Privacy notice
1. General information
This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and the national data protection law for a data subject, that is, for the controller's customer, employees and for the supervisory authority.
2. Controller and its contact information
OP Corporate Bank plc
Postal address: P.O. Box 308, 00013 OP
Street address: Gebhardinaukio 1 00510 HELSINKI
The controller's contact person: OP Financial Group’s Data Protection Team
Phone: 0100 0500
Email: dataprotection@op.fi
3. Data Protection Officer's contact information
OP Financial Group's Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, 00013 OP
Email: dataprotection@op.fi
4. Name of the personal data file
OP Corporate Bank plc's customer data file
The data subjects of the data file are the controller's customers and potential customers. Data subjects include private individuals and the contact persons, persons in charge and owners of corporate and institutional customers (hereinafter the company).
5. Purposes of personal data processing and legal basis for processing
5.1 Purposes of use of personal data
In this customer data file, personal data is used primarily to produce, offer, deliver and develop the controller's services, such as account, financing and investment services. Below you can find more detailed information on how personal data is used in the data file.
- Customer service and customer relationship management and development, including customer communications
- Provision, development and quality assurance of services
- Business development
- Monitoring and analysis of service use, and customer and user modelling in order for the controller to be able to offer personalised service content to the users
- Opinion polls and market surveys
- Direct marketing
- Targeted marketing and advertising
- Compliance with statutory obligations and any other official rules and regulations and fulfilment of corporate responsibility obligations
- Identification of insolvency
- Risk management
- Ensuring the security of services, and preventing and investigating abuses
- Training purposes
Automated decision-making and profiling
With regard to products and services provided by finance companies, personal data processing within the scope of the data file involves automated decision-making. The purpose of automated processing is to reduce processing times and safeguard equitable decisions. Automatic decision-making is used because the decision is necessary for entering into, or performance of, a contract between the data subject and the controller.
The controller’s operations involve automated financing decisions. These include customer-specific profiling of data subjects with the purpose of assessing their creditworthiness in order to make loan decisions and sign loan agreements. In addition, data subjects are subject to profiling in order to identify insolvency. The requirement to assess creditworthiness and identification of insolvency is based on legislation.
Information on the loan applicant’s repayment capacity is used in support of automated loan decisions. This includes information on the loan applied for, information provided by the loan applicant during the loan application process, information from Suomen Asiakastieto Oy’s Consumer Credit Inquiry System, information from the Tax Administration’s Positive Credit Register, and OP Financial Group’s internal information on the applicant’s payment and credit history.
Processing of personal data within the scope of the data file includes profiling. Profiling means the automated processing of personal data for evaluating certain personal aspects of an individual.
The consequence of automated processing and profiling to the data subject is either automated approval or automated refusal of the credit application. The terms and conditions of agreement, such as the interest rate on a loan or credit, may also be determined on the basis of automated processing and profiling. The system may also transfer the case directly to expert assessment, which means that a natural person processes the application and makes the decision. Monitoring data subjects' ability to pay and related classifications are profiling methods relevant to operations. Possible reasons for the refusal of a credit application include insufficient repayment capacity, a payment default entry, a registered payment default in corporate connections, age below 21 years, the amount of credit exposure or the poor management of existing loans, hire purchase agreements or other contractual obligations. If the defined requirements do not pose an obstacle for granting a credit, the applicant can be subjected to a credit rating to measure their repayment capacity. The amount of credit applied for is then proportioned to the credit rating determined for the applicant. In addition to information provided in connection with the credit application process, aspects that may be taken into account in the decision-making include information on the credit applied for, the applicant’s young age and any delayed payments.
The method applied in making credit decisions is regularly assessed and monitored in order to ensure its reliability. If a decision has been made on the basis of automated decision-making, a data subject may request for reconsideration of the application through manual (non-automated) processing.
General information about automated decision-making and profiling is available in OP's Privacy Statement at op.fi/dataprotection.
Preventing crimes
KYC information and other data subject's personal data may be used to prevent, uncover and detect money laundering and terrorist financing as well as for other purposes required by the Act on Preventing and Detecting Money Laundering and Terrorist Financing.
The data subject's personal data may be used to investigate if the person is subject to international sanctions applied by the controller. Further information on OP Financial Group's sanctions compliance is primarily available in the terms and conditions of the product or service.
The controller may process personal data concerning crimes or suspected crimes made directly against the operations of the credit institution, if that is necessary in order to prevent and detect such crimes.
5.2 Legal bases of processing
Personal data is processed in the data file on the basis of several legal grounds, the application of which is described with illustrative examples below.
1. Contractual relationship or actions preceding the conclusion of a contract, such as
a. Establishing a customer account
b. Personal data processing necessary for contract enforcement
2. Statutory obligation, such as
a. Anti-money laundering and counter-terrorist financing legislation
b. Industry-specific legislation, such as the Act on Credit Institutions (610/2014)
c. Act on Guaranties and Third-Party Pledges (361/1999)
d. Act on the Positive Credit Register (739/2022)
e. Other statutory personal data processing, such as cooperation with the police or tax authorities, and obligations related to reporting to the authorities
3. Consent
a. Electronic direct marketing and certain disclosure of data to the controller's partners may be based on consent by the data subject
4. Legitimate interests
a. Establishing a potential customer and offering services to a potential customer may be based on a legitimate interest.
b. Direct marketing and business development may be carried out on the basis of the controller’s legitimate interest.
c. The processing of information on the responsible persons, representatives or employees of corporate customers for ESG purposes is based on legitimate interest.
d. Data disclosure within OP Financial Group may be based on a legitimate interest.
In most cases, the controller’s legitimate interests are based on the customer relationship or similar relationship between the controller and the customer. The controller also ensures that such processing is proportionate to the data subject’s benefits and meets his/her reasonable expectations.
6. Categories of personal data
Data subjects are typically subject to processing the categories of personal data and personal data described below. The data content to be processed depends, for example, on whether it is the question of the data of a private individual or of a person acting on behalf of the company.
Category of personal data | Example of the Group's data content |
---|---|
Basic information | Data subject's name, personal identity code / business ID, data subject's postal address, phone number, email address The name and contact details of corporate customers' contact persons, persons in charge and owners, and information on the person’s position with regard to the entity |
Know Your Customer (KYC) information | Statutory KYC information such as the information required to identify the customer and to determine their financial status and political exposure |
Customer relationship information | Information that uniquely identifies and categorises the customer relationship, such as tax code, nationality, language used for communication, profession or position |
Consents | The consents given and withheld by the data subject concerning personal data processing |
Contract and product information | The controller's and data subject's contract information Information on products and services acquired by the data subject |
Customer activity data | Tasks and transactions related to the management of customer relationship |
Background information | For instance, information on the data subject's life situation and financial standing, and experience and knowledge, The processing of information on the responsible persons, representatives or employees of corporate customers for ESG purposes is based on legitimate interest. |
Behavioural information (incl. information collected using cookies and other such technologies) | Tracking of the data subject's online behaviour and use of services using, for example, cookies. The collected information may include a website browsed by the user, the device model, unique device and/or cookie ID, channel such as an application, mobile browser or Web browser, browser version, IP address, session ID, session time and duration, and the display resolution and operating system. |
Recordings and content of messages | Recordings and messages in various formats, in which the data subject is a party, for example, call recordings |
Technical verification data | Identifier determined by a device or an application, with which the user of the device or application can be identified, using additional information if necessary |
7. Recipients and recipient groups of personal data
Any personal data obtained may be used within OP Financial Group as permitted by the law. In addition, personal data may be disclosed, for example, to:
- Relevant authorities, such as the Financial Supervisory Authority, European Central Bank, and, in statutory cases, to the Finnish Tax Administration. Annual notifications of the controller's customers are sent to the tax administration.
- Market participants, such as Finnish Central Securities Depository
- Partner banks for the execution of payment orders
- Credit information controllers, such as Suomen Asiakastieto Oy, for the purposes of monitoring payment defaults and for the Tax Administration’s Positive Credit Register
- Parties to which the controller has the right to transfer or pledge financing agreements or promissory notes
- Parties that serve as guarantors in connection with financing or collateral arrangements
- The European Central Bank, other central banks in the European System of Central Banks, European Investment Bank, Nordic Investment Bank, Finnvera plc, European Investment Fund or a similar party in connection with financing and/or collateral arrangements
By law, the controller may disclose information under the Act on the Bank and Payment Accounts Monitoring System to competent authorities, such as the police, enforcement authority and the Customs. The Customs is responsible for transmitting the information pertaining to law to the competent authorities. Data subjects must direct their questions related to bank and payments accounts monitoring system to the Customs.
Vendors operating as the controller's partners can be given such data subjects' personal data which the vendor has submitted to OP Corporate Bank plc when acting as its agent.
8. Transfer of personal data
The controller uses suppliers in data processing, and data may be transferred outside of the EU or EEA. When data is transferred outside of the EU or EEA, the transfer is done using the EU Commission’s standard contractual clauses or some other transfer mechanism in accordance with legislation. Read more about international transfers of personal data and the European Commission's standard contractual clauses at OP’s website: op.fi/dataprotection.
Some of the controller’s suppliers are other OP Financial Group entities. They provide the controller with information system and other support services, among other things.
When receiving financing applications, identifying customers and concluding financing documentation, the controller uses vendors as agents.
9. Personal data retention period or criteria for determining the period
Personal data may be processed within the validity of the customer and contractual relationship. It will also be processed after the end of the customer and contractual relationship for a period deemed necessary at any given time and what is stated below.
Contractual information will be erased approximately ten years after the contract has terminated. Information on customer relationship, such as KYC information, will be erased or anonymised approximately ten years after the last contract has terminated. The information will be erased in accordance with the controller's erasure processes.
Potential customers' data will be retained as long as the retention is necessary to establish a potential customer relationship.
After the contractual relationship has terminated, the controller may process the personal data for direct marketing purposes in accordance with applicable legislation.
The controller may be under an obligation to process some personal data in the data file for a period longer than stated above in order to comply with legislation or requirements set by the relevant authorities, such as capital adequacy measurement regulation.
10. Personal data sources and updates
Personal data is collected primarily from the data subjects themselves or, on a case-by-case basis, from the entity on behalf of which they act. Personal data may also be collected when the data subject uses certain controller services, such as online services. Personal data may, within the limits permitted by law, also be obtained from other OP Financial Group entities for risk management or marketing purposes, for example.
Personal data can also be collected and updated within the limits permitted by law from the personal data files of third parties, examples including:
- Digital and Population Data Services Agency
- Registers maintained by other authorities, such as the Finnish Transport Safety Agency (Trafi), the Trade Register and Foundations Register, Virallinen lehti, the Title and Mortgage Register and the Tax Administration’s Positive Credit Register
- Credit information register controllers
- The customer default register of the financial sector
- Parties that maintain databases with information that is necessary to identify political exposure and parties subject to international sanctions followed by the controller
- From databases provided by external service providers, including information in the public domain
11. Data subject's rights
Data subjects have the right to receive the controller's confirmation of whether their personal data will be processed or not, or whether they have already been processed.
If the controller processes a data subject's personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.
The controller may charge a reasonable administrative fee for additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.
The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.
After the application of the General Data Protection Regulation has begun, the data subject will, in certain cases, also have the right to request the controller to restrict the processing of their personal data or to otherwise oppose the processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in machine-readable format.
All of the above requests must be submitted to the abovementioned contact person of the controller.
If a data subject considers that his/her personal data is not processed legally, he/she has the right to file a complaint with the supervisory authority.
12. Right to cancel prior consent
If the controller processes the data subject's personal data on the basis of consent, the data subject has the right to cancel such consent. The cancellation of consent does not affect the lawfulness of processing performed based on the consent prior to its cancellation. Such cancellation may, however, have an effect on the usability and functionalities of the service.
13. Protection methods regarding the data file
The controller processes personal data securely and in a manner fulfilling the requirements of applicable laws. It has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.
The controller has protected the data appropriately in technical and organisational terms. The data file is protected using, for example, the following tools:
- Protection of equipment and files
- Access control
- User identity verification
- Access rights
- Registration of usage events
- Processing guidelines and supervision
The controller also requires of its suppliers the appropriate protection of personal data to be processed.