Your rights

Right to obtain information about the processing of your personal data

The General Data Protection Regulation brings openness and transparency to personal data processing. Thus, you have the opportunity to control the processing of your data and understand and exercise the rights associated with the processing. We will inform you about the processing of your personal data whenever we collect or obtain it and will tell you about the purposes of the processing of your personal data and about your rights associated with the processing.

In the Privacy Notice, we inform you in greater detail, for example, of which party is the controller, i.e. the OP party which collects data, the name and contact details of the controller, the name and contact details of the Data Protection Officer, the intended use of the collected data, matters related to retention periods, to whom the data are disclosed, and whether the data are processed outside the EU. We also tell you about the safeguards related to processing and your rights.

Right of access to your data

You can view the key information related to your customer relationship with OP Financial Group in My profile at op.fi. In My profile, you can also request data stored about you for yourself and save data in both PDF and XML format on your own computer or another device.

If you wish to get the data in printed form, please visit our branch. In certain cases, we also provide your with the opportunity to view the data in our branch. As a rule, exercising the right of access is free of charge to you, and you do not need to justify your request.

Right to transfer your data

You have the right to obtain certain personal data provided to us in a structured, generally used and machine-readable form. You can also transfer such data to another controller.

Right to rectify your data

We seek to keep your data up to date and, at your request, rectify without delay any incorrect, insufficient or outdated data related to you, such as your contact details. You can go to My profile yourself at op.fi to make a rectification to your contact details, such as a change in your phone number or email address. You can also do so by visiting an OP branch as always.

Right to restriction of processing your data

In certain cases, you may request a temporary restriction of the processing of your personal data, for example, when you deny the accuracy of the data. In such a case, we exclude the personal data from daily use whose processing you want to restrict. You must indicate such a restriction to the individual data to which your request for restriction applies.

Right to object to the processing of your personal data

You have the right to object to the processing of such personal data which are not based on special enactments, agreement or consent. You can always object to the processing of your personal data for direct marketing purposes. Furthermore, you can object to processing related to market surveys and opinion polls or voluntary customer communication, for example. The right to object to the processing of personal data does not mean a general right to object to all processing of personal data at OP.

Right not to be subject to automated individual decision-making that will have significant effects

Automated decision-making means that the decision concerning you is based solely on automatic data processing. You can find examples of situations in which we use automated decision-making under the heading “How we utilise automated decision-making”.

We implement automated decision-making to speed up the handling of you matter significantly. For example, you can receive an automated loan decision quickly, or your insurance policy can enter into force immediately after you have bought it.

In our services based on automated decision-making, we inform you clearly of the matter before acquiring the service concerned. If you are dissatisfied with an automated decision, you will have the right to request that the matter be handled by a natural person on behalf of the controller and the right to express your opinion and to contest the decision.

Right to have your personal data erased (“right to be forgotten”)

If you do not want your personal data to be processed at OP Financial Group, in certain cases, you will have the right to request your data to be erased in part or in full. For example, this is the situation when the processing of your data is based on your consent, and you want to cancel your consent, or if your data is no longer needed for the purpose for which it was originally collected.

If you request the erasure of your personal data, we will assess whether we can erase such data. OP Financial Group’s operations are subject to numerous special enactments (e.g. Accounting Act and tax legislation) which include obligations related to the retention of personal data.  For example, we cannot erase your personal data at your request if there is a specific legal obligation or another justified need to retain the data. Erasing personal data is mostly involved when the data retention period has expired, or the data are otherwise found unnecessary or groundless.

In My profile at op.fi, you can view and manage your personal data, consents you have given and other information related to your customer relationship related to your personal data processed by OP Financial Group's financial business, or banks, non-life insurance and wealth management.

In My profile, you can change your contact details yourself. You can also request data stored about you for yourself and save data in both PDF and XML format on your own computer or another device with just one click.

In My profile, you can submit a separate personal data request if you need additional information.

As a rule, exercising the rights is free of charge for you. You can also exercise your rights by visiting our branch.

Op.fi’s My profile service assembles the key information related to your customer relationship conveniently together in a single place.

In My profile, you can view and manage your personal data, consents you have given and other information related to your customer relationship related to your personal data processed by OP Financial Group’s financial business, or banks, non-life insurance and wealth management. You can see whether your data and settings are up to date and can change your contact details. According to your needs, you can also request data stored about you for yourself and save data in both PDF and XML format on your own computer or another device with just one click. In My profile, you can also submit a separate personal data request if you need additional information.

For example, in My profile, you also find information related to your daily finances, loans, insurance policies and savings and investments, information on powers of attorney you have granted, as well as information related to owner-customer membership and benefits. My profile also contains settings related to the Mobile key and security.

The content of My profile has been designed with our customers. Data that were previously in various locations have been put together in an easily discernible package. We have paid particular attention to the findability of the data.

OP Financial Group operates in sectors that require particular trust, and it is essential that OP Financial Group can ensure a high level of information security and data protection in all its operations. All personal data (including patient data) are processed carefully and in accordance with legislative obligations and good data processing practices. We respect bank and insurance secrecy and the confidentiality of patient data in all our operations.

We ensure that processing is based on lawful grounds. We will only use data for purposes defined in advance or for purposes compatible with such predefined use. Any unnecessary personal data will be deleted or anonymised.

In certain situations, OP’s entities may process the personal data of its corporate customer’s employees, such as the information about a corporate customer’s contact persons. As a general rule, an OP entity will act as a controller in these situations, in which case, the corporate customer’s employees are data subjects as defined in data protection legislation. For example, this could be the case in situations in which a corporate customer has acquired lease financing from OP for employees’ company cars or their occupational accident and occupational disease insurance.

Below you can find answers to the most common questions presented by our corporate customers and cooperation partners.

What measures has OP Financial Group taken to ensure that the obligations of data protection legislation are met?

In a separate data protection project, OP has analysed all its functions related to the processing of personal data. The project ensured that OP can meet the requirements of the new regulation and thus further improve customer services.

OP Financial Group has also appointed a Data Protection Officer for the Group level. The Officer is assisted by an extensive network of data protection professionals. OP Financial Group will also train all staff members so that each employee in the OP Financial Group is familiar with the requirements of data protection legislation to the extent required by their duties and can implement data protection by design and by default in their own operation.

Our employees are covered under the occupational accident and occupational disease insurance and health insurance by Pohjola Insurance Ltd. What should our company take into account?

Pohjola Insurance Ltd is the controller in these cases and thus responsible for obligations related to the processing of personal data. We always process all personal data with particular care and in accordance with data protection legislation and good data processing practices.
Our company has acquired lease financing from OP for our employees’ company cars. What should our company take into account?

OP Corporate Bank plc is the controller in these cases and is therefore responsible for obligations related to the processing of personal data. We always process all personal data with particular care and in accordance with data protection legislation and good data processing practices.

How can our employees check their personal data in this case?

In situations in which an OP entity processes the information about corporate customer’s employees as a controller, the persons in question are entitled to access their personal data. However, the right of access is a personal right, and our corporate customers may not therefore access the data on behalf of their employees.

How is OP Financial Group prepared for data security breaches and communicating about them?

OP Financial Group will make every effort to prevent all data security breaches. In the event of a data security breach, regardless of such measures, OP Financial Group has efficient operating models in place with the aid of which it can quickly react to such situations and minimise any adverse effects of the breach. OP Financial Group will make necessary notifications on data security breaches it has detected in accordance with legislation.

How is the processing of personal data agreed with corporate customers, and what is agreed in relation to processing?

In situations in which the General Data Protection Regulation requires that contracts must partly be updated, OP Financial Group will ensure that the contracts are updated. It may not be necessary to update contracts regarding OP Financial Group’s corporate customers.

Should an OP Financial Group’s corporate customer make an agreement with an OP Financial Group company in accordance with the so-called Art 28?

The General Data Protection Regulation requires that in certain situations, the processing of personal data is specified in an agreement made between a controller and the processor of personal data (agreement terms in accordance with the so-called Art 28).

For example, if statutory insurance for your employee has been acquired from OP, OP acts as the controller instead of a processor of personal data on behalf of your company, and it is therefore unnecessary to draft a data processing agreement in this connection in accordance with data protection legislation.

Does OP Financial Group transfer the personal data of corporate customers’ employees to third countries outside the European Economic Area?

Your data will only be processed by OP Financial Group entities and employees whose duties require the processing of your data.

We use subcontractors and partners for service production and provision. For this reason, your personal data may be transferred to such parties for processing commissioned by us. Such parties are only permitted to process your data in accordance with our instructions. They are not entitled to use your data for their own purposes, such as direct marketing.

We use various contractual and other arrangements to ensure that also our suppliers and partners process your data carefully and in accordance with good data processing practice.

As a rule, we process your data within the EEA. The EEA refers to EU Member States and Iceland, Liechtenstein, and Norway. If we transfer data to a country outside the EEA where the national regulations do not ensure data protection equal to the EU level of protection, we will ensure a sufficient level of personal data protection in the manner required by law and use data transfer mechanisms approved by the European Commission, primarily the European Commission's standard contractual clauses. We use standard contractual clauses for transfers to our IT service providers in India, for example.

The standard contractual clauses are available on the European Commission’s website:

We will start using the latest versions of the standard contractual clauses for transferring personal data outside the EEA in accordance with the deadline set by the European Commission, that is, by 27 December 2022.

In certain circumstances, such as when you make payments abroad, the personal details required for the payment can be transferred to a bank outside the EEA to implement an agreement you have signed with us or based on your consent (exceptional grounds for transfer). 

Who is responsible for providing information on the processing of personal data?

When an OP Financial Group company acts as a controller, it is responsible for providing appropriate information on the processing of personal data to its customers and other data subjects.

How will OP Financial Group ensure that its subcontractors operate appropriately?

When an OP Financial Group company uses suppliers in the processing of personal data, it may use only such suppliers that have adequate safeguards in place to protect personal data. OP Financial Group selects all subcontractors with particular care to ensure an appropriate level of data protection and information security in all its operations. If necessary, OP Financial Group may also audit the processors of personal data used to ensure that their operation complies with requirements.

OP Financial Group makes an agreement with subcontractors used regarding the processing of personal data in which the contracting party is required to operate in accordance with the General Data Protection Regulation.

How will OP Financial Group ensure the security of personal data?

We protect personal data with appropriate technical and organisational safeguards. Such methods include proactive and reactive risk management and the use of firewalls, encryption techniques, secure data centres, and access management and safety systems.

We also use security planning, grant and supervise user rights in a controlled manner, ensure the competences of personnel who process personal data, and choose our subcontractors carefully. We are continuously updating our in-house practices and guidelines.

Automated decision-making means that the decision concerning you is based solely on automatic data processing.

Automated decision-making speeds up the processing of your case considerably. For example, you can receive an automated loan decision quickly, or your insurance policy can enter into force immediately after you have bought it.

Bank cards, or debit cards

We can utilise an automated decision-making process when issuing cards. The decision is based on your customer details that OP Financial Group already has. Once you have received the decision, you may request the employee to process your details on behalf of the issuer if you wish.

Credit cards, secured loans and unsecured loans

We can utilise an automated decision-making process in loan decisions. The decision is based on information you have provided, as well as your customer details that OP Financial Group already has, and information obtained from the credit information register and Population Information System. 

Once you have received the loan decision, you may request the employee to process your details on behalf of the lender if you wish.

Buying insurance

We can utilise an automated decision-making process when you buy insurance online or through a mobile application. The decision is based on the information you have provided, your customer details that OP Financial Group already has, the Vehicular and Driver Data Register, the credit information register, and our customer and insurance instructions. We get information on registered vehicles from the Vehicular and Driver Data Register based on the vehicle registration number you have given. 

Once you have received the decision, you may request the employee to process your details again on behalf of the collateral provider if you wish.

Health declaration

We can utilise an automated decision-making process when you fill in a health declaration when applying for insurance, i.e. you give information on the insured person’s state of health. The decision is based on the information you have provided, our risk selection instructions, the selected scope of cover, and the selected maximum compensation or compensation. 

Once you have received the decision, you may request the employee to process your details again on behalf of the collateral provider if you wish.

Insurance benefits

We can utilise an automated decision-making process in claims settlement. The claim decision is based on the information in your loss report, the insurance terms and conditions, and your customer details OP Financial Group already has. 

Once you have received the decision, you may request the employee to process your details again on behalf of the collateral provider if you wish.

Termination of insurance

An insurance policy can be terminated automatically due to unpaid bills.

Accounts

We can utilise automated decision-making when opening an account. The decision is based on the information you have provided, your customer details that OP Financial Group already has and the information obtained from the Population Information System.

Once you have received the decision, you may request the employee to process your details again on behalf of the account provider if you wish.

How do cookies work?

Cookies are small text files that are stored in your device’s browser. They show us the type of device with which you are using OP eServices, and whether you have visited our websites earlier.

We use cookies only with the user’s consent

With your cookie settings, you can influence the purposes for which we can utilise the data we have collected. For example, we do not use the data for targeting and marketing without your consent.

Your cookie settings are used for the op.fi service and all its subsites, as well as on OP-mobile (version 31.0 and newer) and OP Business mobile (version 15.0 and newer). If necessary, we will ask for your consent to cookies when you visit these sites.

If you have only permitted necessary cookies, we will ask your consent again after six months. Your other cookie settings will remain valid for 12 months. If you clear cookies from the browser, we will ask for your consent again the next time you visit our website.

Cookies on public webpages

When visiting OP Financial Group’s public websites, your cookie settings are saved in your browser. If you use different browsers, each may have their own browser settings.

If several persons use the same device and browser, the cookie choices made by a single user will also apply to other users unless the cookies are cleared from the browser after use.

Learn more about browser-specific cookie settings

Cookies in OP eServices for private customers

If you log in to the op.fi service during the same session and within 15 minutes, your cookie settings for the public webpage will be saved in your customer information.

Learn more about cookie settings for private customers logged into OP eServices

When you are logged in, your cookie settings can also be found in your My profile.

Cookies in corporate eServices

When logging into op.fi with business user identifiers, your cookie settings are stored in your personal information. Consent to cookies is always tied to a natural person, not to the company.

Learn more about cookie settings for corporate customers logged into OP eServices

We use both session and persistent cookies:

• Session cookies exist only during a single session or visit. They are deleted automatically when you close the browser. With session cookies, you can move from one page to another, log in to the service, and use different types of calculators and online forms, for instance.
• Persistent cookies will remain on your browser or device for a fixed period, including after the session, unless you delete them from the browser settings. We use persistent cookies to improve the user experience. With persistent cookies, the website identifies your device and remembers your settings such as language choice when you visit the website again.

Tool list

List of tools used in the op.fi service and its subpages. OP-mobile and OP Business mobile only use Adobe Analytics and OP’s own cookies and tools. We list the maximum cookie-storage time for each tool.

Targeting cookies and third-party marketing cookies

Targeting cookies (Adform) and third-party (Facebook, Hubspot, Instagram, LinkedIn, Snapchat, Twitter and YouTube) marketing cookies allow us to target OP’s topical marketing at the user through various websites and social networking services. They also give us statistical data on marketing and target groups.

Third parties are responsible for the retention times of marketing cookies in accordance with their own privacy policies.

Embed codes

We use social extensions, i.e. third party embed codes, on OP Financial Group’s websites. You can view YouTube content with them.

Embed codes are downloaded from the social media service providers’ own servers. Your cookie choices do not for now affect the cookie policies related to social plugins. Embed codes can set their own cookies based on their principles and collect data from users in the way cookies do.

Your privacy is important to us

The data collected using cookies and different tools are owned by OP Financial Group’s data controllers. As a rule, our partners act as processors of personal data on behalf of OP.

However, concerning the use of the cookie placed based on targeting cookie consent, OP acts as a joint controller with its service provider Adform (link to Adform’s privacy notice) as far as ID data is concerned. ID data is a randomly created number series that OP uses to remember an individual browser that has visited its website and to send advertising to be shown in that browser also on other websites that sell advertising space to OP. The Adform targeting cookie is used on certain subpages of the op.fi website of which some are visible only to a logged-in user. Targeting cookies are never used on such op.fi website pages that show payment, account or insurance details. A targeting cookie's ID data is not connected to your customer information held by OP Financial Group.

ID data is disclosed to Adform, who uses the data to provide OP with targeting service for online marketing and to improve this service. Adform cannot connect ID data to you. In addition to the targeting service, Adform uses ID data as an independent controller in aggregated, or combined, form to prevent fraud and for statistical purposes. The information related to your customer relationship with OP Financial Group, such as information on your use of banking or insurance services, is not used to target marketing or sent to Adform.

We can disclose data to third parties with consent obtained through marketing cookies. Third parties are responsible for the use of such data as joint controllers with OP or as independent controllers in accordance with their own privacy policies.

We collect and use web analytics only with consent to development cookies.  Web analytics for OP’s digital services is provided by Adobe. With the aid of the Adobe Analytics tool, we make sure that our digital services function properly and flawlessly and meet our customers’ needs. We use the tool to analyse error situations, user volumes and traffic on OP’s own websites and mobile applications, for example. In developing our web analytics, we ensure the privacy of users.

Adobe is the processor of personal data in providing the Adobe Analytics tool to OP. Adobe is also the controller of technical data collected using Adobe Analytics cookies (IP address, browser and device type, settings, cookie ID, version, language settings) for the purposes of testing and developing its products. This data is in the form of pseudonymised personal data, but Adobe cannot identify individuals users of OP's websites and uses the data in aggregate form. Adobe also creates fully anonymous reports based on data collected using Adobe tools from its corporate customers, such as OP. You can block Adobe from using cookie data from the following link under Adobe Experience Cloud: Adobe Privacy Center  

As a responsible service provider, we are committed to protecting your privacy in compliance with data protection legislation. Read more about how OP processes your personal data 

OP Financial Group’s cookie practices and requests for consent to the use of cookies comply with the relevant legislation and the guidelines and resolutions issued by the authorities. In particular, we observe the following:

• Judgment of the European Court of Justice C-673/17 – Planet49 
• Decision of the Deputy Data Protection Ombudsman on giving consent to the use of cookies (in Finnish)

Read more about the privacy policies of our partners and social media services:

• Adform
• Adobe
• Facebook
• Google Ads
• Instagram
• LinkedIn
• Twitter
• YouTube

Deleting cookie history

You can clear the cookie history from your browser’s settings to delete all previous cookies saved by the browser. Deleting cookie history does not prevent the formation of new cookie data. For this, you must cancel your cookie consent on OP’s website. 

Disabling the use of previous targeting data

If you have previously allowed targeting cookies, your new cookie settings will not immediately remove old cookie data. You may see targeted marketing on our partners’ websites for 60 days after you have cancelled your consent. 

Disabling third-party web advertising

If you have previously disabled third party cookies, advertisers and advertisement networks will target advertising at you based on browser-based behavioural data previously collected from OP Financial Group’s pages. 

You can prevent web advertising from outside OP that is based on previously disclosed data, either completely or specific to the company.

Disable targeted web advertising on the Your Online Choices website

Disabling all cookies

If you wish to disable cookies completely, you can do it by changing your browser settings. For more information, see the instructions concerning your browser.

If you disable all cookies with software that blocks cookies or your browser’s settings, we cannot guarantee the functionality of the basic service functions such as language settings and login.