OP Custody Ltd customer data file

Privacy notice

1. General information

This Privacy Notice contains the information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and national data protection law for data subjects, such as the controller’s customers and employees, and for the supervisory authority.

2. Controller and controller’s contact information

OP Custody Ltd
Postal address: P.O. Box 308, 00013 OP
Street address: Gebhardinaukio 1, 00510 HELSINKI
The controller's contact person: OP Financial Group's Data Protection Team
Telephone: 0100 0500
Email: dataprotection@op.fi

3. Data Protection Officer's contact information

OP Financial Group's Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, FI-00013 OP, Finland
Email: dataprotection@op.fi

4. Name of the personal data file and data subjects

OP Custody Ltd customer data file

The data subjects of the data file are the controller's customers and potential customers. Data subjects include private individuals and the contact persons, persons in charge and owners of corporate and institutional customers (hereinafter the company).

5. Purposes of personal data processing and legal basis for processing

Purposes of processing
In this customer data file, personal data is used primarily for the purpose of the provision, delivery and development of the controller’s securities storage, settlement, issuance and custodian services. Below, you can find more detailed information on how personal data is utilised in the data file.
  • Customer service and customer relationship management and development, including customer communications
  • Provision, development and quality assurance of services
  • Business development
  • Monitoring and analysis of service use and customer segmentation, for example, in order for the controller to be able to offer personalised service content to the users
  • Opinion polls and market surveys
  • Fulfilling statutory obligations and any other official rules and regulations
  • Risk management
  • Ensuring the security of services, and preventing and investigating abuses
  • Training purposes
Crime prevention / Anti-money laundering and counter-terrorist financing, and sanctions monitoring

Know Your Client (KYC) information and other personal data of data subjects may be used to prevent, uncover and detect money laundering and terrorist financing as well as for other purposes required by the Act on Preventing and Detecting Money Laundering and Terrorist Financing.

The data subject's personal data may be used to investigate whether the person is subject to international sanctions applied by the controller. Further information on OP Financial Group’s sanctions compliance is primarily available in the terms and conditions of the acquired product or service.
Legal bases of processing
The table below describes the legal bases of processing personal data contained in the data file and provides examples of processing performed on each basis.
Legal basis and examples of processing
Contractual relationship or actions preceding the conclusion of a contract
  • Establishing a customer account
  • Personal data processing necessary for contract enforcement
Statutory obligations
  • Anti-money laundering and counter-terrorist financing legislation
  • Legislation specific to the line of business
  • Other statutory personal data processing, such as cooperation with the police or tax authorities, and obligations related to reporting to the authorities
Legitimate interests of the controller or a third party
  • Establishing a potential customer and offering services to a potential customer may be based on a legitimate interest.
  • Data disclosure within OP Financial Group may be based on a legitimate interest

6. Categories of personal data

Category and content
Basic information
  • Data subject's name, personal identity code / business ID, data subject's postal address, phone number, email address
  • The name and contact details of corporate customers' contact persons, persons in charge and owners, and information on the person’s position with regard to the entity
CDD information
  • Statutory KYC information such as the information required to identify the customer and to determine their financial status and political exposure
Customer information
  • Information that uniquely identifies and categorises the customer relationship, such as tax code, nationality, language used for communication, profession or position
Contract and product information
  • The controller's and data subject's contract information
  • Information on products and services acquired by the data subject
Customer activity data
  • Tasks and transactions related to the management of customer relationship
Background information
  • For instance, information on the data subject's financial standing, personal circumstances, experience and knowledge related to investment activities
Behavioural information (including information collected by means of cookies and other similar technologies)
  • Tracking of the data subject's online behaviour and use of services using, for example, cookies. The collected information may include a website browsed by the user, the device model, unique device and/or cookie ID, channel such as an application, mobile browser or web browser, browser version, IP address, session ID, session time and duration, and the display resolution and operating system.
Recordings and content of messages
  • Recordings and messages in various formats, in which the data subject is a party, for example call recordings
Technical verification data
  • Identifier determined by a device or an application with which the user of the device or application can be identified, using additional information if necessary

7. Recipients of personal data and recipient categories

Data recipients
Any personal data obtained may be used within OP Financial Group if permitted by law, for example for regulatory reporting purposes.
Personal data may be disclosed to authorities, including the Finnish Tax Administration or the Finnish Financial Supervisory Authority, only within the limits permitted by law. Annual notifications of the controller’s customers are sent to the tax administration.
In addition, personal data may be disclosed, for example, to:
  • Finnish Central Securities Depository Ltd for entries of book-entry accounts
When disclosing personal data included in the data file, the controller takes into account the requirements of mandatory legislation, including the controller’s confidentiality obligations.
Transfer of data to suppliers
The controller has suppliers who process personal data on the controller’s behalf. The controller undertakes to conclude appropriate agreements on personal data processing with all such suppliers.

The controller’s suppliers provide the controller with, for example, information system services. Some of the controller’s suppliers are other OP Financial Group entities.

International transfers of data

The controller uses suppliers in personal data processing, and data is transferred outside of the EU or EEA to a limited extent. The controller also discloses personal data outside of the EU / EEA.

Data is transferred outside of the EU / EEA using standard contractual clauses based on data protection legislation or using another transfer mechanism permitted by legislation that guarantee appropriate protection of personal data.

A transfer mechanism used by the controller is the standard contractual clauses adopted by the European Commission.

8. Personal data retention period or criteria for determining the period

Personal data may be processed during the validity of the customer and contractual relationship. It will also be processed after the end of the customer and contractual relationship for a period deemed necessary at any given time and as stated below.

Contractual information will be erased approximately ten years after the contract has terminated. Information on customer relationship, such as KYC information, will be erased or anonymised approximately ten years after the last contract has terminated. The information will be erased in accordance with the controller's erasure processes.

Potential customers' data will be retained as long as the retention is necessary to establish a potential customer relationship, however no longer than for ten years.

The controller may be under an obligation to process some personal data in the data file for a period longer than stated above in order to comply with legislation or requirements set by the relevant authorities, such as capital adequacy measurement regulation.

9. Personal data sources and updates

Personal data is collected primarily from the data subjects themselves or, on a case-by-case basis, from the entity on behalf of which they act. Personal data may also be collected when the data subject uses certain controller services, such as online services. Personal data may, within the limits permitted by law, also be obtained from other OP Financial Group entities for risk management purposes, for example.

Personal data can also be collected and updated within the limits permitted by law from the personal data files of third parties, such as:

  • the Finnish Digital Agency
  • personal data files maintained by other authorities, such as the Trade Register
  • databases of parties who keep information needed for identifying political exposure and individuals subject to the international sanctions observed by the controller

10. Data subject's rights

Data subjects have the right to receive confirmation from the controller as to whether or not their personal data will be, or have been, processed.

If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.

The controller may charge a reasonable administrative fee for any additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.

The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.

After the application of the General Data Protection Regulation has begun, the data subject will, in certain cases, also have the right to request the controller to restrict the processing of their personal data or to otherwise oppose the processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in machine-readable format.

All requests mentioned herein must be submitted to the abovementioned contact person of the controller.

If a data subject considers that their personal data is not processed legally, they have the right to file a complaint with the supervisory authority.

11. Protection methods regarding the data file

The controller is committed to processing personal data securely and in a manner that satisfies the requirements of applicable laws. The controller has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.

The controller has taken appropriate technical and organisational measures to protect the data. The data file is protected using, for example, the following tools:
  • Protection of hardware and files
  • Access control
  • User identity verification
  • Access rights
  • Registration of usage events
  • Processing guidelines and supervision
The controller also requires its suppliers and other partners to appropriately protect any personal data to be processed.