Privacy Notice
Updated on 16 April 2024
1. Overview
This Privacy Notice contains information required by the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act for a data subject, such as for the controller’s customer and employees and for the supervisory authority.
2. Controller and its contact information
OP Retail Customers Plc
Postal address: P.O. Box 1020, FI-00013 OP
Controller’s contact person: OP Financial Group’s Data Protection Team
Telephone: 010 253 1333 (in English), 0100 0500 (in Finnish)
Email: dataprotection(a)op.fi
3. Data Protection Officer’s contact information
OP Financial Group’s Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, 00013 OP, Finland
Email: dataprotection(a)op.fi
4. Name of the personal data file and data subjects
OP Retail Customers Plc’s customer data file
The data subjects are OP Retail Customers Plc's private customers and potential private customers.
A customer relationship arises following a contractual relationship. A potential customer relationship typically arises when a person expresses his/her interest in OP Retail Customers Plc's products and services in various service channels, for example, by starting to fill in a credit application while being strongly identified. Services are offered both in OP's service channels and in vendor cooperation channels. A potential customer relationship can also arise because a person is a customer of some other OP Financial Group entity and this entity releases the customer’s data to OP Retail Customers Plc for marketing purposes.
5. Purposes of personal data processing and legal basis for processing
5.1 Purposes of processing
OP Retail Customers Plc mainly processes personal data in order to provide, offer and deliver services related to cards and unsecured credit. Below, you can find more detailed information on how personal data is utilised in the data file.
The purposes of personal data use include:
- customer service and customer relationship management, including customer communications
- provision, development and quality assurance of services
- business development
- customer categorisations and developments
- ensuring the security of services, and preventing and investigating abuses
- risk management
- monitoring and analysis of service use and customer segmentation in order for the controller to be able to offer targeted services to the users
- fulfilling statutory obligations and any other official rules and regulations
- training purposes involving, for example, the use of telephone recordings
- direct marketing, opinion polls and market surveys, targeting of marketing and advertising.
Automated decision-making and profiling
With regard to card and loan products, personal data processing within the scope of the data file involves automated decision-making. The purpose of automated processing is to reduce processing times and safeguard equitable decisions. Automated decision-making is used because the decision is necessary for entering into, or performance of, a contract between the data subject and the controller. If automated decision-making is included in a product or service, this will be informed upon purchase of the product or service. When the decision process is fully automated, the controller ensures that the matter can be submitted for manual processing and decision.
Processing of personal data within the scope of the data file includes profiling. Profiling means the automated processing of personal data for evaluating certain personal aspects of an individual.
The controller’s operations involve automated card and loan accepting decisions. These include the profiling of data subjects with the purpose of assessing their creditworthiness in order to make loan decisions and sign agreements. The requirement to assess customers’ creditworthiness is based on legislation. The method applied in decision-making is regularly assessed and monitored in order to ensure its reliability.
Information on the applicant’s repayment capacity can be used in support of automated decision-making. This includes information of the loan applied for, information provided by the loan applicant during the loan application process, information available from the query systems maintained by Suomen Asiakastieto Oy, information from the Tax Administration’s Positive Credit Register and Digital and Population Data Services Agency as well as OP Financial Group’s internal information on the applicant’s payment and credit history and other information supporting the assessment of granting eligibility.
The consequence of automated processing and profiling for the data subject is either automated approval or automated refusal of the card or loan. The terms and conditions of agreement, such as the interest rate on a loan or credit, may also be determined on the basis of automated processing and profiling. The system may also transfer the case to expert assessment for further inspection, which means that a natural person processes the application and makes the decision. In addition to information provided in connection with the loan application process, aspects that may be taken into account in the decision-making include information on the loan applied for, the applicant’s young age, and any delayed payments. It is possible to classify the applicant based on his/her repayment capacity which classification is used for decision-making and to which the amount of loan to be granted can be proportioned. Assessing data subjects’ ability to pay and related classifications are profiling methods relevant to operations. Possible reasons for the refusal of a loan application include insufficient repayment capacity, negative credit entry in the credit report, the applicant’s young age, the amount of credit exposure or failure to repay a previously granted loan. If a decision has been made on the basis of automated decision-making, a data subject may request reconsideration of the application through manual (non-automated) processing.
General information about automated decision-making and profiling is available in OP’s Privacy Statement at op.fi/dataprotection.
Preventing crimes
Know Your Client (KYC) information and other personal data of data subjects may be used to prevent, uncover and detect money laundering and terrorist financing as well as for other purposes required by the Act on Preventing and Detecting Money Laundering and Terrorist Financing.
The data subject’s personal data may be used to investigate whether the person is subject to international sanctions applied by the controller. Further information on OP Financial Group’s sanctions compliance is primarily available in the terms and conditions of the purchased product or service.
The controller may process personal data concerning crimes or suspected crimes made directly against the operations of the credit institution, if that is necessary in order to prevent or detect such crimes.
5.2 Legal bases for processing
The table below describes the legal bases for processing personal data contained in the data file and provides examples of processing performed on each basis.
| Legal basis | Example |
|---|---|
| Contractual relationship or actions preceding the conclusion of a contract | Personal data is processed in the data file mainly on a contractual basis to provide and deliver services acquired by the data subject. |
| Consent | Any consents given or withheld by the data subject concerning personal data processing |
| Statutory obligation | Industry-specific legislation, such as the Act on Credit Institutions Anti-money laundering and counter-terrorist financing legislation The Act on the Positive Credit Register |
| Legitimate interests of the controller or a third party | Direct marketing, risk management, product and service development The controller may disclose information to the other personal data files of OP Financial Group entities on the basis of legitimate interests. In most cases, the controller's legitimate interests are based on the customer relationship or similar relationship between the controller and the data subject. The controller has a responsibility to ensure that any processing performed on this basis is proportionate to the data subject’s interests and meets his/her reasonable expectations. |
6. Categories of personal data
| Category | Data content |
|---|---|
| Basic information | Data subject’s name, personal identity code and contact details, such as address, telephone number and email address |
| KYC information | Statutory KYC information such as the information required to identify the customer and to determine their financial status and political exposure |
| Customer relationship information | Information that uniquely identifies and classifies the customer |
| Consents | Any consents given or withheld by the data subject concerning personal data processing |
| Contract and product information | Details of the contract between the controller and the data subject Information on products and services purchased by the data subject |
| Customer activity data | Tasks and transactions related to the management customer relationship Transaction data related to the use of card or credit |
| Background information | The data subject's life situation and financial standing |
| Areas of interest | Information about the data subject's interests, for example, regarding products offered by the controller. |
| Behavioural information (incl. information collected using cookies and other such technologies) | Tracking of the data subject's online behaviour and use of services using, for example, cookies. The collected information may include a website browsed by the user, the device model, unique device and/or cookie ID, channel such as an application, mobile browser or web browser, browser version, IP address, session ID, session time and duration, and the display resolution and operating system. |
| Recordings and content of messages | Recordings and messages in various formats, to which the data subject is a party, for example voice call recordings |
| Special categories of personal data | Special categories of personal data as referred to in Article 9 of the General Data Protection Regulation, such as data concerning health, can be processed in the data file for certain limited purposes, for example, when agreeing upon payment arrangements. |
| Technical verification data | Identifier determined by a device or an application, with which the user of the device or application can be identified, using additional information if necessary |
7. Recipients and recipient groups of personal data
7.1 Data recipients
Personal data may be disclosed to authorities, including the Finnish Tax Administration or the Finnish Financial Supervisory Authority, as permitted by law.
By law, the controller may disclose information under the Act on the Bank and Payment Accounts Monitoring System to competent authorities, such as the police, enforcement authority and the Customs. The Customs is responsible for transmitting the information pertaining to law to the competent authorities. Data subjects must direct their questions related to bank and payments accounts monitoring system to the Customs.
In addition, personal data may be disclosed, for example:
- within OP Financial Group, as permitted by law
- to partners, in order to implement any loyal customer scheme related to the product or to provide a value-added service
- to dispute resolution bodies, in various dispute resolution situations
- international card companies (such as Visa and Mastercard) to provide services related to card payments
- to Google with the data subject's consent, if the data subject has taken Google Pay in use
- debt collection firms in order to collect debt
- credit information controllers, such as Suomen Asiakastieto Oy, for the purposes of monitoring and registering payment defaults and for the Tax Administration’s Positive Credit Register
When disclosing personal data included in the data file, the controller takes into account the requirements of mandatory legislation, including the controller’s confidentiality obligations.
7.2 Transfer of data to suppliers
The controller has suppliers which process personal data for its account. The controller concludes appropriate agreements on personal data processing with all such suppliers.
The controller’s suppliers provide the controller with, for example, information system services. Some of the controller’s suppliers are other OP Financial Group entities.
7.3 International transfers of data
The controller uses suppliers in data processing, and data may be transferred outside of the EU or EEA. When data is transferred outside of the EU or EEA, the transfer is done using the EU Commission’s standard contractual clauses or some other transfer mechanism in accordance with legislation. Read more about international transfers of personal data and the European Commission's standard contractual clauses at OP’s website: op.fi/dataprotection.
Some of the controller’s suppliers are other OP Financial Group entities. They provide the controller with information system and other support services, among other things.
8. Personal data retention period or criteria for determining the period
The controller processes personal data during the validity of the contractual relationship. Once the contractual relationship has terminated, the controller will erase or anonymise the data, as a main rule, after around 10 years in accordance with the erasure processes it follows.
The controller processes potential customer personal data, as a main rule, for around one year calculated from the date when the data subject through his/her active action last showed interest in the products or services of the controller, or from the date when such personal data was last processed.
After the contractual relationship has terminated, the controller may process personal data for direct marketing purposes in accordance with applicable legislation.
The controller may be under an obligation to process some personal data in the data file for a period longer than stated above in order to comply with legislation or requirements set by the relevant authorities, such as capital adequacy measurement regulation.
9. Personal data sources and updates
Personal data is primarily collected from the data subjects themselves. Personal data may also be collected when the data subject uses certain services of the controller in, for example, OP web services.
Personal data may also be collected and updated within the limits permitted by law from the personal data files of third parties, including the following:
- Digital and Population Data Services Agency
- the Tax Administration’s Positive Credit Register
- personal data files maintained by other authorities
- credit data file controllers
- databases of parties who keep information needed for identifying political exposure and individuals subject to the international sanctions observed by the controller
- other customer data files of OP Financial Group entities.
10. Data subjects’ rights
Data subjects have the right to receive the controller’s confirmation of whether their personal data will be processed or not, or whether they have already been processed.
If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.
The controller may charge a reasonable administrative fee for any additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.
Data subjects also have the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.
Data subjects also have, in certain circumstances, the right to request the controller to restrict the processing of their personal data or to otherwise object to processing. In addition, data subjects may request that the data they have provided themselves be transferred in a machine-readable format.
All requests mentioned herein must be submitted to the abovementioned contact person of the controller.
If a data subject considers that their personal data is not processed legally, they have the right to file a complaint with the supervisory authority.
11. Right to cancel prior consent
If the controller processes a data subject’s personal data on the basis of consent, the data subject has the right to cancel such consent. The cancellation of consent does not affect the lawfulness of processing performed on the basis of said consent prior to its withdrawal. Such cancellation may, however, have an effect on the usability and functionalities of the service or lead to contractual changes.
12. Protection methods regarding the data file
The controller is committed to processing personal data securely and in a manner that satisfies the requirements of the applicable laws. The controller has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.
The controller has taken appropriate technical and organisational measures to protect the data. The data file is protected using, for example, the following tools:
- Protection of hardware and files
- Access control
- User identity verification
- Access rights
- Registration of usage events
- Processing guidelines and supervision
The controller also requires of its suppliers and other partners appropriate protection of any personal data they process.