Privacy Notice for OP Financial Group’s stakeholder communication

Updated on 29 November 2022

1. Overview

This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the General Data Protection Regulation) and the national legislation for a data subject, that is, for the controller’s customer, employees and other stakeholders as well as the supervisory authority.

2. Controller and its contact information

OP Cooperative
Postal address: P.O. Box 308, FI-00013 OP, FINLAND
Street address: Gebhardinaukio 1 00510 HELSINKI
Controller’s contact person: Lotta Ala-Kulju 
Email: lotta.ala-kulju@op.fi

3. Data Protection Officer’s contact information

OP Financial Group’s Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, FI-00013 OP, FINLAND
Email: dataprotection@op.fi

4. Name of the personal data file and data subjects

Privacy notice for OP Financial Group’s stakeholder communication

Data subjects include the representatives of OP's stakeholder groups from the media, education sector, scientific communities, affiliated entities, non-governmental organisations, industry associations, labour market organisations, policymakers, authorities and decisionmakers. Data subjects can be private individuals or representatives of their organisations.

In addition, data subjects can be persons who have published content, such as public social media posts or blogs related to OP Financial Group or its business.

5. Purpose of personal data processing and legal basis for processing

The purposes of use of personal data include the following:

  • maintenance, management and development of media and stakeholder relations
  • business development
  • opinion polls based on consent
  • media monitoring, which may also include monitoring and analysis of public content on social media

Profiling

Processing of personal data within the scope of the data file includes profiling. Profiling means the automated processing of personal data for evaluating certain personal aspects of an individual. In the context of media monitoring, we assess the tone of the published content to monitor whether the publicity is positive or negative. Further information about profiling is available in OP’s Privacy Statement at op.fi/dataprotection.

 


Legal basis
Example
Legitimate interests of the controller or a third party Personal data processing related to the purposes of use above is as a rule based on legitimate interests.

Media monitoring is based on legitimate interest.
Consent Personal data processing may also be based on consent requested from the data subject, such as an opinion poll based on consent.

 

6. Categories of personal data

Category Data content
Basic information Data subject’s name

Data subject's contact details, such as email address, organisation's postal address and social media account or pseudonym.
Background information Occupation, media, other position with societal significance or a significant role in a social dialogue.
Content of messages The content of communication with the data subject. Posts concerning OP Financial Group which the data subject has publicly posted on social media channels or published on other media.

 

7. Recipients and recipient groups of personal data

Any personal data obtained may be used within OP Financial Group as permitted by the law, such as for preparing a guest list for events.

Transfer of data to suppliers

The controller has suppliers which process personal data for its account. The controller concludes appropriate agreements on personal data processing with all such suppliers.

The controller’s suppliers provide the controller with, for example, information system services and communication tools. Some of the controller’s suppliers are other OP Financial Group entities. 

8. Transfer of personal data

The controller uses subcontractors for data processing, and data may be transferred outside the EU or EEA. When data is transferred outside the EU or EEA, the transfer is done using the European Commission’s standard contractual clauses or some other transfer mechanism in accordance with legislation. Further details on international transfers of personal data and standard contractual clauses are available from OP’s website at https://www.op.fi/dataprotection.

9. Personal data retention period or criteria for determining the period 

Personal data will be retained as long as the data subject holds an occupation belonging to OP's stakeholder group or holds a social position. The personal data retention period is also determined by how the data subject maintains contact with OP Financial Group and participates in OP Financial Group's activities and events related to public affairs.  The controller assesses the need to retain data subjects’ data in the data file on an annual basis.

Search results from social media posts and media content related to OP Financial Group will be retained for approximately 12 months.

10. Personal data sources and updates

Personal data is collected from the data subjects themselves and from public sources, such as websites of state and municipal actors and companies as well as from public social media profiles. Personal data is updated at regular intervals once a year.  This also involves checking whether the data subject still holds an occupation belonging to OP's stakeholder group or a social position.

11. Data subjects’ rights

Data subjects have the right to receive the controller’s confirmation of whether their personal data will be processed or not, or whether they have already been processed.

If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.

The controller may charge a reasonable administrative fee for any additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.

The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.

In certain circumstances, the data subject also has the right to request the controller to restrict the processing of their personal data or to otherwise object to processing. In addition, under the General Data Protection Regulation, the data subject may request that the data they have provided themselves be transferred in machine-readable format.

All requests mentioned herein must be submitted to the abovementioned contact person of the controller.

If a data subject considers that their personal data is not processed legally, they have the right to file a complaint with the supervisory authority.

12. Right to cancel prior consent

If the controller processes the data subject's personal data on the basis of consent, the data subject has the right to cancel such consent by contacting the controller. The cancellation of consent does not affect the lawfulness of processing performed prior to the cancellation.

13. Protection methods regarding the data file

The controller has taken appropriate technical and organisational measures to protect the data. The data file is protected using, for example, the following tools:

  • Protection of hardware and files
  • User identity verification
  • Account privileges
  • Processing guidelines and supervision

The controller also requires of its suppliers appropriate protection of any personal data to be processed.