Privacy notice
Created or last edited on: 29.3.2022
1. Overview
This Privacy Notice contains the information that must be provided to data subjects, such as controllers’ customers and employees, as well as the competent supervisory authority under the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act.
2. Controller and controller’s contact information
OP Financial Group member cooperative banks that hold the election of their Representative Assembly, in accordance with OP Financial Group’s shared election concept.
The controller’s contact person: OP Financial Group’s Data Protection Team
Phone: 0100 0500
Email: dataprotection@op.fi
3. Data Protection Officer’s contact information
OP Financial Group’s Data Protection Officer
OP Financial Group
Postal address: P.O. BOX 308, FI-00013 OP, FINLAND
Email: dataprotection@op.fi
4. Name of the personal data file and data subjects
Data file of owner-customers, candidates and supporters eligible for the election of OP’s Representative Assembly.
5. Purposes of personal data processing and legal basis for processing
5.1 Purposes of processing
The purpose of use of personal data is to carry out the election of the Representative Assembly of each OP Financial Group member cooperative bank and related communication with the candidates and their supporters. The candidates’ answers on the voting aid application will be saved and published to make it easier for voters to select candidates.
5.2 Legal basis for processing
The table below describes the legal bases for processing personal data contained in the data file and provides examples of processing performed on each basis.
| Legal basis | Example |
|---|---|
| Consent | Details of the candidate and the supporter are saved and processed based on their consent. |
| Statutory obligations | Arrangement of the election of an OP cooperative bank’s Representative Assembly and its implementation method. |
| Legitimate interests of the controller or a third party | Details of owner-customers eligible to vote and who have voted are saved to arrange the election and to ensure that each and every owner-customer eligible to vote can cast one vote and nobody can cast more than one vote. |
6. Categories of personal data
| Category | Data content |
|---|---|
| Basic information | Name of owner-customer/candidate/supporter Personal ID code Data subject’s contact information: phone number, email address and address Place of residence Title/job/occupation of candidate Information on the existing employment, if any, with OP Financial Group Information on the existing role, if any, in any OP Financial Group’s management body |
| Information on support and candidacy | Information on consent to standing as a candidate in the Representative Assembly election and on supporter consent |
| Information on owner-customer membership | OP cooperative bank’s owner-customer membership |
| Consents | Any consents given or withheld by the data subject concerning personal data processing |
| Answers given on the voting aid application (only candidates) |
Views, interests and background information given by the candidate related to the development of OP and its services that the candidate gives when answering the questions on the voting aid application |
| Behavioural information (including information collected by means of cookies and other similar technologies) | Online behaviour and use of services using, for example, cookies. The collected information may include a website browsed by the user, the device model, unique device and/or cookie ID, channel such as an application, mobile browser or web browser, browser version, IP address, session ID, session time and duration, and the display resolution and operating system. |
| Recordings and content of messages (only candidates) |
The candidate’s photo and picture ID, phone recordings and email messages, if any, related to the election process. |
| Candidate’s number of votes (only candidates) |
Number of the votes received by the candidate. |
7. Recipients of personal data and recipient categories
Any personal data obtained may be used within OP Financial Group as permitted by law. In addition, personal data may be disclosed in statutory cases, for example, to relevant authorities.
8. Transfer of personal data
The controller uses suppliers in data processing, and data may be transferred outside of the EU or EEA. When data is transferred outside of the EU or EEA, the transfer is done using the EU Commission’s standard contractual clauses or some other transfer mechanism in accordance with legislation. Read more about international transfers of personal data and the European Commission's standard contractual clauses at OP’s website: op.fi/dataprotection.
Some of the controller’s suppliers are other OP Financial Group entities. They provide the controller with information system and other support services, among other things.
9. Personal data retention period or criteria for determining the period
The controller saves and process personal data for five years, covering the term of the elected Representative Assembly.
10. Personal data sources and updates
Personal data is primarily collected from the data subjects themselves. Personal data may also be collected when the data subject uses certain services of the controller, such as online services. The data subject’s photo can be delivered directly from the photographer’s studio to the voting aid application if the data subject enters their picture ID received from the studio to the voting aid application.
Personal data may only be collected from the personal data files of other OP Financial Group entities within the limits permitted by law, for example, in order to verify a person’s right to vote in the Representative Assembly elections.
Personal data may also be collected and updated within the limits permitted by law from the personal data files of third parties, including the following:
- Digital and Population Data Services AgencyPersonal data files maintained by other authorities
11. Data subjects’ rights
Data subjects have the right to receive the controller’s confirmation of whether their personal data will be processed or not, or whether they have already been processed.
If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.
The controller may charge a reasonable administrative fee for any additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.
The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.
In certain circumstances, the data subject also has the right to request the controller to restrict the processing of their personal data or to otherwise object to processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in machine-readable format.
All requests mentioned herein must be submitted to the abovementioned contact person of the controller.
If a data subject considers that their personal data is not processed legally, they have the right to file a complaint with the supervisory authority.
12. Right to cancel prior consent
If the controller processes a data subject’s personal data on the basis of consent, the data subject has the right to cancel such consent. The cancellation of consent does not affect the lawfulness of processing performed on the basis of said consent prior to its withdrawal. Such cancellation may, however, have an effect on the usability and functionalities of the controller’s services.
13. Protection methods regarding the data file
The controller is committed to processing personal data securely and in a manner that satisfies the requirements of the applicable laws. The controller has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.
The controller has taken appropriate technical and organisational measures to protect the data. The data file is protected using, for example, the following tools:
- Protection of hardware and files
- Access control
- User identity verification
- Access rights
- Registration of usage events
- Processing guidelines and supervision
The controller also requires of its suppliers and other partners appropriate protection of any personal data they process.