Your rights


What are your rights as our customer?

You have, among others, the right to receive open and transparent information on the processing of your personal data, check your information, demand correction of inaccurate or incomplete data and demand the deletion of unnecessary or out-of-date data. Read more about all your rights below.

Right to obtain information about the processing of your personal data

The General Data Protection Regulation brings openness and transparency to personal data processing. Thus, you have the opportunity to control the processing of your data, understand the rights associated with the processing and also exercise them. We will inform you about the processing of your personal data whenever we collect or obtain it and will tell you about the purposes of the processing of your personal data and about your rights associated with the processing.

In the Privacy Notice, we inform you in greater detail, for example, of what party is the controller, i.e. the OP party which collects data, the name and contact details of the controller, the name and contact details of the Data Protection Officer, purposes of use of collected data, matters related to retention periods, to whom the data is disclosed and whether the data is processed outside of the EU. We also tell you about the safeguards related to processing and your rights.

Right of access to your data

You can view the key information related to your customer relationship with OP Financial Group in My profile at op.fi (in Finnish). In My profile, you can also request a copy of the data stored about you and save it in both PDF and XML format to your own computer or other device. If you wish to get the data in printed form, please visit our branch. In certain cases, we also provide you with the opportunity to view the data in our branch. Exercising the right of access is, as a rule, free of charge to you and you do not need to justify your request.

Right to transfer your data

You have the right to obtain certain personal data provided to us in a structured, generally used and machine-readable form. You can also transfer such data to another controller.

Right to rectify your data

We seek to keep your data up to date and also, at your request, rectify without delay any incorrect, insufficient or outdated data related to you, such as your contact details. You can go to My profile at op.fi to rectify your contact details yourself, such as a change in your phone number or email address. As always, you can also do so by visiting an OP branch.

Right to restriction of processing your data

In certain cases, you may request a temporary restriction of the processing of your personal data, for example when you deny the accuracy of the data. In such a case, we exclude from daily use the personal data whose processing you want to restrict. You must specify the individual data to which your request for restriction applies.

Right to object to the processing of your personal data

You have the right to object to the processing of such personal data which is not based on special enactments, agreement or consent. You can always object to the processing of your personal data for direct marketing purposes. Furthermore, you can object, for example, to the processing related to market surveys and opinion polls or voluntary customer communication. The right to object to the processing of personal data does not mean a general right to object to all processing of personal data at OP.

Right not to be subject to automated individual decision-making that will have significant effects

Automated decision-making means that the decision concerning you is based solely on automatic data processing. Under the heading "How do we utilise automated decision-making?" you will find examples of situations where we use automated decision-making. We implement automated decision-making in order to speed up the handling of your matter significantly. For example, you can receive an automated loan decision quickly or your insurance policy can enter into force immediately after you have bought it. In our services based on automated decision-making, we inform you clearly of the matter before you acquire the service concerned. If you are dissatisfied with an automated decision, you will have the right to request that the matter be handled by a natural person on behalf of the controller and the right to express your opinion and to contest the decision.

Right to have your personal data erased (“right to be forgotten”)

If you do not want your personal data to be processed at OP Financial Group, in certain cases you will have the right to request your data to be erased in part or in full. This is the situation when, for example, the processing of your data is based on your consent and you want to cancel your consent, or if your data is no longer needed for the purpose it was originally collected.

If you request the erasure of your personal data, we will assess whether we can erase such data. OP Financial Group's operations are subject to numerous special enactments (e.g. Accounting Act and tax legislation) which include obligations related to the retention of personal data. For example, we cannot erase your personal data at your request if there is a specific legal obligation or another justified need to retain the data. Personal data is mostly erased when the data retention period has expired or the data is otherwise found unnecessary or groundless.

In My profile at op.fi, you can view and manage your personal data, consents you have given and other information related to your customer relationship that relate to your personal data processed by OP Financial Group's financial business (banks, non-life insurance and wealth management).

In My profile, you can change your contact details yourself. You can also request a copy of the data stored about you and save it in both PDF and XML format to your own computer or other device with just one click.

In My profile, you can submit a separate personal data request in case you need additional information.

Exercising the rights is, as a rule, free of charge for you. You can also exercise your rights by visiting our branch.

Op.fi's My profile service conveniently brings together the key information related to your customer relationship in a single place.

In My profile, you can view and manage your personal data, consents you have given and other information related to your customer relationship that relate to your personal data processed by OP Financial Group's financial business (banks, non-life insurance and wealth management). You can see whether your data and settings are up to date and you can change your contact details. According to your needs, you can also request a copy of the data stored about you and save it in both PDF and XML format to your own computer or other device with just one click. In My profile, you can also submit a separate personal data request in case you need additional information.

In My profile, you also find, for example, information related to your daily finances, loans, insurance policies and savings and investments, information on powers of attorney you have granted as well as information related to owner-customer membership and benefits. My profile also contains settings related to the Mobile key and security.

The content of My profile has been designed together with our customers. Data that was previously in various locations has been put together in an easily discernible package. We have paid particular attention to the findability of the data.

OP Financial Group operates in sectors that require particular trust, and it is essential that OP Financial Group can ensure a high level of information security and data protection in all of its operations. All personal data (including patient data) is processed carefully and in accordance with legislative obligations and good data processing practices. We respect bank and insurance secrecy and the confidentiality of patient data in all of our operations.

We ensure that processing is based on lawful grounds. We will only use data for purposes defined in advance or for purposes compatible with such predefined use. Any unnecessary personal data will be deleted or anonymised.

In certain situations, OP's entities may process the personal data of their corporate customers’ employees, such as the information of a corporate customer’s contact persons. As a general rule, an OP entity will act as a controller in these situations, in which case the corporate customer’s employees are data subjects as defined in data protection legislation. This could be the case, for example, in situations in which a corporate customer has acquired lease financing from OP for employees’ company cars or their occupational accident and occupational disease insurance.

Below you can find answers to the frequently asked questions presented by our corporate customers and cooperation partners.

What kinds of measures has OP Financial Group taken to ensure that the obligations of data protection legislation are met?

In a separate data protection project, OP has reviewed all of its operations related to the processing of personal data. The project ensured that OP is able to meet the requirements of the new regulation and, in this way, further improve customer services.

OP Financial Group has also appointed a Data Protection Officer for the Group level. The Officer is assisted by an extensive network of data protection professionals. There is also a separate Data Protection Officer in Pohjola Hospital Ltd. OP Financial Group will also train all staff members so that each employee in the OP Financial Group is familiar with the requirements of data protection legislation to the extent required by their duties and able to implement data protection by design and by default in their own operation.

Our employees are covered under the occupational accident and occupational disease insurance and health insurance by OP Insurance Ltd. What should our company take into account?

OP Insurance Ltd is the controller in these cases and thus responsible for obligations related to the processing of personal data. We always process all personal data with particular care and in accordance with data protection legislation and good data processing practices.

Our company has acquired lease financing from OP for our employees’ company cars. What should our company take into account?

OP Corporate Bank plc is the controller in these cases and thus responsible for obligations related to the processing of personal data. We always process all personal data with particular care and in accordance with data protection legislation and good data processing practices.

How can our employees check their personal data in this case?

In situations in which an OP entity processes the information of a corporate customer’s employees as a controller, the persons in question are entitled to access their personal data. However, the right of access is a personal right and therefore our corporate customers may not access the data on behalf of their employees.

How is OP Financial Group prepared for data security breaches and communicating about them?

OP Financial Group will make every effort to prevent all data security breaches. If a data security breach occurs despite such measures, OP Financial Group has efficient operating models in place with which it can react quickly to such situations and minimise any adverse effects of the breach. OP Financial Group will make the necessary notifications on data security breaches it has detected in accordance with legislation.

How is the processing of personal data agreed with corporate customers and what is agreed related to processing?

In situations in which the General Data Protection Regulation requires that contracts must partly be updated, OP Financial Group will ensure that the contracts are updated. It may not be necessary to update contracts with regard to OP Financial Group’s corporate customers.

Should a corporate customer of OP Financial Group make an agreement with an OP Financial Group company in accordance with the so-called Art 28?

The General Data Protection Regulation requires that in certain situations the processing of personal data is specified in an agreement made between a controller and the processor of personal data (agreement terms in accordance with the so-called Art 28). For example, if statutory insurances for your employee have been acquired from OP, OP acts as the controller instead of a processor of personal data on behalf of your company, and therefore, it is not necessary to draft a data processing agreement in this connection according to data protection legislation.

Does OP Financial Group transfer the personal data of corporate customer’s employees to third countries outside the European Economic Area?

We use subcontractors and partners for service provision. Personal data can be transferred in connection with service provision to an OP Financial Group subcontractor located in a third country, for example. OP Financial Group always follows the obligations of data protection legislation when data is being transferred. We use various contractual and other arrangements to ensure that our subcontractors and partners process personal data carefully and in accordance with good data processing practice.

As a rule, we process personal data within the EEA. The EEA refers to EU Member States and Iceland, Liechtenstein and Norway. If we transfer data outside the EEA, such as to the United States, we will ensure a sufficient level of personal data protection in the manner required by law and use data transfer mechanisms approved by the European Commission, primarily the European Commission's standard contractual clauses.

Who is responsible for providing information on the processing of personal data?

When an OP Financial Group company acts as a controller, it is responsible for providing appropriate information on the processing of personal data to its customers and other data subjects.

How will OP Financial Group ensure that its subcontractors operate appropriately?

When an OP Financial Group company uses suppliers in the processing of personal data, it may use only such suppliers which have adequate safeguards in place to protect personal data. OP Financial Group selects all subcontractors with particular care in order to ensure an appropriate level of data protection and information security in all of its operations. If necessary, OP Financial Group may also audit the processors of personal data used in order to ensure that their operation complies with requirements.

OP Financial Group makes an agreement with the subcontractors it uses regarding the processing of personal data, in which the contracting party is required to operate in accordance with the General Data Protection Regulation.

How will OP Financial Group ensure the security of personal data?

We protect personal data with appropriate technical and organisational safeguards. Such methods include proactive and reactive risk management and the use of firewalls, encryption techniques, secure data centres and access management and safety systems. We also make use of security planning, grant and supervise user rights in a controlled manner, ensure the competence of personnel who process personal data and choose our subcontractors carefully. We are continuously updating our in-house practices and guidelines.

How do we use cookies and web analytics?

We use different analytics services to collect data on the usage of our website and services and to target advertising. Cookies enable us to link collected data to a unique browser. We can link data on the usage of services and websites to a customer only when the visitor logs into OP’s services using his/her own OP username and password.

We aim to provide a better and more personal customer experience

By analysing our website usage and by using cookies, we aim to provide more personal services and to maintain and develop our websites.

Cookies are small text files that are stored on the user’s device. We use cookies to uniquely identify browsers and to verify browsers used by our website visitors. In other words, cookies show whether the user has visited our website previously with the same browser.

Cookies and analytics provide us with information, for example, on which pages visitors go to, what applications they use and how they navigate between pages or sites. In order to develop our website, we collect data on, for example, what kind of website content is most efficient and functional.

You can disable the use of cookies for statistical purposes or for targeted advertising on op.fi. You can edit your choices here. If you want to disable cookies altogether you can do it in the browser settings. You can also disable cookies from the browser and disable targeted advertising and messages based on your historical behavioural data.

Automated decision-making means that the decision concerning you is based solely on automatic data processing. Automated decision-making speeds up the processing of your case considerably. For example, you can receive an automatic loan decision quickly or your insurance policy can enter into force immediately after you have bought it.

Bank cards, or debit cards

We may use automated decision-making when issuing cards. The decision is based on your customer details that OP Financial Group already has. Once you have received the decision, you may, if you like, request the employee to process your details on behalf of the issuer.

Credit cards, secured loans and unsecured loans

We may use automated decision-making in loan decisions. The decision is based on information you have provided, your customer details that OP Financial Group already has as well as information obtained from the credit information register and the Population Information System. Once you have received the loan decision, you may, if you like, request the employee to process your details on behalf of the lender.

Buying insurance

We may use automated decision-making when you buy insurance online or through a mobile application. The decision is based on the information you have provided, your customer details that OP Financial Group already has, the Vehicular and Driver Data Register, the credit information register as well as our customer and insurance instructions. We get information on registered vehicles from the Vehicular and Driver Data Register based on the vehicle registration number you have given. Once you have received the decision, you may, if you like, request the employee to process your details on behalf of the insurer.

Health declaration

We may use automated decision-making when you fill in a health declaration while applying for insurance, i.e. you give information on the insured person’s state of health. The decision is based on the information you have provided, our risk selection instructions, selected scope of cover as well as selected maximum compensation or compensation. Once you have received the decision, you may, if you like, request the employee to process your details on behalf of the insurer.

Insurance claims

We may use automated decision-making in claims settlement. The claim decision is based on information in your loss report, the insurance terms and conditions and your customer details that OP Financial Group already has. Once you have received the decision, you may, if you like, request the employee to process your details on behalf of the insurer.

Termination of insurance policy

An insurance policy can be terminated automatically due to unpaid bills.

Accounts

We may use automated decision-making when opening an account. The decision is based on information you have provided, your customer details that OP Financial Group already has as well as information obtained from the Population Information System. Once you have received the decision, you may, if you like, request the employee to process your details again on behalf of the account provider.