Privacy Notice for the OP Smart Contracts service

1. Overview

This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and national legislation to be provided to data subjects, including the controller’s customers and employees, and to the supervisory authority.

2. Controller and its contact information

Pivo Wallet Oy
Postal address: PL 308, FI-00013 OP
Street address: Gebhardinaukio 1, 00510 HELSINKI
Controller's contact person: OP Smart Contracts customer service
Phone: 010 253 0300
Email: asiakaspalvelu.sujuvatkaupat@op.fi

3. Data Protection Officer's contact information

OP Financial Group's Data Protection Officer
OP Financial Group
Postal address: PL 308, FI-00013 OP
Email: dataprotection@op.fi

4. Name of the personal data file

Customer data file of the OP Smart Contracts service

The data file contains the personal data of users who purchase or sell vehicles in the OP Smart Contracts service or visit the website of the OP Smart Contracts service.

In the OP Smart Contracts service provided by the controller, Pivo Wallet Oy, users can carry out vehicle sales between private individuals from start to finish. In the service, users can also apply for financing from OP Corporate Bank for the purchase of a vehicle and buy vehicle insurance from Pohjola Insurance.

In the provision of financing, Pivo Wallet acts as an agent of OP Corporate Bank, and OP Corporate Bank is the controller and processor of personal data for the purpose of granting financing in accordance with the Privacy Notice for OP Corporate Bank's customer data file. OP Corporate Bank is the controller of the service used to pay for the vehicle. OP Corporate Bank is also the controller of personal data processing related to anti-money laundering required by law.

Pohjola Insurance Ltd is the controller and processor of personal data processed for the purpose of granting insurance in accordance with its Privacy Notice. The service provider, Pivo Wallet, acts as an agent of Pohjola Insurance in the sale of insurance in the Smart Contracts service. Users can also use the service to submit the notification of transfer of the vehicle's ownership to the Finnish Transport and Communications Agency Traficom in the notification service provided by Pohjola Insurance. The service provider and controller of this service is Pohjola Insurance.

5. Purposes of personal data processing and legal basis for processing

5.1 Purposes of processing

The purposes of use of personal data include the following:

  • Customer service and customer relationship management and development, including customer communications
  • Providing services and products (OP Smart Contracts service), development, automation and quality assurance as well as customer and user modelling
  • Monitoring and analysis of product and service use and customer segmentation, for example, in order for the controller to be able to offer personalised product and service content to users
  • Ensuring the security of services and investigating abuses
  • Risk management
  • Training purposes
  • Direct marketing, opinion polls and market surveys, distance selling, targeting of marketing and advertising
  • Fulfilling statutory obligations and any other official rules and regulations
  • Conducting and developing other business

Profiling

Processing of personal data within the scope of the data file includes profiling. Profiling means the automated processing of personal data for evaluating certain personal aspects of an individual. Marketing involves carrying out target group sampling, and targeting is based on various segments.

Further information about profiling in OP Financial Group is available in the Privacy Statement at op.fi/dataprotection.

Preventing crimes

Know Your Client (KYC) information and other personal data of data subjects may be used to prevent, uncover and detect money laundering and terrorist financing, as well as for other purposes required by the Act on Preventing and Detecting Money Laundering and Terrorist Financing.

Users who have not identified themselves in the OP Smart Contracts service:

Use of the OP Smart Contracts service requires that the user identify themselves. Visitors who have not identified themselves can only access the front page of the service. In this case, the visitor's personal data is used with the user's consent for analytics and marketing purposes with a cookie placed on the user's device.

5.2 Legal bases for processing

The table below describes the legal bases for processing personal data contained in the data file, and provides examples of processing performed on each basis.

| Legal basis | Example |
| --- | --- |
| Contractual relationship or actions preceding the conclusion of a contract | Personal data in the data file is mainly processed based on the performance of a contract using data provided by the data subject. Provision of the service is based on the terms and conditions of the OP Smart Contracts service. Personal data of users is processed on the basis of these terms and conditions when users create and carry out vehicle sale orders. |
| Consent | Direct electronic marketing is based on the data subject's consent, for example, on a consent to direct electronic marketing given by the data subject. Direct electronic marketing means direct marketing via email, SMS or in-app push notification, for example. The use of non-essential cookies on the website is also based on the data subject's consent. Data subjects may also subscribe to newsletters with their consent. |
| Legal obligation | Personal data are processed in the data file for the purpose of preventing and detecting money laundering and terrorist financing and on the basis of sanctions legislation. Personal data is also processed to comply with obligations under tax and accounting legislation, for example. |
| Legitimate interests of the controller or a third party | Direct marketing over the phone and by mail is often based on the controller's legitimate interest. Business development and the prevention of misuse and fraud are also based on the controller's legitimate interest. In addition, disclosures of data between OP Financial Group entities are often based on legitimate interests. |

6. Categories of personal data

| Category | Data content |
| --- | --- |
| Basic information | Data subject's personal identity code for identity verification purposes; data subject's name; data subject's contact details (email address and phone); vehicle registration number |
| Customer relationship information | Information that uniquely identifies and classifies the customer, such as transaction ID or user ID |
| Know Your Customer (KYC) information | Statutory KYC information such as the information required to identify the customer and to determine their financial status and political exposure |
| Consents | Any consents given or withheld by the data subject concerning personal data processing |
| Customer activity data | Tasks and transactions related to the management of the customer relationship, such as interactions with the OP Smart Contracts customer service and sales transactions executed in the service. |
| Recordings and content of messages | Recordings and messages in various formats, to which the data subject is a party, such as voice call recordings of customer service interactions |
| Behavioural information (incl. information collected using cookies and other such technologies) | Tracking of the data subject's online behaviour and use of services using, for example, cookies. The collected information may include a website browsed by the user, the device model, unique device and/or cookie ID, a channel such as an application, mobile browser or web browser, a browser version, IP address, session ID, session time and duration, and the display resolution and operating system. |

7. Recipients and recipient groups of personal data

7.1 Data recipients

Any personal data obtained may be used within OP Financial Group as permitted by law.

Personal data may be disclosed to the authorities within the limits permitted by law. The OP Smart Contracts service checks from the Finnish Transport and Communications Agency Traficom's register whether the seller is the vehicle's true owner by retrieving the information from Traficom's system based on the vehicle registration number and verifying ownership based on the seller's personal identity code.

When disclosing personal data included in the data file, the controller takes into account the requirements of mandatory legislation.

7.2 Transfer of data to suppliers

The controller has suppliers which process personal data for its account. The controller concludes appropriate agreements on personal data processing with all such suppliers.

The controller’s suppliers provide the controller with, for example, information system services. Some of the controller’s suppliers are other OP Financial Group entities.

7.3 International transfers of data

The controller uses subcontractors for data processing, and data may be transferred outside the EU or EEA. When data is transferred outside the EU or EEA, the transfer is done using the European Commission’s standard contractual clauses or some other transfer mechanism in accordance with legislation. Further details on international transfers of personal data and standard contractual clauses are available from OP's website at op.fi/dataprotection.

8. Personal data retention period or criteria for determining the period

The controller processes personal data during the validity of the customer relationship. Information on the customer relationship, such as KYC information, will be erased or anonymised approximately five years after the last transaction has been executed.

The deed of sale for the transaction is retained for one year after the conclusion of the sale.

After the contractual relationship has terminated, the controller may process personal data for direct marketing purposes in accordance with applicable legislation.

The controller may be under an obligation to process some personal data in the data file for a period longer than stated above in order to comply with legislation or requirements set by the relevant authorities, such as tax and accounting legislation.

If the customer purchases insurance offered by Pohjola Insurance or car financing offered by OP Corporate Bank via the OP Smart Contracts service, the data collected for these purposes is stored in the manner specified in the Privacy Notices for the customer data files of the controllers of these services, which are Pohjola Insurance and OP Corporate Bank, respectively.

9. Personal data sources and updates

Personal data are primarily collected from the data subjects themselves. Personal data may also be collected from the data subject's device when the data subject uses certain services of the controller.

All phone calls to and from the controller may be recorded. We may use call recordings to verify customer transactions, assure the quality of customer service and develop our services and for training purposes.

Personal data can also be collected and updated as permitted by law from the data files of third parties, such as the customer data files of other OP Financial Group entities and the vehicle information register maintained by the Finnish Transport and Communications Agency Traficom.

10. Data subjects' rights

Data subjects have the right to receive the controller's confirmation of whether their personal data will be processed or not, or whether they have already been processed.

If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.

The controller may charge a reasonable administrative fee for any additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.

The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes. In certain circumstances, the data subject also has the right to request the controller to restrict the processing of their personal data or to otherwise object to processing. In addition, under the GDPR, data subjects may request that the data they have provided themselves be transferred in a machine-readable format.

All requests mentioned herein must be submitted to the abovementioned contact person of the controller.

If a data subject considers that their personal data is not processed legally, they have the right to file a complaint with the supervisory authority.

11. Right to cancel prior consent

If the controller processes a data subject’s personal data on the basis of consent, the data subject has the right to cancel such consent. The cancellation of consent does not affect the lawfulness of processing performed on the basis of said consent prior to its withdrawal. Such cancellation may, however, have an effect on the usability and functionalities of the controller’s services.

12. Protection methods regarding the data file

The controller is committed to processing personal data securely and in a manner that satisfies the requirements of the applicable laws. The controller has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.

The controller has taken appropriate technical and organisational measures to protect the data. The data file is protected using, for example, the following tools:

  • Protection of hardware and files
  • Access control
  • User identity verification
  • Access rights
  • Registration of usage events
  • Processing guidelines and supervision

The controller also requires that its suppliers and other partners engage in appropriate protection of any personal data they process.