OP Financial Group’s owner-customer data file

Privacy notice

1. General

This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and the national legislation for a data subject, that is, for the controller’s customer, employees and for the supervisory authority.

2. Controller and controller’s contact information

Each OP Financial Group cooperative bank
Postal address: P.O. Box 308, 00013 OP, Finland
Street address: Gebhardinaukio 1 00510 HELSINKI
Controller’s contact person: OP Financial Group’s Data Protection Team
Telephone: 0100 0500
Email: dataprotection@op.fi 

3. Data Protection Officer’s contact information

OP Financial Group’s Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, 00013 OP, Finland
Email: dataprotection@op.fi

4. Name of the personal data file

OP Financial Group’s owner-customer data file

This privacy notice template describes how personal data is processed in each OP Financial Group cooperative bank’s owner-customer data file. The data subjects in the data file are OP cooperative bank’s owner-customers.

5. Purpose of personal data processing and legal basis for processing

Purposes of use of personal data

The controller uses personal data in the owner-customer data file mainly to maintain information on owner-customer and Group-wide loyalty programme membership, and to distribute information on loyalty programme membership to other OP Financial Group entities. Information on loyalty programme membership is distributed so that the Group entities can offer benefits based on owner-customer membership to the data subjects included in the programme. The controller also maintains the public membership list of owner-customers.
Information on owner-customer and loyalty programme membership may also be used for the following purposes:

  • Customer service and customer relationship management and development, including customer communications
  • Provision, development and quality assurance of services
  • Business development
  • Monitoring and analysis of product and service use and customer segmentation, for example, in order for the controller to be able to offer personalised product and service content to users
  • Opinion polls and market surveys
  • Direct marketing
  • Targeted marketing and advertising
  • Processing of personal data related to the use of administrative rights of owner-customers, or members of the Cooperative, such as arranging Cooperative and Representative Assembly Meetings and the election of the Representative Assembly
  • Fulfilling statutory obligations and any other official rules and regulations

The data file includes profiling using automated decision-making, which is conducted when an OP cooperative bank’s customer becomes an owner-customer on the op.fi service. Owner-customer membership will be approved automatically, if the customer has OP User ID and the membership contribution can be debited from the customer’s account upon application.

Through the fully automated decision process, we can ensure that the customer can submit the matter for manual processing and decision. General information about automated decision-making and profiling is available in OP’s Privacy Statement at op.fi/dataprotection.

Legal basis for processing

Legal grounds Processing
Contractual relationship or actions preceding the conclusion of a contract Becoming an owner-customer and owner-customer membership
Consent Upon becoming an owner-customer, the customer can give their approval for joining the loyalty programme (family unit)
Statutory obligations For example, maintaining the public membership list in accordance with the Co-operatives Act and disclosure of information to the tax office in accordance with tax legislation

Processing of personal data related to the implementation of administrative rights of owner-customers
Legitimate interests of the controller For example, use of personal data in direct marketing or for business development, and disclosure of information to data files of other OP Financial Group entities may be based on legitimate interests

The controller ensures that processing based on legitimate interests is proportionate to the data subject’s benefits and that it meets his/her reasonable expectations.

6. Categories of personal data

Category of personal data Data content of the category
Basic information Name, personal identity code and member number
Consent Data subject’s consent for joining OP Financial Group’s loyalty programme
Contract and product information Information on an agreement between the data subject and an OP cooperative bank
Information on data subject’s owner-customer membership and loyalty programme
Customer activity data Tasks and transactions related to the management customer relationship
Behavioural information (incl. information collected using cookies and other such technologies) Tracking of the data subject’s online behaviour and use of services using, for example, cookies. The collected information may include a website browsed by the user, the device model, unique device and/or cookie ID, channel such as an application, mobile browser or web browser, browser version, IP address, session ID, session time and duration, and the display resolution and operating system.
Recordings and content of messages Recordings and messages in various formats, to which the data subject is a party, for example voice call recordings
Technical identification data Identifier determined by a device or an application, with which the user can be identified, using additional information if necessary


7. Recipients of personal data and recipient categories

Any personal data collected may be disclosed within OP Financial Group. Information may be disclosed to other personal data files of OP Financial Group entities, for example, to offer owner-customer benefits and to verify the right to vote in the election of the Representative Assembly.

Data may in statutory cases also be disclosed to relevant authorities, such as the tax authorities.

8. Transfer of personal data

The controller uses suppliers in data processing, and data may be transferred outside of the EU or EEA. When data is transferred outside of the EU or EEA, the transfer is done using the EU Commission’s standard contractual clauses or some other transfer mechanism in accordance with legislation. Read more about international transfers of personal data and the European Commission's standard contractual clauses at OP’s website: op.fi/dataprotection.

Some of the controller’s suppliers are other OP Financial Group entities. They provide the controller with information system and other support services, among other things.

9. Personal data retention period or criteria for determining the period

Personal data may be processed within the validity of the contractual relationship. Once the contractual relationship has ended, the data will be erased after ten years in accordance with the erasure processes followed by the controller. Personal data processed for the implementation of owner-customer’s administrative rights may be retained longer. For example, the minutes of Cooperative and Representative Assembly Meetings with appendixes, including attendance information, are retained permanently due to legislation binding the controller.

After the contractual relationship has ended, OP Financial Group entities may process the personal data for direct marketing purposes in accordance with applicable legislation.

10. Personal data sources and updates

Personal data is primarily collected from the data subjects themselves. In addition, it is obtained from OP Financial Group’s customer data files. Personal data may also be collected when the data subject uses certain services of the controller, such as online services. 

All phone calls to and from the controller may be recorded. We may use call recordings to verify customer transactions, assure the quality of customer service and develop our services and for training purposes.

11. Data subjects’ rights

Data subjects have the right to receive the controller’s confirmation of whether their personal data will be processed or not, or whether they have already been processed.

If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed. 

The controller may charge a reasonable administrative fee for any additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.

Data subjects also have the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.

Data subjects also have, in certain circumstances, the right to request the controller to restrict the processing of their personal data or to otherwise object to processing. In addition, data subjects may request that the data they have provided themselves be transferred in a machine-readable format.

All requests mentioned herein must be submitted to the abovementioned contact person of the controller.

If a data subject considers that their personal data is not processed legally, they have the right to file a complaint with the supervisory authority.

12. Right to cancel prior consent

If the controller processes a data subject’s personal data on the basis of consent, the data subject has the right to cancel such consent. The cancellation of consent does not affect the lawfulness of processing performed on the basis of said consent prior to its withdrawal. Such cancellation may, however, have an effect on the usability and functionalities of the controller’s services.

13. Protection methods regarding the data file

We process personal data securely in accordance with applicable laws. We have carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.
The controller has taken appropriate technical and organisational measures to protect the data. The data file is protected using, for example, the following tools:

  • Protection of hardware and files
  • Access control
  • User identity verification
  • Access rights
  • Registration of usage events
  • Processing guidelines and supervision

The controller also requires of its suppliers appropriate protection of any personal data to be processed.