OP Retail Customers Plc's digital services customer data file

Updated 16.09.2022

Privacy Notice

1. General information

This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and the national data protection law for a data subject, such as for the controller’s customer, employees and for the supervisory authority.

2. Controller and its contact information

OP Retail Customers Plc

Postal address: P.O. Box 308, 00013 OP
Street address: Gebhardinaukio 1, 00510 HELSINKI
The controller’s contact person: OP Financial Group's Data Protection Team
Telephone: 0100 0500
Email address: tietosuoja@op.fi

3 Data Protection Officer's contact information

OP Financial Group's Data Protection Officer

OP Financial Group
Postal address: P.O. Box 308, 00013 OP
Email address: tietosuoja@op.fi

4. Name of the personal data file and data subjects

OP Card Company Plc's digital services customer data file

The data subjects are private customers who enter into an agreement with OP Retail Customers Plc on digital services or identification means, as well as persons acting on behalf of entities that enter into the said agreements or who, under such an agreement, represent the customer entity in the digital services.

5. Purpose of personal data processing and legal basis for processing

Purposes of processing

The use of digital services and a means of identification require the processing of personal data. The controller processes personal data included in the data file mainly to provide the data subject / the entity represented by the data subject digital service platforms, such as the op.fi service, OP-mobile, OP Business mobile, electronic signature service and phone service, or a means of identification with which to use these services. Below you can find more detailed information on how personal data is used in the data file.

The purposes of personal data use include:

  • Customer service and customer relationship management and development, including customer communications
  • Provision, development and quality assurance of services
  • Business development
  • Monitoring and analysis of service use and customer segmentation, for example, in order for the controller to be able to offer personalised service content to the users
  • Opinion polls and market surveys
  • Direct marketing
  • Targeted marketing and advertising
  • Fulfilling statutory obligations and any other official rules and regulations
  • Risk management
  • Ensuring the security of services and investigating abuses

Automated decision-making and profiling

Personal data processing within the scope of the data files involves automated decision-making. Automated decision-making is involved when a decision is made automatically only in such a way that a person does not participate in making an individual decision and when such a decision has legal effects on the data subject and considerably affects the data subject in a similar manner.

If automated decision-making is included in the product or service purchased by the customer, this is informed upon purchase of the product or service. When the decision process is fully automated, the controller ensures that the data subject can submit the matter for manual processing and decision.

Processing of personal data within the scope of the data file includes profiling. Profiling means automated processing of personal data where certain aspects relating to a natural person are evaluated by utilising this data.

General information about automated decision-making and profiling is available in OP Financial Group's Privacy Statement at op.fi/dataprotection.

The controller uses automated decision-making when concluding an agreement on digital services or identification means  with a private customer. Automated decision-making includes profiling using the following data concerning data subjects: personal identity code, address, information on whether the data subject is alive, representation, and certain sanctions lists published by the authorities.

Sanctions monitoring

The data subject's personal data may be used to investigate whether the person is subject to international sanctions applied by the controller. Further information on OP Financial Group's sanctions compliance is primarily available in the terms and conditions of the acquired product or service. The sanctions list review ensures that international sanctions do not constitute an obstacle to a person's customer relationship or to acting as a representative of an entity.

Legal bases of processing

The table below describes the legal bases of processing personal data used by the data file and provides examples of processing performed on each basis.

Legal basis Example
Contractual relationship or actions preceding the conclusion of a contract Personal data is processed in the data file mainly on a contractual basis to provide and deliver the digital service  or identification means acquired by a data subject or an entity.
Statutory obligation Sanctions legislation

Act on Strong Electronic Authentication and Electronic Trust Services concerning a means of identification
Legitimate interests of the controller or a third party Direct marketing and business development are often based on the controller's legitimate interest. International sanctions monitoring performed by the controller is partly based on a legitimate interest.

The controller may disclose information to the other personal data files of OP Financial Group entities on the basis of legitimate interests.

In most cases, the controller's legitimate interests are based on the customer relationship or similar relationship between the controller and the data subject. The controller ensures that the processing performed on this basis is proportionate to the data subject's benefits and meets his/her reasonable expectations.

6. Categories of personal data

Category of personal data Data content of the category
Basic information

For a private customer: personal identity code or comparable foreign identifier and name
The data subject's address
Type of verification document or other information on the verification method

For a person acting on behalf of an entity:

Personal identity code or comparable foreign identifier or date of birth and name
Email address
Phone number

Customer relationship information Information that uniquely identifies and classifies a private customer
Contract and product information Information on the contract between the controller and data subject or the entity represented by the data subject
Customer activity data Tasks and transactions related to the management of the customer relationship
Behavioural information (incl. information collected using cookies and other such technologies) Tracking of the data subject's online behaviour and use of services using, for example, cookies. The collected information may include a website browsed by the user, the device model, unique device and/or cookie ID, channel such as an application, mobile browser or web browser, browser version, IP address, session ID, session time and duration, and the display resolution and operating system.

7. Recipients and recipient groups of personal data

Data recipients

Any personal data collected may be disclosed within OP Financial Group as permitted by law and to the relevant authorities, such as the Finnish Financial Supervisory Authority and the Finnish Communications Regulatory Authority.

When disclosing personal data included in the data file, the controller takes into account the requirements of mandatory legislation.

Transfer of data to suppliers

The controller uses suppliers in the provision of IT services, for example OP-Services Ltd, which process personal data for its account. The controller concludes appropriate agreements on personal data processing with such suppliers.

International transfers of data

The controller uses suppliers in data processing, and data may be transferred outside of the EU or EEA. When data is transferred outside of the EU or EEA, the transfer is done using the EU Commission’s standard contractual clauses or some other transfer mechanism in accordance with legislation. Read more about international transfers of personal data and the European Commission's standard contractual clauses at OP’s website: op.fi/dataprotection.

Some of the controller’s suppliers are other OP Financial Group entities. They provide the controller with information system and other support services, among other things.

8. Personal data retention period or criteria for determining the period

Personal data of the data subject may be processed within the validity of the contractual relationship. Once the contractual relationship / customer relationship has ended, the data will be erased or anonymised after ten years in accordance with the erasure processes followed by the controller.

After the contractual relationship has terminated, the controller may process the personal data for direct marketing purposes in accordance with applicable legislation.

Personal data sources and updates

Personal data is collected primarily from the data subjects themselves. In addition, the entity's administrator or other representative may disclose data on the entity's other data subjects. Personal data may also be collected when the data subject uses certain controller services, such as online services.

Personal data can also be collected and updated within the limits permitted by law from the personal data files of third parties, such as:

  • Digital and Population Data Services Agency
  • in addition, the credit information register controllers, based on the agreement on electronic transactions for corporate customers
  • in addition, the other customer data files of OP Financial Group entities, based on the agreement on electronic transactions for corporate customers
  • parties that maintain databases with information that is necessary to identify parties subject to international sanctions followed by the controller

9. Data subject's rights

Data subjects have the right to receive the controller's confirmation of whether their personal data will be processed or not, or whether they have already been processed.

If the controller processes a data subject's personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.

The controller may charge a reasonable administrative fee for additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.

The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.

After the application of the General Data Protection Regulation has begun, the data subject will, in certain cases, also have the right to request the controller to restrict the processing of their personal data or to otherwise oppose the processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in machine-readable format.

All of the above requests must be submitted to the abovementioned contact person of the controller.

If a data subject considers that their personal data is not processed legally, they have the right to file a complaint with the supervisory authority.

10. Protection methods regarding the data file

The controller processes personal data securely and in a manner fulfilling the requirements of applicable laws. It has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.

The controller has protected the data appropriately in technical and organisational terms. The data file is protected using, for example, the following tools:

  • Protection of equipment and files
  • Access control
  • User identity verification
  • Access rights
  • Registration of usage events
  • Processing guidelines and supervision

The controller also requires that its suppliers ensure appropriate protection of the personal data to be processed.