Updated on 1 October 2020
This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and the national legislation for a data subject, that is, for the controller's customer, employees and for the supervisory authority.
This Privacy Notice also observes Guidelines 3/2019 on processing of personal data through video devices by the European Data Protection Board.
2. Controller and controller’s contact information
Each OP Financial Group entity engaged in video surveillance
OP Financial Group’s Data Protection Team
Phone: 010 253 1333 (in English), 0100 0500 (in Finnish)
3. Data Protection Officer's contact information
OP Financial Group's Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, 00013 OP
4. Name of the personal data file
Video surveillance data file
Data subjects include persons moving about in the controller’s locations, including temporary ones, who are subject to video surveillance, such as the controller’s customers, employees and partners moving about this particular area.
5. Purpose of personal data processing, legal basis for processing and balancing test
5.1 Purposes of processing
In its operations, the controller processes confidential information and frequently handles cash. The operations of OP Financial Group also frequently involve threatening situations. Under the Occupational Safety and Health Act (738/2002), employers are responsible for employees’ safety at work. At OP Financial Group, video surveillance is primarily used for safety purposes.
Below is a list of purposes for which the controller uses information in the data file:
- Ensuring the personal safety of data subjects, such as the controller’s employees and customers
- Supervising the appropriate and secure functioning of service processes
- Protecting data and property of the controller and data subjects, such as the controller’s employees
- Preventing and investigating situations endangering safety, property or the service process
- Managing risks related to physical security.
The data subject’s personal data may be used in the prevention, uncovering and investigation of money laundering and terrorist financing, and in bringing under investigation the money laundering and terrorism financing as well as the crime committed to obtain the assets or proceeds of crime involved in the financing of the money laundering or terrorism financing.
5.2 Legal basis of processing
The processing measures listed in the Notice are based on the controller’s legitimate interest. Video surveillance is necessary so that the controller is able to prevent events that endanger, for example, security, property, production processes and, in general, business continuity. The controller has taken account of special legal requirements for video surveillance, such as the Act on the Protection of Privacy in Working Life.
5.3 Balancing test
In order for personal data to be processed based on a legitimate interest, data subjects’ interests and rights must be taken into account with a particularly high degree of care. The results of the balancing test for video surveillance are described below in a breakdown that complies with guidelines by the Finnish Data Protection Ombudsman and EU data protection authorities (such as Guideline “WP217”).
1. Is legitimate interest the most appropriate basis for processing?
Legitimate interest is the most appropriate basis for processing. Other bases for processing, such as consent, are not appropriate for universal video surveillance at the controller’s business locations.
2. Are the basic requirements met?
The controller’s interest is legitimate as it involves the need to ensure the safety of customers and employees. The use of video surveillance is standard practice in the financial sector and customers expect that premises such as banks use video surveillance. The use of video surveillance is not exceptional from the perspective of data subjects.
In particular, banks are locations that involve situations that pose an imminent danger as described in Guidelines 3/2019 by the European Data Protection Board. As threatening situations occur regularly in the operations of OP Financial Group, particularly in customer service, the interest to process personal data is real and present. The interest is not speculative in nature.
With respect to employees, Chapter 5 of the Act on the Protection of Privacy in Working Life (759/2004) must be observed when assessing the prerequisites for video surveillance. In practice, employers may only carry out video surveillance at the workplace to: (i) ensure the personal safety of employees and other persons on the premises; (ii) protect property; (iii) ensure the appropriate function of production processes; or (iv) prevent or investigate situations that threaten safety, property or production processes. These basic requirements are met.
3. Is personal data processing necessary to achieve the interest pursued?
OP Financial Group operates in hundreds of business locations across Finland. In practice, it is impossible to replace video surveillance with measures such as security personnel or locks, as listed in the European Data Protection Board’s guidelines as alternative security measures. Video surveillance footage also facilitates more effective investigation of threatening situations and other security incidents. The same end result cannot be achieved by alternative means. For the same reasons, so-called real-time monitoring is also not a viable alternative.
4. Does the controller’s interest override the interests and rights of data subjects?
The controller’s legitimate interest clearly overrides data subjects’ interests and rights. Video surveillance is used at the controller’s business locations in which threatening situations occur. Video surveillance is used for safety purposes and also serves the interests and rights of data subjects. Video footage is stored for a limited period of time and the data are retrieved only if a specific incident must be investigated, such as at the request of the police.
Data subjects can also be reasonably assumed to expect that the controller processes personal data collected through video surveillance. This is stated in item 37 of Guidelines 3/2019 by the European Data Protection Board. Processing is also not unforeseen or unexpected from the perspective of data subjects.
Video surveillance is also carried out only in connection with standard customer service and work situations. As such, video surveillance is not intended for processing special categories of personal data. Even if the footage were to include children, for example, the processing does not negatively impact their status. In other words, video surveillance is also used to safeguard the interests and rights of these vulnerable groups.
Abstaining from the use of video surveillance would have a negative impact on data subjects. For example, crimes and threatening situations could not necessarily be reliably investigated. Naturally, video surveillance can be used to more efficiently investigate possible crimes committed by data subjects. Although this can be seen as having a negative impact from the perspective of an individual data subject, such impact should not be taken into consideration when assessing the controller’s legitimate interest. In other words, the negative impact on the data subject is not disproportionate.
5. Ensure additional safeguards for data protection
The controller has implemented appropriate additional safeguards. The retention period of video footage is short, and access rights to the systems are restricted.
With respect to employees, the matter has been discussed in a Consultation of Employees process.
6. Demonstrate compliance and ensure transparency
To ensure transparency, the balancing test for video surveillance has been included in the Privacy Notice.
6. Categories of personal data
The content of the data file consists of visual and audio recordings that contain recorded video image and possible voice of the data subject in the video surveillance area and information on the time of recording.
7. Recipients of personal data and recipient categories
Any personal data obtained may be used within OP Financial Group as permitted by law. In addition, personal data may in statutory cases be disclosed to relevant authorities, such as the police.
8. Transmitting of personal data
The controller may use subcontractors for data processing, but no data will be regularly transferred outside of the EU or the EEA.
9. Personal data retention period or criteria for determining the period
Personal data will be retained for the period required for fulfilling the purposes determined for the data in the data file. Data subjects’ data are erased automatically after approximately three months of collection at the latest, with the exception of data needed to clear up offences that may have to be retained longer than that, due to a pre-trial investigation performed by the relevant authority / court proceedings.
10. Personal data sources and updates
Personal data is collected when the data subject moves on the premises under the video surveillance system.
11. Rights of data subjects
Data subjects have the right to receive the controller’s confirmation of whether their personal data will be processed or not, or whether they have already been processed.
If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.
The controller may charge a reasonable administrative fee for any additional copies requested by the data subject.
As a rule, data subjects exercising their right to access data may view the footage or a summary of the footage at the business location. The controller will not disclose any part of the footage that contains other data subjects. As such, the data accessible to data subjects is often a collection of still images.
Data subjects have the right to request that the controller rectify or delete their personal data.
All requests mentioned herein must be submitted to the abovementioned contact person of the controller.
If a data subject considers that their personal data is not processed legally, they have the right to file a complaint with the supervisory authority.
12. Protection methods regarding the data file
The controller is committed to processing personal data securely and in a manner that satisfies the requirements of applicable laws. The controller has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.
The controller has taken appropriate technical and organisational measures to protect the data. The data file is protected using, for example, the following tools:
- Restricted access, access control / locking
- User identity verification
- Account privileges
- Processing guidelines and supervision
The controller also requires of its suppliers appropriate protection of any personal data to be processed.