OP Financial Group operates in sectors that require particular trust, and it is essential that OP Financial Group can ensure a high level of information security and data protection in all its operations. All personal data (including patient data) are processed carefully and in accordance with legislative obligations and good data processing practices. We respect bank and insurance secrecy and the confidentiality of patient data in all our operations.
We ensure that processing is based on lawful grounds. We will only use data for purposes defined in advance or for purposes compatible with such predefined use. Any unnecessary personal data will be deleted or anonymised.
In certain situations, OP’s entities may process the personal data of a corporate customer’s employees, such as information about the corporate customer’s contact persons. As a general rule, an OP entity acts as the controller in these situations, in which case the corporate customer’s employees are data subjects as defined in data protection legislation. For example, this may be the case when a corporate customer has acquired lease financing from OP for employees’ company cars, or occupational accident and occupational disease insurance for its employees.
Below you can find answers to the most common questions presented by our corporate customers and cooperation partners.
What measures has OP Financial Group taken to ensure that the obligations of data protection legislation are met?
In a separate data protection project, OP has analysed all its functions related to the processing of personal data. The project ensured that OP can meet the requirements of the new regulation and thus further improve customer services.
OP Financial Group has also appointed a Data Protection Officer for the Group level. The Officer is assisted by an extensive network of data protection professionals. OP Financial Group will also train all staff members so that each employee in the OP Financial Group is familiar with the requirements of data protection legislation to the extent required by their duties and can implement data protection by design and by default in their own operation.
Our employees are covered under the occupational accident and occupational disease insurance and health insurance by Pohjola Insurance Ltd. What should our company take into account?
Pohjola Insurance Ltd is the controller in these cases and thus responsible for obligations related to the processing of personal data. We always process all personal data with particular care and in accordance with data protection legislation and good data processing practices.
Our company has acquired lease financing from OP for our employees’ company cars. What should our company take into account?
OP Corporate Bank plc is the controller in these cases and is therefore responsible for obligations related to the processing of personal data. We always process all personal data with particular care and in accordance with data protection legislation and good data processing practices.
How can our employees check their personal data in this case?
In situations in which an OP entity processes information about a corporate customer’s employees as a controller, the persons in question are entitled to access their own personal data. However, the right of access is a personal right, so our corporate customers may not access the data on behalf of their employees.
How is OP Financial Group prepared for data security breaches and communicating about them?
OP Financial Group makes every effort to prevent data security breaches. If a breach nevertheless occurs despite such measures, OP Financial Group has efficient operating models in place that allow it to react quickly and minimise any adverse effects of the breach. OP Financial Group will make the required notifications of data security breaches it has detected in accordance with legislation.
How is the processing of personal data agreed with corporate customers, and what is agreed in relation to processing?
In situations in which the General Data Protection Regulation requires that contracts must partly be updated, OP Financial Group will ensure that the contracts are updated. It may not be necessary to update contracts regarding OP Financial Group’s corporate customers.
Should an OP Financial Group corporate customer make an agreement with an OP Financial Group company in accordance with the so-called Art 28?
The General Data Protection Regulation requires that in certain situations, the processing of personal data is specified in an agreement made between a controller and the processor of personal data (agreement terms in accordance with the so-called Art 28).
For example, if statutory insurance for your employee has been acquired from OP, OP acts as the controller instead of a processor of personal data on behalf of your company, and it is therefore unnecessary to draft a data processing agreement in this connection in accordance with data protection legislation.
Does OP Financial Group transfer the personal data of corporate customers’ employees to third countries outside the European Economic Area?
Your data will only be processed by OP Financial Group entities and employees whose duties require the processing of your data.
We use subcontractors and partners for service production and provision. For this reason, your personal data may be transferred to such parties for processing commissioned by us. Such parties are only permitted to process your data in accordance with our instructions. They are not entitled to use your data for their own purposes, such as direct marketing.
We use various contractual and other arrangements to ensure that also our suppliers and partners process your data carefully and in accordance with good data processing practice.
As a rule, we process your data within the EEA. The EEA refers to EU Member States and Iceland, Liechtenstein, and Norway. If we transfer data to a country outside the EEA where the national regulations do not ensure data protection equal to the EU level of protection, we will ensure a sufficient level of personal data protection in the manner required by law and use data transfer mechanisms approved by the European Commission, primarily the European Commission's standard contractual clauses. We use standard contractual clauses for transfers to our IT service providers in India, for example.
The standard contractual clauses are available on the European Commission’s website:
We will start using the latest versions of the standard contractual clauses for transferring personal data outside the EEA in accordance with the deadline set by the European Commission, that is, by 27 December 2022.
In certain circumstances, such as when you make payments abroad, the personal details required for the payment can be transferred to a bank outside the EEA to implement an agreement you have signed with us or based on your consent (exceptional grounds for transfer).
Who is responsible for providing information on the processing of personal data?
When an OP Financial Group company acts as a controller, it is responsible for providing appropriate information on the processing of personal data to its customers and other data subjects.
How will OP Financial Group ensure that its subcontractors operate appropriately?
When an OP Financial Group company uses suppliers in the processing of personal data, it may use only such suppliers that have adequate safeguards in place to protect personal data. OP Financial Group selects all subcontractors with particular care to ensure an appropriate level of data protection and information security in all its operations. If necessary, OP Financial Group may also audit the processors of personal data used to ensure that their operation complies with requirements.
OP Financial Group concludes an agreement on the processing of personal data with each subcontractor it uses, in which the contracting party is required to operate in accordance with the General Data Protection Regulation.
How will OP Financial Group ensure the security of personal data?
We protect personal data with appropriate technical and organisational safeguards. Such methods include proactive and reactive risk management and the use of firewalls, encryption techniques, secure data centres, and access management and safety systems.
We also use security planning, grant and supervise user rights in a controlled manner, ensure the competences of personnel who process personal data, and choose our subcontractors carefully. We are continuously updating our in-house practices and guidelines.