OP Financial Group’s owner-customer data file

Privacy notice

1. General information

This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and the national law for data subjects, that is, for the controller's customers, employees and for the supervisory authority.

2. Controller and its contact information

For each OP Financial Group cooperative bank
Postal address: P.O. Box 308, 00013 OP
Street address: Gebhardinaukio 1 00510 HELSINKI
The controller’s contact person: OP Financial Group’s Data Protection Team
Phone: 010 253 1333 (in English), 0100 0500 (in Finnish)
E-mail: dataprotection@op.fi

3. Data Protection Officer’s contact information

OP Financial Group’s Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, 00013 OP
Email: dataprotection@op.fi

4. Name of the personal data file

OP Financial Group’s owner-customer data file
This privacy notice template describes how personal data is processed in each OP cooperative bank’s owner-customer data file. The data subjects in the data file are OP cooperative bank’s owner-customers.

5. The purpose of personal data processing and legal basis for processing

Purposes of use of personal data

The controller uses personal data in the owner-customer data file mainly to maintain information on owner-customer and Group-wide loyalty programme membership, and to distribute information on loyalty programme membership to other OP Financial Group entities. Information on loyalty programme membership is distributed so that the Group entities can offer benefits based on owner-customer membership to the data subjects included in the programme. The controller also maintains the public membership list of owner-customers.

Information on owner-customer and loyalty programme membership may also be used for the following purposes:

  • customer service and customer relationship management and development, including customer communications
  • provision, development and quality assurance of services
  • business development
  • monitoring and analysis of product and service use and customer segmentation, for example, in order for the controller to be able to offer personalised product and service content to the users
  • opinion polls and market surveys
  • direct marketing
  • targeted marketing and advertising
  • fulfilling statutory obligations and any other official rules and regulations

The data file includes profiling using automatic decision-making, which is conducted when an OP cooperative bank’s customer becomes an owner-customer via op.fi. Owner-customer membership will be approved automatically, if the customer has extended OP eServices user identifiers and the membership contribution can be debited to the customer’s account upon application.

Through the fully automated decision process, we can ensure that the customer can submit the matter for manual processing and decision. General information about automatic decision-making and profiling is available in OP’s Privacy Statement at op.fi/dataprotection.

Legal basis of processing

Legal grounds | Processing
Contractual relationship or actions preceding the conclusion of a contract | Becoming an owner-customer and owner-customer membership
Consent | Upon becoming an owner-customer, the customer can give his/her approval for joining the loyalty programme
Statutory obligation | For example, maintaining the public membership list in accordance with the Co-operatives Act and disclosure of information to the tax office in accordance with tax legislation
Legitimate interests of the controller | For example, use of personal data in direct marketing or for business development, and disclosure of information to data files of other OP Group entities may be based on legitimate interests.

The controller ensures that processing based on legitimate interests is proportionate to the data subject’s benefits and that it corresponds to his/her reasonable expectations.

6. Categories of personal data

Category of personal data | Data content of the category
Basic information | Name, personal identity code and member number
Consent | Data subject’s consent for joining OP Financial Group’s loyalty programme
Contract and product information | Information on an agreement between the data subject and an OP cooperative bank; Owner-customer membership and loyalty programme data
Customer activity data | Tasks and transactions related to the management of the customer relationship
Recordings and content of messages | Recordings and messages in various formats, in which the data subject is a party, for example, call recordings

7. Recipients and recipient groups of personal data

Any personal data collected may be disclosed within OP Financial Group. Information may be disclosed to other personal data files of OP Financial Group entities, for example, to offer owner-customer benefits and to verify the right to vote in the election of Representative Assembly.

Data may in statutory cases be disclosed to relevant authorities, such as the tax authorities.

8. Transfer of personal data

The controller uses suppliers in data processing but no data will be transferred outside of the EU or EEA.

9. Personal data retention period or criteria for determining the period

Personal data may be processed within the validity of the contractual relationship. Once the contractual relationship has ended, the data will be erased after ten years in accordance with the erasure processes followed by the controller.
After the contractual relationship has ended, OP Financial Group entities may process the personal data for direct marketing purposes in accordance with applicable legislation.

10. Personal data sources and updates

Personal data is collected primarily from the data subjects themselves. In addition, it is obtained from OP Group’s customer data files. Personal data may also be collected when the data subject uses certain controller services, such as online services.

11. Data subject’s rights

Data subjects have the right to receive the controller’s confirmation of whether their personal data will be processed or not, or whether they have already been processed.

If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.

The controller may charge a reasonable administrative fee for additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.

The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.

After the application of the General Data Protection Regulation has begun, the data subject will, in certain cases, also have the right to request the controller to restrict the processing of their personal data or to otherwise oppose the processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in machine-readable format.

All of the above requests must be submitted to the abovementioned contact person of the controller.

If a data subject considers that his/her personal data is not processed legally, he/she has the right to file a complaint to the supervising authority.

12. Right to cancel prior consent

If the controller processes the data subject’s personal data on the basis of consent, the data subject has the right to cancel such consent. The cancellation of consent does not affect the lawfulness of processing performed based on the consent prior to its cancellation. Such cancellation may, however, have an effect on the usability and functionalities of the service.

13. Protection methods regarding the filing system

We process personal data securely in accordance with applicable laws. We have carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.

The controller has protected the data appropriately in technical and organisational terms. The data file is protected using, for example, the following tools:

  • protection of equipment and data files
  • access control
  • user identity verification
  • access rights
  • registration of usage events
  • processing guidelines and supervision

The controller also requires of its suppliers the appropriate protection of personal data to be processed.