OP cooperative bank customer data file

Privacy notice

Created or edited on: 15 December 2023

1. General

This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and the national legislation for a data subject, that is, for the controller’s customer, employees and for the supervisory authority.

2. Controller and controller’s contact information

Each OP Financial Group cooperative bank

Postal address: P.O. Box 308, 00013 OP, Finland

Street address: Gebhardinaukio 1, 00510 HELSINKI

Controller’s contact person: OP Financial Group’s Data Protection Team

Telephone: 0100 0500

Email: dataprotection@op.fi

3. Data Protection Officer’s contact information

OP Financial Group’s Data Protection Officer

OP Financial Group

Postal address: P.O. Box 308, 00013 OP, Finland

Email: dataprotection@op.fi

4. Name of the personal data file

OP cooperative bank customer data file

Every OP cooperative bank has its own customer data file. This Privacy Notice describes how personal data is processed in each OP cooperative bank’s customer data file.

The data subjects in the data file are an OP cooperative bank’s customers and potential customers. The data subject can be a private individual or a person acting on behalf of an entity, where the entity they represent (including an entrepreneur) uses an OP cooperative bank’s services.

A potential customer relationship typically arises when a person expresses their interest in OP cooperative bank services on the op.fi service or when visiting a bank branch. A potential customer relationship can also arise, for example, because a person is a customer of some other OP Financial Group entity and this entity releases the customer’s data to the OP cooperative bank for marketing purposes.

5. Purposes of personal data processing and legal basis for processing

5.1 Purposes of processing

Banking operations require personal data processing. The OP cooperative bank customer data file entails the processing of personal data necessary, for example, for credit and investment services. Below, you can find more detailed information on how personal data is utilised in the data file.

The purposes of personal data use include:

  • Customer service and customer relationship management and development, including customer communications
  • Provision, development and quality assurance of services
  • Business development
  • Monitoring and analysis of product and service use and customer segmentation in order for the controller to be able to offer personalised product and service content to the users, for example.
  • Opinion polls and market surveys
  • Direct marketing
  • Targeted marketing and advertising
  • Compliance with the requirements and obligations related to payment services
  • Fulfilling statutory obligations and any other official rules and regulations
  • Identification of insolvency
  • Risk management and regulatory reporting
  • Ensuring the security of services and investigating any fraud
  • Training purposes

Automated decision-making and profiling

With regard to certain products and services, personal data processing within the scope of the data file involves automated decision-making. These products may include, for example, home loans applied for in digital channels and unsecured consumer loans. The purpose of automated processing is to reduce processing times and safeguard equitable decisions. Automated decision-making is used because the decision is necessary for entering into, or performance of, a contract between the data subject and the controller. If automated decision-making is included in a product or service, the data subject will be informed of this upon purchase of the product or service. When the decision process is fully automated, the controller ensures that the matter can be submitted for manual processing and decision.

Processing of personal data within the scope of the data file includes profiling. Profiling means the automated processing of personal data for evaluating certain personal aspects of an individual. 

The controller’s operations involve automated financing decisions. These include customer-specific profiling of data subjects with the purpose of assessing their creditworthiness in order to make loan decisions and sign loan agreements. In addition, data subjects are subject to profiling in order to identify insolvency. The requirement to assess creditworthiness and identification of insolvency is based on legislation.

Information on the loan applicant’s repayment capacity is used in support of automated loan decisions. This includes information on the loan applied for, information provided by the loan applicant during the loan application process, information available from the credit data file maintained by Suomen Asiakastieto Oy as well as OP Financial Group’s internal information on the applicant’s payment and credit history. In addition, address information obtained from the Digital and Population Data Services Agency is utilised in decision-making.

The consequence of automated processing and profiling to the data subject is either automated approval or automated refusal of the loan application. The terms and conditions of agreement, such as the interest rate on a loan or credit, may also be determined on the basis of automated processing and profiling. The system may also transfer the case directly to expert assessment, which means that a natural person processes the application and makes the decision. The transfer of the loan application to manual processing may be based, for example, on the applicant’s age of under 18 years or on the fact that the loan application could not have been approved through automated processing. Monitoring data subjects’ ability to pay and related classifications are profiling methods relevant to operations. Possible reasons for the refusal of a loan application include insufficient repayment capacity, negative credit entry in the credit report, registered payment default or non-fulfilment of OP’s agreements.

If the defined requirements do not pose an obstacle for granting a loan, the applicant can be subjected to a credit rating to measure their repayment capacity. The amount of loan applied for is then proportioned to the credit rating determined for the applicant. In addition to information provided in connection with the loan application process, aspects that may be taken into account in the decision-making include information on the loan applied for, the applicant’s young age and any delayed payments. 

The method applied in making loan decisions is regularly assessed and monitored in order to ensure its reliability. If a decision has been made on the basis of automated decision-making, a data subject may request reconsideration of the application through manual (non-automated) processing.

General information about automated decision-making and profiling is available in OP’s Privacy Statement at op.fi/dataprotection.

Preventing crimes

Know Your Customer (KYC) information and the data subject’s other personal data may be used in the prevention, uncovering and investigation of money laundering and terrorism financing, and in bringing under investigation money laundering and terrorism financing as well as the crime committed to obtain the assets or proceeds of crime involved in money laundering or terrorism financing.

The data subject’s personal data may be used to investigate whether the person is subject to international sanctions applied by the controller. Further information on OP Financial Group’s sanctions compliance is primarily available in the terms and conditions of the purchased product or service.

The controller may process personal data concerning crimes or suspected crimes committed directly against the operations of the credit institution, if that is necessary in order to prevent and detect such crimes.

5.2 Legal basis for processing

The table below describes the legal bases for processing personal data contained in the data file and provides examples of processing performed on each basis.

| Legal basis | Example |
| --- | --- |
| Contractual relationship or actions preceding the conclusion of a contract | Actions based on an agreement, such as account agreement, credit agreement or investment services agreement, or its conclusion |
| Statutory obligation | Such as laws governing anti-money laundering and counter-terrorist financing, credit information legislation, consumer protection legislation, accounting provisions and the Act on Strong Electronic Identification and Electronic Trust Services. Sector-specific laws, such as the Act on Credit Institutions, Act on Investment Services and regulation related to collateral securities and lending |
| Legitimate interests of the controller or a third party | In most cases, the controller’s legitimate interests are based on the customer relationship or similar relationship between the controller and the data subject. For instance, direct marketing or developing products and services, or typically disclosing information within OP Financial Group. The controller ensures that such processing is proportionate to the data subject’s benefits and meets the data subject’s reasonable expectations. |
| Consent | Direct marketing through an electronic channel is usually based on the consent of the data subject |

6. Categories of personal data

Categories of personal data concerning customers

| Category of personal data | Data content of the category |
| --- | --- |
| Basic information | Private customer: the data subject’s name, personal ID code and contact details such as address, phone number and email address. Institutional customer: identification details of persons acting on the behalf of an entity and information on connections to the entity |
| KYC information | Statutory KYC information, such as the information required to identify the customer and determine their financial status and political exposure |
| Customer information | Information that uniquely identifies and classifies customer relationship, such as duration and nature of the customer relationship or borrower grade |
| Consents | Any consents given or withheld by the data subject concerning personal data processing |
| Contract and product information | Details of the contract between the controller and the data subject; information on products and services purchased by the data subject |
| Customer activity data | Tasks and transactions related to the management of the customer relationship |
| Background information | For instance, information on the data subject’s life situation, investment experience and knowledge, and on his/her financial standing and goals |
| Areas of interest | For instance, information on the data subject’s life situation, investment experience and knowledge, and on the data subject’s financial standing and goals |
| Behavioural information (including information collected by means of cookies and other similar technologies) | Tracking of the data subject’s online behaviour and use of services using, for example, cookies. The collected information may include a website browsed by the user, the device model, unique device and/or cookie ID, channel such as an application, mobile browser or web browser, browser version, IP address, session ID, session time and duration, and the display resolution and operating system. |
| Recordings and content of messages | Recordings and messages in various formats, to which the data subject is a party, for example voice call recordings |
| Special categories of personal data | The special categories of personal data laid down in Article 9 of the General Data Protection Regulation, including health and trade union membership |
| Technical verification data | Identifier determined by a device or an application, with which the user can be identified, using additional information if necessary |

Categories of personal data concerning potential customers

The data content to be processed is determined, for example, by the group of potential customers in question. Below is a description of the kinds of data content that the controller typically processes.

| Category of personal data | Data content of the category |
| --- | --- |
| Basic information | The data subject’s name, personal ID code and contact details such as address, phone number and email address |
| Customer information | Information that uniquely identifies the customer, such as the start date and nature of customer relationship |
| Contract and product information | Information on the controller’s offers to the data subject |
| Customer activity data | Tasks and transactions related to the management of the customer relationship |
| Behavioural information (including information collected by means of cookies and other similar technologies) | Tracking of the data subject’s online behaviour and use of services using, for example, cookies. The collected information may include a website browsed by the user, the device model, unique device and/or cookie ID, channel such as an application, mobile browser or web browser, browser version, IP address, session ID, session time and duration, and the display resolution and operating system. |
| Recordings and their content | Various telephone recordings to which the data subject is a party |
| Technical verification data | Identifier determined by a device or an application, with which the user can be identified, using additional information if necessary |

7. Recipients of personal data and recipient categories

When disclosing personal data included in the data file, the controller takes into account the requirements of mandatory legislation, including the credit institution’s confidentiality obligations. Below is a description of typical data disclosures from the data file.

Any personal data obtained may be used within OP Financial Group as permitted by law. Within investment services, data may be disclosed, for example, to an entity within the Group that manages securities custody.

When payments are transmitted, legislation requires that personal data concerning the payer or the payee is submitted at the same time when funds are transferred.

In case the Act on Guaranties and Third-Party Pledges so requires, we will disclose collateral recipient information to the provider of collateral and the guarantor.

Data is also disclosed to the sector’s shared customer default register.

In addition, personal data may be disclosed to Google with the data subject’s consent, if the data subject has started using Google Pay.

Data may in statutory cases be disclosed to relevant authorities, such as the Financial Supervisory Authority, the police, the execution authorities and the Finnish Tax Administration. Annual notifications of the controller’s customers are sent to the tax administration. Moreover, the data may be disclosed to debt-collection agencies.

By law, the controller may disclose information under the Act on the Bank and Payment Accounts Monitoring System to competent authorities, such as the police, enforcement authority and the Customs. The Customs is responsible for transmitting the information pertaining to law to the competent authorities. Data subjects must direct their questions related to the bank and payment accounts monitoring system to the Customs.

8. Transfer of personal data

The controller uses suppliers in data processing, and data may be transferred outside of the EU or EEA. When data is transferred outside of the EU or EEA, the transfer is done using the EU Commission’s standard contractual clauses or some other transfer mechanism in accordance with legislation. Read more about international transfers of personal data and the European Commission's standard contractual clauses at OP’s website: op.fi/dataprotection.

Some of the controller’s suppliers are other OP Financial Group entities. They offer, for example, credit, collateral and IT support services to the controller.

9. Personal data retention period or criteria for determining the period

Personal data may be processed within the validity of the customer and contractual relationship. Customer relationship refers to the data subject becoming an OP cooperative bank customer. The customer’s basic information and KYC information are collected to establish a customer relationship. A contractual relationship arises when a customer signs an agreement with an OP cooperative bank concerning a product or service.

Contractual information will be erased approximately ten years after the contract has terminated. Information on customer relationship, such as KYC information, will be erased or anonymised approximately ten years after the last contract has terminated. The information will be erased in accordance with the controller’s erasure processes.

Data concerning potential customers will mainly be stored for six months after establishing a potential customer relationship. If the potential customer relationship with an OP cooperative bank is based on customer data received from another OP Financial Group entity for this purpose, such customer relationship will remain in the register until the data subject is no longer a customer of the entity that disclosed the information.

The controller may process personal data for direct marketing purposes under applicable laws even after the end of a contractual relationship.

10. Personal data sources and updates

Personal data is primarily collected from the data subjects themselves. Personal data may also be collected when the data subject uses certain services of the controller, such as online services.

Personal data may be obtained from other OP Financial Group data files and entities as permitted by the law. This data can be used, for example, for risk management and marketing purposes.

All phone calls to and from the controller may be recorded. We may use call recordings to verify customer transactions, assure the quality of customer service and develop our services and for training purposes.

Personal data can also be collected and updated within the limits permitted by law from the personal data files of third parties, including the following:

  • Registers maintained by authorities such as the Digital and Population Data Services Agency, execution authorities and the police
  • Credit data file controllers
  • Shared customer default register of the financial sector
  • Obtaining information necessary to identify a person’s political exposure and whether they are subject to international sanctions observed by the controller, from parties maintaining databases containing such information

11. Data subjects’ rights

Data subjects have the right to receive the controller’s confirmation of whether their personal data will be processed or not, or whether they have already been processed.

If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.

The controller may charge a reasonable administrative fee for any additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.

Data subjects also have the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.

Data subjects also have, in certain circumstances, the right to request the controller to restrict the processing of their personal data or to otherwise object to processing. In addition, data subjects may request that the data they have provided themselves be transferred in a machine-readable format.

All requests mentioned herein must be submitted to the abovementioned contact person of the controller.

If a data subject considers that their personal data is not processed legally, they have the right to file a complaint with the supervisory authority.

12. Right to cancel prior consent

If the controller processes a data subject’s personal data on the basis of consent, the data subject has the right to cancel such consent. The cancellation of consent does not affect the lawfulness of processing performed on the basis of said consent prior to its withdrawal. Such cancellation may, however, have an effect on the usability and functionalities of the controller’s services.

13. Protection methods regarding the data file

The controller is committed to processing personal data securely and in a manner that fulfils the requirements of applicable laws. The controller has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.

The controller has taken appropriate technical and organisational measures to protect the data. The data file is protected using, for example, the following tools:

  • Protection of hardware and files
  • Access control
  • User identity verification
  • Access rights
  • Registration of usage events
  • Processing guidelines and supervision

The controller also requires of its suppliers appropriate protection of any personal data to be processed.