OP cooperative bank customer data file

Privacy notice

1. General information

This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and the national law for data subjects, that is, for the controller's customers, employees and for the supervisory authority.

2. Controller and its contact information

For each OP Financial Group cooperative bank
The controller’s contact person: OP Financial Group’s Data Protection Team
Phone: 010 253 1333 (in English), 0100 0500 (in Finnish)
E-mail: dataprotection@op.fi

3. Data Protection Officer’s contact information

OP Financial Group’s Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, 00013 OP
Email: dataprotection@op.fi

4. Name of the personal data file

OP cooperative bank customer data file

Every OP cooperative bank has its own customer data file. This Privacy Notice describes how personal data is processed in each OP cooperative bank’s customer data file.

The data subjects of the data file are OP cooperative bank’s customers and potential customers. The data subject can be a private individual or an entity, including an entrepreneur.

A potential customer relationship typically arises when a person expresses his/her interest in the services of OP cooperative bank in the op.fi service or when visiting a bank branch. A potential customer relationship can also, for example, arise because a person is a customer of some other OP Financial Group entity and this entity releases the customer’s data to OP cooperative bank for marketing purposes.

5. The purpose of personal data processing and legal basis for processing

5.1 The purposes of the processing

Banking operations require personal data processing. The OP cooperative bank customer data file entails processing of personal data necessary for, for instance, account, credit and investment services. Below you can find more detailed information on how personal data is utilised in the data file.

The purposes of personal data use include:

  • customer service and customer relationship management and development, including customer communications
  • provision, development and quality assurance of services
  • business development
  • monitoring and analysis of product and service use and customer segmentation, for example, in order for the controller to be able to offer personalised product and service content to the users
  • opinion polls and market surveys
  • direct marketing
  • targeted marketing and advertising
  • fulfilling statutory obligations and any other official rules and regulations
  • risk management
  • ensuring the security of services and investigating abuses
  • training purposes

Automated decision-making and profiling

Personal data processing within the scope of the data file involves automated decision-making. If automated decision-making is included in the product or service that you have acquired, you are informed of this upon purchase of the product or service. When the decision process is fully automated, the controller ensures that you can submit the matter for manual processing and decision. Processing of personal data within the scope of the data file includes profiling. Profiling means automated processing of personal data where certain aspects relating to a natural person are evaluated by utilising this data.

For example, automated loan decisions are made within the scope of the data file. They involve profiling that is performed to assess the customer’s creditworthiness. Another example of profiling performed within the scope of the data file is assessing the risk tolerance of a customer receiving investment advice and determining a suitable target market for the customer based on his/her investor profile. A controller providing investment advice or credit has a statutory obligation to perform such an assessment. Further information on automated decision-making and profiling is available in OP’s Privacy Statement at op.fi/dataprotection.

Preventing crimes

Know Your Customer information and the data subject’s other personal information may be used in the prevention, uncovering and investigation of money laundering and the financing of terrorism, and in bringing under investigation money laundering and the financing of terrorism as well as the crime committed to obtain the assets or proceeds of crime involved in the money laundering or financing of terrorism.

The data subject’s personal data may be used to investigate if the person is subject to international sanctions applied by the controller. Further information on OP Financial Group’s sanction compliance is primarily available in the terms and conditions of the acquired product or service.

The controller may process personal data concerning crimes or suspected crimes committed directly against the operations of the credit institution, if that is necessary in order to prevent and solve such crimes.

5.2 Legal bases of processing

The table below describes the legal bases of processing personal data used by the data file and provides examples of processing performed on each basis.

| Legal basis | Example |
| --- | --- |
| Contractual relationship or actions preceding the conclusion of a contract | Actions based on an agreement, such as account agreement, credit agreement or investment services agreement, or its conclusion |
| Statutory obligation | For example, legislation on the prevention of money laundering and financing of terrorism. Industry-specific legislation, such as Act on Credit Institutions and Act on Investment Services |
| Legitimate interests of the controller or a third party | For instance, direct marketing or developing products and services, or typically disclosing information within OP Financial Group. In most cases, the controller’s legitimate interests are based on the customer relationship or similar relationship between the controller and the customer. The controller ensures that this processing is proportionate to the data subject’s benefits and meets his/her reasonable expectations. |
| Consent | Direct marketing through an electronic channel is usually based on the consent of the data subject |


6. Categories of personal data

Categories of personal data concerning customers

| Category of personal data | Data content of the category |
| --- | --- |
| Basic information | Private customer: The data subject’s name, personal ID code and contact details such as address, telephone number and email address. Institutional customer: Identification details of persons acting on the behalf of an entity and information on connections to the entity |
| Know Your Customer (KYC) information | Statutory KYC information such as the information required to identify the customer and to determine their financial status and political influence |
| Customer relationship information | Information that uniquely identifies and classifies the customer relationship, such as duration and nature of customer relationship or borrower grade |
| Consents | The consents given and withheld by the data subject concerning personal data processing |
| Contract and product information | The controller’s and data subject’s contract information. Information on products and services acquired by the data subject |
| Customer activity data | Tasks and transactions related to the management of the customer relationship |
| Background information | For instance, information on the data subject’s life situation, investment experience and knowledge, and on his/her financial standing and goals |
| Areas of interest | Information on the data subject’s areas of interest, for instance on an interest in a certain OP product or service |
| Behavioural information (incl. information gathered using cookies and other corresponding technologies) | Tracking of the data subject’s online behaviour and use of services using, for example, cookies. The gathered information may include a web page browsed by the user, the device model, unique device and/or cookie ID, channel such as an application, mobile browser or Web browser, browser version, IP address, session ID, session time and duration, and the display resolution and operating system. |
| Recordings and content of messages | Recordings and messages in various formats, in which the data subject is a party, for example, call recordings |
| Special categories of personal data | The special categories of personal data laid down in Article 9 of the Data Protection Regulation, including health and trade union membership |
| Technical verification data | Identifier determined by a device or an application, with which the user can be identified, using additional information if necessary |


Categories of personal data concerning potential customers

The data content to be processed is determined by, for instance, the group of potential customers in question. Below is a description of the kinds of data content that the controller typically processes.

| Category of personal data | Data content of the category |
| --- | --- |
| Basic information | The data subject’s name, personal ID code and contact details such as address, telephone number and email address |
| Customer relationship information | Information that uniquely identifies the customer, such as the start date and nature of customer relationship |
| Contract and product information | Information on the controller’s offers to the data subject |
| Customer activity data | Tasks and transactions related to the management of the customer relationship |
| Behavioural information (incl. information gathered using cookies and other corresponding technologies) | Tracking of the data subject’s online behaviour and use of services using, for example, cookies. The gathered information may include a web page browsed by the user, the device model, unique device and/or cookie ID, channel such as an application, mobile browser or Web browser, browser version, IP address, session ID, session time and duration, and the display resolution and operating system. |
| Recordings and their content | Various telephone recordings to which the data subject is a party |
| Technical verification data | Identifier determined by a device or an application, with which the user can be identified, using additional information if necessary |

7. Recipients and recipient groups of personal data

When disclosing personal data contained in the data file, the controller takes into account the requirements of binding legislation, including the credit institution’s confidentiality obligations. Typical cases where data is disclosed from the data file are described in the following.

Any personal data collected may be used within OP Financial Group as permitted by the law. Within investment services, data may be disclosed to, for example, an entity within the Group that manages securities custody.

When payments are transmitted, legislation requires that personal data concerning the payer or the payee is submitted at the same time when funds are transferred.

Data is also disclosed to the sector’s shared customer default register.

Data may in statutory cases be disclosed to relevant authorities, such as the Financial Supervisory Authority, the police, the execution authorities and the Finnish Tax Administration. Annual notifications of the controller’s customers are sent to the tax administration.

8. Transfer of personal data

The controller uses suppliers in data processing, and data will be transferred outside of the EU or EEA to a limited extent. When data is transferred outside of the EU or EEA, the transfer is done using the EU Commission’s standard contractual clauses or another transfer mechanism in accordance with legislation.

Some of the controller’s subcontractors are other OP Financial Group entities. They offer, for example, credit, collateral and IT support services to the controller.

9. Personal data retention period or criteria for determining the period

Personal data may be processed for as long as the customer and contractual relationship is valid. Customer relationship refers to the data subject becoming an OP cooperative bank customer. The customer’s basic information and KYC information are collected to establish a customer relationship. A contractual relationship arises when a customer signs an agreement concerning a product or service with an OP cooperative bank.

Contractual information will be erased approximately ten years after the contract has terminated. Information on customer relationship, such as KYC information, will be erased or anonymised approximately ten years after the last contract has terminated. The information will be erased in accordance with the controller’s erasure processes.

Data concerning potential customers will mainly be stored for six months after establishing a potential customer relationship. If the potential customer relationship in an OP cooperative bank is based on customer data received from another OP Financial Group entity for this purpose, such customer relationship will remain in the data file until the data subject is no longer a customer at the entity that disclosed the information.

After the contractual relationship has ended, the controller may process the personal data for direct marketing purposes in accordance with applicable legislation.

10. Personal data sources and updates

Personal data is collected primarily from the data subjects themselves. Personal data may also be collected when the data subject uses certain services of the controller, such as online services.

Personal data may be obtained from other OP Financial Group data files and entities as permitted by the law. This data can be used, for example, for risk management and marketing purposes.

Personal data can also be collected and updated within the limits permitted by law from the personal data files of third parties, examples including:

  • registers maintained by authorities such as the Population Register Centre, execution authorities and the police
  • credit information register controllers
  • the shared customer default register of the financial sector
  • obtaining information necessary to identify a person’s political exposure and whether he/she is subject to international sanctions respected by the controller, from parties maintaining databases containing such information

11. Data subject’s rights

Data subjects have the right to receive the controller’s confirmation of whether their personal data will be processed or not, or whether it has already been processed.

If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.

The controller may charge a reasonable administrative fee for additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the information will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.

The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.

After the application of the General Data Protection Regulation has begun, the data subject, in certain cases, will also have the right to request the controller to restrict the processing of their personal data or to otherwise oppose the processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves is transferred in machine-readable format.

All of the above requests must be submitted to the above-mentioned contact person of the controller.

If a data subject considers that his/her personal data is not processed legally, he/she has the right to file a complaint with the supervising authority.

12. Right to cancel prior consent

If the controller processes the data subject’s personal data on the basis of consent, the data subject has the right to cancel such consent. The cancellation of consent does not affect the lawfulness of processing performed based on the consent prior to its cancellation. Such cancellation may, however, have an effect on the usability and functionalities of the service.

13. Protection methods regarding the data file

The controller handles personal data securely in accordance with applicable laws. It has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.

The controller has protected the data appropriately in technical and organisational terms. The data file is protected using, for example, the following means:

  • protection of equipment and data files
  • access control
  • user identity verification
  • access rights
  • registration of usage events
  • processing guidelines and supervision

The controller also requires of its suppliers the appropriate protection of personal data to be processed.