Data file of owner-customers, candidates and supporters eligible for the election of OP’s Representative Assembly

Privacy notice

Created or last edited on: 14 June 2021

1. Overview

This Privacy Notice contains the information that must be provided to data subjects, such as controllers’ customers and employees, as well as the competent supervisory authority under the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act.

2. Controller and controller’s contact information

OP Financial Group member cooperative banks that hold the election of their Representative Assembly in 2021, in accordance with OP Financial Group’s shared election concept.

The controller’s contact person: Data Protection Team
Phone: 0100 0500
Email: dataprotection@op.fi

3. Data Protection Officer’s contact information

OP Financial Group’s Data Protection Officer
OP Financial Group
Postal address: P.O. BOX 308, FI-00013 OP, FINLAND
Email: dataprotection@op.fi

4. Name of the personal data file and data subjects

Data file of owner-customers, candidates and supporters eligible for the election of OP’s Representative Assembly.

5. Purposes of personal data processing and legal basis for processing

5.1 Purposes of processing

The purpose of use of personal data is to carry out the election in 2021 of the Representative Assembly of each OP Financial Group member cooperative bank and related communication with the candidates and their supporters. The candidates’ answers on the voting aid application will be saved and published to make it easier for voters to select candidates.

5.2 Legal basis for processing

The table below describes the legal bases for processing personal data contained in the data file and provides examples of processing performed on each basis.

Legal basis | Example
Consent | Details of the candidate and the supporter are saved and processed based on their consent.
Statutory obligations | Arrangement of the election of an OP cooperative bank’s Representative Assembly and its implementation method.
Legitimate interests of the controller or a third party | Details of owner-customers eligible to vote and who have voted are saved to arrange the election and to ensure that each and every owner-customer eligible to vote can cast one vote and nobody can cast more than one vote.

6. Categories of personal data

Category | Data content
Basic information | Name of owner-customer/candidate/supporter; Personal ID code; Data subject’s contact information: phone number, email address and address; Place of residence; Title/job/occupation of candidate; Information on the existing employment, if any, with OP Financial Group
Information on support and candidacy | Information on consent to standing as a candidate in the Representative Assembly election and on supporter consent
Information on owner-customer membership | OP cooperative bank’s owner-customer membership
Consents | Any consents given or withheld by the data subject concerning personal data processing
Answers given on the voting aid application (only candidates) | Views, interests and background information related to the development of OP and its services that the candidate gives when answering the questions on the voting aid application
Recordings and content of messages (only candidates) | The candidate’s photo and picture ID, phone recordings and email messages, if any, related to the election process.
Candidate’s number of votes (only candidates) | Number of the votes received by the candidate.

7. Recipients of personal data and recipient categories

7.1 Data recipients

Any personal data obtained may be used within OP Financial Group as permitted by law. In addition, personal data may be disclosed in statutory cases, for example, to relevant authorities.

7.2 Transfer of data to suppliers

The controller has suppliers which process personal data for its account. The controller concludes appropriate agreements on personal data processing with all such suppliers.

The controller’s suppliers provide the controller with, for example, information system services. Some of the controller’s suppliers are other OP Financial Group entities.

7.3 International transfers of data

As a rule, the controller does not transfer data in this data file outside of the EU/EEA. However, if the data were transferred outside of the EU/EEA in an individual case, the controller will always apply transfer mechanisms permitted by law, such as standard contractual clauses based on data protection legislation, that guarantee appropriate protection of personal data.

The controller uses subcontractors for personal data processing. 

8. Personal data retention period or criteria for determining the period

The controller saves and processes personal data for five years, covering the term of the elected Representative Assembly.

9. Personal data sources and updates

Personal data is primarily collected from the data subjects themselves. Personal data may also be collected when the data subject uses certain services of the controller, such as online services. The data subject’s photo can be delivered directly from the photographer’s studio to the voting aid application at the request of the data subject.

Personal data may also be collected and updated within the limits permitted by law from the personal data files of third parties, including the following:

  • Population Information System
  • Personal data files maintained by other authorities

10. Data subjects’ rights

Data subjects have the right to receive the controller’s confirmation of whether their personal data will be processed or not, or whether they have already been processed.

If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed. 

The controller may charge a reasonable administrative fee for any additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.

The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.

In certain circumstances, the data subject also has the right to request the controller to restrict the processing of their personal data or to otherwise object to processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in machine-readable format.

All requests mentioned herein must be submitted to the abovementioned contact person of the controller.

If a data subject considers that their personal data is not processed legally, they have the right to file a complaint with the supervisory authority.

11. Right to cancel prior consent

If the controller processes a data subject’s personal data on the basis of consent, the data subject has the right to cancel such consent. The cancellation of consent does not affect the lawfulness of processing performed on the basis of said consent prior to its withdrawal. Such cancellation may, however, have an effect on the usability and functionalities of the controller’s services.

12. Protection methods regarding the data file

The controller is committed to processing personal data securely and in a manner that satisfies the requirements of the applicable laws. The controller has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.

The controller has taken appropriate technical and organisational measures to protect the data. The data file is protected using, for example, the following tools:

  • Protection of hardware and files
  • Access control
  • User identity verification
  • Access rights
  • Registration of usage events
  • Processing guidelines and supervision

The controller also requires of its suppliers and other partners appropriate protection of any personal data they process.