Your rights

Right to obtain information about the processing of your personal data

The General Data Protection Regulation brings openness and transparency to personal data processing. Thus, you have the opportunity to control the processing of your data, understand the rights associated with the processing and also exercise them. We will inform you about the processing of your personal data whenever we collect or obtain it and will tell you about the purposes of the processing of your personal data and about your rights associated with the processing.

In the Privacy Notice, we inform you in greater detail, for example, of what party is the controller, i.e. the OP party which collects data, the name and contact details of the controller, the name and contact details of the Data Protection Officer, purposes of use of collected data, matters related to retention periods, to whom the data is disclosed and whether the data is processed outside of the EU. We also tell you about the safeguards related to processing and your rights.

Right of access to your data

You can view the key information related to your customer relationship with OP Financial Group in My profile at op.fi (in Finnish). In My profile, you can also request data stored from you to yourself and save data in both PDF and XML format to your own computer or other device.

If you wish to get the data in printed form, please visit our branch. In certain cases, we also provide you with the opportunity to view the data in our branch. Exercising the right of access is, as a rule, free of charge to you and you do not need to justify your request.

Right to transfer your data

You have the right to obtain certain personal data provided to us in a structured, generally used and machine-readable form. You can also transfer such data to another controller.

Right to rectify your data

We seek to keep your data up to date and also, at your request, rectify without delay any incorrect, insufficient or outdated data related to you, such as your contact details. You can yourself go to My profile at op.fi to make a rectification to you contact details, such as change in your phone number or email address. You can also do so by visiting an OP branch as always.

Right to restriction of processing your data

In certain cases, you may request a temporary restriction of the processing of your personal data, for example when you deny the accuracy of the data. In such a case, we exclude the personal data from daily use whose processing you want to restrict. You must indicate such restriction to the individual data to which your request for restriction applies.

Right to object to the processing of your personal data

You have the right to object to the processing of such personal data which is not based on special enactments, agreement or consent. You can always object to the processing of your personal data for direct marketing purposes. Furthermore, you can object, for example, to the processing related to market surveys and opinion polls or voluntary customer communication. The right to object to the processing of personal data does not mean a general right to object to all processing of personal data at OP.

Right not to be subject to automated individual decision-making that will have significant effects

Automated decision-making means that the decision concerning you is based solely on automatic data processing. Under heading "How do we utilise automated decision-making?" you will find examples of situations where we use automated decision-making.

We implement automated decision-making in order to speed up the handling of your matter significantly. For example, you can receive an automated loan decision quickly or your insurance policy can enter into force immediately after you have bought it. In our services based on automated decision-making, we inform you clearly of the matter before acquiring the service concerned.

If you are dissatisfied with an automated decision, you will have the right to request that the matter be handled by a natural person on behalf of the controller and the right to express your opinion and to contest the decision.

Right to have your personal data erased (“right to be forgotten”)

If you do not want your personal data to be processed at OP Financial Group, in certain cases you will have the right to request your data to be erased in part or in full. This is the situation when, for example, the processing of your data is based on your consent and you want to cancel your consent, or if your data is no longer needed for the purpose it was originally collected.

If you request the erasure of your personal data, we will assess whether we can erase such data. OP Financial Group's operations are subject to numerous special enactments (e.g. Accounting Act and tax legislation) which include obligations related to the retention of personal data.  For example, we cannot erase your personal data at your request if there is a specific legal obligation or another justified need to retain the data. Erasing personal data is mostly involved when the data retention period has expired or the data is otherwise found unnecessary or groundless.

In My profile at op.fi, you can view and manage your personal data, consents you have given and other information related to your customer relationship that relate to your personal data processed by OP Financial Group's financial business (banks, non-life insurance and wealth management).

In My profile, you can yourself change your contact details. You can also request data stored from you to yourself and save data in both PDF and XML format to your own computer or other device with just one click.

In My profile, you can submit a separate personal data request in case you need additional information.

Exercising the rights is, as a rule, free of charge for you. You can also exercise your rights by visiting our branch.

Op.fi's My profile service puts conveniently together the key information related to your customer relationship in a single place.

In My profile, you can view and manage your personal data, consents you have given and other information related to your customer relationship that relate to your personal data processed by OP Financial Group's financial business (banks, non-life insurance and wealth management). You can see whether your data and settings are up to date and you can change your contact details. You can, according to your needs, also request data stored from you to yourself and save data in both PDF and XML format to your own computer or other device with just one click. In My profile, you can also submit a separate personal data request in case you need additional information.

In My profile, you also find, for example, information related to your daily finances, loans, insurance policies and savings and investments, information on powers of attorney you have granted as well as information related to owner-customer membership and benefits. My profile also contains settings related to the Mobile key and security.

The content of My profile has been designed together with our customers. Data that was previously in various locations has been put together in an easily discernible package. We have paid particular attention to the findability of the data.

OP Financial Group operates in sectors that require particular trust, and it is essential that OP Financial Group can ensure a high level of information security and data protection in all of its operations. All personal data (including patient data) is processed carefully and in accordance with legislative obligations and good data processing practices. We respect bank and insurance secrecy and the confidentiality of patient data in all of our operations.

We ensure that processing is based on lawful grounds. We will only use data for purposes defined in advance or for purposes compatible with such predefined use. Any unnecessary personal data will be deleted or anonymised.

In certain situations, OP's entities may process the personal data of its corporate customer’s employees, such as the information of a corporate customer’s contact persons. As a general rule, an OP entity will act as a controller in these situations in which case the corporate customer’s employees are data subjects as defined in data protection legislation. This could be the case, for example, in situations in which a corporate customer has acquired lease financing from OP for employees’ company cars or their occupational accident and occupational disease insurances.

Below you can find answers to the frequently asked questions presented by our corporate customers and cooperation partners.

What kinds of measures has OP Financial Group taken to ensure that the obligations of data protection legislation are met?

In a separate data protection project, OP has reviewed all of its operations related to the processing of personal data. The project ensured that OP is able to meet the requirements of the new regulation and, in this way, further improve customer services.

OP Financial Group has also appointed a Data Protection Officer for the Group level. The Officer is assisted by an extensive network of data protection professionals. There is also a separate Data Protection Officer in Pohjola Hospital Ltd. OP Financial Group will also train all staff members so that each employee in the OP Financial Group is familiar with the requirements of data protection legislation to the extent required by their duties and able to implement data protection by design and by default in their own operation.

Our employees are covered under the occupational accident and occupational disease insurance and health insurance by Pohjola Insurance Ltd. What should our company take into account?

Pohjola Insurance Ltd is the controller in these cases and thus responsible for obligations related to the processing of personal data. We always process all personal data with particular care and in accordance with data protection legislation and good data processing practices.

Our company has acquired lease financing from OP to our employees’ company cars. What should our company take into account?

OP Corporate Bank plc is the controller in these cases and thus responsible for obligations related to the processing of personal data. We always process all personal data with particular care and in accordance with data protection legislation and good data processing practices.

How can our employees check their personal data in this case?

In situations in which an OP entity processes the information of corporate customer’s employees as a controller, the persons in question are entitled to access their personal data. However, the right of access is a personal right and therefore, our corporate customers may not access the data on behalf of their employees.

How is OP Financial Group prepared for data security breaches and communicating about them?

OP Financial Group will make every effort to prevent all data security breaches. In the event of a data security breach regardless of such measures, OP Financial Group has efficient operating models in place with the help of which it can quickly react to such situations and minimise any adverse effects of the breach. OP Financial Group will make necessary notifications on data security breaches it has detected in accordance with legislation.

How is the processing of personal data agreed with corporate customers and what is agreed related to processing?

In situations in which the General Data Protection Regulation requires that contracts must partly be updated, OP Financial Group will ensure that the contracts are updated. It may not be necessary to update contracts with regard to OP Financial Group’s corporate customers.

Should an OP Financial Group’s corporate customer make an agreement with an OP Financial Group company in accordance with the so-called Art 28?

The General Data Protection Regulation requires that in certain situations the processing of personal data is specified in an agreement made between a controller and the processor of personal data (agreement terms in accordance with the so-called Art 28).

For example, if statutory insurances for your employee have been acquired from OP, OP acts as the controller instead of a processor of personal data on behalf of your company, and therefore, it is not necessary to draft a data processing agreement in this connection according to data protection legislation.

Does OP Financial Group transfer the personal data of corporate customer’s employees to third countries outside the European Economic Area?

Your data will only be processed by OP Financial Group entities and employees whose duties require the processing of your data.

We use subcontractors and partners for service production and provision. For this reason, your personal data may be transferred to such parties for processing commissioned by us. Such parties are only permitted to process your data in accordance with our instructions. They are not entitled to use your data for their own purposes, such as direct marketing.

We use various contractual and other arrangements to ensure that also our suppliers and partners process your data carefully and in accordance with good data processing practice.

As a rule, we process your data within the EEA. The EEA refers to EU Member States and Iceland, Liechtenstein, and Norway. If we transfer data to a country outside the EEA where the national regulations do not ensure data protection equal to the EU level of protection, we will ensure a sufficient level of personal data protection in the manner required by law and use data transfer mechanisms approved by the European Commission, primarily the European Commission's standard contractual clauses. We use standard contractual clauses for transfers to our IT service providers in India, for example.

The standard contractual clauses are available on the European Commission’s website:

We will start using the latest versions of the standard contractual clauses for transferring personal data outside the EEA in accordance with the deadline set by the European Commission, that is, by 27 December 2022.

In certain circumstances, such as when you make payments abroad, personal data required for the payment can be transferred to a bank outside the EEA in order to implement an agreement you have signed with us or on the basis of your consent (derogations for transfer). 

Who is responsible for providing information on the processing of personal data?

When an OP Financial Group company acts as a controller, it is responsible for providing appropriate information on the processing of personal data to its customers and other data subjects.

How will OP Financial Group ensure that its subcontractors operate appropriately?

When an OP Financial Group company uses suppliers in the processing of personal data, it may use only such suppliers which have adequate safeguards in place to protect personal data. OP Financial Group selects all subcontractors with particular care in order to ensure an appropriate level of data protection and information security in all of its operations. If necessary, OP Financial Group may also audit the processors of personal data used in order to ensure that their operation complies with requirements.

OP Financial Group makes an agreement with subcontractors used regarding the processing of personal data in which the contracting party is required to operate in accordance with the General Data Protection Regulation.

How will OP Financial Group ensure the security of personal data?

We protect personal data with appropriate technical and organisational safeguards. Such methods include proactive and reactive risk management and the use of firewalls, encryption techniques, secure data centres and access management and safety systems. We also make use of security planning, grant and supervise user rights in a controlled manner, ensure the competence of personnel who process personal data and choose our subcontractors carefully. We are continuously updating our in-house practices and guidelines.

Automated decision-making means that the decision concerning you is based solely on automatic data processing. Automated decision-making speeds up the processing of your case considerably. For example, you can receive an automatic loan decision quickly or your insurance policy can enter into force immediately after you have bought it.

Bank cards, or debit cards

We may use automated decision-making when issuing cards. The decision is based on your customer details that OP Financial Group already has. Once you have received the decision, you may, if you like, request the employee to process your details on behalf of the issuer.

Credit cards, secured loans and unsecured loans

We may use automated decision-making in loan decisions. The decision is based on information you have provided, your customer details that OP Financial Group already has as well as information obtained from the credit information register and the Population Information System.

Once you have received the loan decision, you may, if you like, request the employee to process your details on behalf of the lender.

Buying insurance

We may use automated decision-making when you buy insurance online or through a mobile application. The decision is based on the information you have provided, your customer details that OP Financial Group already has, the Vehicular and Driver Data Register, the credit information register as well as our customer and insurance instructions. We get information on registered vehicles from the Vehicular and Driver Data Register based on the vehicle registration number you have given.

Once you have received the decision, you may, if you like, request the employee to process your details on behalf of the insurer.

Health declaration

We may use automated decision-making when you fill in a health declaration while applying for insurance, i.e. you give information on the insured person’s state of health. The decision is based on the information you have provided, our risk selection instructions, selected scope of cover as well as selected maximum compensation or compensation.

Once you have received the decision, you may, if you like, request the employee to process your details on behalf of the insurer.

Insurance claims

We may use automated decision-making process in claims settlement. The claim decision is based on information in your loss report, the insurance terms and conditions and your customer details OP Financial Group already has.

Once you have received the decision, you may, if you like, request the employee to process your details on behalf of the insurer.

Termination of insurance policy

An insurance policy can be terminated automatically due to unpaid bills.

Accounts

We may use automated decision-making when opening an account. The decision is based on information you have provided, your customer details that OP Financial Group already has as well as information obtained from the Population Information System.

Once you have received the decision, you may, if you like, request the employee to process your details again on behalf of the account provider.

How do cookies work?

Cookies are small text files that are stored in your device’s browser. They show us the type of device with which you are using OP eServices and whether you have visited our websites earlier.

We use cookies only with the user’s consent

With your cookie settings, you can influence the purposes for which we can utilise the data we have collected. For example, we do not utilise the data for targeting and marketing without your consent.

Your cookie settings are used in the op.fi service and all its subpages as well as on OP-mobile from version 31.0 and OP Business mobile from version 15.0. If necessary, we will ask for your consent to cookies when you visit these pages.

If you have only permitted necessary cookies, we will ask your consent again after 6 months. Your other cookie settings will remain in force for 12 months. If you remove cookies from the browser, we will ask your consent again the next time you visit our website.

Cookies on public webpages

When visiting public webpages of OP Financial Group, your cookie settings are stored in your browser. If you use different browsers, each may have their own browser settings.

If several persons use the same device and browser, the cookie choices made by a single user will also apply to other users, unless the cookies are deleted from the browser after use.

Learn more about browser-specific cookie settings

Cookies in OP eServices for private customers

If you log into the op.fi service during the same session and within 15 minutes, your cookie settings for the public webpage will be saved to your customer information. 

Learn more about cookie settings for private customers logged into OP eServices

When you are logged in, your cookie settings can also be found in your My profile.

Cookies in corporate eServices

When logging into op.fi with business user identifiers, your cookie settings are stored in your personal information. Consent to cookies is always tied to a natural person, not to the company.

Learn more about cookie settings for corporate customers logged into OP eServices

We use both session and persistent cookies. Tools can set several cookies with different retention times. We indicate the maximum cookie retention time for each tool. 

• Session cookies exist only during a single session, or visit. They are deleted automatically when you close the browser. With session cookies, you can move from one page to another, log into the service and use different types of calculators and on-line forms, for instance. 
• Persistent cookies remain on your browser or device for a fixed period, also after the session, unless you delete them from the browser settings. We use persistent cookies to improve the user experience. With persistent cookies, the website identifies your device and remembers your settings, such as language choice, when you visit the website again.

Tool list

List of tools used in the op.fi service and its subpages. OP-mobile and OP Business mobile only use Adobe Analytics. In addition to these, OP uses internal cookies and tools. The maximum time which we store cookies is listed for each tool.

Third party marketing cookies 

Third party marketing cookies allow us to target OP’s topical marketing to the user through various websites and institutional services. They also give us statistical data on marketing and target groups. 

This website uses the marketing cookies of Facebook, Instagram, LinkedIn, Snapchat, Sumo, Twitter and YouTube.

Third parties are responsible for the retention times of marketing cookies in accordance with their own privacy policies.

Embed codes

We use social extensions, i.e. third party embed codes, on OP Financial Group’s websites. They allow you to view social media content and videos on the website. This website uses the embed codes of YouTube.

Embed codes are downloaded from the social media service providers’ own servers. Your cookie choices do not for now affect the cookie policies related to social plugins. Embed codes can set their own cookies based on their principles. With the cookies, service providers can collect information on the users for their own purposes. 

Your privacy is important to us 

The data collected using cookies and different tools are owned by OP Financial Group’s data controllers, and can only be accessed by OP. Our partners act as processors of the data for and on behalf of OP, and do not use the data for their own purposes. 

We can only disclose data to third parties with consent obtained through marketing cookies. Third parties are responsible for the use of such data as joint controllers with OP or as independent controllers in accordance with their own privacy policies. 

As a responsible company, we are committed to protecting your privacy in compliance with data protection legislation. Read more about how OP processes your personal data 

OP Financial Group’s cookie practices and requests for consent to the use of cookies comply with the relevant legislation and the guidelines and resolutions issued by the authorities. In particular, we observe the following:

• Judgment of the European Court of Justice C-673/17 – Planet49 
• Decision of the Deputy Data Protection Ombudsman on giving consent to the use of cookies (in Finnish)

Read more about the privacy policies of our partners and social media services: 

• Adform
• Adobe
• Facebook
• Google Ads
• Instagram
• LinkedIn
• Salesforce DMP
• Twitter
• YouTube

Erasing cookie history

You can erase the cookie history from your browser’s settings to remove all previous cookies saved by the browser. Erasing cookie history does not prevent the formation of new cookie data.

Disabling the use of previous targeting data

If you have previously allowed targeting cookies, your new cookie settings will not immediately remove old cookie data. You may see targeted marketing on our partners’ websites for 30 days after you have cancelled your consent.

Disabling third-party web advertising

If you have previously disabled third party cookies, advertisers and advertisement networks will target advertising to you, based on browser-based behavioural data previously collected from OP Financial Group’s pages.

You can prevent web advertising from outside OP that is based on previously disclosed data, either completely or specific to the company.

Disable targeted web advertising on the Your Online Choices website

Disabling all cookies

If you wish to disable cookies completely, you can do it by changing your browser settings. For more detailed information, see the instructions of your browser.

If you disable all cookies, we cannot guarantee the functionality of the basic service functions, such as language settings and log-in.