Personal Data

Alisa Bank is committed to protecting your privacy and keeping your personal data safe. We process personal data in compliance with the EU General Data Protection Regulation (GDPR) and specific legislation for the financial industry and ensure the implementation of privacy protection and banking secrecy in all processing of personal data. With «you», we refer to our customers, potential customers, a customer’s employee, or other relevant parties, such as beneficial owners, authorized representatives, and responsible persons.

On this page we describe the collection, usage, storage and sharing practices of personal data in Alisa Bank. At the end of this page, you will find the data protection notices for the client register, the work applicant register, and the register for the annual general meeting. Within the Alisa Bank group, the data controller will be Alisa Bank Plc and/or the Alisa Bank company that you have a relationship with.

Collection of Personal Data

We process personal data for several reasons and the collected personal data can be divided into the following data categories (including examples):

  • Identification data (name, social security number)
  • Contact data (address, phone number)
  • Financial data (agreement type, transaction data & credit history)
  • Data related to legal requirements (taxation, customer due diligence and anti-money laundering obligations)
  • Special categories of data (e.g. health data is needed for Alisa Bank’s insurance product)

Personal data is in most cases collected directly from you or generated as part of the use of our services and products. Data may also be collected from publicly available and other external sources, such as the population register, tax register, company registration office and credit-rating register.

In connection with payments, we collect data from remitters, banks, payment service providers and other entities in the Alisa Bank Group or other entities which we collaborate with.

Usage of Personal Data

We use your personal data primarily to comply with our legal and contractual obligations as well as to provide you with offers and services. Personal data is also processed in the context of marketing, product and customer analyses in order to improve our product range and optimize our customer offerings.

There are situations when we will ask for your consent to process your personal data. The consent will contain data on that specific processing activity. If you have given consent to processing of your personal data, you can always withdraw such consent. We may in some cases use automated decision-making, for example in automated credit intermediation and approval process in the online channels, provided that this is permitted by legislation, or you have provided an explicit consent or if it is necessary for the performance of the contract. You can as a rule always request a manual decision-making process instead of an automated one.

We may disclose your personal data to authorities, Alisa Bank companies, suppliers, payment service providers and business partners. The disclosure of data is based on regulatory obligations, providing of services, performance of agreement, as well as your consent. Before sharing we will always ensure that we respect relevant secrecy obligations.

Protecting of Personal Data

Protecting of Personal Data is at the very core of our business. We use appropriate technical, organizational, and administrative security measures to protect any data we hold from loss, misuse, unauthorized access, disclosure, alteration, and destruction.

Rights of Data Subjects

As a data subject you have the following rights in respect of your personal data controlled by Alisa Bank:

  • Right to obtain information on the processing of personal data, e.g. whether Alisa Bank is processing your personal data, and if yes, in what manner.
  • Right of access to the personal data we are keeping about you, unless restricted by legislation. In many cases this data is already present to you in the online services of Alisa Bank.
  • Right to rectification of inaccurate or incomplete data, within legislative restrictions.
  • Right to erasure (right to be forgotten) means that in certain situations you do have the right to ask for your data to be erased without undue delay. We have legislative obligations to retain your personal data during your customer relationship, and even after that.
  • Right to restriction of processing of your personal data in certain situations.
  • Right to object to processing is the right to object to your data being processed at all in certain situations. You always have the right to object to processing of your personal data for direct marketing and profiling in connection to such marketing.
  • Right to data portability means that when possible, you have the right to receive the personal data that you have provided to us in a machine-readable format. Where secure and technically feasible the data can also be transmitted to another data controller from us.
  • Right not to be subject to a decision based solely on automated processing means that you can generally always demand human involvement in decisions concerning you when such decisions have legal effects for you or similarly significantly affect you.

Your request to exercise your rights as listed above will be assessed given the circumstances in the individual case. Please note that we may also retain and use your data as necessary to comply with legal obligations, resolve disputes, and enforce our agreements.

Data Retention

We will keep your data for as long as needed for the purposes for which your data was collected and processed or as long as required by regulation. The retention times may differ from country to country, due to local legislation.

The Authority

The data protection authority in Finland is the Data Protection Ombudsman, whose contact information can be found at www.tietosuoja.fi. You can also contact or make a complaint to the data protection authority in any country where Alisa Bank is offering you products or services.

Contact information

If you want to exercise your registered rights, you can contact Alisa Bank's Data Protection Officer via email: dataprotectionofficer@alisapankki.fi

In case of any different interpretation of the texts of the Data Notices in Finnish or other languages, the Finnish wording shall be decisive.

General – to whom this privacy policy applies

Alisa Bank Oyj and all companies belonging to the same group (including the subsidiary Puro Finance Oy), hereinafter "Alisa Bank" or "we" are committed to protecting the rights of individuals and keeping your personal data safe in accordance with the General Data Protection Regulation (EU) 2016/679 ("Data Protection regulation") and in accordance with other applicable legislation that binds Alisa Bank.

Alisa Bank processes personal data for many different reasons and this privacy policy describes how Alisa Bank collects, uses, retains and protects your personal data. In this privacy policy “data subject” or “you” means clients, potential clients, employees of our clients or other relevant parties, such as beneficial owners, authorized representatives and associated parties.

Controller

Alisa Bank Plc
Address: Bulevardi 21 A, 00180 Helsinki
Phone number: 0203 80101
Email: asiakaspalvelu@alisapankki.fi

Contact person for matters concerning the register

Data Protection Officer

Purpose of the processing of personal data and lawful basis

We mainly process your personal data to fulfil our legal and contractual obligations and to market interesting products and offer services to you. The purpose and legal basis for the processing are detailed below:

  • Identifying and knowing you. Lawful basis: our legal obligation to identify and know our client, which requires the processing of personal data.
  • Concluding and managing agreements with clients. Lawful basis: performance of a contract or our legitimate interest if the client is a legal entity.
  • Performance of payment services. Lawful basis: consent in accordance with the Act on Payment Services.
  • Opening and managing services (other than payment services) for you. Lawful basis: performance of a contract.
  • Execution and verification of business transactions. Lawful basis: performance of a contract.
  • Marketing, product and client analysis (this may include profiling (see below)). Lawful basis: our legitimate interest to market our products and services and using profiling, for example, for client analysis for marketing purposes and your consent to receive electronic direct marketing.
  • Calls and chats can be recorded and retained for confirming transactions or for purposes relating to documentation, quality control and development. Lawful basis: our legitimate interest to strengthen the quality of our services and to develop our services and to demonstrate compliance with legal obligations related to the services.
  • Carrying out obligations based on law and authority regulations. Legal basis: our legal obligation that requires the processing of personal data. These are, for example, the following:

(i) compliance with accounting laws; (ii) measures to combat and detect money laundering, fraud and terrorist financing; (iii) comparing personal data with sanctions lists; and (iv) reporting to tax, police and enforcement authorities as well as the Financial Supervisory Authority and other Finnish and foreign authorities.

We will ensure that processing of personal data carried out based on our legitimate interest is proportionate to your interests.

Automated decision making and profiling

We may use your personal data for analysis and profiling so that we can create profiles of you to support the development of our services, products and concepts, as well as for marketing purposes, client and risk ratings.

We may use automated decision-making if permitted by law or with your express consent, or if necessary for the performance of an agreement. You can always request a manual decision-making procedure instead of an automated one, express your opinion or challenge a decision based solely on automated processing, such as profiling, if that decision entails legal effects for you or otherwise has an equivalent significant effect on you. Please contact asiakaspalvelu@alisapankki.fi for further information about the logic involved with the processing as well as the significance and possible consequences of such processing.

Categories of data subjects

Persons who have/have had:

  • A client relationship with us or who have submitted an application to enter into such a relationship with us.
  • A client relationship-based interest, obligation or other right in a contract, service or transaction, such as possible beneficiaries or persons acting by proxy (person authorised to use the account, trustees, beneficial owners, persons authorized within a company, guarantor, pledgor or other).
  • Persons who have otherwise contacted us (for example, through our website).
  • Persons, whose personal data we have a statutory obligation to process.

Contents of the register

The data we collect can be categorized as follows:

A. Basic data, for example:

  • Identification data (client ID, personal identity code or date of birth, name, nationalities, taxation countries, language, fiscal residence) and a copy of an identification document (for example passport or driver’s license).
  • Contact data (addresses, telephone numbers, email addresses, contact persons and their identification details).
  • Entry stating whether you are employed by Alisa Bank.

B. Data required by the industry regulation such as, for example, information for purposes of combatting money laundering and terrorist financing and information relating to customer due diligence (i.a. KYC).

C. Client classification data, for example:

  • Information relating to the commencement of the client relationship.
  • Type of contract.
  • Contact person.
  • Client history.
  • Information on the corporate entity you represent.
  • Information on payment defaults, credit ratings and information on assets and debts.

D. Client business data:

  • Identifiers, identification method and identification date.
  • Bank contact data (contra accounts).
  • Accounts, portfolios, loans (basic data and control data).
  • Control data for reporting and client communications.
  • Collateral and pledge related data.
  • Price lists.
  • Contracts and applications.
  • Permission to electronic data exchange with normal email, client contact and thereto related information.
  • Service language.
  • Client complaints.

E. Marketing data:

  • Consent/prohibition for direct marketing.
  • Information given by yourself (areas of interest for direct marketing).
  • Marketing measures targeted at you.
  • Data relating to the use of electronic services (for example cookies).
  • Event invitations and thereto related data.
  • Data relating to communication with you (for example email).
  • Profiling information.

F. Personal data related to institutional clients:

  • Identification data (name, address, telephone number, email).
  • Position within the corporation represented by you.
  • Employment and occupational data.
  • Services offered or description of collaboration.
  • Project schedules.

The list is illustrative and non-exhaustive. The information collected may vary depending on the purpose of use and applicable category of data subjects. The information collected is limited to what is necessary in relation to the purposes for which it is processed.

Regular sources of data

Data is primarily obtained directly from you or from your representative, from public registers kept by the authorities, from sanctions lists (EU and UN sanctions lists as well as lists maintained by national organizations such as the Office of Foreign Assets Control (OFAC)), from credit information registers (Suomen Asiakastieto Oy and Bisnode (Dun & Bradstreet Finland Oy)) and from other commercial information providers (for example information on beneficial owners and politically exposed persons).

We also collect payment order related data from other banks, payment service providers and other corresponding parties as well as from such other entities within the group with which we collaborate.

Data is also formed in connection with performing the services used by you. With your consent, data can also be obtained from other parties, such as your asset manager or employer.

Data recipients or group of recipients

To the extent allowed by the GDPR and other applicable legislation we may disclose data to other entities within our group as well as to our partners.

We may also use third party service providers. The service providers we use may process data on our behalf and on our instructions and only to the extent necessary to provide the service in question. These service providers are processors in accordance with the GDPR, with whom we have entered into GDPR-compliant data processing agreements.

In certain situations, we also provide information to authorities for them to be able to carry out their statutory duties.

Transfer of data outside of the EU or the EEA

As a rule, data is not transferred outside of the EU or the EEA.

If the purpose of the processing of personal data or the technical implementation of the processing so requires, personal data may be transferred outside the EU and the EEA. In this case, we (and the service providers we use) will comply with the requirements of the GDPR, and the primary transfer tool used is the standard contractual clauses of the European Commission, provided that the European Commission has not adopted an adequacy decision for the receiving third country.

Principles of register security

Protecting your privacy is important to us and responsible processing of your personal data is an essential part of our business. We have appropriate technical, organizational and security procedures in place to protect all information in our possession from loss, misuse, unauthorized use, disclosure, alteration and destruction. We also set similar requirements for our partners.

Your rights

To the extent permitted by the GDPR you have the following rights:

  • Right of access: You have the right to access the personal data we hold about you. Some of the information we hold about you is already visible in the online services provided by us. However, the right of access may be restricted due to legal requirements.
  • Right to require your personal data to be rectified: If your personal data is incorrect or incomplete you have the right to request that the data is corrected, unless restricted by law.
  • Right to request erasure of personal data: You have the right to have your personal data erased, for example, if you withdraw your consent to the processing of your data or object to the processing and there are no other justified reasons for further processing, or the processing of your data is unlawful. However, we may be required by law to retain your personal data during the client relationship and after such relationship has ended.
  • Right to request restriction of processing: You may request us to restrict the processing of your personal data, for example, if you believe that your personal data is incorrect, there is no legal basis for processing or if you have objected to the processing of your data (see below). For example, processing may be limited only to the retention of your personal data.
  • Right to object: You have the right to object to the processing of your personal data based on our legitimate interests. In this case, however, we may continue the processing if, for example, we have a compelling legitimate interest to the processing which overrides your interests. You can always object to direct marketing and related profiling.
  • Right to request personal data be transmitted from one system to another: You have a right to receive personal data that you have provided to us in a machine-readable format. This right applies to personal data processed only by automated means, on the basis of consent or for the purposes of fulfilling a contract. Where secure and technically feasible the data can also be transmitted to another data controller by us.
  • Right to withdraw consent: If the processing of your personal data is based solely on consent and not on, for example, a client relationship or similar relationship, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of the processing of personal data prior to the withdrawal.

Requests to exercise the above rights should be made to the following address: asiakaspalvelu@alisapankki.fi.

Data retention period

As a general rule, personal data is processed as long as it is necessary to fulfill the processing purposes mentioned in this statement. Your data will be stored for at least the duration of the customer relationship. The data retention period may depend on various factors, such as anti-money laundering laws, specific laws related to services or products, solvency requirements, tax legislation, accounting regulations, and general statutes of limitations. These requirements may also apply simultaneously. After the end of the customer relationship, information about the customer relationship is generally kept for 10 years. Regarding potential customers, information is mainly kept for two years from the establishment of the potential customer. After the end of the customer relationship, we can process personal data in accordance with applicable legislation for direct marketing purposes. We delete stored personal data when there is no longer a legal basis for processing it.

Complaint

If you believe that we process your personal data in breach of applicable data protection legislation you have the right to lodge a complaint with the Office of the Data Protection Ombudsman. The contact details of the Office of the Data Protection Ombudsman are:

Address: Lintulahdenkuja 4, 00530 Helsinki
Phone number: 029 566 6700
Email: tietosuoja@om.fi

Obligation to provide us with personal data

If you do not provide all of the requested personal data we may not be able to establish, maintain and develop a client relationship with you or the legal entity you represent or communicate about our services with you.

This policy

We reserve the right to amend and to update this privacy policy. An up-to-date version of the policy is always found on our website www.alisapankki.fi/yleiset/henkilotiedot.

In case of any different interpretation of the texts of the Data Notices in Finnish or other languages, the Finnish wording shall be decisive.