Privacy Notice of OP Asset Management Ltd’s customer data file

Privacy notice

1. General information

This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and the national law for a data subjects, that is, for the controller's customer, employees and for the supervisory authority.

2. Controller and its contact information

OP Asset Management Ltd
Postal address: P.O. Box 1068, 00013 OP
Street address: Gebhardinaukio 1, 00510 HELSINKI
The controller’s contact person: OP Financial Group’s Data Protection Team
Phone: 010 253 1333 (in English), 0100 0500 (in Finnish)

3. Data Protection Officer’s contact information

OP Financial Group’s Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, 00013 OP

4. Name of the personal data file

OP Asset Management Ltd’s customer data file

The personal data of OP Asset Management Ltd’s customers and potential customers are processed in the data file. The data subjects are private individuals and entities.

5. The purpose of personal data processing and legal basis for processing

Purpose of use of personal data

  • Customer service and customer relationship management and development, including customer communications
  • Provision, development and quality assurance of services
  • Business development
  • Monitoring and analysis of product and service use and customer segmentation, for example, in order for the controller to be able to offer personalised product and service content to users
  • Opinion polls and market surveys
  • Direct marketing
  • Targeted marketing and advertising
  • Fulfilling statutory obligations and any other official rules and regulations
  • Risk management
  • Ensuring the security of services and investigating abuses
  • Training purposes

Processing of personal data within the scope of the data file includes profiling. Profiling means automated processing of personal data evaluating certain aspects relating to a natural person by utilising this data. Further information about profiling is available in OP’s Privacy Statement at Another example of profiling performed within the scope of the data file is assessing the risk tolerance of a customer receiving investment advice and determining a suitable target market for the customer based on his/her investor profile. A controller who provides investment advice services has a statutory obligation to perform such an assessment.

Know Your Customer information and the data subject’s other personal information may be used in the prevention, uncovering and investigation of money laundering and the financing of terrorism, and in bringing under investigation the money laundering and financing of terrorism as well as the crime committed to obtain the assets or proceeds of crime involved in the financing of the money laundering or financing of terrorism.

The data subject’s personal data may be used to investigate if the person is subject to international sanctions applied by the controller. Further information on OP Financial Group’s sanctions compliance is primarily available in the terms and conditions of the acquired product or service.

Legal basis of processing

Personal data is processed in the data file on several legal bases.

A general basis for processing personal data is a contractual relationship between the controller and the data subject or carrying out measures prior to concluding an agreement at the request of the data subject, for example replying to a request for quote.

The controller also processes personal data to comply with statutory requirements, such as the MiFID II / MiFIR regulatory framework applicable to the sector, and with legislation governing anti-money laundering and counter-terrorist financing.

Personal data processing may also be based on the data subject’s consent, such as permission for electronic direct marketing, or on the controllers legitimate interests. In addition to the controller, other OP Financial Group entities may use personal data based on legitimate interests, for example, for direct marketing or business development. In most cases, the controller’s legitimate interests are based on the customer relationship or similar relationship between the controller and the customer.

6. Categories of personal data

Category of personal data Data content of the category
Basic information Data subject’s name
The data subject’s address, telephone number and email address
Data subject’s tax status

Private individual: personal ID, place of birth, domicile, nationality, job title /profession, level of education, legal competence

Entity: identification details of persons acting on the behalf of an entity and information on connections to the entity
Know Your Customer (KYC) information Statutory KYC information such as the information required to identify the customer and to determine their financial status and political exposure
Customer relationship information Information that uniquely identifies and classifies the customer, such as investor profile information
Consents The consents given and withheld by the data subject concerning personal data processing
Contract and product information The controller’s and data subject’s contract information
Information on products and services acquired by the data subject
Customer activity data Tasks and transactions related to the management of customer relationship
Background information For example, details of the life situation and financial status of the data subject
Areas of interest Information on the data subject’s areas of interest
Recordings and content of messages Recordings and messages in various formats, in which the data subject is a party, for example, call recordings and e-mails


7. Recipients and recipient groups of personal data

Any collected personal data may be disclosed within OP Financial Group as permitted by the law. Data is disclosed within the Group to, among others, the entity providing securities custody services.

Data may in statutory cases be disclosed to relevant authorities, such as the Financial Supervisory Authority and the Finnish Tax Administration. An annual notification of the controller’s customers, among other things, is sent to the tax authorities.

8. Transfer of personal data

The controller uses suppliers in data processing, and data will be transferred outside of the EU or EEA to a limited extent. When data is transferred outside of the EU or EEA, the transfer is done using the EU Commission’s standard contractual clauses or some other transfer mechanism in accordance with legislation.

Some of the controller’s suppliers are other OP Financial Group entities. They provide the controller with information system and other support services, among other things.

9. Personal data retention period or criteria for determining the period

Personal data may be processed within the validity of the contractual relationship. Once the contractual relationship / customer relationship has ended, the data will be erased or anonymised after ten years in accordance with the erasure processes followed by the controller. The personal data of potential customers is erased or anonymised approximately five years from the previous contact.

After the contractual relationship has ended, the controller may process the personal data for direct marketing purposes in accordance with applicable legislation.

10. Personal data sources and updates

Personal data is collected primarily from the data subjects themselves. Data may be collected when the data subject uses certain services of the controller, such as online services. Personal data may also be obtained from other OP Financial Group entities as permitted by law.

Personal data can also be collected and updated as permitted by law from the personal data files of third parties, such as the Population Register Centre, the Trade Register and other registers maintained by the authorities, as well as from credit information register controllers.

Information necessary to identify political exposure and parties subject to international sanctions followed by the controller may be collected from third parties that maintain such data files.

11. Data subject’s rights

Data subjects have the right to receive the controller’s confirmation of whether their personal data will be processed or not, or whether they have already been processed.

If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.

The controller may charge a reasonable administrative fee for additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.

The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.

After the application of the General Data Protection Regulation has begun, the data subject will, in certain cases, also have the right to request the controller to restrict the processing of their personal data or to otherwise oppose the processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in machine-readable format.

All of the above requests must be submitted to the abovementioned contact person of the controller.

If a data subject considers that his/her personal data is not processed legally, he/she has the right to file a complaint with the supervisory authority.

12. Right to cancel prior consent

If the controller processes the data subject’s personal data on the basis of consent, the data subject has the right to cancel such consent. The cancellation of consent does not affect the lawfulness of processing performed based on the consent prior to its cancellation. Such cancellation may, however, have an effect on the usability and functionalities of the service.

13. Protection methods regarding the data file

The controller has protected the data appropriately in technical and organisational terms. The data file is protected using, for example, the following tools:

  • Protection of equipment and data files
  • Access control
  • User identity verification
  • Access rights
  • Registration of usage events
  • Processing guidelines and supervision

The controller also requires of its suppliers the appropriate protection of personal data to be processed.