1. General information
This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and the national data protection law for a data subject, that is, for the controller’s customer, employees and for the supervisory authority.
2. Controller and its contact information
OP Fund Management Company Ltd
Postal address: PO Box 308, FI-00101 Helsinki
Street address: Gebhardinaukio 1, 00510 HELSINKI
The controller’s contact person: OP Financial Group’s Data Protection Team
Phone: 010 253 1333 (in English), 0100 0500 (in Finnish)
3. Data Protection Officer’s contact information
OP Financial Group’s Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, FI-00013 OP
4. Name of the personal data file
OP Fund Management Company Ltd’s unit data file
The data file contains the personal data of all private persons and persons working on behalf of institutional customers owning funds managed and distributed by OP Fund Management.
5. Purpose of personal data processing and legal basis for processing
Purposes of processing
The data file processes personal data primarily in order to offer funds and to carry out fund orders. See below for a more detailed description of the use of personal data in the data file.
The purposes of personal data use include:
- customer service and customer relationship management, including customer communications and reporting
- production, offer and delivery of services, and development and quality assurance of services
- business development
- monitoring and analysing service use, and customer segmentation
- targeted marketing and advertising
- fulfilling statutory obligations and any other official rules and regulations
- Risk management
- Ensuring the security of services and investigating abuses
Processing of personal data within the scope of the data file includes profiling. Profiling means automated processing of personal data where certain aspects relating to a natural person are evaluated by utilising this data.
General information about automated decision-making and profiling is available in OP Financial Group’s Privacy Statement at op.fi/dataprotection.
Information in the data file can be utilised, for example, when creating marketing target groups.
Preventing money laundering and terrorist financing, and sanctions monitoring
KYC information and other data subject’s personal data may be used to prevent, uncover and detect money laundering and terrorist financing as well as for other purposes required by the Act on Preventing and Detecting Money Laundering and Terrorist Financing.
The data subject’s personal data may be used to investigate if the person is subject to international sanctions applied by the controller. Further information on OP Financial Group’s sanctions compliance is primarily available in the terms and conditions of the acquired product or service.
Legal bases of processing
The table below describes the legal bases of processing personal data used by the data file and provides examples of processing performed on each basis.
|Contractual relationship or actions preceding the conclusion of a contract||Actions based on a contract or its conclusion|
|Statutory obligation||Legislation on the prevention of money laundering and financing of terrorism
Statutory reporting to the authorities
|Legitime interests||Direct marketing and business development are often based on the controller’s legitimate interest. International sanctions monitoring performed by the controller is partly based on a legitimate interest.
The controller may disclose information to the other personal data files of OP Financial Group entities on the basis of legitimate interests.
In most cases, the controller’s legitimate interests are based on the customer relationship or similar relationship between the controller and the data subject. The controller ensures that the processing performed on this basis is proportionate to the data subject’s benefits and meets his/her reasonable expectations.
6. Categories of personal data
|Category of personal data||Data content of the category|
|Basic information||Private person:
Data subject’s name
Data subject’s personal identity code
Data subject’s address details
Person acting on behalf of the entity:
Contact person's name and information about his/her connection with the entity
|Know Your Customer (KYC) information||Statutory KYC information such as the information required to identify the customer and to determine their financial status and political exposure|
|Contract and product information||Data subject’s ownership of OP funds|
|Behavioural information (incl. information collected using cookies and other such technologies)||Tracking of the data subject’s online behaviour and use of services using, for example, cookies. The collected information may include a website browsed by the user, the device model, unique device and/or cookie ID, channel such as an application, mobile browser or Web browser, browser version, IP address, session ID, session time and duration, and the display resolution and operating system.|
7. Recipients and recipient groups of personal data
Any personal data obtained may be used within OP Financial Group as permitted by the law. In addition, personal data may be disclosed, for example, to:
- relevant authorities, such as the Finnish Tax Administration and Bank of Finland in statutory cases
Transfer of data to suppliers
The controller uses suppliers which process personal data for its account. The controller concludes appropriate agreements on personal data processing with such suppliers.
The suppliers provide the controller with information system services, among other things. Some of the controller’s suppliers are other OP Financial Group entities.
International transfers of data
The controller uses suppliers in personal data processing, and data will be transferred outside of the EU / EEA to a limited extent.
Data is transferred outside of the EU / EEA using standard contractual clauses based on data protection legislation or using another transfer mechanism permitted by legislation that guarantee appropriate protection of personal data. A transfer mechanism used by the controller is the standard contractual clauses adopted by the EU Commission that can be found at this address.
8. Personal data retention period or criteria for determining the period
Personal data may be processed within the validity of the contractual relationship. Once the contractual relationship / customer relationship has ended, the data will be erased or anonymised after ten years in accordance with the erasure processes followed by the controller.
After the contractual relationship has terminated, the controller may process the personal data for direct marketing purposes in accordance with applicable legislation.
The controller may be under an obligation to process some personal data in the data file for a period longer than stated above in order to comply with legislation or requirements set by the relevant authorities, such as capital adequacy regulation.
9. Personal data sources and updates
OP Fund Management’s data file receives the data subject’s personal data from the latter’s Group member cooperative bank or OP Asset Management Ltd. The Group member cooperative banks and OP Asset Management Ltd collect personal data mainly from the data subjects themselves, and also from certain external sources, such as the Population Register Centre.
10. Data subject’s rights
Data subjects have the right to receive the controller’s confirmation of whether their personal data will be processed or not, or whether they have already been processed.
If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.
The controller may charge a reasonable administrative fee for additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.
The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.
After the application of the General Data Protection Regulation has begun, the data subject will, in certain cases, also have the right to request the controller to restrict the processing of their personal data or to otherwise oppose the processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in machine-readable format.
All of the above requests must be submitted to the abovementioned contact person of the controller.
If a data subject considers that his/her personal data is not processed legally, he/she has the right to file a complaint to the supervisory authority.
11. Protection methods regarding the data file
The controller processes personal data securely in accordance with applicable laws. It has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.
The controller has protected the data appropriately in technical and organisational terms. The data file is protected using, for example, the following tools:
- Protection of equipment and data files
- Access control
- User identity verification
- Access rights
- Registration of usage events
- Processing guidelines and supervision
The controller also requires of its suppliers the appropriate protection of personal data to be processed.