OP Retail Customers Plc's customer data file for payment services

Privacy Notice

Updated 31.5.2022

1. General information

This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and the national data protection law for a data subject, such as for the controller’s customer, employees and for the supervisory authority.

2. Controller and its contact information

OP Retail Customers plc
Postal address: P.O. BOX 909, 00013 OP
Street address: Gebhardinaukio 1, 00510 HELSINKI
Controller’s contact person: OP Financial Group’s Data Protection Team
Telephone: 0100 0500
Email: dataprotection@op.fi

3. Data Protection Officer's contact information

OP Financial Group's Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, 00013 OP
Email: dataprotection@op.fi

4. Name of the personal data file and data subjects

OP Retail Customers plc’s customer data file for payment services

Data subjects include private customers who use a payment service / some payment services provided by OP Retail Customers plc. Data subjects also include customers, who act on behalf of an entity, and the entity they represent use a payment service / some payment service provided by OP Retail Customers plc.  Payment services provided by the controller include Pivo payment (consumer service), Pivo Payment button (merchant service), OP Yrityssiirto (merchant service) and OP-mobile Siirto payment (consumer service). Data subjects also include private customers who use the Pivo Account Information Service (consumer service) provided by OP Retail Customers plc.

5. Purposes of personal data processing and legal basis for processing

5.1 Purposes of processing

Providing payment services and the Pivo Account Information Service requires processing personal data. The controller processes data included in the data file mainly for producing, providing and delivering payment services and the Pivo Account Information Service. Below you can find more detailed information on how personal data is used in the data file.

The purposes of use of personal data include the following: If any purpose of use of personal data concerns only a certain service / certain services, this matter is mentioned separately below.

  • Executing payment services to private and corporate customers
  • Providing and delivering the Pivo Account Information Service to private customers
  • Customer service and customer relationship management and development, including customer communications
  • Provision, development and quality assurance of services
  • For consumer services, monitoring and analysis of service use and customer segmentation, for example, in order for the controller to be able to offer personalised service content to the users
  • Business development
  • For consumer services, opinion polls and market surveys
  • Direct marketing in respect of Pivo payment, Pivo Payment button, and Pivo Account Information Service
  • Targeted marketing and advertising in respect of Pivo payment, Pivo Payment button, and Pivo Account Information Service
  • Fulfilling statutory obligations and any other official rules and regulations
  • Risk management
  • Ensuring the security of services and investigating abuses

Automated decision-making and profiling

Automated decision-making is involved when a decision is made automatically only in such a way that a person does not participate in making an individual decision and when such a decision has legal effects on the data subject and considerably affects the data subject in a similar manner.

Personal data processing within the scope of the data file involves automated decision-making performed when the customer acquires payment services. By means of a sanctions list review which is included in decision-making, the controller can determine, for example, whether services provided by the controller are used for terrorist financing or money laundering.

If automated decision-making is included in the service that you have acquired, this is informed upon purchase of the service in greater detail. When the decision process is fully automated, the controller ensures that the data subject can submit the matter for manual processing and decision.

Processing of personal data within the scope of the data file includes profiling. Profiling means automated processing of personal data where certain aspects relating to a natural person are evaluated by utilising this data.

The controller performs profiling when reviewing the sanctions list in order to be able to identify whether payment services are sued for terrorist financing or money laundering. Profiling is also performed in customer segmentation for private customers using payment services provided on the Pivo application so that the controller is able to provide customers, for example, with personalised content in the services. Private customers are also profiled based on the services they use to implement targeted marketing efforts.

General information about automated decision-making and profiling is available in OP Financial Group’s Privacy Statement at op.fi/dataprotection.

Anti-money laundering and counter-terrorist financing, and sanctions monitoring

KYC information and other data subject's personal data may be used to prevent, uncover and detect money laundering and terrorist financing as well as for other purposes required by the Act on Preventing and Detecting Money Laundering and Terrorist Financing.

The data subject's personal data may be used to investigate whether the person is subject to international sanctions applied by the controller. Further information on OP Financial Group's sanctions compliance is primarily available in the terms and conditions of the acquired product or service.

The controller may process personal data concerning crimes or suspected crimes made directly against the operations of the credit institution, if that is necessary in order to prevent and detect such crimes.

5.2 Legal bases of processing

Below is a description of the legal bases of processing used by the data file. If any legal basis concerns only a certain service / certain services, this matter is mentioned separately below.

Legal basis

Example

Contractual relationship or actions preceding the conclusion of a contract

Personal data is processed in the data file mainly on a contractual basis to provide and deliver payment services as well as Pivo and the Account Information Service acquired by the data subject or the entity represented by the data subject.

Applies to the following data subjects: private customers and persons acting on behalf of entities

Consent

The processing of personal data related to the provision of payment services is based on consent under the Payments Services Act.

Direct marketing through an electronic channel is based on the data subject's consent that is collected relating to the payment services on the Pivo application

Applies to the following data subjects: private customers

Statutory obligation

The provision of payment services requires a legal basis for personal data processing based on the Payment Services Act.

For payment services, personal data is processed in the data file based on the Act on Preventing and Detecting Money Laundering and Terrorist Financing and on sanctions legislation.

Payment services require strong electronic authentication, in which case the Act on Strong Electronic Identification and Electronic Signatures applies to identity verification. 

The controller processes personal data in the data file to safeguard security and detect fraud.

Applies to the following data subjects: private customers and persons acting on behalf of entities

Legitimate interests of the controller or a third party

Direct marketing and business development are based on the controller's legitimate interest. International sanctions monitoring performed by the controller is partly based on a legitimate interest.

The controller's legitimate interests are based on the customer relationship or similar relationship between the controller and the data subject. The controller ensures that the processing performed on this basis is proportionate to the data subject's benefits and meets his/her reasonable expectations.

Applies to the following data subjects: private customers and persons acting on behalf of entities

6. Categories of personal data

Below is a description of the personal data categories processed in the data file. If some data content is processed only in a certain service / certain services, this matter is mentioned separately below.

Category of personal data

Data content of the category

Basic information

Data subject’s name and personal identity code
Data subject’s contact information:
address, phone number, mobile phone number, email address and language for transactions

Applies to the following data subjects: private customers
Applies to all consumer services

Data subject’s name and personal identity code
Data subject’s contact information:
job title, workplace address, work phone number, mobile phone number, email address

Applies to the following data subjects: persons acting on behalf of entities
Applies to all merchant services

KYC information

For payment services, statutory KYC information such as the information required to identify the customer and to determine their financial status and political exposure

Customer relationship information

Information that uniquely identifies and classifies the customer

Applies to the following data subjects: private customers and persons acting on behalf of entities

Consents

The consents given and withheld by the data subject concerning personal data processing

Applies to the following data subjects: private customers

Contract and product information

Information on contracts between the controller and data subject / the entity represented by the data subject

Information on services and/or products acquired by the data subject

Applies to the following data subjects: private customers and persons acting on behalf of entities

Customer activity data

Tasks and transactions related to managing the customer relationship, including information on payment transactions

Bank accounts and payment instruments used in the service

Applies to the following data subjects: private customers and persons acting on behalf of entities

Behavioural information (incl. information collected using cookies and other such technologies)

Tracking of the data subject's online behaviour and use of services using, for example, cookies. The collected information may include a website browsed by the user, the device model, unique device and/or cookie ID, channel such as an application, mobile browser or web browser, browser version, IP address, session ID, session time and duration, and the display resolution and operating system.

Applies to the following data subjects: private customers and persons acting on behalf of entities

Recordings and content of messages

Recordings and messages in various formats, in which the data subject is a party, for example, photographs and call recordings

Applies to the following data subjects: private customers and persons acting on behalf of entities

Technical verification data

Identifier determined by a device or an application, with which the user of the device or application can be identified, using additional information if necessary

Applies to the following data subjects: private customers and persons acting on behalf of entities

7. Recipients and recipient groups of personal data

7.1 Data recipients

Personal data may be disclosed to the authorities within the limits permitted by law, such as the police in connection with fraud.

When disclosing personal data included in the data file, the controller takes into account the requirements of mandatory legislation, including the controller's confidentiality obligations.

7.2 Transfer of data to suppliers

The controller uses suppliers which process personal data for its account. The controller concludes appropriate agreements on personal data processing with such suppliers.

The controller uses suppliers, for example, when performing payments services. Some of the used suppliers include other OP Financial Group entities.

7.3 International transfers of data

The controller uses suppliers in data processing, and data may be transferred outside of the EU or EEA. When data is transferred outside of the EU or EEA, the transfer is done using the EU Commission’s standard contractual clauses or some other transfer mechanism in accordance with legislation. Read more about international transfers of personal data and the European Commission's standard contractual clauses at OP’s website: op.fi/dataprotection

Some of the controller’s suppliers are other OP Financial Group entities. They provide the controller with information system and other support services, among other things. 

8. Personal data retention period or criteria for determining the period

The controller processes personal data during the validity of the contractual relationship. Once the contractual relationship has terminated, the controller will erase the personal data after around ten years in accordance with the erasure processes it follows.

The controller will retain personal data needed to execute a payment transaction for 6 years after the execution of the payment transaction, after which the controller will erase the data in accordance with the erasure processes it follows. The controller retains other personal data processed in payment transactions, such as photos taken by data subjects themselves, for 2 years of the date of the execution of the payment transaction.

After the contractual relationship has terminated, the controller may process the personal data for direct marketing purposes in accordance with applicable legislation.

The controller may be under an obligation to process some personal data in the data file for a period longer than stated above in order to comply with legislation or requirements set by the relevant authorities, such as capital adequacy measurement regulation.

9. Personal data sources and updates

Personal data is collected primarily from the data subjects themselves. Personal data may also be collected when the data subject uses certain controller services, such as online services.

Personal data can also be collected and updated within the limits permitted by law from the personal data files of third parties, examples including:

  • Digital and Population Data Services Agency
  • personal data files maintained by other authorities
  • credit information register controllers
  • other customer data files of OP Financial Group entities.

10. Data subject's rights

Data subjects have the right to receive the controller's confirmation of whether their personal data will be processed or not, or whether they have already been processed.

If the controller processes a data subject's personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.

The controller may charge a reasonable administrative fee for additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.

The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.

After the application of the General Data Protection Regulation has begun, the data subject will, in certain cases, also have the right to request the controller to restrict the processing of their personal data or to otherwise oppose the processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in machine-readable format.

All of the above requests must be submitted to the abovementioned contact person of the controller.

If a data subject considers that his/her personal data is not processed legally, he/she has the right to file a complaint with the supervisory authority.

11. Right to cancel prior consent

If the controller processes the data subject's personal data on the basis of consent, the data subject has the right to cancel such consent. The cancellation of consent does not affect the lawfulness of processing performed based on the consent prior to its cancellation. Such cancellation may, however, have an effect on the usability and functionalities of the service.

12. Protection methods regarding the data file

The controller processes personal data securely and in a manner fulfilling the requirements of applicable laws. It has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.

The controller has protected the data appropriately in technical and organisational terms. The data file is protected using, for example, the following tools:

  • Protection of equipment and files
  • Access control
  • User identity verification
  • Access rights
  • Registration of usage events
  • Processing guidelines and supervision

The controller also requires that its suppliers and other partners ensure appropriate protection of the personal data to be processed.