Updated on 27 September 2022
Privacy notice
1. General
This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and the national law for a data subjects, that is, for the controller's customers, employees and for the supervisory authority.
2. Controller and its contact information
OP Cooperative
Postal address: P.O. Box 308, 00013 OP
Street address: Gebhardinaukio 1, 00510 HELSINKI
The controller’s contact person: Juha Forsblom
E-mail: juha.forsblom(a)op.fi
3. Data Protection Officer’s contact information
OP Financial Group’s Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, 00013 OP
Email: tietosuoja(a)op.fi
4. Name of the data file
OP Customer research data file
The following are data subjects; different entities of the OP Financial Groups (banking, insurance and asset management) customers, employees and the representatives of the client entities.
The following groups can also be data subjects; OPs potential clients, clients from other banks, other consumers who have participated to consumer interviews, to product testings and to other surveys or consumers who have participated to surveys about user experience. Potential client is a person who is not yet a customer of OP Financial Group but to whom entities from OP Financial Group are marketing their services or products.
5. Purposes of personal data processing and legal basis for processing
Purposes of processing
Processing of personal data is required in the case of client surveys and interviews, in case of other services of the OP Financial Group and when the customer satisfaction is monitored. The data controller is processing the data mainly for the reasons of gathering anonymized research data and for purposes of analyzing this data.
The persons under the data file are contacted for the purposes of their opinions, views, experiences and feedback. This can happen for instance in case of developing the products and services, for communication purposes and for measuring and supporting the decision making.
Below you can find more detailed information on how personal data is utilized in the data file.
The purposes of personal data use include:
- conducting market surveys, client surveys, interviews and usability research for private and corporate customers
- sending surveys which are measuring client experience
- communication for sending electronic surveys
- communication through phone for recruiting people for interviews
- communication relating to customer feedback
- developing services and quality assurance
- statistical user purposes
- possible rewarding for taking part to surveys and to research
- supporting the development of business operations based on the results of client surveys
Legal basis of processing
The table below describes the legal bases of processing personal data used by the data file and provides examples of processing performed on each basis.
| Legal basis | Example |
|---|---|
| Consent | The processing of personal data is based on consent when the data subjects are not customers of OP Financial Group. Example: Surveys which are sent via electronic channels are based on the consent of the data subject. |
| Legitimate interest of the data controller or a third party | The processing of data from OP Financial Groups customers is based on legitimate interest. The controller may disclose information to other personal data files of OP Financial Group entities on the basis of legitimate interests. In most cases, the controller’s legitimate interests are based on the customer relationship or similar relationship between the controller and the data subject. The controller ensures that the processing performed on this basis is proportionate to the data subject’s benefits and meets his/her reasonable expectations. |
6. Categories of personal data
Below are the categories of personal data processed in the data file.
| Categories of personal data | Content of the data gategory |
|---|---|
| Basic information | Data subject’s name Data subject’s personal identity code Data subject’s contact information Data subject’s age Data subject’s gender |
| Customer relationship information | Backround information, such as age group and territorial limitations, which are in the customer data files of OP Financial Groups entities. This data is used for the purpose of gathering it to the survey and will not be used for individual processing when the results are analysed and reported. |
| Consents | The consents given and withheld by the data subject concerning personal data processing |
| Contract and product infomation | The controller’s and data subject’s contract information Information on products and services acquired by the data subject |
| Client data | Tasks and events related to the management of customer relationship which can be used for sending surveys for example for the purpose of measuring the client experience. |
| Background information | Information from the survey, which the person reveals himself/herself for example age, gender, income and the place of residence. Data will not be processed invidually when the results are analyzed and reported. |
| The fields of interest | Information on the data subject’s areas of interest as far as they appear from the content of the survey. Data will not be processed invidually when the results are analyzed and reported. |
| Behavioral information | The following data from the responder included in the surveys will be recorded: - Data from the responder’s browser - Data regarding Web mails, the http-reference that is to say from which page it came to the answer link - Which pages of the survey he/she has visited (survey tracking) - System generated identifier for the answer - Surveys language - Surveys status: invited, unfinished, finished, serial number for the answers - The last page answered - Timestamps: information from sending the invitation, time of reply, time for starting and finishing the survey, time used for certain page. In addition www-server program holds a log which includes IP address, device, operating system, browser data and time stamps. |
| Data from the responses | Data given by the responder himself/herself during the survey (for example answers from the survey, data infomed from the survey) Data will not be processed individually. |
7. Recipients and recipient groups of personal data
Data recipients
Personal data collected may be used within OP Financial Group as permitted by law.
Personal data may be disclosed to authorities based on legal grounds.
When disclosing personal data included in the data file, the controller takes into account the requirements of mandatory legislation, including the controller’s confidentiality obligations.
Transfer of data to suppliers
The controller uses suppliers which process personal data for its account. The controller concludes appropriate agreements on personal data processing with such suppliers.
The data controller may use suppliers for conducting interviews in which case the supplier will carry out recruiting, research, assessment and reporting or may only conduct some part of the survey suh as conducting customer interviews and reporting.
Suppliers provide the controller with information system services, such as research invitations, follow the gathering of research data and send reminder messages if needed. Some of the controller’s suppliers are other OP Financial Group entities.
International transfers of data
The controller uses suppliers in data processing, and data may be transferred outside of the EU or EEA. When data is transferred outside of the EU or EEA, the transfer is done using the EU Commission’s standard contractual clauses or some other transfer mechanism in accordance with legislation. Read more about international transfers of personal data and the European Commission's standard contractual clauses at OP’s website: op.fi/dataprotection.
Some of the controller’s suppliers are other OP Financial Group entities. They provide the controller with information system and other support services, among other things.
8. Personal data retention period or criteria for determining the period
The data collected through client surveys conducted by the data controller and the supplier shall be deleted after 3 to 6 months from the end of the project.
Regarding potential clients or other natural persons who are not clients of the OP Financial Group, the data controller shall processes the data the maximum of one year from the time the data subject indicated his/hers interests towards the products or services of the data controller with an active measure.
9. Personal data sources and updates
Personal data is collected primarily from the data subjects themselves. Personal data may also be collected when the data subject uses certain controller services, such as online services.
Personal data can also be collected and updated within the limits permitted by law from the personal data files of third parties, such as:
- Digital and Population Data Services Agency
- personal data files maintained by other authorities
- credit information register controllers
- Bank and Insurance business and wealth management
- other customer data files of OP Financial Group entities
10. Data subject’s rights
Data subjects have the right to receive the controller’s confirmation of whether their personal data will be processed or not, or whether they have already been processed.
If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.
The controller may charge a reasonable administrative fee for additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.
The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.
The data subject may, in certain cases, also have the right to request the controller to restrict the processing of their personal data or to otherwise oppose the processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in machine-readable format.
If a data subject considers that his /her personal data is not processed legally, he/she has the right to file a complaint with the supervisory authority.
11. Right to cancel prior consent
If the controller processes the data subject’s personal data on the basis of consent, the data subject has the right to cancel such consent by contacting the customer service of the data controller. The cancellation of consent does not affect the lawfulness of processing performed based on the consent prior to its cancellation.
12. Organisation of protection of data file
The controller processes personal data securely in accordance with applicable laws. It has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.
The controller has protected the data appropriately in technical and organisational terms. The data file is protected using, for example, the following measures:
- protection of equipment and data files
- access control
- user identity verification
- registration of usage events
- processing guidelines and supervision
The controller also requires that its suppliers and other partners ensure appropriate protection of the personal data to be processed.