1. General information
This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and the national data protection law for a data subject, that is, for the controller’s customer, employees and for the supervisory authority.
2. Controller and its contact information
For each OP Financial Group cooperative bank
The controller’s contact person: OP Financial Group’s Data Protection Team
Phone: 010 253 1333 (in English), 0100 0500 (in Finnish)
3. Data Protection Officer’s contact information
OP Financial Group's Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, FI-00013 OP, Finland
4. Name of the personal data file and data subjects
OP cooperative bank’s campaign data file
The data file includes all participants in activities, events, campaigns, competitions or prize draws organised by the controller (hereinafter ‘event’ refers to any of the above) as well as other individuals or representatives of organisations, such as businesses, who have expressed interest in services provided by the controller. The aforementioned individuals make up the data subjects included in the data file. Data subjects included in the data file may also include representatives of partners hosting events together with an OP cooperative bank.
The data contained in the data file are not linked to the customer data files of OP Financial Group companies.
5. Purposes of personal data processing and legal basis for processing
Purposes of processing
The purposes of personal data use include:
- running campaigns and keeping lists of participants in connection with events, more specifically customer service and correspondence related to the above as well as any other provision of information and communications
- grouping of event participants according to age or into categories
- choosing and verifying winners and publishing the information via the organiser’s internal channels, such as its website
- ensuring security at events
- planning and improving products and services and selecting target markets
- opinion polls and market surveys
- feedback and satisfaction surveys
- direct marketing
- targeted marketing and advertising in internal and external media
- Data concerning minors are never collected for marketing, sales or customer account management purposes.
Legal bases of processing
The table below describes the legal bases of processing personal data contained in the data file and provides examples of processing performed on each basis.
|Contractual relationship or actions preceding the conclusion of a contract||For example, the processing of data concerning a co-organiser’s representatives in the data file can be based on a contract.|
|Consent||Processing can be based on the data subject's consent. For example, data subjects can give their consent to having their name published among winners on a website, being photographed during an event and having the photographs published as well as to electronic direct marketing. In the case of minors, a guardian’s consent is sought.|
|Legitimate interests of the controller||The processing of personal data in connection with events, such as choosing winners and also direct marketing in certain circumstances, can be based on the controller’s legitimate interests. For example, data subjects can express their interest in OP Financial Group or its products and services in connection with an event.
The disclosure of data within OP Financial Group can also be based on the controller’s legitimate interests.
The controller has a responsibility to ensure that any processing performed on this basis is proportionate to the data subject’s interests and meets his/her reasonable expectations.
6. Categories of personal data
|Basic details||Data subject’s name
Data subject’s contact information, such as email address, telephone number and address
|Customer account information||Information that uniquely identifies and classifies a potential customer. Source of contact information|
|Consents||Any consents given and withheld by the data subject concerning personal data processing|
|Customer activity data||Contact details|
|Background information||Language in which the data subject prefers to communicate|
|Areas of interest||Information on the data subject’s areas of interest|
|Behavioural information concerning an event participant or his/her guardian (including information collected by means of cookies and other similar technologies)||Tracking of the data subject’s online behaviour and use of services using, for example, cookies. The collected information can include, for example, a website browsed by the user, the device model, unique device and/or cookie ID, channel such as an application, mobile browser or web browser, browser version, IP address, session ID, session time and duration, and the display resolution and operating system.|
|Technical identification data concerning an event participant or his/her guardian||Device or application IDs that allow the user of the device or application to be identified using additional information if necessary|
7. Recipients of personal data and recipient categories
Any personal data collected may be used within OP Financial Group and disclosed to the authorities as permitted by law.
Any personal data collected may be disclosed to any other partners involved in organising an event for the purpose of organising the event. Information about winners and photographs of participants may also be disclosed to the media with the data subjects’ consent.
The controller undertakes to ensure compliance with requirements arising from mandatory legislation whenever personal data included in the data file are disclosed.
Transfer of data to suppliers
The controller has suppliers who process personal data on the controller’s account. The controller undertakes to conclude appropriate agreements on personal data processing with all such suppliers.
The controller’s suppliers provide the controller with, for example, information system services. Some of the controller’s suppliers are other OP Financial Group entities.
International transfers of data
The controller uses suppliers to process personal data, and data are sometimes transferred to recipients established outside of the EU/EEA.
All transfers of data to recipients established outside of the EU/EEA are subject to standard contractual clauses based on data protection legislation or another transfer mechanism permitted by legislation that guarantees appropriate protection of personal data. The standard contractual clauses adopted by the European Commission that can be found
8. Personal data retention period or criteria for determining the period
The controller only processes the data subjects’ personal data for the duration of an event and deletes the data approximately six months after the end of the event. Lists of winners may be kept for a slightly longer period but usually for no longer than a few years.
The controller cannot be held liable for lists of participants or winners of a competition being kept available in channels other than the controller’s own channels (such as on the website of a local newspaper).
9. Personal data sources and updates
Personal data are collected primarily from the data subjects themselves or from the organisations they represent. Personal data may also be collected in connection with the use of online services. In addition, personal data may be pulled from OP Financial Group companies’ customer data files.
10. Data subjects’ rights
Data subjects have the right to receive confirmation from the controller as to whether or not their personal data will be, or have been, processed.
If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.
The controller may charge a reasonable administrative fee for any additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.
The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.
In certain circumstances, the data subject also has the right to request the controller to restrict the processing of their personal data or to otherwise object to processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in a machine-readable format.
All requests of this kind must be submitted to the aforementioned contact person of the controller.
If a data subject considers that their personal data are not being processed legally, they have the right to file a complaint with the supervisory authority.
11. Right to withdraw prior consent
If the controller processes the data subject’s personal data on the basis of consent, the data subject has the right to withdraw their consent. The withdrawal of consent does not affect the lawfulness of processing performed on the basis of said consent prior to its withdrawal. Such withdrawal may, however, have an effect on the usability and functionalities of the services.
12. Safeguards for the protection of the data file
The controller is committed to processing personal data securely and in a manner that satisfies the requirements of applicable laws. The controller has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.
The controller has taken appropriate technical and organisational measures to protect the data. The data file is protected by, for example, the following means:
- Protection of hardware and files
- Access control
- User identity verification
- Access rights
- Registration of usage events
- Processing guidelines and supervision
The controller also requires of its suppliers and other partners appropriate protection of any personal data to be processed.