OP Retail Customers Plc's customer data file

Privacy Notice

Created or edited on: 14 June 2021

1. Overview

This Privacy Notice contains the information that the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act require to be provided to data subjects, such as the controller’s customers and employees, and to the supervisory authority.

2. Controller and its contact information

OP Retail Customers Plc

Postal address: P.O. Box 1020, FI-00013 OP

Controller’s contact person: OP Financial Group’s Data Protection Team  

Telephone: 010 253 1333 (in English), 0100 0500 (in Finnish)

Email: dataprotection(a)op.fi

3. Data Protection Officer’s contact information

OP Financial Group’s Data Protection Officer

OP Financial Group

Postal address: P.O. Box 308, 00013 OP, Finland

Email: dataprotection(a)op.fi

4. Name of the personal data file and data subjects

OP Retail Customers Plc’s customer data file

The data subjects are OP Retail Customers Plc's private customers and potential private customers.

A customer relationship arises following a contractual relationship. A potential customer relationship typically arises when a person expresses his/her interest in OP Retail Customers Plc's products and services in various service channels, for example, by starting to fill in a credit application while being strongly identified. Services are offered both in OP's service channels and in vendor cooperation channels. A potential customer relationship can also arise because a person is a customer of some other OP Financial Group entity and this entity releases the customer’s data to OP Retail Customers Plc for marketing purposes.

5. Purposes of personal data processing and legal basis for processing

5.1 Purposes of processing

OP Retail Customers Plc mainly processes personal data in order to provide, offer and deliver services related to cards and unsecured credit. Below, you can find more detailed information on how personal data is utilised in the data file.

The purposes of personal data use include:

  • customer service and customer relationship management, including customer communications
  • provision, development and quality assurance of services
  • business development
  • customer categorisations and developments
  • ensuring the security of services, and preventing and investigating abuses
  • risk management
  • monitoring and analysis of service use and customer segmentation in order for the controller to be able to offer targeted services to the users
  • fulfilling statutory obligations and any other official rules and regulations
  • training purposes involving, for example, the use of telephone recordings
  • direct marketing, opinion polls and market surveys, targeting of marketing and advertising.

Automated decision-making and profiling

With regard to card and loan products, personal data processing within the scope of the data file involves automated decision-making. The purpose of automated processing is to reduce processing times and ensure equitable decisions. Automated decision-making is used because the decision is necessary for entering into, or performance of, a contract between the data subject and the controller. If automated decision-making is included in a product or service, the data subject will be informed of this upon purchase of the product or service. When the decision process is fully automated, the controller ensures that the matter can be submitted for manual processing and decision.

Processing of personal data within the scope of the data file includes profiling. Profiling means the automated processing of personal data for evaluating certain personal aspects of an individual.

The controller’s operations involve automated card and loan approval decisions. These include the profiling of data subjects with the purpose of assessing their creditworthiness in order to make loan decisions and sign agreements. The requirement to assess customers’ creditworthiness is based on legislation. The method applied in decision-making is regularly assessed and monitored in order to ensure its reliability.

Information on the applicant’s repayment capacity can be used in support of automated decision-making. This includes information on the loan applied for, information provided by the loan applicant during the loan application process, information available from the query systems maintained by Suomen Asiakastieto Oy and the Digital and Population Data Services Agency, as well as OP Financial Group’s internal information on the applicant’s payment and credit history and other information supporting the assessment of granting eligibility.

The consequence of automated processing and profiling for the data subject is either automated approval or automated refusal of the card or loan. The system may also transfer the case to expert assessment for further inspection, which means that a natural person processes the application and makes the decision. In addition to information provided in connection with the loan application process, aspects that may be taken into account in the decision-making include information on the loan applied for, the applicant’s young age, and any delayed payments. The applicant may be classified based on his/her repayment capacity; this classification is used in decision-making, and the amount of loan to be granted can be proportioned to it. Assessing data subjects’ ability to pay and the related classifications are profiling methods relevant to operations. Possible reasons for the refusal of a loan application include insufficient repayment capacity, a negative credit entry in the credit report, the applicant’s young age, the amount of credit exposure or failure to repay a previously granted loan. If a decision has been made on the basis of automated decision-making, a data subject may request reconsideration of the application through manual (non-automated) processing.

General information about automated decision-making and profiling is available in OP’s Privacy Statement at op.fi/dataprotection.

Preventing crimes

Know Your Client (KYC) information and other personal data of data subjects may be used to prevent, uncover and detect money laundering and terrorist financing as well as for other purposes required by the Act on Preventing and Detecting Money Laundering and Terrorist Financing.

The data subject’s personal data may be used to investigate whether the person is subject to international sanctions applied by the controller. Further information on OP Financial Group’s sanctions compliance is primarily available in the terms and conditions of the purchased product or service.

The controller may process personal data concerning crimes or suspected crimes made directly against the operations of the credit institution, if that is necessary in order to prevent or detect such crimes.

5.2 Legal bases for processing

The following describes the legal bases for processing personal data contained in the data file and provides examples of processing performed on each basis.

  • Contractual relationship or actions preceding the conclusion of a contract: Personal data is processed in the data file mainly on a contractual basis to provide and deliver services acquired by the data subject.
  • Consent: The consents given and withheld by the data subject concerning personal data processing.
  • Statutory obligation: Industry-specific legislation, such as the Act on Credit Institutions; anti-money laundering and counter-terrorist financing legislation.
  • Legitimate interests of the controller or a third party: Direct marketing, risk management, product and service development.

The controller may disclose information to the other personal data files of OP Financial Group entities on the basis of legitimate interests.

In most cases, the controller’s legitimate interests are based on the customer relationship or similar relationship between the controller and the data subject. The controller ensures that the processing performed on this basis is proportionate to the data subject’s benefits and meets his/her reasonable expectations.


6. Categories of personal data

The categories of personal data in the data file and the data content of each category are as follows:

  • Basic information: Data subject’s name, personal identity code and contact details, such as address, telephone number and email address.
  • Know Your Customer (KYC) information: Statutory KYC information, such as the information required to identify the customer and to determine their financial status and political exposure.
  • Customer relationship information: Information that uniquely identifies and classifies the customer.
  • Consents: The consents given and withheld by the data subject concerning personal data processing.
  • Contract and product information: The controller's and data subject's contract information; information on products and services acquired by the data subject.
  • Customer activity data: The controller's and data subject's contract information; information on products and services acquired by the data subject.
  • Background information: The data subject's life situation and financial standing.
  • Areas of interest: Information about the data subject's interests, for example, regarding products offered by the controller.
  • Behavioural information (incl. information collected using cookies and other such technologies): Tracking of the data subject's online behaviour and use of services using, for example, cookies. The collected information may include a website browsed by the user, the device model, unique device and/or cookie ID, channel such as an application, mobile browser or web browser, browser version, IP address, session ID, session time and duration, and the display resolution and operating system.
  • Recordings and content of messages: Recordings and messages in various formats in which the data subject is a party, such as call recordings.
  • Special categories of personal data: Special categories of personal data as referred to in Article 9 of the General Data Protection Regulation, such as data concerning health, can be processed in the data file for certain limited purposes, for example, when agreeing upon payment arrangements.
  • Technical verification data: Identifier determined by a device or an application, with which the user of the device or application can be identified, using additional information if necessary.


7. Recipients and recipient groups of personal data

7.1 Data recipients

Personal data may be disclosed to authorities, including the Finnish Tax Administration or the Finnish Financial Supervisory Authority, as permitted by law.

In addition, personal data may be disclosed, for example:

  • within OP Financial Group, as permitted by law
  • to partners, in order to implement any loyal customer scheme related to the product or to provide a value-added service
  • to dispute resolution bodies, in various dispute resolution situations
  • to international card companies (such as Visa and Mastercard), in order to provide services related to card payments
  • to debt collection firms, in order to collect debt
  • to credit information controllers, such as Suomen Asiakastieto Oy, for the purposes of monitoring and registering payment defaults.

When disclosing personal data included in the data file, the controller takes into account the requirements of mandatory legislation, including the controller’s confidentiality obligations.

7.2 Transfer of data to suppliers

The controller has suppliers which process personal data for its account. The controller concludes appropriate agreements on personal data processing with all such suppliers.

The controller’s suppliers provide the controller with, for example, information system services. Some of the controller’s suppliers are other OP Financial Group entities.

7.3 International transfers of data

The controller uses suppliers to process personal data, and data are sometimes transferred to recipients established outside of the EU/EEA.

All transfers of data to recipients established outside of the EU/EEA are subject to standard contractual clauses based on data protection laws or another transfer mechanism permitted by law that guarantees appropriate protection of personal data. One of the transfer mechanisms that the controller uses is based on the standard contractual clauses adopted by the European Commission, which can be found at 

8. Personal data retention period or criteria for determining the period

The controller processes personal data during the validity of the contractual relationship. Once the contractual relationship has terminated, the controller will erase or anonymise the data, as a main rule, after around 10 years in accordance with the erasure processes it follows.

The controller processes potential customer personal data, as a main rule, for around one year calculated from the date when the data subject through his/her active action last showed interest in the products or services of the controller, or from the date when such personal data was last processed.

After the contractual relationship has terminated, the controller may process personal data for direct marketing purposes in accordance with applicable legislation.

The controller may be under an obligation to process some personal data in the data file for a period longer than stated above in order to comply with legislation or requirements set by the relevant authorities, such as capital adequacy measurement regulation.

9. Personal data sources and updates

Personal data is primarily collected from the data subjects themselves. Personal data may also be collected when the data subject uses certain services of the controller in, for example, OP web services.

Personal data may also be collected and updated within the limits permitted by law from the personal data files of third parties, including the following:

  • Digital and Population Data Services Agency
  • personal data files maintained by other authorities
  • credit data file controllers
  • databases of parties who keep information needed for identifying political exposure and individuals subject to the international sanctions observed by the controller
  • other customer data files of OP Financial Group entities.

10. Data subjects’ rights

Data subjects have the right to receive the controller’s confirmation of whether their personal data is being processed, or has already been processed, or not.

If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.

The controller may charge a reasonable administrative fee for any additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.

Data subjects also have the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.

Since the adoption of the GDPR, data subjects also have, in certain circumstances, the right to request the controller to restrict the processing of their personal data or to otherwise object to processing. In addition, under the GDPR, data subjects may request that the data they have provided themselves be transferred in a machine-readable format.

All requests mentioned herein must be submitted to the abovementioned contact person of the controller.

If a data subject considers that their personal data is not processed legally, they have the right to file a complaint with the supervisory authority.

11. Right to cancel prior consent

If the controller processes a data subject’s personal data on the basis of consent, the data subject has the right to cancel such consent. The cancellation of consent does not affect the lawfulness of processing performed on the basis of said consent prior to its withdrawal. Such cancellation may, however, have an effect on the usability and functionalities of the service or lead to contractual changes.

12. Protection methods regarding the data file

The controller is committed to processing personal data securely and in a manner that satisfies the requirements of the applicable laws. The controller has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.

The controller has taken appropriate technical and organisational measures to protect the data. The data file is protected using, for example, the following tools:

  • Protection of hardware and files
  • Access control
  • User identity verification
  • Access rights
  • Registration of usage events
  • Processing guidelines and supervision

The controller also requires of its suppliers and other partners appropriate protection of any personal data they process.