
Privacy Notice for Private Customers

On this page, we explain how OmaSp processes the personal data of existing and prospective private customers as well as other private individuals associated with them.

More detailed information about the processing of personal data is available in our Privacy Notice.

If you are representing an SME customer, you can find more information about how we process your personal data on the "Privacy Notice for SME Customers" page.

What data do we collect?

On this page, we explain how we process personal data relating to the following individuals: 

  • Existing private customers who use the bank's services or products 
  • Prospective private customers who have contacted the bank, for example by requesting a loan offer or submitting a contact request 
  • Other private individuals connected to private customers, such as guarantors, legal guardians, authorised representatives and agents, whose personal data is processed when carrying out banking services. 

The personal data we process varies depending on whether you are an existing customer or a prospective customer and which services you use. For example: 

  • If you have a bank account and online banking credentials with OmaSp, the bank stores your basic personal details, identification data and information relating to your agreements and products.  
  • If you have taken out a loan from OmaSp, the bank also keeps background information relating to your financial situation, as well as documents such as promissory notes.  
  • If you have contacted our customer service, the phone calls or chat conversations may have been recorded.  

The categories of personal data that we process are described in more detail in section 5 of the Privacy Notice.

 

Reason for processing and legal basis

We process personal data in order to provide services to our individual customers, manage our operations, and fulfil our legal and contractual obligations. 

This includes:  

  • Identifying and verifying customers 
  • Communicating with customers and their representatives  
  • Managing customer relationships and providing customer service 
  • Managing risks and ensuring security 
  • Complying with legal obligations and requirements from the authorities 
  • Developing our services 
  • Marketing our products and services 

Performance of a contract 
We collect and process personal data in order to perform contracts between us and the data subject, as well as to take necessary steps before entering into contracts. Such contracts include account agreements, online banking agreements and card agreements.  

Compliance with legal obligations 
We are required to process personal data to comply with legal obligations and decisions issued by the authorities. These obligations include e.g. customer due diligence requirements and obligations arising from legislation governing specific services or products, such as loans, investment funds and collateral arrangements.  

Legitimate interest 
Some personal data is processed based on OmaSp's legitimate interests. We always ensure that such processing is proportionate and does not override the interests or the fundamental rights and freedoms of the data subject. Our legitimate interests include conducting customer satisfaction and marketing surveys, and ensuring security at our branches. 

Consent 
We may also process your personal data on the basis of your specific consent. For example, we may request your consent for us to send you electronic direct marketing.  

Automated decision-making means that our systems make decisions based on information about you without human intervention. In addition to the information we already have, information from public registers and other public sources can also be used in automated decision-making. 

We will always let you know clearly if a decision is made automatically without human involvement. If such a decision has legal effects concerning you, or if the decision otherwise significantly affects you, you have the right to express your opinion on the matter and to require human participation in the decision-making process.

Sources and retention of personal data

We collect your personal data from the following sources: 

  • Directly from you, e.g. when you visit one of our branches, use our online banking services, contact our customer service or submit a loan application 
  • From a representative who is taking care of your banking matters for you (e.g. an authorised representative or legal guardian) 
  • From official registers, such as the Population Information System, the Positive Credit Register and other registers maintained by the Finnish Tax Administration 
  • From national and international registers relating to politically exposed persons, sanctions regulations and asset-freezing decisions. 

We implement appropriate technical and organisational measures to ensure that all personal data is processed securely and in compliance with applicable legislation. 

We also require our subcontractors to apply appropriate safeguards to any personal data that they process for us. 

We keep your personal data only for as long as it is needed for the purposes for which it was collected, or for as long as we are legally required to keep it. Once this period expires, your personal data is deleted or anonymised. 

Examples of retention periods: 

  • Information relating to customer relationships and contractual arrangements is generally kept for ten years after the end of the customer relationship. 
  • Information collected for customer due diligence purposes is kept for five years after the end of the contractual relationship, as required by law. 

Disclosure and sharing of personal data

We only share your personal data with other data controllers with your consent or if disclosure of the data is specifically provided for in law. We never share your personal data without a justified reason. 

We regularly share personal data with: 

  • Authorities such as the police, enforcement authorities, Finnish Financial Supervisory Authority and Finnish Tax Administration 
  • External business partners and service providers, such as payment card issuers, merchants accepting card payments and payment service intermediaries. 

In addition to our employees, your personal data may be processed by our partners and subcontractors, such as various IT service providers. 

We always use appropriate contractual arrangements to ensure that all these partners and subcontractors follow our instructions for processing data and handle your personal data carefully and in compliance with applicable legislation. 

As a rule, we process personal data within the European Economic Area (EEA), consisting of the EU countries, Iceland, Liechtenstein and Norway. If we transfer your personal data outside the EEA, we always ensure that your data is adequately protected in accordance with applicable legislation, and we always use the necessary transfer mechanisms, such as the European Commission's Standard Contractual Clauses. 

Your rights as a data subject

As a data subject, you have the rights described below under applicable data protection legislation.  

Right to access 
You have the right to access the personal data that OmaSp has about you. However, this right may be limited by law, the privacy rights of other individuals or the need to protect OmaSp's trade secrets. 

Right to rectification 
You have the right to request that we correct, delete or complete inaccurate or incomplete personal data that we have about you, unless restricted by applicable legislation.  

Right to object to processing 
If we are processing your personal data on the basis of our legitimate interests, you have the right to object to such processing for reasons relating to your particular situation. You also have the right to object at any time to the use of your personal data for direct marketing.  

Right to restrict processing 
If you have informed us that some of your personal data is inaccurate, you have the right to request that we restrict the processing of your personal data while requests relating to the accuracy of the data are being investigated or resolved.  

Right to erasure 
You have the right to request that we delete your personal data, e.g. if you object to the processing of your data and there are no overriding legitimate grounds for continuing to process your data, or if the processing is unlawful.  

However, due to financial regulations, OmaSp is often required to keep personal data throughout the customer relationship and, in some cases, after it has ended if it is necessary to process the data to comply with legal obligations or to establish, exercise or defend legal claims.  

Right to data portability
You have the right to receive personal data that you have provided to us in a structured, commonly used and machine-readable format, or to request that the data is transferred to another data controller where its processing is based on a contract or consent and the transfer is technically feasible and can be carried out by automated means.  

Right to withdraw consent 
Where we process your personal data on the basis of your consent, you have the right to withdraw that consent at any time. Withdrawing your consent does not affect the lawfulness of any processing carried out before the consent was withdrawn. 

If you have any questions about the processing of your personal data or if you want to exercise any of the rights described above, you can do so by visiting one of our branches, through online banking or by contacting our Data Protection Officer:  

OmaSp Data Protection Officer 
Address: Valtakatu 32, 53100 Lappeenranta 
Email: tietosuoja[at]omasp[dot]fi

If you believe that the processing of your personal data is not lawful, you have the right to lodge a complaint with the Data Protection Ombudsman. Contact details are available at tietosuoja.fi/en/home