This is the Obsido Group Privacy Policy, which complies with the EU’s General Data Protection Regulation (GDPR). This Privacy Policy applies to all individuals who are:
- Obsido Group customers
- individuals otherwise associated with the customer relationship such as the actual beneficiary or authorized representative
- possible future Obsido customers or
- individuals to whom marketing is targeted
(All hereinafter the “data subject”).
This privacy policy aims to provide Obsido Group customers with a comprehensive description of what personal data Obsido Group collects on them, for what purpose this data is used, and to which parties the data may be disclosed. This privacy policy applies to services and marketing provided by the Obsido Group. This privacy policy also provides data on the obligations and legislation that the Obsido Group follows in the processing of personal data.
Created April 19, 2018. Last updated June 18, 2018.
1. Controller
Obsido Group Oy, Rautatienkatu 14 A 7, 33100 Tampere
2. Controller officer contact information
Mari Virtanen, +358 41 4686 351, mari.virtanen@obsido.fi
3. Personal data groups processed
The Obsido Group collects and processes the following personal data: name of the individual, personal identification number, category, country of taxation, nationality, contact information (telephone number, email address, postal address), financial data, educational background and data on the individual’s professional background, data associated with customer relationship management such as email and telephone calls, data on the financial instruments owned by the individual and changes in these instruments, account number, possible representatives and possible other customer relationship data.
Data is stored for five complete calendar years after the customer relationship ends. When the storage period for personal data has expired, the data is deleted within a reasonable time.
4. Legal basis and purpose of personal data processing
In accordance with the EU’s GDPR regulations, the legal basis for processing personal data consists of the obligations set forth in the special laws applying to companies in the Obsido Group.
As a member of the financial industry, Obsido Group Oy and its subsidiaries are obliged to follow the following laws and regulations, for example:
- Investment Services Act
- Act on Common Funds
- Act on Alternative Funds Managers
- Act on Credit Institutions
- Act on the Prevention of Money Laundering and Terrorism Financing
- Securities Markets Act
The legal basis for processing other data is the legitimate interest of the controller in staying in contact with the data subject.
The purpose of the personal data processing is:
- the marketing of services, including direct marketing
- customer relationship management and governance
- providing services to customers and service maintenance
- informing customers of services
- risk management and prevention of abuse
- fulfilling obligations arising from legislation
The data is not used for profiling or the automation of decision making.
5. Data sources
The data stored in the register is collected from the data subjects either from agreements made with companies in the Obsido Group or from application and claims forms and their appendices.
6. Personal data recipients
The data is disclosed to the following third parties, among others:
- The authorities, such as the Finnish Tax Administration and the Finnish Financial Supervisory Authority, to fulfill the legal requirements regarding the right to receive information.
Data is disclosed to the following processors, among others:
- Svenska Handelsbanken Ab
- Aito Säästöpankki
Obsido may also have to disclose the personal data of data subjects in emergencies or other unexpected situations to protect the life and health of individuals and to protect property. In addition, Obsido may have to disclose the personal data of data subjects if Obsido is a party to a legal proceeding or a proceeding of some other dispute settlement body.
If Obsido is part of a merger, business transaction or other business arrangement, it may have to disclose the personal data of data subjects to third parties.
The disclosure of data to third parties mainly occurs via digital data transfer, but data may also be disclosed in other manners such as by phone or by letter.
7. Regular disclosure and transfer of data outside the EU or the EEA
Data is not disclosed regularly to parties other than the Finnish Tax Administration and the Finnish Financial Supervisory Authority. Data is not transferred by the controller outside the EU or EEA.
8. Principles of the protection of the registry
Due diligence is taken in the processing of the registry, and data processed with data systems is protected appropriately. The digital data security of the data is also handled appropriately. The controller ensures that the stored data, the access rights to the software, and other data critical for the security of the personal data is handled in a confidential manner and that access to the data is only granted to those employees whose duties require it.
9. Rights to inspect the data and to request corrections to the data
Individuals in the registry have the right to inspect the data about them stored in the registry and to request corrections to any incorrect or incomplete data. If individuals wish to inspect the data stored about them or to request corrections to the data, the request must be sent in writing to the controller. When presenting this request, individuals must prove their identity to the controller. The controller shall respond to the customer within the month specified in the EU data protection legislation. To the extent that the data includes trade secrets or the personal data of other individuals, the data shall not be delivered. Rather, the customer is told of the existence of the data and can then request that the data be deleted, if desired.
On its own initiative or at the request of a data subject or as required for processing, Obsido deletes and corrects incorrect, unnecessary, incomplete or out-of-date personal data in the registry.
10. Right to transfer data and to limit processing
In accordance with the current data protection legislation, data subjects have the right to request that personal data delivered by them be transferred to another controller.
In situations where personal data suspected to be incorrect cannot be corrected or deleted or if the request for removal is unclear, Obsido shall limit access to the data.
11. Other rights associated with personal data processing
Individuals in the registry generally have the right to request that the personal data about them be removed from the registry (“the right to be forgotten”). However, the rights stemming from this data protection legislation are superseded by financial industry legislation, which obligates the group to retain data.
12. The right to appeal to supervisory authorities
Data subjects have the right to appeal to supervisory authorities if a data subject believes that personal data about them has been processed in contravention of the current legislation. In the European Union, appeals may be made to data protection authorities, particularly to the data protection authorities of the state in which the subject lives or works or to the data protection authorities of the state in which the claimed infraction has occurred. The data protection authority in Finland is the Office of the Data Protection Ombudsman: tietosuoja.fi/en/home
13. Changes in the privacy policy
Obsido may change or update this data protection policy as necessary. Changes may also be based on changes in the relevant legislation on data protection. Data subjects are notified of significant changes by email.
This privacy policy was issued on June 18, 2018, version 1.1.