Investor data file for real estate funds

Updated on 15 February 2023

Privacy Notice

1. General information

This Privacy Notice contains information required by the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act for data subjects, such as the controller’s customers and employees, and for the supervisory authority.

2. Controller and its contact information

Each real estate fund managed by OP Financial Group (also hereinafter OP) that independently maintains a personal data file described in this notice.

Postal address: P.O. Box 308, 00013 OP
Street address: Gebhardinaukio 1, 00510 HELSINKI
The controller's contact person: OP Financial Group's Data Protection Team
Phone: 0100 0500

3. Data Protection Officer's contact information

OP Financial Group's Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, 00013 OP

4. Name of the personal data file and data subjects

The controller’s personal data file for real estate funds.

The data subjects are persons acting on behalf of organisations or companies that have invested in real estate funds managed by OP or persons acting on behalf of potential investors.

The data subjects also include persons selling real estate, plots or other property to real estate funds and persons connected to these sales.

5. Purposes of personal data processing and legal basis for processing

5.1 Purposes of processing

Investment services and purchase and sales measures require personal data processing. The controller processes data included in the data file mainly for producing, providing and delivering investment services and for purchasing and selling property. Below, you can find more detailed information on how personal data are utilised in the data file.

The purposes of personal data use include:

  • Customer service and customer relationship management and development, as well as reporting
  • Production, provision and delivery of services, and quality assurance of services
  • Business development
  • Fulfilling statutory obligations and any other official rules and regulations
  • Risk management
  • Ensuring the security of services and investigating abuses
  • Targeted marketing and advertising

Anti-money laundering and counter-terrorist financing, and sanctions monitoring

Know Your Client (KYC) information and other personal data of data subjects may be used to prevent, uncover and detect money laundering and terrorist financing, as well as for other purposes required by the Act on Preventing and Detecting Money Laundering and Terrorist Financing.

The data subject’s personal data may be used to investigate whether the person is subject to international sanctions applied by the controller.

5.2 Legal bases of processing

The table below describes the legal bases for processing personal data contained in the data file, and provides examples of processing performed on each basis.

Legal basis: Contractual relationship or actions preceding the conclusion of a contract
Example: Personal data are processed in the data file on a contractual basis (investment commitment) to provide and deliver investment services acquired by the data subject. In the case of the purchase and sale of property, personal data are processed on a contractual basis.

Legal basis: Legal obligation
Example: Personal data are processed in the data file based on the Act on Preventing and Detecting Money Laundering and Terrorist Financing and on sanctions legislation.

Legal basis: Legitimate interests of the controller or a third party
Example: Disclosing data to other OP companies and service providers for the purpose, for example, of customer relationship management or marketing, may be based on a legitimate interest. International sanctions monitoring performed by the controller is partly based on a legitimate interest.

In most cases, the controller’s legitimate interests are based on the customer relationship or similar relationship between the controller and the data subject. The controller has a responsibility to ensure that any processing performed on this basis is proportionate to the data subject’s interests and meets his/her reasonable expectations.

6. Categories of personal data

Category: Basic information
Data content:
  • Data subject’s name and personal ID code or business ID if required
  • Data subject’s contact details (address, email address and telephone number)
  • Name and contact details of persons acting on behalf of the institution or company

Category: KYC information
Data content: Statutory KYC information such as the information required to identify the customer and to determine their financial status and political exposure

Category: Customer relationship information
Data content: Information that uniquely identifies and classifies the customer

Category: Contract and product information
Data content:
  • The controller’s and data subject’s contract information, as well as holdings in each mutual fund
  • Information on products and services purchased by the data subject

Category: Customer activity data
Data content: Tasks and transactions related to the management of the customer relationship

Category: Recordings and content of messages
Data content: Recordings and messages in various formats, to which the data subject is a party, for example voice call recordings

7. Recipients and recipient groups of personal data

7.1 Data recipients  

Any personal data obtained may be used within OP as permitted by law. Personal data may be disclosed to the authorities, including the Finnish Tax Administration or the Finnish Financial Supervisory Authority, only within the limits permitted by law.

When disclosing personal data included in the data file, the controller takes into account the requirements of mandatory legislation, including the controller’s confidentiality obligations.

7.2 Transfer of data to suppliers

The controller has suppliers which process personal data for its account. The controller concludes appropriate agreements on personal data processing with all such suppliers.

The controller’s suppliers provide the controller with information system services, for example. Some of these suppliers are not OP entities.

7.3 International transfers of data

The controller uses subcontractors for data processing, and data may be transferred outside the EU or EEA. When data is transferred outside the EU or EEA, the transfer is done using the European Commission’s standard contractual clauses or some other transfer mechanism in accordance with legislation. Further details on international transfers of personal data and standard contractual clauses are available from OP’s website at

8. Personal data retention period or criteria for determining the period

The controller processes personal data during the validity of the contractual relationship. Once the contractual relationship has terminated, the controller will erase or anonymise the data after around five years in accordance with the erasure processes it follows.

The controller processes potential customer personal data for no more than one year calculated from the date when the data subject through their active action last showed interest in the products or services of the controller.

The personal data obtained during sales and purchase measures are stored for 5 years from the signing of the bill of purchase. Bills of purchase are primarily stored as long as the controller operates.

9. Personal data sources and updates

Personal data are primarily collected from the data subjects themselves.

Personal data may also be collected and updated within the limits permitted by law from the personal data files of third parties, including the following:

  • Digital and Population Data Services Agency
  • personal data files maintained by other authorities
  • credit data file controllers
  • databases of parties who keep information needed for identifying political exposure and individuals subject to the international sanctions observed by the controller
  • other customer data files of OP entities

10. Data subject's rights

Data subjects have the right to receive the controller’s confirmation of whether their personal data will be processed or not, or whether they have already been processed.

If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.

The controller may charge a reasonable administrative fee for any additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.

The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes. In certain circumstances, the data subject also has the right to request the controller to restrict the processing of their personal data or to otherwise object to processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in machine-readable format.

All requests mentioned herein must be submitted to the abovementioned contact person of the controller.

If a data subject considers that their personal data are not being processed legally, they have the right to file a complaint with the competent supervisory authority.

11. Protection methods regarding the data file

The controller is committed to processing personal data securely and in a manner that satisfies the requirements of the applicable laws. The controller has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.

The controller has taken appropriate technical and organisational measures to protect the data. The data file is protected using, for example, the following tools:

  • Protection of hardware and files
  • Access control
  • User identity verification
  • Access rights
  • Registration of usage events
  • Processing guidelines and supervision

The controller also requires that its suppliers and other partners engage in appropriate protection of any personal data they process.