Personal Data Processing

Processing your personal data carefully and cautiously is of primary importance to us at OP Financial Group. We process your personal data in compliance with data protection legislation and good information management and processing practice. We always act in accordance with good banking practices and ensure that your privacy is not in jeopardy.
We may provide additional information on privacy protection in agreements and other service related documents. Such additional information provided in these documents prevails over the information provided herein.
For what purposes and on what legal basis do we process your personal data?
We use your personal data to be able to answer your requests, process your orders, implement your agreements and perform similar functions. We also use your data for our risk management purposes and to fulfil our statutory obligations, such as identification of users, fulfilment of know-your-customer (KYC) and anti money laundering (AML) requirements.
The legal basis for processing by us of your personal data is usually either (i) performance of an agreement or taking steps to enter into an agreement or (ii) compliance with a legal obligation (these two are the most commonly used basis). We also may process your personal data (iii) based on your relevant consent (data subject’s consent) or (iv) if the processing is necessary for the purposes of our legitimate interests.
What personal data do we collect about you?
We provide services mainly to corporate customers and businesses. We do not, as a rule, provide services to natural persons. Therefore the main categories of data subjects (natural persons) who’s personal data we process, are: (i) representatives, shareholders, beneficial owners of corporate customers, (ii) sole entrepreneurs, (iii) collateral providers.
We collect only personal data which are relevant to the product or service concerned. Such data include for example:
  • data related to identification of a person, such as the name and personal ID code;
  • contact information, such as address, email address and phone number;
  • various information related to customer relationship and use of services;
  • data directly required to be collected by law, such as the data required for KYC and AML purposes.
Where do we obtain your personal data?
Above all, we obtain your data directly from you and from the corporate customer related to you (e.g. from a company who has appointed you as user of its accounts). We also get information by observing how you use our services. In addition, we obtain data from registers maintained by the authorities, credit information registers and other reliable sources.
Who processes your personal data?
Your data are processed by OP Financial Group entities and employees whose duties require the processing of such data. We also use subcontractors and partners for service provision. For this reason, your personal data may be transferred to such parties for processing commissioned by us. Such parties are only permitted to process your data in accordance with our instructions. They are not entitled to use your data for their own purposes, such as direct marketing.
We use various contractual and other arrangements to ensure that our subcontractors and partners process your data carefully and in accordance with good data processing practice.
As a rule, we process data within the EU. If we transfer data outside of the EU, we will ensure sufficient level of personal data protection as required by laws, such as by applying standard contractual clauses adopted by the European Commission.
Your rights as a data subject
You have the right to check information on yourself, demand correction of inaccurate data and deletion of data which are outdated or unnecessary for the processing purposes. You may also restrict processing of your personal data and exercise the right to data portability as provided for by the applicable legislation.
If you consider that we process your personal data not in compliance with data protection legislation, you may lodge a complaint with the Data Protection Inspectorate (
Profiling and automated decision-making
We do not use profiling and automated decision-making. All our decisions are made by designated decision-making bodies.
How do we protect your personal data?
We protect your personal data with appropriate technical and organisational safeguards. Such methods include proactive and reactive risk management and the use of firewalls, encryption techniques, secure data centres and access management and safety systems. We also make use of security planning, grant and supervise user rights in a controlled manner, ensure the competence of personnel who process personal data and choose our subcontractors carefully. We are continuously updating our in-house practices and guidelines.
How do we store your personal data and keep them up to date?
We retain your data for at least the duration of the customer relationship. After the end of the customer relationship, the length of the retention period depends on the data and its purpose of use. As a rule, we retain the data for ten years after the end of customer relationship. We comply with statutory obligations concerning the retention periods.
We seek to keep the personal data in our possession correct and up to date by deleting unnecessary data and updating outdated data. For this purpose we ask you to inform us of any substantial changes in your personal data, especially in the data that we have received directly from you or from a corporate customer related to you.
Who can I contact?
You can submit your queries and requests related to personal data processing to:
Our office is located at Tornimäe 5, 10145 Tallinn. If you are a NetBank user, you can also send us a message via NetBank.