Privacy Notice
1. Overview
This Privacy Notice contains information required by the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act for data subjects, such as the controller’s customers and employees, and for the supervisory authority.
2. Controller and its contact information
Each OP Financial Group entity under an obligation to maintain a personal data file for whistle blowing (later, the Whistle Blowing register)
Postal address: PL 308, FI-00013 OP
Street address: Gebhardinaukio 1, 00510 HELSINKI
The controller’s contact person: Rami Kinnala
Email: rami.kinnala@op.fi
Each entity in the Group that is under the obligation to keep a Whistle Blowing register is an independent controller responsible for the register in question. This is a shared Privacy Notice describing the processing of personal data in each separate register of the entities acting as controllers.
3. Data Protection Officer’s contact information
OP Financial Group's Data Protection Officer
OP Financial Group
Postal address: PL 308, FI-00013 OP
Email: dataprotection@op.fi
4. Name of the personal data file and data subjects
Whistle Blowing register
Data subjects include people who have or have had an employment relationship with the controller or another relationship with them that is based on a contract, assignment or cooperation equivalent to an employment relationship, or who act as the controller’s agent, and who will report or have reported a violation as meant in legislation or are or have been the target of such a report. Data subjects can also include the controller’s customers, potential customers or other people who will report or have reported a violation as meant in legislation or are or have been the target of such a report.
You can submit the report anonymously.
5. Purposes of personal data processing and legal basis for processing
5.1 Purposes of processing
Regulation on the financial sector stipulates that the entities concerned must have procedures in place by which its employees can report violations of bylaws and regulations governing financial markets, investment services, investment funds and insurance activities through an independent internal channel.
The purposes of personal data use include:
- following the obligations concerning reporting violations under chapter 7, section 6 of the Act on Credit Institutions (610/2014), section 150 of the Act on Common Funds (48/1999), chapter 6 b, section 13 of the Act on Investment Services (747/2012), chapter 12, section 3 of the Securities Markets Act (746/2012), chapter 6, section 17 a of the Insurance Companies Act (521/2008), chapter 9, section 72 of the Act on Insurance Distribution (234/2018), and following the obligations under chapter 7, section 8 of the Act on Preventing Money Laundering and Terrorist Financing and following the Act on the Protection of Persons Reporting Infringements of European Union and National Law (1171/2022)
- investigating suspected violations of the rules and regulations concerning the financial markets and activities of investment services, funds and insurance companies
- investigating suspected action against the values of OP Financial Group
- fulfilling the obligations of custody, reporting and reporting in accordance with official regulations and instructions based on law
- risk management.
5.2 Legal bases for processing
The table below describes the legal bases for processing personal data contained in the data file, and provides examples of processing performed on each basis.
| Legal basis | Example |
|---|---|
| Legal obligation | The register is for processing personal data based on the Act on Credit Institutions, the Act on Common Funds, the Act on Investment Services, the Securities Markets Act, the Act on Preventing Money Laundering and Terrorist Financing, the Insurance Companies Act, the Act on Insurance Distribution and the Act on Whistleblower Protection. |
| Legitimate interest of the controller | The register is for processing personal data for investigating suspicions of operations against the values of the OP Financial Group with the purpose of promoting the general trust in markets and those acting in them. For example, the whistleblowing channel may receive false requests, which will then be deleted and directed to the correct channel. |
6. Categories of personal data
| Category | Data content |
|---|---|
| Basic information | On a case-by-case basis: Data subject’s name Data subject’s contact information Name and address of the reported organisation The whistle blower’s information is not collected and any unnecessary personal data shall be cleared from the report. |
| The event the report concerns | Heading-level description of the event and a further free-form description of the reported suspicion of a violation or infringement. |
| Messages and channel information | Channel through which the report was received. Message content, what was discussed in the reporting channel. |
7. Recipients and recipient groups of personal data
7.1 Data recipients
We may disclose personal data to the authorities and to other OP Financial Group entities to the extent permitted by law.
When disclosing personal data included in the data file, the controller takes into account the requirements of mandatory legislation, including the controller’s confidentiality obligations.
7.2 Transferring personal data to subcontractors
The controller has suppliers which process personal data for its account. The controller concludes appropriate agreements on personal data processing with all such suppliers.
The controller’s suppliers provide the controller with, for example, information system services. Some of the controller’s suppliers are other OP Financial Group entities.
7.3 International transfers of data
Personal data shall not be transferred outside the EU or EEA countries.
8. Personal data retention period or criteria for determining the period
The controller shall remove the data in five years after the report is submitted unless the further storage of data is necessary for a criminal investigation, pending trial, official investigation or to protect the rights of the whistle blower or the person the report concerns. The need for further storage of data must be reviewed no later than one year after the previous review.
9. Personal data sources and updates
The main source of personal data is the Whistle Blowing system.
information may be collected from the controller’s employees as further action following a report or from any other person whose relationship with the controller is based on an agreement, order or other cooperation or from the controller’s systems.
The whistle blower submits their report anonymously.
10. Data subject’s rights
A data subject who is the target of a report shall have no right to access information that might impede the investigation of the suspected people’s violations. The realisation of the data subject’s rights mentioned later shall be assessed on a case-by-case basis by acknowledging the special regulations applying to processing the register’s data.
Data subjects have the right to receive the controller’s confirmation of whether their personal data will be processed or not, or whether they have already been processed.
If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed.
The controller may charge a reasonable administrative fee for any additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.
Data subjects also have the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes.
Since the adoption of the GDPR, data subjects also have, in certain circumstances, the right to request the controller to restrict the processing of their personal data or to otherwise object to processing. In addition, under the GDPR, data subjects may request that the data they have provided themselves be transferred in a machine-readable format.
All requests mentioned herein must be submitted to the abovementioned contact person of the controller.
If a data subject considers that their personal data are not being processed legally, they have the right to file a complaint with the competent supervisory authority.
11. Protection methods regarding the data file
The controller is committed to processing personal data securely and in a manner that satisfies the requirements of the applicable laws. The controller has carefully assessed the risks that may be associated with the processing and taken the necessary measures to manage these risks.
The controller has taken appropriate technical and organisational measures to protect the data. The data file is protected using, for example, the following tools:
- Protection of hardware and files
- Access control
- User identity verification
- Access rights
- Registration of usage events
- Processing guidelines and supervision
The controller also requires that its suppliers and other partners engage in appropriate protection of any personal data they process.