Updated on 17 April 2023
1. Overview
This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and the national legislation for a data subject, that is, for the controller’s customer, employees and for the supervisory authority.
2. Controller and its contact information
A data file shared by OP Financial Group (hereinafter also OP) companies (including OP Cooperative and its subsidiaries and the Group's cooperative banks).
Postal address: P.O. Box 308, FI-00013 OP, FINLAND
Street address: Gebhardinaukio 1, 00510 Helsinki
Controller’s contact person: OP Financial Group’s Data Protection Team
Telephone: 0100 0500
Email: dataprotection@op.fi
3. Data Protection Officer's contact information
OP Financial Group’s Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, FI-00013 OP, FINLAND
Email: dataprotection@op.fi
4. Name of the personal data file
OP Financial Group’s privacy notice for campaigns, newsletters and social media
The data file covers those who have demonstrated an interest in services provided by OP Financial Group companies as well as subscribers to the newsletter, those participating in a campaign or competition, and those who have produced content in the web services. The data file also covers those who have reacted to OP Financial Group’s content on social media, sent private messages to OP Financial Group and followed OP Financial Group. The data subjects are OP Financial Group’s potential customers who have not been identified by means of strong electronic identification.
The data concerned has not been included in the customer data files of OP Financial Group companies.
5. Purpose of personal data processing and legal basis for processing
Purposes of processing
The purposes of use of personal data include the following:
- newsletter services (for example, OP Media) and arranging campaigns, for example, in connection with events and competitions, the related customer service, in particular, and customer relationship management, including notifications and communications
- producing content in the services, such as commenting on blogs
- planning and developing OP Financial Group's product and service offerings as well as targeting these offerings
- business development
- monitoring and analysis of service use and segmentation of users and subscribers, for example, in order for the controller to be able to offer personalised service content to the users
- opinion polls and market surveys
- direct marketing
- targeted marketing and advertising in internal and external media
- training purposes
- monitoring and analysis of the reactions received by OP Financial Group’s social media content to develop communications and business
- customer service on social media channels, such as responding to private messages and reacting to comments received on public posts
Profiling
Processing of personal data within the scope of the data file includes profiling. Profiling means the automated processing of personal data for evaluating certain personal aspects of an individual. Marketing involves carrying out target group sampling, and targeting is based on various segments. Further information about profiling is available in OP’s Privacy Statement at op.fi/dataprotection.
Legal bases of processing
| Legal basis | Example |
|---|---|
| Consent | Processing may be based on the data subject's consent, for example, on a consent to direct electronic marketing given by the data subject. Data subjects may also subscribe to newsletters with their consent. |
| Legitimate interests of the controller | Direct marketing or participation in a competition may also be based on legitimate interests. The data subject can demonstrate interest in OP Financial Group or its products and services in connection with events, for example. Using customised target groups in social media services. Business development. Monitoring and analysis of the reactions received by OP Financial Group’s social media content to develop communications and business. |
| Agreement | Responding to messages and comments directed to OP Financial Group in social media channels. |
6. Categories of personal data
Data subjects are typically subject to processing under the personal data categories and personal data described below. The data content to be processed depends, for example, on whether it involves the data of a private individual or a person acting on behalf of a company.
| Category | Data content |
|---|---|
| Basic information | Data subject’s name Data subject’s contact information, such as email address, telephone number and address |
| Customer relationship information | Data that uniquely identifies and classifies a potential customer relationship, such as the source of contact information and a pseudonym. Your profile name and contact details on social media platforms administered by OP Financial Group companies as well as the communication and other content shared there with us by you. |
| Consents | Any consents given or withheld by the data subject concerning personal data processing |
| Customer activity data | Contact details |
| Background information | Language |
| Areas of interest | Information on the data subject’s areas of interest |
| Recordings and content of messages | Messages that you have sent to OP Financial Group on social media channels. Reactions to OP Financial Group’s posts on social media channels. Posts concerning OP Financial Group that you have publicly posted on social media channels. |
| Behavioural information (incl. information collected using cookies and other such technologies) | Tracking of the data subject's online behaviour and use of services on websites and mobile apps and in OP Financial Group’s channels on social media platforms by using, for example, cookies. The collected information may include a website browsed by the user, the device model, unique device and/or cookie ID, channel such as an application, mobile browser or web browser, browser version, IP address, session ID, session time and duration, and the display resolution and operating system. |
| Technical identification data | Identifier determined by a device or an application, with which the user of the device or application can be identified, using additional information if necessary |
7. Recipients and recipient groups of personal data
Transfer of data to suppliers
The controller has suppliers which process personal data for its account. The controller concludes appropriate agreements on personal data processing with all such suppliers.
The suppliers produce for the controller IT and other support services and tools for the management of communication and marketing, among other things. Some of the controller’s suppliers are other OP Financial Group entities.
International transfers of data
The controller uses subcontractors for data processing, and data may be transferred outside the EU or EEA. When data is transferred outside the EU or EEA, the transfer is done using the European Commission’s standard contractual clauses or some other transfer mechanism in accordance with legislation. Further details on international transfers of personal data and standard contractual clauses are available from OP’s website at https://www.op.fi/dataprotection.
8. Joint controller system
- Facebook, Meta Platforms Ireland Limited
- Instagram, Meta Platforms Ireland Limited
- LinkedIn, LinkedIn Ireland Unlimited Company
- Tiktok, TikTok Technology Limited (Ireland)
9. Personal data retention period or criteria for determining the period
Personal data collected in competitions and campaigns will be retained for approximately 6 months, after which the data will be erased in accordance with the erasure processes followed by the controller.
Messages processed in social media channels will be retained for approximately 12 months, after which the data will be erased in accordance with the erasure processes followed by the controller.
In connection with subscription to newsletters, personal data will be retained according to the validity period of the subscription. However, the data retention period after the data subject has terminated their subscription is a maximum of around 2 years. Thereafter, the data will be erased according to the controller's erasure process unless the data subject expresses their willingness to continued data processing.
Content produced in the service and data associated with it will be retained for the existence of the service. The user can delete content they have submitted to the service by contacting the administration of the service.
10. Personal data sources and updates
Personal data are primarily collected from the data subjects themselves.
Personal data may also be collected when the data subject uses the controller’s services, apps, websites or channels on social media platforms. Personal data is collected, for example, on websites on the basis of the visitors’ movements by using cookies if the data subject has accepted the use of cookies. Social media platforms may share your personal data with us, depending on your personal privacy and cookie settings in the channels in question.
11. Data subject’s rights
Data subjects have the right to receive the controller’s confirmation of whether their personal data will be processed or not, or whether they have already been processed.
If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.
The controller may charge a reasonable administrative fee for any additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.
The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.
In certain circumstances, the data subject also has the right to request the controller to restrict the processing of their personal data or to otherwise object to processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in machine-readable format.
All requests mentioned herein must be submitted to the abovementioned contact person of the controller.
If a data subject considers that their personal data is not processed legally, they have the right to file a complaint with the supervisory authority.
12. Right to cancel prior consent
If the controller processes a data subject’s personal data on the basis of consent, the data subject has the right to cancel such consent. The cancellation of consent does not affect the lawfulness of processing performed on the basis of said consent prior to its withdrawal. However, such cancellation may have an effect on the usability and functionalities of the controller’s services. Every newsletter contains a cancellation link. Additional information is available from the person in charge of the data file.
13. Protection methods regarding the data file
The controller has taken appropriate technical and organisational measures to protect the data. The data file is protected using, for example, the following tools:
- Protection of hardware and files
- Access control
- User identity verification
- Access rights
- Registration of usage events
- Processing guidelines and supervision
The controller also requires of its suppliers appropriate protection of any personal data to be processed.