Privacy notice
1. General information
This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and the national data protection law for a data subject, such as for the controller’s customer, employees and for the supervisory authority.
2. Controller and its contact information
Controller: OP Corporate Bank plc
Postal address: P.O. Box 308, 00013 OP
Street address: Gebhardinaukio 1 00510 HELSINKI
The controller's contact person: OP Financial Group’s Data Protection Team
Telephone: 010 253 1333 (in English), 0100 0500 (in Finnish)
Email: dataprotection@op.fi
3. Data Protection Officer's contact information
OP Financial Group's Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, 00013 OP
Email: dataprotection@op.fi
4. Name of the personal data file and data subjects
Obtaining business ID at op.fi customer data file
Data subjects include natural persons of an entity/some entities of OP Financial Group, who want to establish a company by obtaining a business ID issued by the Finnish Tax Administration. Insofar as the data is processed after the Tax Administration has issued the business ID, data subjects are persons acting on behalf of the company.
5. Purposes of personal data processing and legal basis for processing
Purposes of processing
Obtaining the business ID at op.fi provides the opportunity to establish a business name. The process of establishing a company requires the processing of personal data. The controller mainly processes data included in data files to enable the data subject to file an application for the business ID with the Finnish Tax Administration and a new entrepreneur the provision of the necessary services by giving data for use by other OP Financial Group's service providers. Below you can find more detailed information on how personal data is used in the data file.
The purposes of personal data use include:
- customer service and customer relationship management and development, including customer communications
- production and delivery of services, and development and quality assurance of services
- business development
- monitoring and analysis of service use and customer segmentation, for example, in order for the controller to be able to offer personalised service content to the users
- direct marketing
- targeted marketing and advertising
- fulfilling statutory obligations and any other official rules and regulations
- risk management
Legal bases of processing
The table below describes the legal bases of processing personal data used by the data file and provides examples of processing performed on each basis.
| Legal basis | Example |
|---|---|
| Contractual relationship or actions preceding the conclusion of a contract | Personal data in the data file is mainly processed based on the contract. |
| Legitimate interests of the controller or a third party | The controller may disclose information to the other personal data files of OP Financial Group entities on the basis of legitimate interests with the purpose of use being selling, marketing and business development. In most cases, the controller's legitimate interests are based on the customer relationship or similar relationship between the controller and the data subject. The controller ensures that the processing performed on this basis is proportionate to the data subject’s benefits and meets his/her reasonable expectations. |
6. Categories of personal data
| Category of personal data | Data content of the category |
|---|---|
| Basic information | Data concerning the data subject as a person: Name, date of birth, phone number and email address Information on the company to be established: Name, contact details, domicile, business line, estimated net sales and other information on business required to apply for the business ID |
| Behavioural information (incl. information collected using cookies and other such technologies) | Tracking of the data subject's online behaviour and use of services using, for example, cookies. The collected information may include a website browsed by the user, the device model, unique device and/or cookie ID, channel such as an application, mobile browser or web browser, browser version, IP address, session ID, session time and duration, and the display resolution and operating system. |
| Recordings and content of messages | Recordings and messages in various formats, in which the data subject is a party, for example, call and chat recordings |
7. Recipients and recipient groups of personal data
Data recipients
Any personal data obtained may be used within OP Financial Group as permitted by the law.
As part of the service, personal data will be given to the Finnish Tax Administration which decides on granting the business ID to the data subject.
Transfer of data to suppliers
The controller uses suppliers which process personal data for its account. The controller concludes appropriate agreements on personal data processing with such suppliers.
The suppliers provide the controller with information system services, among other things. Some of the controller's suppliers are other OP Financial Group entities.
International transfers of data
As a rule, the controller does not transfer data in this data file outside of the EU / EEA. However, if the data were transferred outside of the EU / EEA in an individual case, the controller will always apply transfer mechanisms permitted by law, such as standard contractual clauses based on data protection legislation, that guarantee appropriate protection of personal data.
The standard contractual clauses adopted by the EU Commission can be found at this address.
8. Personal data retention period or criteria for determining the period
The controller will process personal data for a period required to render the service. The controller will erase or anonymise the data in compliance with its erasure processes after five years it has been informed of the decision related to the business ID by the Tax Administration.
9. Personal data sources and updates
Personal data is collected from the data subjects themselves. Personal data can also be collected from the personal data files of other OP Financial Group entities and in case the data subject uses certain services provided by the controller, such as online services.
The controller obtains the data on the established companies approved by the Finnish Tax Administration from Suomen Asiakastieto Oy.
10. Data subject's rights
Data subjects have the right to receive the controller's confirmation of whether their personal data will be processed or not, or whether they have already been processed.
If the controller processes a data subject's personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.
The controller may charge a reasonable administrative fee for additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.
The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.
After the application of the General Data Protection Regulation has begun, the data subject will, in certain cases, also have the right to request the controller to restrict the processing of their personal data or to otherwise oppose the processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in machine-readable format.
All of the above requests must be submitted to the abovementioned contact person of the controller.
If a data subject considers that his/her personal data is not processed legally, he/she has the right to file a complaint to the supervisory authority.
11. Protection methods regarding the data file
The controller processes personal data securely and in a manner fulfilling the requirements of applicable laws. It has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.
The controller has protected the data appropriately in technical and organisational terms. The data file is protected using, for example, the following tools:
- Protection of equipment and files
- Access control
- User identity verification
- Access rights
- Registration of usage events
- Processing guidelines and supervision
The controller also requires that its suppliers and other partners ensure appropriate protection of the personal data to be processed.