1. General information
2. Controller and controller’s contact information
Postal address: P.O. Box 308, 00013 OP
Street address: Gebhardinaukio 1 00510 HELSINKI
The controller's contact person: OP Financial Group's Data Protection Team
Telephone: 0100 0500
3. Data Protection Officer's contact information
OP Financial Group
Postal address: P.O. Box 308, FI-00013 OP, Finland
4. Name of the personal data file and data subjects
The data subjects of the data file are the controller's customers and potential customers. Data subjects include private individuals and the contact persons, persons in charge and owners of corporate and institutional customers (hereinafter the company).
5. Purposes of personal data processing and legal basis for processing
- Customer service and customer relationship management and development, in-cluding customer communications
- Provision, development and quality assurance of services
- Business development
- Monitoring and analysis of service use and customer segmentation, for example, in order for the controller to be able to offer personalised service content to the users
- Opinion polls and market surveys
- Fulfilling statutory obligations and any other official rules and regulations
- Risk management
- Ensuring the security of services, and preventing and investigating abuses
- Training purposes
Know Your Client (KYC) information and other personal data of data subjects may be used to prevent, uncover and detect money laundering and terrorist financing as well as for other purposes required by the Act on Preventing and Detecting Money Laundering and Terrorist Financing.
The data subject's personal data may be used to investigate whether the person is subject to international sanctions applied by the controller. Further information on OP Financial Group’s sanctions compliance is primarily available in the terms and conditions of the acquired product or service.
|Contractual relationship or actions preceding the conclusion of a contract||
|Legitimate interests of the controller or a third party||
6. Categories of personal data
|Contract and product information||
|Customer activity data||
|Behavioural information (including information collected by means of cookies and other similar technologies)||
|Recordings and content of messages||
|Technical verification data||
7. Recipients of personal data and recipient categories
- Finnish Central Securities Depository Ltd for entries of book-entry accounts
The controller’s suppliers provide the controller with, for example, information system ser-vices. Some of the controller’s suppliers are other OP Financial Group entities.
International transfers of data
The controller uses suppliers in personal data processing, and data is transferred outside of the EU or EEA to a limited extent. The controller also discloses personal data outside of the EU / EEA.
Data is transferred outside of the EU / EEA using standard contractual clauses based on data protection legislation or using another transfer mechanism permitted by legislation that guarantee appropriate protection of personal data.
A transfer mechanism used by the controller is the standard contractual clauses adopted by the European Commission.
8. Personal data retention period or criteria for determining the period
Contractual information will be erased approximately ten years after the contract has terminated. Information on customer relationship, such as KYC information, will be erased or anonymised approximately ten years after the last contract has terminated. The information will be erased in accordance with the controller's erasure processes.
Potential customers' data will be retained as long as the retention is necessary to establish a potential customer relationship, however no longer than for ten years.
The controller may be under an obligation to process some personal data in the data file for a period longer than stated above in order to comply with legislation or requirements set by the relevant authorities, such as capital adequacy measurement regulation.
9. Personal data sources and updates
Personal data is collected primarily from the data subjects themselves or, on a case-by-case basis, from the entity on behalf of which they act. Personal data may also be collected when the data subject uses certain controller services, such as online services. Personal data may, within the limits permitted by law, also be obtained from other OP Financial Group entities for risk management purposes, for example.
Personal data can also be collected and updated within the limits permitted by law from the personal data files of third parties, such as:
- the Finnish Digital Agency
- personal data files maintained by other authorities, such as the Trade Register
- Databases of parties who keep information needed for identifying political exposure and individuals subject to the international sanctions observed by the controller
10. Data subject's rights
If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.
The controller may charge a reasonable administrative fee for any additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.
The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.
After the application of the General Data Protection Regulation has begun, the data subject will, in certain cases, also have the right to request the controller to restrict the processing of their personal data or to otherwise oppose the processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in machine-readable format.
All requests mentioned herein must be submitted to the abovementioned contact person of the controller.
If a data subject considers that their personal data is not processed legally, they have the right to file a complaint with the supervisory authority.
11. Protection methods regarding the data file
The controller has taken appropriate technical and organisational measures to protect the data. The data file is protected using, for example, the following tools:
- Protection of hardware and files
- Access control
- User identity verification
- Access rights
- Registration of usage events
- Processing guidelines and supervision