1. General information
This Privacy Notice contains the information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and the Personal Data Act, for the data subject, meaning the controller’s customer, on the one hand, and for the supervisory authority on the other.
2. Controllers and their contact information
OP Insurance Ltd, A-Insurance Ltd and Eurooppalainen Insurance Company Ltd
The aforementioned insurance companies operate as joint controllers as specified in the General Data Protection Regulation. Hereinafter, controller refers to all three joint controllers, unless otherwise specified.
Postal address: P.O. Box 308, 00013 OP
Street address: Gebhardinaukio 1, 00510 HELSINKI
The controller’s contact person: OP Financial Group’s Data Protection Team
Phone: 010 253 1333 (in English), 0100 0500 (in Finnish)
3. Data Protection Officer’s contact information
OP Financial Group’s Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, 00013 OP
4. Name of the personal data file
Customer data files of OP Insurance Ltd, A-Insurance Ltd and Eurooppalainen Insurance Company Ltd. Private individuals and entities, including entrepreneurs, are data subjects. With respect to an entity, data subjects are persons acting on its behalf.
Previous customers and private individuals and entities deemed potential customers are also data subjects.
The data subjects include persons who have paid the premium on the policyholder’s behalf, persons who have claimed or received compensation under the insurance contracts, persons otherwise entitled to compensation under the insurance contracts (such as beneficiaries), as well as persons liable to repay the insurance compensation (persons with so-called recourse debt).
5. Purpose of personal data processing and legal basis for processing
Insurance operations require personal data processing. The data subject’s personal data is needed, for example, for concluding an insurance contract and for payment of compensation. Below you can find more detailed information on how personal data is used in the data files.
Purpose of use of personal data
- Customer service and customer relationship management and development, including customer communications
- Providing services and products (insurance business, execution and maintenance of insurance contracts, claims settlement based on insurance contracts), development, automation and quality assurance
- Monitoring and analysis of product and service use and customer segmentation, for example, in order for the controller to be able to offer personalised product and service content to users
- Ensuring the security of services and investigating abuses
- Risk management
- Training purposes
- Direct marketing, opinion polls and market surveys, distance selling, targeting of marketing and advertising
- Fulfilling statutory obligations and any other official rules and regulations
- Conducting and developing other business
The purposes of using personal data in OP Insurance Ltd and A-Insurance Ltd are, in addition to the aforementioned, to execute granted statutory insurance (occupational accident and disease insurance, and motor liability insurance).
Personal data processing within the scope of the data files involves automated decision-making. If this kind of decision-making is included in the product or service that you have acquired, you will be informed of that when you purchase a product or service. Processing of personal data within the scope of the data file includes profiling. Profiling means automated processing of personal data evaluating certain aspects relating to a natural person by utilising this data.
Automated decision-making occurs, for example, when you buy insurance on eServices. At the same time, profiling is conducted to match the price of the insurance to the level of risk. Profiling is also utilised, for example, to target advertising and to steer claim decision queuing in order to speed up the service.
General information about automated decision-making and profiling is available in OP’s Privacy Statement at op.fi/dataprotection.
Know Your Customer information and the data subject’s other personal information may be used in the prevention, uncovering and investigation of money laundering and the financing of terrorism, and in bringing under investigation the money laundering and financing of terrorism as well as the crime committed to obtain the assets or proceeds of crime involved in the financing of the money laundering or financing of terrorism.
The data subject’s personal data may be used to investigate if the person is subject to international sanctions applied by the controller. Further information on OP Financial Group’s sanctions compliance is primarily available in the terms and conditions of the acquired product or service.
Legal basis of processing
We process the data subject’s personal data mainly based on a contractual relationship and the measures preceding it.
Personal data processing can also be based on
- The data subject’s consent, such as consent to acquire patient data from a hospital/clinic,
- The controller’s statutory obligations, such as requirements of Finnish tax legislation and the Insurance Companies Act, or
- The legitimate interests of the controller or a third party, such as use of data for direct marketing, provided that the data subject is aware of it and has not forbidden it, as well as for business development. Disclosure of information between OP Financial Group entities is also often based on legitimate interests.
In most cases, the controller’s legitimate interests are based on the customer relationship or similar relationship between the controller and the customer. The controller ensures that such processing is proportionate to the data subject’s benefits and meets his/her reasonable expectations.
The processing of the data subject’s personal health data in the data file is based on legislation or the data subject’s consent.
The controller has the right to process data on the criminal activity, criminal charges or other criminal consequences of the insured, claimant or tortfeasor that are necessary for the insurance company to determine liability.
6. Categories of personal data
|Category of personal data||Data content of the category|
|Basic information||Private person: Data subject’s name and personal identity code; Entity including entrepreneurs: Identification details of persons acting on the behalf of an entity and information on connections to the entity|
|Know Your Customer (KYC) information||Statutory KYC information such as the information required to identify the customer and to determine their financial status and political exposure|
|Customer relationship information||Information that uniquely identifies and classifies the customer, such as customer code and policy code|
|Consents||The consents given and withheld by the data subject concerning personal data processing|
|Contract and product information||The controller’s and data subject’s contract information; Information on products and services acquired by the data subject|
|Customer activity data||Tasks and transactions related to the management of the customer relationship, such as policy changes and claim handling information|
|Background information||Details of the life situation and financial status of the data subject; For example, information from the Tax Administration on salaries and benefits for implementation of occupational accidents and diseases insurance|
|Areas of interest||Information on the data subject’s areas of interest, such as interest in services and products of OP Financial Group entities|
|Behavioural information (incl. information collected using cookies and other such technologies)||Tracking of the data subject’s online behaviour and use of services using, for example, cookies. The collected information may include a website browsed by the user, the device model, unique device and/or cookie ID, channel such as an application, mobile browser or Web browser, browser version, IP address, session ID, session time and duration, and the display resolution and operating system.|
|Recordings and content of messages||Recordings and messages in various formats, in which the data subject is a party, such as call recordings|
|Special categories of personal data||The special categories of personal data laid down in Article 9 of the General Data Protection Regulation that include health, biometric data for the purpose of uniquely identifying a natural person, and trade union membership|
|Location and sensor data||Tracking the data subject’s location and information on the subject collected with sensors|
|Technical verification data||Identifier determined by a device or an application, with which the user of the device or application can be identified, using additional information if necessary|
7. Recipients and recipient groups of personal data
Collected personal data may be distributed within OP Financial Group and other companies of the financial amalgamation as permitted by the law. In addition, personal data may be disclosed, for example, to:
- Finance Finland, in regard to insurance sector claims statistics
- A hospital/clinic, based on the data subject’s consent
- Partners that are used in producing and providing services. These partners may therefore process personal data on the behalf of the controller or as independent controllers.
Personal data may be disclosed to authorities, including enforcement or social welfare authorities, the Finnish Tax Administration or the Finnish Financial Supervisory Authority, only within the limits permitted by law. An annual notification of the controller’s customers is sent to the tax authorities.
8. Transfer of personal data
The controller uses suppliers in data processing, and data may be transferred outside of the EU or EEA to a limited extent. When data is transferred outside of the EU or EEA, the transfer is done using the EU Commission’s standard contractual clauses or some other transfer mechanism in accordance with legislation.
Some of the controller’s suppliers are other OP Financial Group entities. They provide the controller with information system and other support services, among other things.
9. Personal data retention period or criteria for determining the period
The controller determines the retention periods for the personal data taking into account the applicable laws and the functionality and efficiency of the business, for example claims settlement and managing insurance affairs.
For example, in several voluntary insurance lines, information on insurance contracts must be retained for a minimum of 15 years from the date of termination of the contract. Regarding statutory personal injuries and road accidents, the statutory retention period is 100 years from the last processing date.
After the contractual relationship has ended, the controller may process the personal data for direct marketing purposes in accordance with applicable legislation.
10. Personal data sources and updates
Personal data is collected primarily from the data subjects themselves. Personal data may also be collected when the data subject uses certain services of the controller, such as online services.
Personal data can also be collected and updated within the limits permitted by law from the personal data files of third parties, such as:
- the Population Register Centre and the address notification service of the post office
- Personal data files maintained by other authorities
- Credit information register controllers
- The joint claims and misuse register kept by insurance companies
- Hospitals/clinics, based on the data subject’s consent or under law
- Partners involved in managing insurance and losses
- Public information sources through which the data subject can reliably be verified
- Banks for TUPAS authentication
- Parties that maintain databases with information that is necessary to identify political exposure and parties subject to international sanctions followed by the controller
- Other customer data files of OP Financial Group entities
OP Insurance Ltd and A-Insurance Ltd collect information concerning taxation from the Finnish tax authorities for the purpose of using it in accordance with the Occupational Accidents, Injuries and Diseases Act (for example to resolve an insurance matter or to fulfil an insurance company’s supervisory obligations).
11. Data subject’s rights
Data subjects have the right to receive the controller’s confirmation of whether their personal data will be processed or not, or whether they have already been processed.
If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.
The controller may charge a reasonable administrative fee for additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.
The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.
After the application of the General Data Protection Regulation has begun, the data subject will, in certain cases, also have the right to request the controller to restrict the processing of their personal data or to otherwise oppose the processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in machine-readable format.
All of the above requests must be submitted to the abovementioned contact person of the controller.
If a data subject considers that his/her personal data is not processed legally, he/she has the right to file a complaint with the supervisory authority.
12. Right to cancel prior consent
If the controller processes the data subject’s personal data on the basis of consent, as is mostly the case in direct marketing using electronic channels, the data subject has the right to cancel such consent. The cancellation of consent does not affect the lawfulness of processing performed based on the consent prior to its cancellation. Such cancellation may, however, have an effect on the usability and functionalities of the service.
13. Protection methods regarding the data file
We process personal data securely in accordance with applicable laws. We have carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.
The controller has protected the data appropriately in technical and organisational terms. The data file is protected using, for example, the following tools:
- Protection of equipment and data files
- Access control
- User identity verification
- Access rights
- Registration of usage events
- Processing guidelines and supervision
The controller also requires of its suppliers the appropriate protection of personal data to be processed.