Updated on 27 April 2022
1. General information
This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and the national law for a data subjects, that is, for the controller's customer, employees and for the supervisory authority.
2. Controller and its contact information
OP Life Assurance Company Ltd
Postal address: P.O. Box 308, 00013 OP
Street address: Gebhardinaukio 1, 00510 HELSINKI
The controller’s contact person: OP Financial Group’s Data Protection Team
Phone: 0100 0500
3. Data Protection Officer’s contact information
OP Financial Group’s Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, 00013 OP
4. Name of the personal data file
OP Life Assurance Company Ltd’s customer data file
The data subjects are natural persons who have or have had a customer relationship with OP Life Assurance Company Ltd, and customers deemed potential by the controller. With respect to entities, data subjects are natural persons acting on their behalf.
The data subjects include the policyholder, a person who has paid the premium on the policyholder’s behalf, the insured person, a person who has claimed or received compensation, as well as any person otherwise entitled to insurance compensation on the basis of the insurance contract (such as a beneficiary).
5. The purpose of personal data processing and legal basis for processing
Insurance operations require personal data processing. The data subject’s personal data is needed, for example, for concluding an insurance contract and for payment of compensation. Below is more detailed information on the purposes and legal bases of personal data processing.
Purposes of use of personal data
- Customer service and customer relationship management and development, including customer communications
- Providing services and products (insurance business, execution and maintenance of insurance contracts, claims settlement based on insurance contracts), development, automation and quality assurance as well as customer and user modelling
- Monitoring and analysis of product and service use and customer segmentation, for example, in order for the controller to be able to offer personalised product and service content to users
- Ensuring the security of services and investigating abuses
- Risk management
- Training purposes
- Direct marketing, opinion polls and market surveys, distance selling, targeting of marketing and advertising
- Fulfilling statutory obligations and any other official rules and regulations
- Conducting and developing other business
Automated decision-making and profiling
Automated decision-making means that the decision concerning the data subject is based solely on automatic data processing. Personal data processing within the scope of the data file involves automated decision-making. The purpose of automated decision-making is to reduce processing times and safeguard equitable decisions about granting insurance, for example. Automated decision-making occurs, for example, when you buy insurance online. If automated decision-making is included in the product or service to be acquired, this will be informed upon purchase of a product or service.
As a result of automated decision-making, the data subject can receive a decision about granting insurance, for instance. If a decision has been made on the basis of automated decision-making, a data subject may request reconsideration of the application through manual (non-automated) processing.
Processing of personal data within the scope of the data file includes profiling. Profiling means the automated processing of personal data for evaluating certain personal aspects of an individual. Profiling is utilised, for example, to determine the risk correlation of the price of the insurance, to target advertising and in customer selection in order to speed up the service.
General information about automated decision-making and profiling is available in OP’s Privacy Statement at op.fi/dataprotection.
Customer due diligence and preventing money laundering and terrorist financing
Know Your Customer information and the data subject’s other personal information may be used in the prevention, uncovering and investigation of money laundering and the financing of terrorism, and in bringing under investigation the money laundering and financing of terrorism as well as the crime committed to obtain the assets or proceeds of crime involved in the financing of the money laundering or financing of terrorism.
The data subject’s personal data may be used to investigate if the person is subject to international sanctions applied by the controller. Further information on OP Financial Group’s sanctions compliance is primarily available in the terms and conditions of the acquired product or service.
Legal basis of processing
We process personal data mainly based on a contractual relationship and the measures preceding it.
Personal data processing can also be based on
- the data subject’s consent, such as consent to acquire patient data from a hospital/clinic,
- the controller’s statutory obligations, such as requirements of Finnish tax legislation and the Insurance Companies Act, or
- the legitimate interests of the controller or a third party, such as use of data for direct marketing, providing that the data subject is aware of it and has not forbidden it, for business development and for preventing misuse and fraud. Disclosure of information between OP Financial Group entities too is often based on legitimate interests.
In most cases, the controller’s legitimate interests are based on the customer relationship or similar relationship between the controller and the customer. The controller ensures that such processing is proportionate to the data subject’s benefits and meets his/her reasonable expectations.
The processing of the data subject’s personal health data in the data file is based on legislation or the data subject’s consent.
The controller has the right to process data on the criminal activity, criminal charges or other criminal consequences of the policyholder, insured, claimant or beneficiary that are necessary for the insurance company to determine liability.
6. Categories of personal data
Data subjects are typically subject to processing under the categories of personal data and personal data described below. The data content to be processed depends, for example, on whether it involves the data of a private individual or a person acting on behalf of a company.
|Category of personal data
|Example of the Group’s data content
|Private person: Data subject’s name, personal identity code and contact information
Entity including entrepreneurs: Identification and contact details of persons acting on the behalf of an entity and information on connections to the entity
|Know Your Customer (KYC) information
|Statutory KYC information such as the information required to identify the customer and to determine their financial status and political exposure
|Customer relationship information
|Information that uniquely identifies and classifies the customer, such as customer code and policy code
|The consents given and withheld by the data subject concerning personal data processing
|Contract and product information
|The controller’s and data subject’s contract information
Information on products and services acquired by the data subject
|Customer activity data
|Tasks and transactions related to the management of the customer relationship, such as policy changes and claim handling information
|Details of the life situation and financial status of the data subject
Tax information, such as withholding tax information from the Tax Administration
|Areas of interest
|Information on the data subject’s areas of interest, such as interest in products and services of OP Financial Group entities
|Behavioural information (incl. information collected using cookies and other such technologies)
|Tracking of the data subject’s online behaviour and use of services using, for example, cookies. The collected information may include a website browsed by the user, the device model, unique device and/or cookie ID, channel such as an application, mobile browser or Web browser, browser version, IP address, session ID, session time and duration, and the display resolution and operating system.
|Recordings and content of messages
|Recordings and messages in various formats, in which the data subject is a party, such as call recordings
|Special categories of personal data
|The special categories of personal data laid down in Article 9 of the General Data Protection Regulation that include health, biometric data for the purpose of uniquely identifying a natural person, and trade union membership
|Technical verification data
|Identifier determined by a device or an application, with which the user of the device or application can be identified, using additional information if necessary
7. Recipients and recipient groups of personal data
Collected personal data may be distributed within OP Financial Group and other companies or entities of the financial amalgamation as permitted by law. In addition, personal data may be disclosed, for example, to:
- a hospital/clinic based on the data subject’s consent
- certain partners that are used in producing and providing services. These partners may therefore process personal data on the behalf of the controller or as independent controllers.
Personal data may be disclosed to authorities, including enforcement or social welfare authorities, the Finnish Tax Administration or the Finnish Financial Supervisory Authority, only within the limits permitted by law. An annual notification of the controller’s customers is sent to the tax authorities.
8. Transfer of personal data
The controller uses subcontractors for data processing, and data may be transferred outside the EU or EEA. When data is transferred outside the EU or EEA, the transfer is done using the European Commission’s standard contractual clauses or some other transfer mechanism in accordance with legislation. Further details on international transfers of personal data and standard contractual clauses are available from OP’s website at https://www.op.fi/dataprotection.
Some of the controller’s subcontractors are other OP Financial Group entities. They provide the controller with items such as IT and other support services.
9. Personal data retention period or criteria for determining the period
The controller determines the retention periods for the personal data taking into account the applicable laws and the functionality and efficiency of the business, for example claims settlement and managing insurance affairs. Personal data is usually stored for at least ten years from the termination of the contractual relationship.
After the contractual relationship has ended, the controller may process the personal data for direct marketing purposes in accordance with applicable legislation.
10. Personal data sources and updates
Personal data is collected primarily from the data subjects themselves. Personal data may also be collected when the data subject uses certain controller services, such as online services.
All calls to and from the controller may be recorded. We may use call recordings to verify customer transactions, assure the quality of customer service and develop our services and for training purposes.
Personal data can also be collected and updated within the limits permitted by law from the personal data files of third parties, such as:
- Digital and Population Data Services Agency
- Personal data files maintained by other authorities, such as the Finnish Tax Administration Incomes Register
- Credit information register controllers
- Hospitals/clinics, based on consent of the data subject
- Partners involved in managing insurance and losses
- Banks for identification
- Parties that maintain databases with information that is necessary to identify political exposure and parties subject to international sanctions followed by the controller
- Other customer data files of OP Financial Group entities
11. Data subject’s rights
Data subjects have the right to receive the controller’s confirmation of whether their personal data will be processed or not, or whether they have already been processed.
If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.
The controller may charge a reasonable administrative fee for additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.
The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.
In certain circumstances, the data subject also has the right to request the controller to restrict the processing of their personal data or to otherwise oppose the processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in machine-readable format.
All of the above requests must be submitted to the abovementioned contact person of the controller.
If a data subject considers that his/her personal data is not processed legally, he/she has the right to file a complaint with the supervisory authority.
12. Right to cancel prior consent
If the controller processes the data subject’s personal data on the basis of consent, as in direct marketing using electronic channels, the data subject has the right to cancel such consent. The cancellation of consent does not affect the lawfulness of processing performed based on the consent prior to its cancellation. Such cancellation may, however, have an effect on the usability and functionalities of the service.
13. Protection methods regarding the data file
We process personal data securely in accordance with applicable laws. We have carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.
The controller has protected the data appropriately in technical and organisational terms. The data file is protected using, for example, the following tools:
- Protection of equipment and data files
- Access control
- User identity verification
- Access rights
- Registration of usage events
- Processing guidelines and supervision
The controller also requires that its partners ensure appropriate protection of the personal data to be processed.