Privacy notice
1. General information
This privacy notice contains information required by the EU General Data Protection Regulation (hereinafter the GDPR) and national data protection laws and intended for data subjects, such as the controller’s customers, and for the supervisory authority.
2. Controller and its contact information
Name: OP Osuuskunta
Street address: Gebhardinaukio 1, 00510 Helsinki
The controller’s contact person: Valtter Rajakannas
Telephone: +358 40 660 9858
3. Data Protection Officer’s contact information
OP Financial Group’s Data Protection Officer
OP Financial Group
Postal address: P.O. Box 308, 00013 OP
Email address: tietosuoja@op.fi
4. Personal data file
Marketing personal data file applicable to those interested in the Developer Portal channel.
5. The purpose of personal data processing and legal basis for processing
Those interested in the OP Developer Portal channel can both order an info letter through the page and register themselves as users of the OP Developer Portal. On the basis of either of these ‘subscriptions’, OP will email up-to-date information on topical matters concerning the developer channel.
The purpose of use of personal data:
- Newsletter
- Email marketing
- Information and communication
6. Personal data groups
| Personal data group | Basic information | Consent |
|---|---|---|
| Content of group information | Data subject's name | Consent and prohibitions issued by the data subject governing personal data processing |
| Data subject's contact information |
7. Recipients or groups of recipients of personal data
Any personal data obtained may be used within OP Financial Group as permitted by law. In addition, personal data may be disclosed for example to:
- the authorities in statutory cases and in compliance with official rules and regulations
OP’s suppliers and partners, who assist with the arrangement of communication and events related to developer cooperation. When disclosing personal data included in the data file, the controller will take account of the requirements of mandatory legislation, including the controller’s confidentiality obligations.
8. Transfer of personal data
The controller uses suppliers in data processing, and data may be transferred outside of the EU or EEA. When data is transferred outside of the EU or EEA, the transfer is done using the EU Commission’s standard contractual clauses or some other transfer mechanism in accordance with legislation. Read more about international transfers of personal data and the European Commission's standard contractual clauses at OP’s website: op.fi/dataprotection.
Some of the controller’s suppliers are other OP Financial Group entities. They provide the controller with information system and other support services, among other things.
9. Personal data retention period or criteria for determining the period
The data will be retained for three years, after which it will be deleted in accordance with controller’s deletion processes.
The controller may process personal data for direct marketing purposes in accordance with the applicable legislation, for example by transferring personal data to a direct marketing personal data file.
10. Personal data sources and updating personal data
Personal data is primarily collected from the data subjects themselves.
11. Data subject’s rights
Data subjects have the right to receive the controller’s confirmation of whether or not their personal data is being, or has been, processed.
If the controller processes a data subject’s personal data, the data subject has the right to obtain the information contained in this document and a copy of the personal data in question.
The controller may charge a reasonable administrative fee for copies of processed personal data requested by the data subject in addition to the initially provided copy of such data.
If the data subject submits a request electronically and requests no other delivery format, the data will be delivered in a commonly used electronic format, provided that the data can be delivered in a secure manner.
The data subject also has the right to ask the controller to rectify or erase the data subject’s personal data.
In certain cases, the data subject has the right to request that the controller restrict the processing of the data subject’s personal data, or to otherwise oppose such processing.
On the basis of the General Data Protection Regulation, the data subject may also request the transfer of data, previously provided by the data subject, from one system to another. Data subjects may forbid the processing of their personal data for direct marketing purposes.
All the above requests must be submitted to the above-named contact person of the controller.
Data subjects who believe that their personal data is not being processed legally have the right to file a complaint thereof with the supervising authority.
12. Right to cancel prior consent
If the controller processes the data subject’s personal data with the data subject’s consent, the data subject has the right to withdraw such consent. Such a cancellation may, however, affect the use and functioning of the service. Cancelling consent and forbidding communication must be performed by contacting the controller. Cancellation of consent will not affect the lawfulness of processing performed prior to cancellation.
13. Protection of the data file
The controller processes personal data securely, in accordance with applicable laws and has made the appropriate technical and organisational arrangements to protect the data. The tools used to protect the data file system include:
- protection of equipment and data files
- access control
- user identity verification
- access rights
- registration of usage events
- processing guidelines and supervision
The controller also requires that its suppliers and other partners ensure that the appropriate protection is arranged for any personal data being processed.