Customer data file for rental management

Privacy Notice

1. General Information

This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and the national data protection law for a data subject, such as for the controller’s customer, employees and for the supervisory authority.

2. Controller and its contact information

Each group company of OP Financial Group or a real estate fund* and insurance and pension institution managed by OP Financial Group (also hereinafter OP) that owns and rents dwelling units or business premises that independently maintains a personal data file described in this notice.

Postal address: P.O. Box 308, 00013 OP
Street address: Gebhardinaukio 1 00510 HELSINKI
The controller's contact person: OP Financial Group’s Data Protection Team
Phone: 0100 0500
Email: dataprotection(a)

3. Data Protection Officer's contact information

OP Financial Group's Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, 00013 OP
Email: dataprotection(a)

4. Name of the personal data file and data subjects

The data subjects include private individuals who are or have been tenants of the dwelling units owned by the controller and persons acting on behalf of such institutions that are or have been lessees of premises owned by the controller.

Data subjects may also include potential customers, private individuals and persons acting on behalf of such an institution or company with whom an agreement has been drafted.

5. Purposes of personal data processing and legal basis for processing

5.1 Purposes of processing

The main purpose of use of the personal data in the data file is contacts with the customer related to renting a home or leasing premises, such as sending rent bills to the customer and informing of issues related to the tenancy agreement. Below you can find more detailed information on how personal data is used in the data file.

Purposes of use of personal data:

  • Customer service and customer relationship management and development, including customer communications
  • Production, provision and delivery of services, and development and quality assurance of services
  • Business development
  • Opinion polls and market surveys
  • Fulfilling statutory obligations and any other official rules and regulations
  • Risk management
  • Ensuring the security of services and investigating abuses
  • Direct marketing
  • Targeted marketing and advertising

Anti-money laundering and counter-terrorist financing, and sanctions monitoring

KYC information and other data subject's personal data may be used to prevent, uncover and detect money laundering and terrorist financing as well as for other purposes required by the Act on Preventing and Detecting Money Laundering and Terrorist Financing.

The data subject's personal data may be used to investigate whether the person is subject to international sanctions applied by the controller. Further information on OP's sanctions compliance is primarily available in the terms and conditions of the acquired product or service.

5.2 Legal bases of processing

Personal data processing is mainly based on the valid or expired rental/lease agreement, such as billing and collecting rents/lease payments or on measures preceding the conclusion of the rental/lease agreement, such as offering dwelling units or business premises on the basis of a private individual's home application or of an institution's contact related to premises.

Personal data processing can also be based on: 

  • the controller's statutory obligation, such as providing the tenant/lessee with information on property repairs affecting housing or business, planned water supply or power cuts or the maintenance of equipment in the building, such as that of lifts.
  • the controller's or a third party's legitimate interests, such as customer satisfaction and market research surveys on the basis of which the controller can further develop its business and services related to housing or lease of business premises. In most cases, the controller's legitimate interests are based on the customer relationship or similar relationship between the controller and the data subject.
  • personal data may also be disclosed within OP based on the controller's legitimate interest.

6. Categories of personal data

Category of personal data Data content of the category
Basic information Data subject's name and personal ID code or business ID as well as contact details (address, email address and phone number)
Identification details of persons acting on the behalf of an entity or company and information on connections to the entity or company
KYC information Statutory KYC information such as the information required to identify the customer and to determine their financial status and political exposure
Customer relationship information Information that uniquely identifies and classifies the customer
Contract and product information The controller's and data subject's contract information
Customer activity data Tasks and transactions related to the management of customer relationship
Background information For example, details of the life situation and financial status of the data subject, such as credit information
Recordings and content of messages Messages in various formats, in which the data subject is a party, for example, email messages
Technical verification data Identifier determined by a device or an application, with which the user of the device or application can be identified, using additional information if necessary
Behavioural information (incl. information collected using cookies and other such technologies) Tracking of the data subject's online behaviour and use of services using, for example, cookies. The collected information may include a website browsed by the user, the device model, unique device and/or cookie ID, channel such as an application, mobile browser or web browser, browser version, IP address, session ID, session time and duration, and the display resolution and operating system.

7. Recipients and recipient groups of personal data

7.1 Data recipients

Any personal data obtained may be used within OP as permitted by the law. Furthermore, personal data may be disclosed, for example, to parties which have given a rental security deposit, such as the Social Insurance Institution of Finland, bank or a customer entity's parent company as those which have given the rental security deposit as well as a debt-collection agency in the case of collection measures.

If required by law, personal data may also be disclosed to the relevant authorities, such as municipal authorities in the case of interest-subsidised homes.

Personal data will also be disclosed if the controller sells a property to a third party. This involves disclosing personal data necessary for the management of the rental/lease relationship and issue.

When disclosing personal data included in the data file, the controller takes into account the requirements of mandatory legislation, including the controller's confidentiality obligations.

7.2 Transfer of data to suppliers

The controller uses suppliers which process personal data for its account. The suppliers provide the controller, for example, with rental management services (such as estate agency business related to dwelling units and business premises and billing rents/lease payments), property appraisal and information system services. Some of the controller's suppliers are other OP entities.

The controller concludes appropriate agreements on personal data processing with such suppliers.

7.3 International transfers of data

The controller uses suppliers in data processing, and data may be transferred outside of the EU or EEA. When data is transferred outside of the EU or EEA, the transfer is done using the EU Commission’s standard contractual clauses or some other transfer mechanism in accordance with legislation. Read more about international transfers of personal data and the European Commission's standard contractual clauses at OP’s website:

Some of the controller’s suppliers are other OP Financial Group entities. They provide the controller with information system and other support services, among other things.

8. Personal data retention period or criteria for determining the period

The controller processes personal data during the validity of the rental/lease agreement. Once the rental/lease agreement has terminated, the controller will erase or anonymise the data after around ten years in accordance with the erasure processes it follows.

The personal data of potential customers is erased after approximately five years from the previous contact.

9. Personal data sources and updates

Personal data is collected primarily from the data subjects themselves. Personal data can also be collected and updated within the limits permitted by law from the personal data files of third parties, examples including:

  • Digital and Population Data Services Agency
  • personal data files maintained by other authorities
  • credit information register controllers
  • parties that maintain databases with information that is necessary to identify political exposure and parties subject to international sanctions followed by the controller

10. Data subject's rights

Data subjects have the right to receive the controller's confirmation of whether their personal data will be processed or not, or whether they have already been processed.

If the controller processes a data subject's personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.

The controller may charge a reasonable administrative fee for additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.

The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.

After the application of the General Data Protection Regulation has begun, the data subject will, in certain cases, also have the right to request the controller to restrict the processing of their personal data or to otherwise oppose the processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in machine-readable format.

All of the above requests must be submitted to the abovementioned contact person of the controller.

If a data subject considers that his/her personal data is not processed legally, he/she has the right to file a complaint with the supervisory authority.

11. Protection methods regarding the data file

The controller processes personal data securely and in a manner fulfilling the requirements of applicable laws. It has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.

The controller has protected the data appropriately in technical and organisational terms. The data file is protected using, for example, the following tools:

  • protection of equipment and files
  • access control
  • user identity verification
  • access rights
  • registration of usage events
  • processing guidelines and supervision

The controller also requires that its suppliers and other partners ensure appropriate protection of the personal data to be processed.