1. General information
This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and the Personal Data Act for a data subject, or for the controller’s customer, employees and for the supervisory authority.
2. Controller and its contact information
A data file shared by OP Financial Group (also hereinafter OP) companies (including OP Cooperative with its subsidiaries and the Group's cooperative banks), excluding Pohjola Health Ltd.
Postal address: P.O. Box 308, 00013 OP
Street address: Gebhardinaukio 1, 00510 HELSINKI
The controller’s contact person: OP Financial Group's Data Protection Team
Telephone: 010 253 1333 (in English), 0100 0500 (in Finnish)
3. Data Protection Officer's contact information
OP Financial Group's Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, 00013 OP
4. Name of the personal data file
OP Financial Group's campaign and newsletter data file
The data file covers those who have demonstrated interest in services provided by OP Financial Group companies as well as subscribers to the newsletter and those participating in a campaign or competition. The data concerned has not been included in the customer data files of OP Financial Group companies.
5. Purpose of personal data processing and legal basis for processing
Purposes of processing
The purposes of use of personal data include the following:
- Newsletter services (for example OP Media, Chydenius) and arranging campaigns, for example, in connection with events and competitions, especially related customer service and customer relationship management, including notifications and communications
- Planning and developing OP's product and service offerings as well as targeting these offerings
- Business development
- Monitoring and analysis of service use and segmentation of users and subscribers, for example, in order for the controller to be able to offer personalised service content to the users
- Opinion polls and market surveys
- Direct marketing
- Targeted marketing and advertising in internal and external media
- Training purposes
Processing of personal data within the scope of the data file includes profiling. Profiling means automated processing of personal data where certain aspects relating to a natural person are evaluated by utilising this data. Marketing involves carrying out target group sampling and targeting is based on various segments. Further information about profiling is available in OP’s Privacy Statement at op.fi/dataprotection.
Legal bases of processing
|Consent||Processing may be based on the data subject's consent, for example, on a consent to direct electronic marketing given by the data subject. Data subjects may also subscribe to newsletters with their consent.|
|Legitimate interests of the controller||Direct marketing or participation in a competition may also be based on legitimate interests. The data subject can demonstrate interest in OP Financial Group or its products and services in connection with events, for example.|
6. Categories of personal data
|Category of personal data||Data content of the category|
|Basic information||Data subject's name
Data subject's contact details, such as email address, phone number and address
|Customer relationship information||Information that uniquely identifies and classifies a potential customer such as source of contact details or alias/nick|
|Consents||The consents given and withheld by the data subject concerning personal data processing|
|Customer activity data||Contact details|
|Background information||Language for transactions|
|Areas of interest||Information on the data subject’s areas of interest|
|Behavioural information (incl. information collected using cookies and other such technologies)||Tracking of the data subject's online behaviour and use of services using, for example, cookies. The collected information may include a website browsed by the user, the device model, unique device and/or cookie ID, channel such as an application, mobile browser or web browser, browser version, IP address, session ID, session time and duration, and the display resolution and operating system.|
|Technical verification data||Identifier determined by a device or an application, with which the user of the device or application can be identified, using additional information if necessary.|
7. Recipients and recipient groups of personal data
Transfer of data to suppliers
The controller uses suppliers which process personal data for its account. The controller concludes appropriate agreements on personal data processing with such suppliers.
The suppliers provide the controller with information system services, among other things. Some of the controller's suppliers are other OP Financial Group entities.
International transfers of data
The controller uses suppliers in personal data processing, and data will be transferred outside of the EU or EEA to a limited extent.
Data is transferred outside of the EU or EEA using standard contractual clauses based on data protection legislation or using another transfer mechanism permitted by legislation that guarantee appropriate protection of personal data. A transfer mechanism used by the controller is the standard contractual clauses adopted by the European Commission that can be found
8. Personal data retention period or criteria for determining the period
Personal data collected in competitions and campaigns will be retained for some 6 months, after which the data will be erased in accordance with the erasure processes followed by the controller.
In connection with subscription to newsletters, personal data will be retained according to the validity period of the subscription. However, the data retention period after the data subject has terminated their subscription is a maximum of around 2 years. Thereafter, the data will be erased according to the controller's erasure process unless the data subject expresses their willingness to continued data processing.
9. Personal data sources and updates
Personal data is collected primarily from the data subjects themselves. Personal data may also be collected when the data subject uses certain controller services, such as online services.
10. Data subject’s rights
Data subjects have the right to receive the controller's confirmation of whether their personal data will be processed or not, or whether they have already been processed.
If the controller processes a data subject's personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.
The controller may charge a reasonable administrative fee for additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.
The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.
After the application of the General Data Protection Regulation has begun, the data subject will, in certain cases, also have the right to request the controller to restrict the processing of their personal data or to otherwise oppose the processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in machine-readable format.
All of the above requests must be submitted to the abovementioned contact person of the controller.
If a data subject considers that his/her personal data is not processed legally, he/she has the right to file a complaint with the supervisory authority.
11. Right to cancel prior consent
If the controller processes the data subject's personal data on the basis of consent, the data subject has the right to cancel such consent. The cancellation of consent does not affect the lawfulness of processing performed based on the consent prior to its cancellation. Such cancellation may, however, have an effect on the usability and functionalities of the service. Every newsletter contains a cancellation link. Additional information is available from the person in charge of the data file.
12. Protection methods regarding the data file
The controller has protected the data appropriately in technical and organisational terms. The data file is protected using, for example, the following tools:
- Protection of equipment and files
- Access control
- User identity verification
- Access rights
- Registration of usage events
- Processing guidelines and supervision
The controller also requires of its suppliers the appropriate protection of personal data to be processed.