation, the POG (IDD) regulation regarding requirements for supervision of products and management in relation to insurance companies and insurance distributors as well as the Danish Financial Business Act (the General Data Protection Regulation Article 6(1)(c), and as far as the civil registration number is concerned, the Data Protection Act Section 11(2)(1) and (3)). The legal obligation is found in the National Bank of Denmark Act (“statistical information within its area of competence”) and in the Danish Financial Business Act (“the information required for the Danish Financial Supervisory Authority’s activities”).
  • PFA prepares statistics, analysis and statutory reports in several areas, including solvency statements, provisions, risk reporting, portfolio reports, analysis of run-off results, simulation of expected and current claims/risk coverage in relation to the individual insurance products, among other things profitability, tariffing and development of claims and in relation to the insurance portfolio as a whole. PFA is processing sensitive personal data if the processing is necessary for reasons of substantial public interest according to the Solvency II regulation, the Danish Financial Business Act and the Management Order (the General Data Protection Regulation Article 9(2)(g), cf Article 6(1)(c)). Among other things, it is implied in the above that PFA is under a statutory regulation to make the calculations and analyses.
  • PFA compiles analyses of pooled data about injuries, illnesses, disease patterns and coherence with mortality. The analyses are prepared with the objective of reducing the risk of illness and death as well as of obtaining general knowledge about the effect of preventive efforts for the benefit of society. These analyses are made based on the POG (IDD) regulations regarding requirements for supervision of products and management in relation to insurance companies and insurance distributors (the General Data Protection Regulation Article 9(2)(g), cf Article 6(1)(c)).

Disclosure of your personal data

PFA may pass on your personal data to the following recipients:

  • Statistics Denmark
  • Danish Financial Supervisory Authority

9. Compliance with legal obligations

We process your personal data in connection with statutory reporting, and when we need to ensure our compliance with the current legislation, for instance regarding money laundering, personal data and financial activities.

PFA collects, uses and discloses your data in connection with compliance with the General Data Protection Regulation, the Data Protection Act and other relevant legislation, such as the Danish Financial Business Act. For example, it may be:

  • Compulsory documentation
  • Statutory reporting to the authorities
  • Compliance with the principles of processing personal data and the legal basis for the processing
  • Protection of personal data in connection with the initiation and maintenance of technical and organisational precautionary measures, for instance to prevent unauthorised access to PFA’s IT systems
  • Investigation of suspicion or knowledge of security breaches followed by reporting to customers or other affected parties and to the Danish Data Protection Agency
  • Processing of enquiries and complaints from customers and others
  • Processing of inspections and enquiries from the Danish Data Protection Agency and the Danish Financial Supervisory Authority
  • Processing of disputes, for instance matters brought before the appeals board or a court of law
  • Statistics

10. Benefits and payouts to spouse, domestic partner and children

If you are the spouse/registered partner, domestic partner, previous spouse or registered partner, beneficiary or next of kin of a pension or insurance customer with PFA, we use your personal data when we, for instance, administer payouts to you in the event of death or in connection with division of the pension plan due to divorce.

Categories of personal data

We use various personal data about you. The personal data can be:

General categories of personal data:
Name, contact information, civil registration number, proof of identity (such as a passport if your identity cannot be proved through the Danish Civil Registration System), payment information, family relationships (spouse/registered partner/domestic partner/children), salary information, date of marriage and marital status (including any legal separation and/or divorce decree or order).

Where do we obtain your personal data from?

When PFA does not receive the personal data from you, we may obtain it from:

  • Public authorities (such as SKAT or the probate court)
  • The estate left by the deceased
  • Nets Denmark A/S (information about your NemKonto Easy Account to be used for receiving payouts)

Why are we allowed to process information about you?

PFA collects, uses and discloses your personal data based on the following legal basis:

  • Collection, use and disclosure of general personal data are necessary to comply with a legal obligation (the General Data Protection Regulation Article 6(1)(c)). According to the Danish Tax Control Act, PFA has a legal obligation to withhold tax on payout of pension savings to you. PFA discloses your personal data to SKAT in accordance with the Pension Taxation Act.
  • Collection, use and disclosure of general personal data are necessary to comply with a legal obligation (the General Data Protection Regulation Article 6(1)(c)). PFA is legally obligated under the Danish Anti-Money Laundering Act to establish your identity, subject you to a risk-assessment and notify the Danish Money Laundering Secretariat (State Prosecutor for Serious Economic and International Crime) about any suspicions to prevent and stop money laundering and financing of terrorism. According to the Danish Insurance Contracts Act, PFA is also under a legal obligation to inform the probate court about designation of beneficiaries.
  • Collection, use and disclosure of civil registration number is necessary for the establishment, exercise and defence of legal claims (the Data Protection Act Section 11(2)(4) and Section 7(1) as well as the General Data Protection Regulation Article 9(2)(f)).
  • Civil registration number is disclosed for identification of you in connection with reporting financial information (the Data Protection Act Section 11(2)(1)).

Disclosure of your personal data

PFA may pass on your personal data to the following categories of recipients:

  • Public authorities, such as the probate court and SKAT (the Danish tax authorities) in connection with withholding estate tax and other taxes.
  • Representatives of the estate
  • PFA’s business partners who assist us with technical support, supplier services etc. 

11. Contact forms and optimisation of user experience on PFA's websites and apps

We process your personal data when you use our websites and apps. This may for instance be information about your behaviour, which we collect by using cookies to optimise the user experience on PFA’s websites and apps, or when you contact PFA using our contact forms (for instance if you have questions in connection with our products, your plan with PFA or in connection with campaigns). Furthermore, you can contact us through our contact form used for complaints (if you, for instance, want to complain about a decision).

About the handling of complaints, please refer to Chapter 6 “Complaints”.

Categories of personal data

We process various personal data about you. The personal data can be:

General categories of personal data: When you contact us using one of our contact forms, PFA will register the data you enter. The data comprises, for example: name, contact information, date of birth and your civil registration number in order to identify you and process your inquiry.

Where do we obtain your personal data from?

When you use our websites and apps, PFA collects personal data about your behaviour from the following sources:

  • PFA uses Google Analytics and Adobe Analytics on PFA’s websites and apps to analyse how the pages are visited and how the users navigate the pages. Read more about Google Analytics by clicking here and about Adobe Analytics by clicking here.
  • PFA uses cookies; i.a. with the purpose of making the website function, for statistical purposes and for marketing purposes.

You can read more about cookies and what PFA uses the cookies for, and you can access cookie settings to see, for example, how you block or delete cookie settings by clicking here.

Why are we allowed to process personal data about you?

PFA collects, uses and discloses your personal data based on the following legal basis:

  • Collection and use of the general personal data about you is necessary for us to comply with the agreement/pension and insurance scheme we have with you (the General Data Protection Regulation Article 6(1)(b)).
  • The general personal data is collected, used and disclosed on the basis of a balance of interest in relation to the establishment, exercise and defence of legal claims by PFA if you complain about a decision made by PFA, or to answer other inquiries from you (the General Data Protection Regulation Article 6(1)(f) and the Financial Business Act section 117(1), cf the Regulation Article 6(1), cf (2), cf (3)).
  • Collection, use and disclosure of civil registration number is necessary for the establishment, exercise and defence of legal claims (the Data Protection Act Section 11(2)(4) and Section 7(1) as well as the General Data Protection Regulation Article 9(2)(f)).
  • We collect your personal data by using cookies when you visit our websites and apps based on your cookie consent (the General Data Protection Regulation Article 6(1)(a)). We process and disclose the personal data we have collected through cookies in consideration of our legitimate interests in making the website or the app work, for statistical and marketing purposes (the General Data Protection Regulation Article 6(1)(f)). You can read more about the use of cookies in PFA's cookie policy as well as withdraw or change your consent in the cookie overview, and you can also block cookies in your browser.

Disclosure of your personal data

PFA may pass on your personal data to the following categories of recipients:

  • PFA’s business partners who assist us with technical support, supplier services etc. The business partners only act on behalf of PFA, and they are not allowed to use the information for their own purposes.

12. Video surveillance in PFA’s reception area

PFA uses video surveillance in the reception area to create security and to prevent and solve criminal cases.

Categories of personal data

We process various personal data about you. The personal data can be:

General categories of personal data:
Video footage from PFA’s reception area.

Personal data regarding breaches of the law:
Any criminal offence committed in PFA’s reception area.

Where do we obtain your personal data from?

PFA collects your personal data when you are situated in PFA’s reception area.

Why are we allowed to process personal data about you?

PFA collects, uses and discloses your personal data based on the following legal basis:

  • We process and disclose the personal data we have collected through our video surveillance in consideration of our legitimate interests in creating security and preventing and solving criminal cases (the General Data Protection Regulation Article 6(1)(f)).

Disclosure of your personal data

PFA may pass on your personal data to the following categories of recipients:

  • PFA’s business partners who assist us with technical support, supplier services etc.
  • The police, if necessary.

Storage

Video footage is stored for a period of 30 days before being deleted.

13. Suppliers and business partners (not relevant for you as a customer with PFA)

In certain cases, we collect personal data about you if you are employed with one of our suppliers or business partners (hereinafter referred to as contracting party). We collect this personal data when you act on behalf of the contracting party as a contact person, for instance, when entering into contracts with PFA or when supplying services to PFA.

Categories of personal data

We process various personal data about you. The personal data can be:

General categories of personal data:
Name, your contact information at our contracting party where you are employed (for instance your work e-mail) and occupation.

Where do we obtain your personal data from?

PFA collects your personal data from the following sources:

  • If we have not received the personal data from you, we may in some cases get them from our contracting party (where you are employed).

Why are we allowed to process personal data about you?

PFA collects, uses and discloses your personal data based on the following legal basis:

  • We collect, use and disclose your personal information for the use of entering into and complying with our contract with the contracting party (the General Data Protection Regulation Article 6(1)(b)).

Disclosure of your personal data

PFA may pass on your personal data to the following categories of recipients:

  • PFA’s business partners who assist us with technical support, supplier services etc.

2. Transfer of personal data to countries outside the EU/EEA

PFA engages with suppliers and business partners who carry out tasks for PFA. This means that your personal data will be processed by suppliers and business partners (data processors) whenever necessary for the data processor to perform the task in question for PFA. PFA protects your personal data, and, in case of transfer of personal data to data processors in countries outside the EU/EEA, for instance in connection with hosting or support services from one of PFA’s data processors, PFA ensures that the high level of protection is maintained.

PFA strives to use data processors within the EU/EEA and, secondarily, data processors in countries for which the EU Commission has determined that the level of protection substantially corresponds to the level applicable within the EU (secure third countries). If personal data is transferred to data processors in other third countries, PFA will ensure a sufficient level of protection through its application of the EU Commission’s standard contract on transfer of personal data to countries outside the EU/EEA, or, when it concerns data processors in the US, the EU-US Privacy Shield, provided that the US data processor is certified accordingly.

You can obtain further information about PFA’s transfer of your personal data to third countries by contacting PFA’s Data Protection Officer, and you can at any time request a copy of the EU Commission’s standard contract or other legal basis for the transfer of personal data to third countries by contacting PFA’s Data Protection Officer.

3. Storage of your personal data

PFA stores your personal data until the customer relationship has ended and the limitation periods of the Danish Limitations Act have expired. The storage of personal data is also made with all due respect to PFA’s obligations to store personal data pursuant to the Danish accounting legislation and the Danish Bookkeeping Act. Exceptions may occur, but PFA will store your personal data as stated below. After the storage period has expired, your personal data will be deleted.

Main rules | Storage period
Personal data that make up part of the customer relationship with PFA ("the general limitation deadline") | 10 years after the customer relationship ceases*
Insurance quotes that you do not accept within the acceptance deadline | Six months after the expiry of the acceptance deadline
If you withdraw your application for insurance after submission of personal health information to PFA | Personal data is deleted immediately after withdrawal of the application for insurance
If your application is declined on the assumption of insurance or individual risk-taking | Three years after the automatic processing of the application is completed
Personal data about you that is obtained and processed to comply with the Danish Anti-Money Laundering Act | Five years after the customer relationship ceases

* PFA will forward a letter to you when you no longer have any pension plans, insurance cover or other agreed services with PFA. If your customer relationship has been terminated prematurely, for instance due to repurchase or transfer, PFA will store the letter as documentation of the termination of customer relationship for 10 years after the latest time you would have been eligible for services had the terminated plans still been in force with PFA. Waiting periods may exist that have not been allowed for in the above-mentioned time limit. In addition to the general limitation period of 10 years, PFA thus applies a temporal safety margin of one year before deleting the data. Personal data processed for statistical purposes is stored for 30 years after the end of the customer relationship.

If PFA or the customer performs an action which prolongs the limitation period, for instance, reports a claim, PFA will postpone the deletion of personal data.

PFA ensures that personal data deleted in a system in operation will be deleted should a backup be re-established.

4. Automatic individual decision

When your request to change your insurance plan with PFA involves an increase in risk for PFA, we use automated individual decisions. The general logic behind the automation is that the system calculates whether you will be able to increase the risk to the requested level on your plan. The calculation is made automatically. PFA’s automatic processing of an application for insurance or individual increase in risk will cease if the possible outcome of the processing is a rejection of insurance acceptance. In these cases, the processing of your request will be transferred to a PFA employee, so that the automation will not have any negative consequences for you as a customer.

5. Compulsory information

PFA requires your personal data when we, for example, establish and administer your pension and insurance plan. If you do not provide PFA with personal data, the consequence will be that PFA cannot attend to the purposes stated above, for example that we cannot register you as a customer with PFA or we cannot change your pension plan.

6. Your rights

When PFA processes personal data about you, you have the following rights:

Right of access
You are entitled to gain access to which personal data PFA processes about you.  

Right to object
You are entitled to object to the processing of your personal data and to limit the processing of your personal data. You have an unconditional right to object to the processing of your personal data for use in direct marketing, and to object to profiling to the extent that it concerns direct marketing.  

Right to rectification
You have the right to rectify incorrect personal data without undue delay, and you will also have the right to add any missing personal data considering the purposes of the processing.

Right to erasure
You can learn more about when PFA erases your personal data under clause 3 – Storage of your personal data. In special cases, you will be entitled to have your personal data deleted in PFA before the given deadlines.

Right to restricted processing
You have the right to restrict PFA’s processing of your personal data in certain cases, including when there is doubt as to the correctness of your information.

Right to data portability
You have the right to have the personal data that you have passed on to PFA transferred to you in a structured, generally used and machine-readable format. Correspondingly, you have the right to have your personal data transferred from PFA to another data controller, such as another pension and insurance company.

Withdrawal of consent
If PFA is processing your personal data based on your consent, you have the right to withdraw your consent at any time. Withdrawal of consent implies that, in the future, PFA will not be allowed to process your personal data for the purpose you consented to. Withdrawal of consent does not affect the processing of your personal data that has been performed prior to the withdrawal, for instance if you have given us consent to disclose the information. PFA may be entitled to process (such as store) your personal data on a basis other than consent. If you revoke your consent, this may in some cases result in discontinuation of the customer relationship.

You can make use of your rights by calling PFA or by forwarding a letter. You can also contact us through My PFA.

There may be conditions or limitations to the rights stated above. Therefore, there is no certainty that you will be entitled to, for instance, data portability or erasure of personal data in the specific case - this will depend on the specific circumstances in connection with the data processing.

7. Complaints to the Danish Data Protection Agency

You will be entitled to file a complaint at any time to the Danish Data Protection Agency about PFA’s processing of your personal data. However, you should always contact PFA first if you believe that PFA has processed your personal data in conflict with the data protection regulations. This way, you can get PFA’s explanation of the case. You can contact the Danish Data Protection Agency by e-mail at dt@datatilsynet.dk or read more at www.datatilsynet.dk.

The date of the last update to the policy will be stated at the top of the page.