POP Mortgage Bank Privacy Statement

From April 1st 2024


The POP Mortgage Bank’s privacy statement provides the information required by the EU’s General Data Protection Regulation (GDPR) and the Data Protection Act to data subjects (customer) and the supervisory authorities.

Name of the register 

POP Mortgage Bank’s personal data register

The POP Mortgage Bank’s personal data register includes the personal data of the debtors of the loans used as security for the secured bonds issued by the POP Mortgage Bank and the cookie data of persons visiting POP Mortgage Bank’s website.

Controller and contact details of the data protection officer

The controller is POP Mortgage Bank Plc.

The data protection officer is POP Bank Centre coop’s data protection officer

POP Bank Centre coop
Data Protection Officer
Hevosenkenkä 3
02600 Espoo, Finland

Legal basis for the processing of personal data

The legal basis for the processing of personal data is the statutory obligation (mortgage bank regulation) and the data subject's consent (consent to the storage of cookies)

Purpose of processing personal data

The purpose of processing personal data is

  • Issue of covered bonds
  • Monitoring of website use (cookies)

Description of the categories of personal data

Categories of personal data applying to debtors

Basic information: The name, personal identity code and contact details of the data subject

Due diligence information: Statutory due diligence information to identify the customer and clarify the financial status

Customer relationship information: Information on the duration and nature of the debt relationship and credit rating

Product information: Information on agreements between the debtor and the debtor’s bank, information on products and services acquired by the debtor

Background information: Information on the debtor’s financial position

Categories of personal data for website guests

Data on interests and behaviour: Data on the data subject’s interests and monitoring of their use of websites and services by means of cookies or similar. The data collected may include, for example, pages browsed by the user; device model; individual device and/or cookie identifier; channel, such as an application or mobile or web browser; browser version; IP address; session identifiers; session time and duration; screen resolution; and operating system.

Transfers of personal data

Personal data can be transferred to the systems of our partners for performing mortgage banking operations. Our partners may only process personal data according to our purposes and only to the extent necessary.

If personal data is transferred outside the EU/EEA, we will ensure the protection of the personal data through appropriate safeguards, such as standard data protection clauses adopted by the EU Commission and other additional safeguards for data protection.

Disclosure of personal data

We are obliged to disclose personal data to the authorities in statutory situations such as the prevention of money laundering and terrorist financing and information requests by the authorities We may disclose personal data to entities that belong to the same consolidation group and to the same financial and insurance conglomerates, and associated entities, if it is necessary for risk management and internal control.

Storage periods for personal data

We process personal data for only as long as is necessary for the fulfilment of the purposes mentioned in this statement and the fulfilment of legal obligations.
Information on the prevention of money laundering is removed once the time required in the Act on Preventing Money Laundering and Terrorist Financing has elapsed.

Factors that ensure the security of personal data

The controller processes personal data in a secure manner that is required by legislation. Personal data can only be accessed by those employees and partners bound by a confidentiality agreement, who have the right to process these personal data due to their work. These people are also bound by a special data protection requirement for secure processing of personal data.

The databases are protected with passwords and firewalls. Access rights are issued in a controlled manner, and their use is monitored continuously. We train and instruct our personnel regularly on the processing of personal data and we require our subcontractors to observe EU-level personal data regulation and ensure that personal data are protected with appropriate data processing agreements and technical security measures.

Rights of the data subject

The data subject has the right to receive information on the processing of his/her personal data.

The data subject has the right to receive confirmation from the controller confirming whether the controller processes personal data concerning the data subject. If the data subject’s data is processed, the controller is required to provide the data subject with a copy of the personal data to be processed in machine-readable format, if possible.

The data subject has the right to data portability.

The data subject has the right to have personal data concerning him/her rectified. The data subject has the right to request from the controller rectification of any incorrect information relating to him/her. The data subject has the right to have incomplete personal data completed.

In certain situations, the data subject has the right to request the controller to erase personal data concerning the data subject, unless the bank is obliged to store the data in question due to a statutory obligation or for some other legitimate grounds.

In certain situations, the data subject may obtain from the controller restriction of processing of personal data concerning him/her. Restriction of processing means that such personal data subject to restriction may, with the exception of storage, only be processed with the data subject's consent for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

In certain situations, the data subject has the right to object to the processing of his/her personal data. The data subject has the right to request that the personal data is not processed at all. When data are processed for the performance of a task carried out in the public interest, to exercise the public powers of the controller or to carry out the legitimate interests of the controller or third party, the data subject shall have the right to object, on grounds relating to his or her particular situation

If the data subject is subject to automated decision-making, he/she has the right to request that the decision be processed again manually.


A cookie is a small file or text file on the website that is sent to and stored on the user's computer. We use cookies on our website to improve user-friendliness, efficiency and security.

Read more about the use of cookies in the POP Bank Group at https://www.poppankki.fi/evasteet

Personal data sources

We collect personal data from member credit institutions that belong to the POP Bank Group and from the data subjects themselves when they visit the website.

Exercising the rights of the data subject

Data subjects have the right to review what information has been stored about them in the POP Mortgage Bank personal data register. Review requests must be submitted to tietosuoja(at)poppankki.fi.

A data subject has the right to withdraw their consent. In some cases, the POP Mortgage Bank may store personal data based on a legal obligation or some other justified reason. A data subject has the right to obtain in a machine-readable format the personal data they have submitted to the POP Mortgage Bank. They also have the right to demand that their personal data be rectified or erased or that its processing be restricted.

A data subject has the right to file a complaint with the competent supervisory authorities if the POP Mortgage Bank fails to follow the applicable data protection regulations in its operations.

The processing of personal data complies with the procedure rules adopted by Finance Finland for the financial sector.

If necessary, the POP Mortgage Bank may ask the data subject to further specify their request in writing, and the identity of the data subject may be verified before any other measures are taken.

Supervisory authority

The bank’s operations as a controller are supervised by the Data Protection Supervisor. The customer has the right to refer a dismissed rectification claim to the supervisory authority for processing.

Data Protection Officer’s office

Contact information:
Visiting address: Ratapihantie 9. 6th floor 00520 Helsinki
Postal address: PO Box 800, 00521 Helsinki, Finland
Switchboard: +358 (0)29 56 66700
Registry: +358 (0)29 566 6768

Tervetuloa asiakkaaksi

Tervetuloa asiakkaaksi