Personal data


What do personal data and data protection mean?

In practice, all information from which a person can be identified either directly or when combined with other data constitutes personal data. In addition to your name, address, personal identity code and telephone number, information such as your bank account number, or health details or, typically, other data related to your customer relationship are also personal data. The purpose of data protection is to safeguard personal data.

We will keep your data safe and process it in the manner required by law

Handling your personal data carefully and cautiously is of primary importance to us. We will only use your data for purposes defined in advance or for purposes compatible with such predefined use. Our privacy policies provide information on such predefined purposes of data processing. We process your personal data in compliance with the law and good data processing practice.

We always make sure that there are legal grounds for the processing of your data. The most common legal grounds used by us are agreement, consent, binding legislation and legitimate interest. At OP Financial Group, we use legitimate interest as a reason for data processing in connection with, for example, marketing or client categorisation.

We monitor access to and the handling of your personal data closely. Our personnel is under a confidentiality obligation not to disclose the information of our customers. We ensure the competence of our personnel who process personal data through regular training and evaluations. We also monitor the use, access rights and log data of systems that contain personal data. If we notice something wrong, we make an immediate intervention.

The relationship of this Privacy Statement to other information provided to users

This Privacy Statement describes our principles of personal data processing in the manner required by law. The purpose is to give an overview of the methods with which OP Financial Group processes personal data.

More information on the processing of your personal data is provided in connection with most services, products, sites and applications, as well as in dedicated privacy policies. Such detailed information takes precedence over this text.

Our website may include links to the websites or services of other companies which have their own privacy protection practices independent of OP Financial Group. We recommend that you take the time to familiarise yourself with such practices when necessary.

Our practices may change with service development or amendments to legislation. We will notify you of such changes openly in this statement and in connection with each service, site, etc. Material changes to data protection information are communicated in a visible manner, such as by highlighting them in the Topical issues section of this site.

Typically, we will collect personal data when you become our customer, use our products and services, take part in marketing campaigns or surveys or otherwise use our services. We only collect data relevant to the purpose in question.

The data collected by us includes

  • personal data related to identification and authentication, such as your name and personal identity code;
  • contact details, such as your address, e-mail address and telephone number;
  • various details related to the customer relationship and its management, such as your customer number and category and various information related to service use;
  • data directly required by law, such as the certain data required for Know Your Customer purposes. These include information on your being a beneficial owner or you, your family member or close business associate performing in an important public function. Read more ›
  • information on products and services, such as the details of investment services, vehicles and amounts, or information on the use of online services.

The personal data we collect is determined by the service channel and product or service concerned.

In the first instance, we obtain your information directly from you. Data may be obtained and derived from service use. In addition, we obtain data from registers maintained by the authorities, the credit information register, the common registers of banks and insurance companies, as well as from other reliable registers. For address updates, we also obtain information from the Digital and Population Data Services Agency (Finnish Digital Agency).

You disclose your data to us when you purchase our services, participate in our surveys or campaigns or answer questions in connection with services provided by us. We also get information by observing how you use our services.

When you use OP’s services, visit our online bank or a branch office, sign an insurance contract or apply for a mortgage, you are also providing us with your personal data. The data can include information on your family, state of health or employment. For online services, such data can consist of information on the services and documents you have browsed.

We also collect your personal data when you contact us by phone or when we call you. All calls to and from OP may be recorded. We may use call recordings to verify customer transactions, assure the quality of customer service and develop our services and for training purposes.

How do we protect the privacy of children?

We collect and handle data concerning children under 15 years of age mainly with the consent of their guardians. Without their consent, we only collect such data for specifically defined and limited purposes, such as naming a minor as a beneficiary in an insurance policy without the consent of the guardian.

We use your personal data to be able to answer your requests and questions, process your orders and manage matters specified in the agreement. We may also use your personal data in the further development of our products, services, customer service and sales and marketing.

We process your personal data in order to be able to offer and develop even better services and a better customer experience. In addition to day-to-day customer service, we use your personal data when automating our business processes and developing services in accordance with the Payment services legislation. Your data will also be used for customer communications and the fulfilment of our statutory obligations.

We analyse your personal data, for example, when performing the required client and risk categorisations, such as for granting credit or pricing insurance policies, or when determining the suitability of investment products for you. By means of your personal data, we create various profiles through which we develop our services further. By means of your data, we also seek to provide you with products and services that better meet your needs. In some cases, profiling may be based on requirements prescribed by law.

To create a profile, we use, for example, the following information: what age of people live in your household and whether you use one or more OP's services. We also receive information on your areas of interest when you visit OP's website if you have not restricted the collection of data.  We combine various data we have received and thus seek to assess, for example, whether you are an active OP customer, whether we can present you new OP's products and how you would you like us to serve you as our customer. We also use classified data to enhance customer insight, for example, in internal reporting and in analysing customer relationships. Some of our operations also utilise automated decision-making, without human influence on the decision.

We use your personal data in OP Financial Group’s risk management and to fulfil obligations based on laws and official regulations and instructions, such as authenticating users and ensuring data security as well as preventing and investigating fraud.

We also use your personal data for customer service and communication purposes. We may send you announcements or notifications concerning our products and services or use your data for various marketing purposes, either subject to your consent or when explicitly permitted by law. In addition, we can use your personal data to recommend content or display personalised content for you in our online services. Such content can be created by OP Financial Group or reliable third parties.

When permitted by law or with your consent, we may also combine data collected in connection with a specific product and/or service with data gathered in other connections.

The disclosure of personal data refers to situations in which we give your personal data to other data controllers for their own, independent purposes. We can disclose your data, within the limits permitted by law, for example within the financial and insurance conglomerate of OP Financial Group and to entities belonging to the same amalgamation for the purposes of customer service, customer relationship management and marketing. We may also disclose your data within the financial and insurance conglomerate of OP Financial Group for risk management purposes.

We can also disclose your personal data to the authorities to fulfil a statutory obligation (e.g. to the tax, enforcement or social welfare authorities) and to the shared registers of banks and insurance companies in order to prevent crimes targeted at banks and insurance companies.

We can disclose your information to parties outside OP Financial Group subject to your consent or when the disclosure constitutes a part of the product or service you use.

Your data will only be processed by OP Financial Group entities and employees whose duties require the processing of your data.

We use subcontractors and partners for service production and provision. For this reason, your personal data may be transferred to such parties for processing commissioned by us. Such parties are only permitted to process your data in accordance with our instructions. They are not entitled to use your data for their own purposes, such as direct marketing.

We use various contractual and other arrangements to ensure that also our suppliers and partners process your data carefully and in accordance with good data processing practice.

As a rule, we process your data within the EEA. The EEA refers to EU Member States and Iceland, Liechtenstein, and Norway. If we transfer data to a country outside the EEA where the national regulations do not ensure data protection equal to the EU level of protection, we will ensure a sufficient level of personal data protection in the manner required by law and use data transfer mechanisms approved by the European Commission, primarily the European Commission's standard contractual clauses. We use standard contractual clauses for transfers to our IT service providers in India, for example.

The standard contractual clauses are available on the European Commission’s website:

We will start using the latest versions of the standard contractual clauses for transferring personal data outside the EEA in accordance with the deadline set by the European Commission, that is, by 27 December 2022.

In certain circumstances, such as when you make payments abroad, personal data required for the payment can be transferred to a bank outside the EEA in order to implement an agreement you have signed with us or on the basis of your consent (derogations for transfer).