Privacy Notice of OP Asset Management Ltd’s customer data file

Privacy Notice

1. General information

This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and the national legislation for a data subject, that is, for the controller’s customer, employees and for the supervisory authority.

2. Controller and its contact information

OP Asset Management Ltd
Postal address: P.O. Box 1068, FI-00013 OP
Street address: Gebhardinaukio 1, 00510 HELSINKI
Controller’s contact person: OP Financial Group’s Data Protection Team
Phone number: 0100 0500
Email: dataprotection@op.fi

3. Data Protection Officer’s contact information

OP Financial Group's Data Protection Officer
OP Financial Group
Postal address: PL 308, FI-00013 OP
Email: dataprotection@op.fi

4. Name of the personal data file

OP Asset Management Ltd’s customer data file

The data subjects of the data file are the controller's customers and potential customers. Data subjects include private individuals and the contact persons, persons in charge and owners of corporate and institutional customers (hereinafter the company).

5. Purposes of personal data processing and legal basis for processing

Purposes of use of personal data

In this customer data file, personal data is used primarily to produce, offer, deliver and develop the controller’s individual asset and wealth management services. Purposes of use can be divided into the following categories:

  • Customer service and customer relationship management and development, including customer communications
  • Provision, development and quality assurance of services
  • Business development
  • Monitoring and analysis of product and service use and customer segmentation, for example, in order for the controller to be able to offer personalised product and service content to users
  • Opinion polls and market surveys
  • Direct marketing
  • Targeted marketing and advertising
  • Fulfilling statutory obligations and any other official rules and regulations
  • Identification of default
  • Risk management
  • Ensuring the security of services and investigating abuses
  • Training purposes

Profiling

Processing of personal data within the scope of the data file may include profiling. Profiling means the automated processing of personal data in order to evaluate certain personal characteristics. Further information about profiling is available at op.fi/dataprotection. Another example of profiling performed within the scope of the data file is assessing the risk tolerance of a customer receiving investment advice and determining a suitable target market for the customer based on their investor profile. A controller who provides investment advice services has a statutory obligation to perform such an assessment.

Preventing crimes

Know Your Client (KYC) information and other personal data of data subjects may be used to prevent, uncover and detect money laundering and terrorist financing, as well as for other purposes required by the Act on Preventing Money Laundering and Terrorist Financing. The data subject’s personal data may be used to investigate whether the person is subject to international sanctions applied by the controller. Further information on OP Financial Group’s sanctions compliance is primarily available in the terms and conditions of the purchased product or service.

Legal bases for processing

The table below describes the legal bases for processing personal data contained in the data file, and provides examples of processing performed on each basis.

Legal basis | Examples

Contractual relationship or actions preceding the conclusion of a contract:
  • Actions based on an agreement, such as an individual investment services agreement, or its conclusion

Legal obligation:
  • Processing to comply with the MiFID II / MiFIR regulatory framework applicable to the sector and with legislation governing anti-money laundering and counter-terrorist financing, for example.
  • Other statutory personal data processing, such as cooperation with the police or tax authorities, and obligations related to regulatory reporting.

Legitimate interests of the controller or a third party:
  • Personal data may be processed based on legitimate interests, such as direct marketing or business development. Disclosing personal data within OP Financial Group and establishing a potential customer and offering services to a potential customer may be based on a legitimate interest.
  • In most cases, the controller’s legitimate interests are based on the customer relationship or a similar relationship between the controller and the data subject. The controller also ensures that such processing is proportionate to the data subject’s benefits and meets their reasonable expectations.

Consent:
  • Direct marketing through electronic channels is usually based on the consent of the data subject.

6. Categories of personal data

Category | Example of the Group's Data Content

Basic information:
  • Data subject’s name
  • The data subject’s address, telephone number and email address
  • Data subject’s tax status
  • Private individual: personal ID, place of birth, domicile, nationality, job title / profession, level of education, legal competence
  • Entity: identification details of persons acting on the behalf of an entity and information on connections to the entity

Know Your Customer (KYC) information:
  • Statutory KYC information such as the information required to identify the customer and to determine their financial status and political exposure

Customer relationship information:
  • Information that uniquely identifies and classifies the customer, such as investor profile information

Consents:
  • Any consents given or withheld by the data subject concerning personal data processing

Contract and product information:
  • Details of the contract between the controller and the data subject
  • Information on products and services purchased by the data subject

Customer activity data:
  • Tasks and transactions related to the management of customer relationship

Background information:
  • For example, details of the life situation and financial status of the data subject

Behavioural information (incl. information collected using cookies and other such technologies):
  • Tracking of the data subject's online behaviour and use of services using, for example, cookies. The collected information may include a website browsed by the user, the device model, unique device and/or cookie ID, a channel such as an application, mobile browser or web browser, a browser version, IP address, session ID, session time and duration, and the display resolution and operating system.

Areas of interest:
  • Information on the data subject’s areas of interest

Recordings and content of messages:
  • Recordings and messages in various formats, in which the data subject is a party, for example, call recordings and e-mails

Technical identification data:
  • Identifier determined by a device or an application, with which the user of the device or application can be identified, using additional information if necessary

7. Recipients and recipient groups of personal data

Any personal data obtained may be used within OP Financial Group as permitted by law. Data is disclosed within the Group to, among others, the entity providing securities custody services.

Data may in statutory cases be disclosed to relevant authorities, such as the Financial Supervisory Authority and the Tax Administration. An annual notification of the controller’s customers, among other things, is sent to the Tax Administration.

8. Transfer of personal data

The controller uses subcontractors for data processing, and data may be transferred outside the EU or EEA. When data is transferred outside the EU or EEA, the transfer is done using the European Commission’s standard contractual clauses or some other transfer mechanism in accordance with legislation. Further details on international transfers of personal data and standard contractual clauses are available from OP’s website at https://www.op.fi/dataprotection.

Some of the controller’s subcontractors are other OP Financial Group entities. They provide the controller with items such as IT and other support services.

9. Personal data retention period or criteria for determining the period

Personal data may be processed within the validity of the contractual relationship. Once the contractual relationship / customer relationship has ended, the data will be erased or anonymised after ten years in accordance with the erasure processes followed by the controller. The personal data of potential customers is primarily erased or anonymised after one (1) year calculated from the date when the data subject through their active action last showed interest in the products or services of the controller, or from the date when such personal data was last processed.

After the contractual relationship has terminated, the controller may process personal data for direct marketing purposes in accordance with applicable legislation.

10. Personal data sources and updates

Personal data are primarily collected from the data subjects themselves. Data may be collected when the data subject uses certain services of the controller, such as online services. Personal data may also be obtained from other OP Financial Group entities as permitted by law.

Personal data can also be collected and updated as permitted by law from the personal data files of third parties, such as the Digital and Population Data Services Agency (Finnish Digital Agency), the Trade Register and other registers maintained by the authorities, as well as from credit information register controllers.

Information necessary to identify political exposure and parties subject to international sanctions followed by the controller may be collected from third parties that maintain such data files.

11. Data subject’s rights

Data subjects have the right to receive the controller’s confirmation of whether their personal data will be processed or not, or whether they have already been processed.

If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.

The controller may charge a reasonable administrative fee for any additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.

The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.

In certain circumstances, the data subject also has the right to request the controller to restrict the processing of their personal data or to otherwise object to processing. In addition, under the GDPR, data subjects may request that the data they have provided themselves be transferred in a machine-readable format.

All requests mentioned herein must be submitted to the abovementioned contact person of the controller.

If a data subject considers that their personal data are not being processed legally, they have the right to file a complaint with the competent supervisory authority.

12. Right to revoke consent

If the controller processes a data subject’s personal data on the basis of consent, the data subject has the right to cancel such consent. The cancellation of consent does not affect the lawfulness of processing performed on the basis of said consent prior to its withdrawal. However, such cancellation may have an effect on the usability and functionalities of the controller’s services.

13. Protection methods regarding the data file

The controller has taken appropriate technical and organisational measures to protect the data. The data file is protected using, for example, the following tools:

  • Protection of hardware and files
  • Access control
  • User identity verification
  • Access rights
  • Registration of usage events
  • Processing guidelines and supervision

The controller also requires of its suppliers appropriate protection of any personal data to be processed.