Personal Data Processing at OP

Processing your personal data carefully and cautiously is of primary importance to us at OP Financial Group. We process your personal data in compliance with data protection legislation and good information management and processing practice. We always act in accordance with good banking practices and ensure that your privacy is not in jeopardy.

We may provide additional information on privacy protection in agreements and other service related documents. Such additional information provided in these documents prevails over the information provided herein.

For what purposes and on what legal basis do we process your personal data?

We use your personal data to be able to answer your requests, process your orders, implement your agreements and perform similar functions. We also use your data for our risk management purposes and to fulfil our statutory obligations, such as identification of users, fulfilment of know-your-customer (KYC) and anti money laundering (AML) requirements.

The legal basis for processing by us of your personal data is usually either (i) performance of an agreement or taking steps to enter into an agreement or (ii) compliance with a legal obligation (these two are the most commonly used basis). We also may process your personal data (iii) if the processing is necessary for the purposes of our legitimate interests.

What personal data do we collect about you?

We provide services mainly to corporate customers and businesses. We do not, as a rule, provide services to natural persons. Therefore the main categories of data subjects (natural persons) who’s personal data we process, are: (i) representatives, shareholders, beneficial owners of corporate customers and other persons data connected to our customers representatives (ie PEP family members or close associates), (ii) sole entrepreneurs, (iii) collateral providers.

We collect only personal data which are necessary for us to provide our products and services Such data include for example:

• data related to identification of a person, such as the name and personal ID code;
• contact information, such as address, email address and phone number;
• various information related to customer relationship and use of services;
• data directly required to be collected by law, such as the data required for KYC and AML purposes.
• various data which has come into being during the use of OP services, ie on-line identificators while using our websites and internet banking application, correspondence, use of services;
• call recordings in order to prove transactions made via telephone;
• data related to participating in polls and surveys.

Where do we obtain your personal data?

Above all, we obtain your data directly from you and from the corporate customer related to you (e.g. from a company who has appointed you as representative and/or user of its accounts). We also get information by observing how you use our services. In addition, we obtain data from public registers maintained by the authorities, credit information registers and other publicly available reliable sources.

Who processes your personal data?

Your data is processed by OP Financial Group entities and employees whose duties require the processing of such data. We also use subcontractors and partners for service provision, ie IT-development undertakings in order to develop and maintain our IT-systems, partners for distributing invoices etc. For this reason, your personal data may be transferred to such parties for processing commissioned by us. Such parties are only permitted to process your data in accordance with instructions given by OP Financial Group. They are not entitled to use your data for any other purposes not requested by us.

Additionally, we may be subject to legal obligations to disclose your data to national end EU/EEA regulatory and state authorities in order to fulfil the obligations set by law, ie anti-money laundering and countering terrorist financing related obligations, information related to tax residency etc.

We use various contractual and other arrangements to ensure that our subcontractors and partners process your data carefully and in accordance with good data processing practices.

As a rule, we process data within the EU. If we transfer data outside of the EU, we will ensure sufficient level of personal data protection as required by applicable laws and regulations, such as by applying standard contractual clauses adopted by the European Commission.

Profiling and automated decision-making

We do not use profiling and automated decision-making. All our decisions are made by designated decision-making bodies.

How do we protect your personal data?

We protect your personal data with appropriate technical and organisational safeguards. Such methods include proactive and reactive risk management and the use of firewalls, encryption techniques, secure data centres and access management and safety systems. We also make use of security planning, grant and supervise user rights in a controlled manner, ensure the competence of personnel who process personal data and choose our subcontractors carefully. We are continuously updating our in-house practices and guidelines.

How do we store your personal data and keep them up to date?

We retain your data for at least the duration of the customer relationship. After the end of the customer relationship, the length of the retention period depends on the data and its purpose of use. As a rule, we retain the data for ten years after the end of customer relationship. We comply with statutory obligations concerning the retention periods.

We seek to keep the personal data in our possession correct and up to date by deleting unnecessary data and updating outdated data. For this purpose we ask you to inform us of any substantial changes in your personal data, especially in the data that we have received directly from you or from a corporate customer related to you.

Your rights as a data subject

You have a right to get information on whether your data has been or is being processed by the data controller and if it is or has been, then information regarding the processing activities.

You also have a right to request the controller to rectify the data being processed, restrict data processing, object to specific data processing and request for erasure of personal data in certain cases. You also have the right for data portability which means transferring machine readable data directly to other service providers.

All of the data processing related requests must be submitted to the contacts referred to below in writing or signed with electronic signature.

We will reply to your request within thirty (30) calendar days as of receipt of the request. in exceptional circumstances which require additional time to gather requested information, we have a right to extend the deadline up to sixty (60) calendar days.

If you consider that we process your personal data not in compliance with data protection legislation, you may lodge a complaint with the Data Protection Inspectorate (www.aki.ee).

Who can I contact?

You can submit your written (signed or electronically signed) queries and requests related to personal data processing to the controllers: