Privacy Notice
Created or edited on: 3 April 2024
1. General
This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and the national legislation for a data subject, that is, for the controller’s customer, employees and for the supervisory authority.
2. Controller and controller’s contact information
Each OP Financial Group cooperative bank
Postal address: P.O. Box 308, 00013 OP, Finland
Street address: Gebhardinaukio 1 00510 HELSINKI
Controller’s contact person: OP Financial Group’s Data Protection Team
Telephone: 0100 0500
Email: dataprotection@op.fi
3. Data Protection Officer’s contact information
OP Financial Group’s Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, 00013 OP, Finland
Email: dataprotection@op.fi
4. Name of the personal data file
OP cooperative bank customer data file
Every OP cooperative bank has its own customer data file. This Privacy Notice describes how personal data is processed in each OP cooperative bank’s customer data file.
The data subjects in the data file are an OP cooperative bank’s customers and potential customers. The data subject can be a private individual or a person acting on behalf of an entity, where the entity they represent uses some OP cooperative bank’s services, including an entrepreneur.
A potential customer relationship typically arises when a person expresses their interest in OP cooperative bank services on the op.fi service or when visiting a bank branch. A potential customer relationship can also arise, for example, because a person is a customer of some other OP Financial Group entity and this entity releases the customer’s data to the OP cooperative bank for marketing purposes.
5. Purposes of personal data processing and legal basis for processing
5.1 Purposes of processing
Banking operations require personal data processing. The OP cooperative bank customer data file entails the processing of personal data necessary, for example, for credit and investment services. Below, you can find more detailed information on how personal data is utilised in the data file.
The purposes of personal data use include:
- Customer service and customer relationship management and development, including customer communications
- Provision, development and quality assurance of services
- Business development
- Monitoring and analysis of product and service use and customer segmentation in order for the controller to be able to offer personalised product and service content to the users, for example
- Opinion polls and market surveys
- Direct marketing
- Targeted marketing and advertising
- Compliance with the requirements and obligations related to payment services
- Fulfilling statutory obligations and any other official rules and regulations
- Identification of insolvency
- Risk management and regulatory reporting
- Ensuring the security of services and investigating any fraud
- Training purposes
Automated decision-making and profiling
With regard to certain products and services, personal data processing within the scope of the data file involves automated decision-making. These products may include, for example, home loans applied for in digital channels and unsecured consumer loans. The purpose of automated processing is to reduce processing times and safeguard equitable decisions. Automated decision-making is used because the decision is necessary for entering into, or performance of, a contract between the data subject and the controller. If automated decision-making is included in a product or service, the data subject will be informed of this upon purchase of the product or service. When the decision process is fully automated, the controller ensures that the matter can be submitted for manual processing and decision.
Processing of personal data within the scope of the data file includes profiling. Profiling means the automated processing of personal data for evaluating certain personal aspects of an individual.
The controller’s operations involve automated financing decisions. These include customer-specific profiling of data subjects with the purpose of assessing their creditworthiness in order to make loan decisions and sign loan agreements. In addition, data subjects are subject to profiling in order to identify insolvency. The requirement to assess creditworthiness and identification of insolvency is based on legislation.
Information on the loan applicant’s repayment capacity is used in support of automated loan decisions. This includes information on the loan applied for, information provided by the loan applicant during the loan application process, information from Suomen Asiakastieto Oy’s Consumer Credit Inquiry System, information from the Tax Administration’s Positive Credit Register, and OP Financial Group’s internal information on the applicant’s payment and credit history.
The consequence of automated processing and profiling to the data subject is either automated approval or automated refusal of the loan application. The terms and conditions of agreement, such as the interest rate on a loan or credit, may also be determined on the basis of automated processing and profiling. The system may also transfer the case directly to expert assessment, which means that a natural person processes the application and makes the decision. The transfer of the loan application to manual processing may be based, for example, on the applicant being under 18 years of age or on the fact that the loan application could not have been approved through automated processing. Monitoring data subjects’ ability to pay and related classifications are profiling methods relevant to operations. Possible reasons for the refusal of a loan application include insufficient repayment capacity, negative credit entry in the credit report, registered payment default or non-fulfilment of OP’s agreements.
If the defined requirements do not pose an obstacle for granting a loan, the applicant can be subjected to a credit rating to measure their repayment capacity. The amount of loan applied for is then proportioned to the credit rating determined for the applicant. In addition to information provided in connection with the loan application process, aspects that may be taken into account in the decision-making include information on the loan applied for, the applicant’s young age and any delayed payments.
The method applied in making loan decisions is regularly assessed and monitored in order to ensure its reliability. If a decision has been made on the basis of automated decision-making, a data subject may request reconsideration of the application through manual (non-automated) processing.
General information about automated decision-making and profiling is available in OP’s Privacy Statement at op.fi/dataprotection.
Preventing crimes
Know Your Customer (KYC) information and the data subject’s other personal data may be used in the prevention, uncovering and investigation of money laundering and terrorism financing, and in bringing under investigation money laundering and terrorism financing as well as the crime committed to obtain the assets or proceeds of crime involved in money laundering or terrorism financing.
The data subject’s personal data may be used to investigate whether the person is subject to international sanctions applied by the controller. Further information on OP Financial Group’s sanctions compliance is primarily available in the terms and conditions of the purchased product or service.
The controller may process personal data concerning crimes or suspected crimes made directly against the operations of the credit institution, if that is necessary in order to prevent and detect such crimes.
5.2 Legal basis for processing
The table below describes the legal bases for processing personal data contained in the data file and provides examples of processing performed on each basis.
Legal basis | Example |
---|---|
Contractual relationship or actions preceding the conclusion of a contract | Actions based on an agreement, such as account agreement, credit agreement or investment services agreement, or its conclusion |
Statutory obligations | Such as laws governing anti-money laundering and counter-terrorist financing, credit information legislation, the Act on the Positive Credit Register, consumer protection legislation, accounting provisions and the Act on Strong Electronic Identification and Electronic Trust Services |
Legitimate interests of the controller or a third party | In most cases, the controller’s legitimate interests are based on the customer relationship or similar relationship between the controller and the data subject. For instance, direct marketing or developing products and services, or typically disclosing information within OP Financial Group. The controller ensures that such processing is proportionate to the data subject’s benefits and meets the data subject’s reasonable expectations. |
Consent | Direct marketing through an electronic channel is usually based on the consent of the data subject |
6. Categories of personal data
Categories of personal data concerning customers
Category | Data content |
---|---|
Basic information | Private customer: the data subject’s name, personal ID code and contact details such as address, phone number and email address. Institutional customer: identification details of persons acting on behalf of an entity and information on connections to the entity |
KYC information | Statutory KYC information, such as the information required to identify the customer and determine their financial status and political exposure |
Customer information | Information that uniquely identifies and classifies customer relationship, such as duration and nature of the customer relationship or borrower grade |
Consents | Any consents given or withheld by the data subject concerning personal data processing |
Contract and product information | Details of the contract between the controller and the data subject. Information on products and services purchased by the data subject |
Customer activity data | Tasks and transactions related to the management of the customer relationship |
Background information | For instance, information on the data subject’s life situation, investment experience and knowledge, and on the data subject’s financial standing and goals |
Areas of interest | Information on the data subject’s areas of interest, for instance on interest towards a certain OP product or service |
Behavioural information (including information collected by means of cookies and other similar technologies) | Tracking of the data subject’s online behaviour and use of services using, for example, cookies. The collected information may include a website browsed by the user, the device model, unique device and/or cookie ID, channel such as an application, mobile browser or web browser, browser version, IP address, session ID, session time and duration, and the display resolution and operating system. |
Recordings and content of messages | Recordings and messages in various formats, to which the data subject is a party, for example voice call recordings |
Special categories of personal data | The special categories of personal data laid down in Article 9 of the General Data Protection Regulation, including health and trade union membership |
Technical identification data | Identifier determined by a device or an application, with which the user can be identified, using additional information if necessary |
Categories of personal data concerning potential customers
The data content to be processed is determined, for example, by the group of potential customers in question. Below is a description of the kinds of data content that the controller typically processes.
Category | Data content |
---|---|
Basic information | The data subject’s name, personal ID code and contact details such as address, phone number and email address |
Customer information | Information that uniquely identifies the customer, such as the start date and nature of customer relationship |
Contract and product information | Information on the controller’s offers to the data subject |
Customer activity data | Tasks and transactions related to the management of the customer relationship |
Behavioural information (including information collected by means of cookies and other similar technologies) | Tracking of the data subject’s online behaviour and use of services using, for example, cookies. The collected information may include a website browsed by the user, the device model, unique device and/or cookie ID, channel such as an application, mobile browser or web browser, browser version, IP address, session ID, session time and duration, and the display resolution and operating system. |
Recordings and their content | Various telephone recordings to which the data subject is a party |
Technical identification data | Identifier determined by a device or an application, with which the user can be identified, using additional information if necessary |
7. Recipients of personal data and recipient categories
When disclosing personal data included in the data file, the controller takes into account the requirements of mandatory legislation, including the credit institution’s confidentiality obligations. Below is a description of typical data disclosures from the data file.
Any personal data obtained may be used within OP Financial Group as permitted by law. Within investment services, data may be disclosed, for example, to an entity within the Group that manages securities custody.
Credit rating agencies may be provided with personal data via other companies in OP Financial Group, but in such cases the data set must not include data based on which a person can be directly identified.
When payments are transmitted, legislation requires that personal data concerning the payer or the payee is submitted at the same time when funds are transferred.
Information about credit granted to personal customers is filed with the Positive Credit Register kept by the Tax Administration’s Incomes Register Unit in accordance with the Act on the Positive Credit Register.
If the Act on Guaranties and Third-Party Pledges so requires, we will disclose collateral recipient information to the obligor and the guarantor.
Data is also disclosed to the sector’s shared customer default register.
In addition, personal data may be disclosed to Google with the data subject's consent, if the data subject has taken Google Pay into use.
Data may in statutory cases be disclosed to relevant authorities, such as the Financial Supervisory Authority, the police, the execution authorities and the Finnish Tax Administration. Annual notifications of the controller’s customers are sent to the tax administration. Moreover, the data may be disclosed to debt-collection agencies.
Due to certain financing and/or collateral arrangements, personal data can be provided for the European Central Bank, the Bank of Finland and other central banks in the European System of Central Banks, the European Investment Bank, the Nordic Investment Bank, Finnvera plc, the European Investment Fund or a similar party.
By law, the controller may disclose information under the Act on the Bank and Payment Accounts Monitoring System to competent authorities, such as the police, enforcement authority and the Customs. The Customs is responsible for transmitting the information pertaining to law to the competent authorities. Data subjects must direct their questions related to the bank and payment accounts monitoring system to the Customs.
8. Transfer of personal data
The controller uses suppliers in data processing, and data may be transferred outside of the EU or EEA. When data is transferred outside of the EU or EEA, the transfer is done using the EU Commission’s standard contractual clauses or some other transfer mechanism in accordance with legislation. Read more about international transfers of personal data and the European Commission's standard contractual clauses at OP’s website: op.fi/dataprotection.
Some of the controller’s suppliers are other OP Financial Group entities. They offer, for example, credit, collateral and IT support services to the controller.
9. Personal data retention period or criteria for determining the period
Personal data may be processed within the validity of the customer and contractual relationship. Customer relationship refers to the data subject becoming an OP cooperative bank customer. The customer’s basic information and KYC information are collected to establish a customer relationship. A contractual relationship arises when a customer signs an agreement with an OP cooperative bank concerning a product or service.
Contractual information will be erased approximately ten years after the contract has terminated. Information on customer relationship, such as KYC information, will be erased or anonymised approximately ten years after the last contract has terminated. The information will be erased in accordance with the controller’s erasure processes.
Data concerning potential customers will mainly be stored for six months after establishing a potential customer relationship. If the potential customer relationship with an OP cooperative bank is based on customer data received from another OP Financial Group entity for this purpose, such customer relationship will remain in the register until the data subject is no longer a customer of the entity that disclosed the information.
The controller may process personal data for direct marketing purposes under applicable laws even after the end of a contractual relationship.
10. Personal data sources and updates
Personal data is primarily collected from the data subjects themselves. Personal data may also be collected when the data subject uses certain services of the controller, such as online services.
Personal data may be obtained from other OP Financial Group data files and entities as permitted by the law. This data can be used, for example, for risk management and marketing purposes.
All phone calls to and from the controller may be recorded. We may use call recordings to verify customer transactions, assure the quality of customer service and develop our services and for training purposes.
Personal data can also be collected and updated within the limits permitted by law from the personal data files of third parties, including the following:
- Registers maintained by public authorities, such as the Digital and Population Data Services Agency, the Tax Administration’s Positive Credit Register, the enforcement authorities and the police
- Credit data file controllers
- Shared customer default register of the financial sector
- Housing Finance and Development Centre of Finland (Ara)
- Obtaining information necessary to identify a person’s political exposure and whether they are subject to international sanctions observed by the controller, from parties maintaining databases containing such information
11. Data subjects’ rights
Data subjects have the right to receive the controller’s confirmation of whether their personal data will be processed or not, or whether they have already been processed.
If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.
The controller may charge a reasonable administrative fee for any additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.
Data subjects also have the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.
Data subjects also have, in certain circumstances, the right to request the controller to restrict the processing of their personal data or to otherwise object to processing. In addition, data subjects may request that the data they have provided themselves be transferred in a machine-readable format.
All requests mentioned herein must be submitted to the abovementioned contact person of the controller.
If a data subject considers that their personal data is not processed legally, they have the right to file a complaint with the supervisory authority.
12. Right to cancel prior consent
If the controller processes a data subject’s personal data on the basis of consent, the data subject has the right to cancel such consent. The cancellation of consent does not affect the lawfulness of processing performed on the basis of said consent prior to its withdrawal. Such cancellation may, however, have an effect on the usability and functionalities of the controller’s services.
13. Protection methods regarding the data file
The controller is committed to processing personal data securely and in a manner that fulfils the requirements of applicable laws. The controller has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.
The controller has taken appropriate technical and organisational measures to protect the data. The data file is protected using, for example, the following tools:
- Protection of hardware and files
- Access control
- User identity verification
- Access rights
- Registration of usage events
- Processing guidelines and supervision
The controller also requires of its suppliers appropriate protection of any personal data to be processed.