OK Perintä Oy is a data controller, in the meaning of the EU General Data Protection Regulation (EU 2016/679), to the personal data collected from the data subject when providing the account information service.
1. Data controller
OK Perintä Oy
Business ID: 0873725-0
Tiilitehtaankatu 7 A
2. Contact person for privacy matters
Data Protection Officer Jenni Vainionpää
OK Perintä Oy
Tiilitehtaankatu 7 A
3. Name of register
OK Perintä Oy´s account information service register.
4. Legal basis and purpose of processing data
The legal bases and purposes for processing data under the EU General Data Protection Regulation are the following:
The performance of a contract between the data controller and data subject (Article 6.1(b)) The data controller processes all personal data mentioned in section 6 for the performance of the contract between the data controller and data subject.
The execution of the legitimate interests of the data controller (Article 6.1 f). The data controller processes the personal data mentioned in section 6 a) to protect its service from fraudulent activities and attacks and to perform analysis of the service in order to improve the service. The data controller can also process the personal data mentioned in section 6 a) for the establishment, exercise or defence of legal claims, in situations where the processing of personal data is necessary to execute the legitimate interests of the data controller. The data controller can process the personal data mentioned in section 6 a), d) and e) in order to assess the quality of the service and document what has been agreed upon between the data controller and data subject, in situations where the data subject has contacted the data controller´s customer service;
The data processing is necessary for compliance with a legal obligation to which the controller is subject (Article 6.1 c). The data controller may process all personal data mentioned in section 6 in order to comply with its legal obligations (such as obligations related to the prevention of money laundering).
Since the provision of the account information service concerns the data subject´s bank transactions, the transactions in question may contain or provide clues on special categories of personal data as defined in article 9 of the EU General Data Protection Regulation, such as clues on the data subject´s political opinions based on membership payments to trade unions or clues on the data subject´s health based on healthcare payments. The explicit consent of the data subject is the legal basis for the processing of such personal data. Because the personal data is processed on the basis of the data subject´s explicit consent, the data subject has the right to withdraw its consent at any time, after which personal data will no longer be processed, if there is no other legal basis for the processing. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal in accordance with article 7.3 of EU General Data Protection Regulation.
The processing of personal data can be considered lawful and necessary on the aforementioned bases.
5. Category of data subjects
The category of data subjects comprises of the customers of the account information service.
Other personal data necessary for the purposes of providing the account information may also be stored in the account information service register. These may include the personal data of the client and the authorities.
6. Data content of the register
The following data on the data subject may be processed in the register:
The data subject´s name,
Name of the data subject´s bank, name of the bank account, bank account number, number of bank accounts to which the data subject has given its consent,
The data subject´s monthly income and outgoings (wages and expenses), details about transactions (payments, names of the payer and the recipient, amount, balance, date and time), overdrafts, opening and closing balances and other payment information from the thirty-six (36) months preceding the use of the account information service,
Information the data subject has given in connection with a complaint or other contact.
7. Regular sources of data
The personal data is primarily collected from the data subject´s internet bank, to which the data subject has given its consent (consent as defined in the Finnish Payment Service Act) in connection with the use of the account information service. Personal data may also be collected from the data subject itself, for an example if the data subject contacts the data controller´s customer service.
8. Regular categories of recipients
Personal data will be disclosed to the third party with whom the data subject has agreed to share the data with in accordance with the agreement between the data subject and data controller.
In addition, the data controller may make use of an external subcontractor or software service provider to process personal data on behalf of the data controller. In such cases, the data controller is responsible for ensuring the lawfulness of processing.
The data controller may disclose data to authorities to the extent permitted and required by from time to time applicable legislation, for an example when the data controller has to reply to requests from courts, law enforcement authorities, regulatory authorities and other authorities.
9. Transfer of data outside the EU or EEA
The company does not disclose or transfer personal data outside the EU or EEA.
10. Period of storing personal data
The data controller does store the financial information as defined in section 6 b) and c) any longer after the information has been transferred to the third party the data subject has agreed to share the information with.
The company will store call recordings of telephone conversations with data subjects as well as email correspondence with data subjects for a period of three years. If the errand is contested, call recordings may be stored until the resolution of the matter is legally valid.
The company does not use personal data for the purpose of profiling.
12. Description of technical and organisational protective measures
The processing of personal data is carried out with due diligence. Members of personnel who process personal data receive initial training and regular yearly training. Data in the register may only be processed by individuals entitled to do so by reason of their duties. Processors of personal data are subject to a non-disclosure obligation.
The company processes the personal data of the data subject in electronic form. The company has implemented the technical and organisational measures it has deemed necessary to protect the register from unauthorised access and use. Such measures are for an example different user-names and password-combinations as well as secure data connections.
13. Right of access and right to rectification
The data subject shall have the right to access their personal data stored in the filing system. The request for access must be made in writing and ensure that the company is able to verify the identity of the data subject. If necessary, the controller may ask the individual requesting access to prove their identity. Requests for access shall be presented to the Data Protection Officer (section 2). Rectification may be requested once each year without additional fee, after which the company shall charge an administrative fee of EUR 20 for each further request as compensation for the work caused. The company shall respond to the individual presenting the request within the period of time specified in the GDPR (usually one month from the request).
If a data subject finds their data to be inaccurate, they have the right to request that their data be rectified or erased, unless such data is necessary for the performance of debt collection. The controller must notify third parties with whom they have shared the data or from whom they have received the inaccurate data of the rectification unless this would require disproportionate effort. Requests for rectification shall be presented to the Data Protection Officer (section 2).
14. Other rights of data subjects
Data subjects have the right to request the restriction of processing until, for example, the controller has verified the accuracy of the data. Data subjects have the right to object to direct marketing at any time.
Data subjects have the right to file a complaint to the regulatory authorities on matters related to the processing of their personal data.