Processing of personal data

Privacy statement

Updated January 30th 2018

Processing your personal data carefully and cautiously is of primary importance to us at OP Financial Group. We process your personal data in compliance with data protection legislation and good information management and processing practice. We always act in accordance with good insurance and banking practices and ensure that your privacy is not in jeopardy.

Processing your personal data helps us provide you with better service. We collect and use personal data to produce products and services and to develop and provide completely new types of services. This is how we can better respond to your needs.

Please note that our website may include links to the website or services of other companies which have their own specific privacy protection practices. In such cases, we recommend reading the privacy protection practices of the third parties concerned.

We provide additional information on privacy protection in connection with most individual services, products, sites and applications. Such additional information provided in these cases prevails over this text.

Our privacy practices may change slightly when we develop services or legislation changes. Up-to-date information on our practices can be found on this website.

If you wish to know more about the processing of our corporate customers’ personal data, please scroll down.

We process your personal data to be able to provide you with high-quality and personalised products and services and better customer service. We are determined to continuously improve and enhance quality and functionality. We may use your personal data to further develop our products, services, customer service as well as sales and marketing. We may use your personal data to offer products and services, answer your requests and questions, execute agreements, process orders and perform similar functions. We also use your data for OP Financial Group’s risk management purposes and to fulfil the obligations based on laws and regulations and instructions issued by the authorities, such as authenticating users and ensuring data security as well as preventing and investigating fraud.

We also use your personal data for customer communication purposes. For example, we can send you newsletters as well as notifications of changes related to our products and services. We may use your personal data for product and service marketing and market research with your consent, or when it is otherwise permitted. Furthermore, we may also use your personal data to target our products and services to you, for example, by recommending or demonstrating targeted content on our service. This may include showing the content of OP and third parties. Processing personal data also helps us to allocate our investments in service development.

With your permission and within the limits permitted by law, we may also combine information collected in connection with certain of our products and/or services with information collected in connection with our other products and/or services.

We obtain your data directly from you. The data may be observed in the use of services or derived from their use. In addition, we obtain data from registers maintained by the authorities, credit information and customer default registers as well as other reliable registers.

Those processing your data include only OP Financial Group entities, or service providers and their employees, with the right to process personal data.

The Group’s service providers may disclose your data not only within the Group but also outside of the Group directly for certain purposes based on law as well as with your consent. Your data will always be processed exercising due care and complying with good data processing practices.

We collect your personal data, for instance, when you become our customer, in connection with selling and using products and services, during marketing campaigns or surveys and during your other transactions with us. We collect only data about you relevant to the purpose of use of the product and service concerned. You provide us with information, for example, when you request services, participate in surveys or campaigns or answer questions in connection with the services we provide. We also get information by observing how you use our services.

Such personal data we collect include:

  • Details related to identifying and verifying the identity of a person, such as the name and personal ID code;
  • Contact information, such as address, email address and phone number;
  • Various information related to customer relationship and its management;
  • Information required for the fulfilment of obligations laid down in laws;
  • Information related to the adoption of products and services; and
  • Information about the use of products and services, such as usage and browsing data on services that we, for example, collect on our website and mobile services.

The personal data we collect is determined by the product and service concerned.

We use cookies (small text files stored on a device) to provide and further develop our services. We also use cookies to personalise the content and target marketing efforts. Through cookies, we can, for example, better provide real-time and personalised services by showing the content that interests the user. They also enable, for example, login and authentication, saving personal settings and specifications, analysing the performance of our website as well as preventing fraud. When you use our online services, they collect, for example, the following information: IP address, links you use, what advertisements or other contents you have viewed, from what page you come and what page you visit, time of browsing, type of your browser or application and other similar information. Our website and services may contain third-party cookies.

We use session and persistent cookies. Session cookies exist only during a session, or a single visit, and are deleted automatically when the browser is closed. Persistent cookies exist for a specified period and remain on your computer after the expiry of the session unless you delete them yourself before that. Cookies do not harm your device or files in any way.

You can manage cookies, for example, through the browser’s management functions. More information about cookies can be found in the privacy protection or instructions documentation of each browser. Given that the features of certain services are determined according to cookies, disabling and deleting cookies (browser and other selections) may weaken the functionality and user experience of the online or mobile application service concerned provided by OP Financial Group. For example, you cannot necessarily authenticate yourself on the online service or use all features and you may lose specified settings.

We disclose your data, within the limits permitted by law, within OP Financial Group and to a company or entity belonging to the same amalgamation, for customer relationship management and marketing. In addition, we disclose data for risk management purposes within OP Financial Group.

OP Financial Group uses suppliers in the provision of services and discloses personal data, for example, to the authorities to fulfil its statutory obligations (such as the tax, enforcement or social welfare authorities), to the Population Register Centre for address updates and to Suomen Asiakastieto Oy for monitoring payment defaults. To prevent crime against banks and insurance companies, we hand over your personal data to registers maintained jointly by banks and insurance companies.

As a rule, we process data within the EU and EEA. If we transfer data outside of the EU or EEA, we will ensure the sufficient level of personal data protection as required by legislation, such as by applying the standard contractual clauses adopted by the European Commission.

You have the right to check information on yourself, demand correction of stored false or insufficient data and demand deletion of data in the register unnecessary or outdated for processing purposes.

You also have the right to forbid the use of your data for both marketing and opinion surveys and direct marketing purposes by contacting the controller or by changing settings on the online service. You can also opt out of receiving targeted advertisements based on your behaviour on the online service. Following the opt-out, you will see as many advertisements as before but these are not targeted based on subjects that interest you.

We protect your personal data exercising special care by using appropriate data protection and data security methods. These methods include proactive and reactive risk management, use of firewalls, encryption techniques and secure IT areas as well as access control and security systems, security planning, controlled granting and monitoring of access/user rights, ensuring skills through training for personnel involved in processing personal data and through assessments as well as careful selection of suppliers. We are continuously updating our in-house practices and guidelines in an appropriate manner.

We collect and process data about children under 15 years of age mainly with the consent of their parents or guardians. Without their consent, we collect such data only for certain, specifically defined and limited purposes (for example, a minor may be named a beneficiary in an insurance policy without the consent of the guardian/parent).

We retain your data for at least the time you are our customer. After the customer relationship ends, the retention period depends on the data and its purpose of use. For example, we retain your KYC information for five years from the end of the customer relationship and, as a rule, retain data on potential customers for six months from its collection. We comply with statutory obligations in retaining data.

We seek to keep the personal data in our possession correct and up to date by deleting unnecessary data and updating outdated data. However, we ask you to check every now and then whether your data is up to date.

Please send your queries and requests related to personal data processing to the controller in the first instance. The controller is determined on the basis of the customer relationship. If you are an OP cooperative bank customer, your own cooperative bank is the controller. For insurance customers, the controller is the insurance company which granted the insurance policy.

For more information on privacy and data protection, please visit an OP cooperative bank or call our telephone service, tel. 010 253 1333.

We are also pleased to answer any questions related to personal data processing and privacy protection at: dataprotection(a)

Data file descriptions of Group member cooperative banks

In order to prevent insurance fraud, Finnish insurers have a joint claims register, which contains certain data on claims with the aim of thwarting multiple claims filed for the same damage or loss with several insurance companies. Likewise, information on a person who has committed insurance fraud is recorded in a joint fraud register. The Data Protection Board has granted specific permission to keep these joint registers.

OP Financial Group operates in sectors that require particular trust, and it is essential that OP Financial Group can ensure a high level of information security and data protection in all of its operations. All personal data (including patient data) is processed carefully and in accordance with legislative obligations and good data processing practices. We respect bank and insurance secrecy and the confidentiality of patient data in all of our operations.

We ensure that processing is based on lawful grounds. We will only use data for purposes defined in advance or for purposes compatible with such predefined use. Any unnecessary personal data will be deleted or anonymised.

In certain situations, the companies of OP Financial Group may process the personal data of their corporate customers’ employees, such as the information of a corporate customer’s contact persons. As a general rule, an OP Financial Group company will act as a controller in these situations, in which case the corporate customer’s employees are data subjects as defined in data protection legislation. This could be the case, for example, in situations in which a corporate customer has acquired lease financing from OP for employees’ company cars or their occupational accident and occupational disease insurances.

Below you can find answers to the frequently asked questions presented by our corporate customers and cooperation partners.

What kinds of measures has OP Financial Group taken to ensure that the obligations of data protection legislation are met?

The EU General Data Protection Regulation will be applied as of 25 May 2018. A project is underway at OP Financial Group in which all of its operations related to the processing of personal data are reviewed. The project will ensure that OP is able to meet the requirements of the new regulation and, in this way, further improve customer services.

OP Financial Group has also appointed a Data Protection Officer for the Group level. The Officer is assisted by an extensive network of data protection professionals. There is also a separate Data Protection Officer in Pohjola Health Ltd. OP Financial Group will also train all staff members so that each employee in the OP Financial Group is familiar with the requirements of data protection legislation to the extent required by their duties and able to implement data protection by design and by default in their own operation.

Our employees are covered under the occupational accident and occupational disease insurance and health insurance by OP Insurance Ltd. What should our company take into account?

OP Insurance Ltd is the controller in these cases and thus responsible for obligations related to the processing of personal data. We always process all personal data with particular care and in accordance with data protection legislation and good data processing practices.

Our company has acquired lease financing from OP for our employees’ company cars. What should our company take into account?

OP Corporate Bank plc is the controller in these cases and thus responsible for obligations related to the processing of personal data. We always process all personal data with particular care and in accordance with data protection legislation and good data processing practices.

How can our employees check their personal data in this case?

In situations in which an OP Financial Group company processes the information of a corporate customer’s employees as a controller, the persons in question are entitled to access their personal data. However, the right of access is a personal right and therefore our corporate customers may not access the data on behalf of their employees.

How is OP Financial Group prepared for data security breaches and communicating about them?

OP Financial Group will make every effort to prevent all data security breaches. In the event of a data security breach regardless of such measures, OP Financial Group has efficient operating models in place with the help of which it can quickly react to such situations and minimise any adverse effects of the breach. OP Financial Group will make necessary notifications on data security breaches it has detected in accordance with legislation.

How is the processing of personal data agreed with corporate customers and what is agreed related to processing?

In situations in which the General Data Protection Regulation requires that contracts must partly be updated, OP Financial Group will ensure that the contracts are updated. It may not be necessary to update contracts with regard to OP Financial Group’s corporate customers.

Should a corporate customer of OP Financial Group make an agreement with an OP Financial Group company in accordance with the so-called Art 28?

The General Data Protection Regulation requires that in certain situations the processing of personal data is specified in an agreement made between a controller and the processor of personal data (agreement terms in accordance with the so-called Art 28). For example, if statutory insurances for your employee have been acquired from OP, OP acts as the controller instead of a processor of personal data on behalf of your company, and therefore, it is not necessary to draft a data processing agreement in this connection according to data protection legislation.

Does OP Financial Group transfer the personal data of corporate customer’s employees to third countries outside the European Economic Area?

We use subcontractors and partners for service provision. Personal data can be transferred in connection with service provision to an OP Financial Group subcontractor located in a third country, for example. OP Financial Group always follows the obligations of data protection legislation when data is being transferred. We use various contractual and other arrangements to ensure that our subcontractors and partners process personal data carefully and in accordance with good data processing practice.

When any personal data is transferred outside the European Economic Area, the transfer mechanism used must comply with data protection legislation, such as model contractual clauses approved by the European Commission.

Who is responsible for providing information on the processing of personal data?

When an OP Financial Group company acts as a controller, it is responsible for providing appropriate information on the processing of personal data to its customers and other data subjects.

How will OP Financial Group ensure that its subcontractors operate appropriately?

When OP Financial Group uses subcontractors for the processing of personal data, it is responsible for the operation of the subcontractors. OP Financial Group selects all subcontractors with particular care in order to ensure an appropriate level of data protection and information security in all of its operations. If necessary, OP Financial Group may also audit the processors of personal data used in order to ensure that their operation complies with requirements.

OP Financial Group makes an agreement with subcontractors used regarding the processing of personal data in which the contracting party is required to operate in accordance with the General Data Protection Regulation.

How will OP Financial Group ensure the security of personal data?

We protect personal data with appropriate technical and organisational safeguards. Such methods include proactive and reactive risk management and the use of firewalls, encryption techniques, secure data centres and access management and safety systems. We also make use of security planning, grant and supervise user rights in a controlled manner, ensure the competence of personnel who process personal data and choose our subcontractors carefully. We are continuously updating our in-house practices and guidelines.