OP Identity Service Broker’s customer data file

Privacy notice

1. General information

This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and the national data protection law for a data subject, that is, for the controller's customer, and for the supervisory authority.

2. Controller and its contact information

OP Financial Group member cooperative banks and OP Corporate Bank plc together

Postal address: P.O. Box 308, 00013 OP
Street address: Gebhardinaukio 1, 00510 HELSINKI
The controller’s contact person: OP Financial Group's Data Protection Team
Telephone: 0100 0500
Email: dataprotection@op.fi

3. Data Protection Officer's contact information

OP Financial Group's Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, 00013 OP
Email address: tietosuoja@op.fi

4. Name of the personal data file

OP Identity Service Broker’s customer data file.

The personal data file is a joint file of OP Financial Group’s banks, and each controller is fully liable for the processing of personal data within its scope.

The data subjects of the data file are the persons acting on behalf of the actual and potential customers of the member cooperative banks’ and OP Corporate Bank’s Identity Service Broker. Customers are entities such as merchants.

In addition, data subjects include the private users of the identification broker service. These persons transfer from a transaction service via an identification broker service to a service provided by an identification device issuer (such as a bank or telecom operator) and whose identification data is transferred back to the transaction service.

5. Purpose of personal data processing and legal basis for processing

Purposes of processing

The controller processes the personal data in the data file in order to produce, provide and deliver the identification broker service defined in the Act on Strong Electronic Identification and Electronic Trust Services (617/2009, with later amendments, hereinafter also the Identification Act).

The Finnish Communications Regulatory Authority’s Regulation 72/2016 on Electronic Identification and Trust Services and Recommendation 216/2017 S Code of conduct for identification service trust network appendix Processing of personal data in a trust network for electronic identification are also applied to processing.

Personal data of persons acting on behalf of institutional customers are used for following purposes:

  • Customer service and customer relationship management and development, including customer communications
  • Production, provision and delivery of services, and development and quality assurance of services
  • Business development
  • Opinion polls and market surveys
  • Direct marketing
  • Targeted marketing and advertising
  • Fulfilling statutory obligations and any other official rules and regulations
  • Risk management
  • Ensuring the security of services and investigating abuses
  • Training

Personal data of private customers, i.e. the users of the service, are used for following purposes:

  • Production, provision and delivery of services, and development and quality assurance of services
  • Fulfilling statutory obligations and any other official rules and regulations
  • Ensuring the security of services and investigating abuses

Anti-money laundering and counter-terrorist financing, and sanctions monitoring

The KYC information and other personal data of the persons acting on behalf of institutional customers may be used to prevent, uncover and detect money laundering and terrorist financing as well as for other purposes laid down in the Act on Preventing and Detecting Money Laundering and Terrorist Financing. The controller, as a diligent service provider, takes these measures based on a legitimate interest.

The personal data of persons acting on behalf of institutional customers may be used to investigate whether the person is subject to international sanctions applied by the controller. Further information on OP Financial Group's sanctions compliance is primarily available in the terms and conditions of the acquired product or service.

Legal bases of processing

The table below describes the legal bases of processing personal data used by the data file and provides examples of processing performed on each basis.

Legal basis Example
Contractual relationship or actions preceding the conclusion of a contract Actions based on a contract or its conclusion:

Processing of the data of persons acting on behalf of institutional customers in the data file is primarily based on a contract.

In the case of private users of the identification broker service, processing of personal data is based on an order. When providing the identification broker service, the controller transmits the end-user’s personal data relating to the identification event to the institutional customer buying the identification broker service.
Statutory obligation Processing of the data of private customers (consumer customers) in the data file is, in part, based on statutory obligations (Identification Act and the Finnish Communications Regulatory Authority’s lower level regulations).

Sanctions monitoring within the data file is, in part, based on law.
Legitimate interests of the controller or a third party Following actions concerning persons acting on behalf of institutional customers may be based on a legitimate interest:

•    Processing KYC information for the purposes laid down in the Act on Preventing Money Laundering and Terrorist Financing
•    International sanctions monitoring
•    Disclosing information to personal data files of other OP Financial Group entities

The controller ensures that the processing performed on this basis is proportionate to the data subject's benefits and meets his/her reasonable expectations.

6. Categories of personal data

Category of personal data Data content of the category
Basic information Persons acting on behalf of institutional customers:

Data subject’s name, email address, telephone number, address, postcode and town/city, personal ID, nationality, information concerning the person’s connection with or position in the entity

Identification broker service users:

Data subject’s name and personal ID, identification service used for identification, eService for which the user was identified, time stamp of the identification event, IP address as well as several other technical details relating to the identification event that are needed for later verification of the identification event.
KYC information Persons acting on behalf of institutional customers:

KYC information such as the information required to identify the customer and to determine their financial status and political exposure.
Customer activity data Tasks and transactions related to the management of the customer relationship.
Behavioural information (incl. information collected using cookies and other such technologies) Tracking of the data subject's online behaviour and use of services using, for example, cookies. The collected information may include a website browsed by the user, the device model, unique device and/or cookie ID, channel such as an application, mobile browser or web browser, browser version, IP address, session ID, session time and duration, and the display resolution and operating system.
Recordings and content of messages Recordings and messages in various formats, in which the data subject is a party, for example call recordings.
Technical verification data Identifier determined by a device or an application with which the user of the device or application can be identified, using additional information if necessary.

7. Recipients and recipient groups of personal data

Data recipients

Persons acting on behalf of institutional customers

Any personal data obtained may be used within OP Financial Group as permitted by law. In addition, personal data may be disclosed, for example, to relevant authorities such as the police in statutory cases.

Identification broker service users

The identification broker service user’s personal data received from the identification device issuer (bank, telecom operator) are disclosed to the transaction service for which the user  identifies. In addition, data may be disclosed to relevant authorities in statutory cases.

Transfer of data to suppliers

The controller uses suppliers, which process personal data for its account. The suppliers provide the controller with information system services, among other things. Some of the controller's suppliers are other OP Financial Group entities.

International transfers of data

The controller uses suppliers in data processing, and data on persons acting on behalf of institutional customers is transferred outside of the EU or EEA to a limited extent.

Data is transferred outside of the EU or EEA using standard contractual clauses based on data protection legislation or using another transfer mechanism permitted by legislation that guarantees appropriate protection of personal data. As one of the transfer mechanisms, the controller uses the standard contractual clauses adopted by the European Commission available at this address:

https://ec.europa.eu/info/strategy/justice-and-fundamental-rights/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en

8. Personal data retention period or criteria for determining the period

Personal data of the persons acting on behalf of institutions are processed for the duration of the contractual relationship. Once the contractual relationship has terminated, the data will be deleted or anonymised after around seven years in accordance with the deletion processes followed by the controller. The data of the potential customers will be erased in around six months' time of the date of the transaction or contact or as soon as the potential customer wants.

After the contractual relationship has terminated, the controller may process the personal data for direct marketing purposes in accordance with applicable legislation.

The identification broker service user’s personal data is stored for 5 years of the identification event, after which they are deleted automatically.

9. Personal data sources and updates

Persons acting on behalf of institutional customers

Personal data is collected primarily from the data subjects themselves. Personal data may also be collected when the data subject uses certain controller services, such as online services.

Personal data can also be collected and updated within the limits permitted by law from the personal data files of third parties, such as:

  • The Trade Register
  • Personal data files maintained by other authorities (such as execution authorities)
  • Other customer data files of OP Financial Group entities.
  • Parties that maintain databases with information that is necessary to identify parties subject to political exposure and international sanctions followed by the controller

Identification broker service users

Identification broker service users’ personal data forwarded to the transaction service are always obtained from the identification device issuer (banks and telecom operators).

10. Data subject's rights

Data subjects have the right to receive the controller's confirmation of whether their personal data will be, or have been, processed.

If the controller processes a data subject's personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.

The controller may charge a reasonable administrative fee for additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.

The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.

In certain cases, the data subject also has the right to request the controller to restrict the processing of their personal data or to otherwise oppose the processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in machine-readable format.

The requests mentioned herein must be submitted to the abovementioned contact person of the controller. However, because the identification broker service user’s personal data transmitted in connection with the identification event come from the customer data file of the identification device issuer, which is under the obligation to verify said data from the Population Information System, any errors in and corrections to these personal data should be notified first and foremost to the issuer’s customer service and/or the Population Information System.

If the data subject considers that their personal data is not processed legally, they have the right to file a complaint with the supervisory authority.

11. Protection methods regarding the data file

The controller processes personal data securely and in a manner fulfilling the requirements of applicable laws. It has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.

The controller has protected the data appropriately in technical and organisational terms. The data file is protected using, for example, the following tools:

  • Protection of equipment and files
  • Access control
  • User identity verification
  • Access rights
  • Registration of usage events
  • Processing guidelines and supervision

The controller also requires that its suppliers ensure appropriate protection of the personal data to be processed.
 

12. Principles governing identification

The principles governing identification in the Identification Broker Service are available on op.fi.