1. General information
This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and the national data protection law for a data subject, such as for the controller’s customer, employees and for the supervisory authority.
2. Controller and its contact information
Each real estate fund* maintained by OP Financial Group (also hereinafter OP) that independently maintains a personal data file described in this notice.
(*For example Real Estate Fund Finland III Ky, OP Asuntorahasto I Ky, OP Toimitilakiinteistö Ky)
Postal address: P.O. Box 308, 00013 OP
Street address: Gebhardinaukio 1 00510 HELSINKI
The controller's contact person: OP Financial Group's Data Protection Team
Phone: 0100 0500
3. Data Protection Officer's contact information
OP Financial Group's Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, 00013 OP
4. Name of the personal data file and data subjects
Investor data file for real estate funds
Data subjects include persons acting on behalf of institutions or companies investing in real estate funds managed by OP or persons acting on behalf of potential investors.
5. Purposes of personal data processing and legal basis for processing
Purposes of processing
Investment service requires personal data processing. The controller processes data included in the data file mainly for producing, providing and delivering investment services. Below you can find more detailed information on how personal data is used in the data file.
The purposes of personal data use include:
- customer service and customer relationship management and development as well as reporting
- production, provision and delivery of services, and quality assurance
- business development
- fulfilling statutory obligations and any other official rules and regulations
- risk management
- ensuring the security of services and investigating fraud
- targeted marketing and advertising
Anti-money laundering and counter-terrorist financing, and sanctions monitoring
KYC information and other data subject’s personal data may be used to prevent, uncover and detect money laundering and terrorist financing as well as for other purposes required by the Act on Preventing and Detecting Money Laundering and Terrorist Financing.
The data subject's personal data may be used to investigate whether the person is subject to international sanctions applied by the controller. Further information on OP's sanctions compliance is primarily available in the terms and conditions of the acquired product or service.
Legal bases of processing
The table below describes the legal bases of processing personal data used by the data file and provides examples of processing performed on each basis.
|Contractual relationship or actions preceding the conclusion of a contract||Personal data is processed in the data file mainly on a contractual basis (investment commitment) to provide and deliver investment services acquired by the data subject.|
|Statutory obligation||Personal data is processed in the data file based on the Act on Preventing and Detecting Money Laundering and Terrorist Financing and on sanctions legislation.|
|Legitimate interests of the controller or a third party||Disclosing data to other OP companies and service providers for the purpose, for example, of customer relationship management or marketing, may be based on a legitimate interest.
International sanctions monitoring performed by the controller is partly based on a legitimate interest.
In most cases, the controller's legitimate interests are based on the customer relationship or similar relationship between the controller and the data subject. The controller ensures that the processing performed on this basis is proportionate to the data subject's benefits and meets his/her reasonable expectations.
6. Categories of personal data
|Category of personal data||Data content of the category|
|Basic information||Data subject's name
Data subject's contact details (address, email address and telephone number).
Name and contact details of persons acting on behalf of the institution or company
|KYC information||Statutory KYC information such as the information required to identify the customer and to determine their financial status and political exposure|
|Customer relationship information||Information that uniquely identifies and classifies the customer|
|Contract and product information||The controller's and data subject's contract information as well as holdings in each mutual fund
Information on products and services acquired by the data subject
|Customer activity data||Tasks and transactions related to the management of customer relationship|
|Recordings and content of messages||Recordings and messages in various formats, in which the data subject is a party, for example, call recordings|
7. Recipients and recipient groups of personal data
Any personal data obtained may be used within OP as permitted by the law. Personal data may be disclosed to authorities, including the Finnish Tax Administration or the Finnish Financial Supervisory Authority, only within the limits permitted by law.
When disclosing personal data included in the data file, the controller takes into account the requirements of mandatory legislation, including the controller's confidentiality obligations.
Transfer of data to suppliers
The controller uses suppliers which process personal data for its account. The controller concludes appropriate agreements on personal data processing with such suppliers.
The suppliers provide the controller with information system services, among other things. Some of the controller's suppliers also are other than OP entities.
International transfers of data
As a rule, the controller does not transfer data in this data file outside of the EU / EEA. However, if the data were transferred outside of the EU / EEA in an individual case, the controller will always apply transfer mechanisms permitted by law, such as standard contractual clauses based on data protection legislation, that guarantee appropriate protection of personal data.
As one of the transfer mechanisms, the controller would use the standard contractual clauses adopted by the European Commission available
8. Personal data retention period or criteria for determining the period
The controller processes personal data during the validity of the contractual relationship. Once the contractual relationship has terminated, the controller will erase or anonymise the data after around five years in accordance with the erasure processes it follows.
The controller processes potential customer personal data for no more than one year calculated from the date when the data subject through his/her active action last showed interest in the products or services of the controller.
9. Personal data sources and updates
Personal data is collected primarily from the data subjects themselves.
Personal data can also be collected and updated within the limits permitted by law from the personal data files of third parties, examples including:
- the Population Register Centre
- personal data files maintained by other authorities
- credit information register controllers
- parties that maintain databases with information that is necessary to identify political exposure and parties subject to international sanctions followed by the controller
- other customer data files of OP entities
10. Data subject's rights
Data subjects have the right to receive the controller's confirmation of whether their personal data will be processed or not, or whether they have already been processed.
If the controller processes a data subject's personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.
The controller may charge a reasonable administrative fee for additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.
The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.
After the application of the General Data Protection Regulation has begun, the data subject will, in certain cases, also have the right to request the controller to restrict the processing of their personal data or to otherwise oppose the processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in machine-readable format.
All of the above requests must be submitted to the abovementioned contact person of the controller.
If a data subject considers that his/her personal data is not processed legally, he/she has the right to file a complaint with the supervisory authority.
11. Protection methods regarding the data file
The controller processes personal data securely and in a manner fulfilling the requirements of applicable laws. It has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.
The controller has protected the data appropriately in technical and organisational terms. The data file is protected using, for example, the following tools:
- protection of equipment and files
- access control
- user identity verification
- access rights
- registration of usage events
- processing guidelines and supervision
The controller also requires that its suppliers and other partners ensure appropriate protection of the personal data to be processed.