Skip navigation

Privacy statement for Posti corporate customer register

25.9.2024

The controller responsible for processing personal data in Posti’s corporate customer register is Posti Group Corporation (“Posti”).

Posti’s corporate customer register contains personal data of existing and potential corporate and organizational customers of Posti Group, including sole traders and other stakeholders. 

Posti processes personal data within Posti and its group companies for the following purposes, depending on the nature of the service in question:

  • Management of customer relationships and the implementation of related tasks (e.g., order management, invoicing, complaint handling, and inquiries about lost shipments), customer support and counseling, as well as the maintenance of data about customer contact persons.

  • Management, development, targeting, and monitoring of sales, marketing, and communications (e.g., newsletters, customer magazines, announcements).

  • Conducting and analyzing market research, opinion polls, and customer surveys.

  • Organizing competitions and delivering prizes.

  • Analysis, segmentation, reporting, and statistics related to customer relationships, as well as other purposes linked to the development of Posti’s overall business.

  • Management of postal control data and customer reporting for operational needs.

  • Collection and processing of customer feedback.

  • Organizing events related to stakeholder operations.

  • Delivery, performance assurance, user management, and monitoring of digital services offered to customers.

  • Ensuring the quality and safety of operations, as well as safeguarding the legal rights of parties involved.

  • Preventing, detecting, and resolving misuse and problematic situations.

  • Fulfilling legal obligations, ensuring compliance and risk management purposes (e.g., in the case of competitions, in accordance with accounting laws and tax regulations, and enforcing sanctions as required by law).

  • Anonymization and secure destruction of personal data.

The processing of personal data is based on the data subject’s consent, Posti’s or a third party’s legitimate interest, compliance with legal obligations (e.g., the Postal Act, Accounting Act, or tax legislation), or the performance of a contract with the data subject.

Posti ensures that processing based on legitimate interest is proportional and in line with the data subject’s reasonable expectations. Processing may be based on legitimate interest in the following situations:

  • Managing a contractual or customer relationship and maintaining contact person data.

  • Customer service and handling of customer feedback.

  • Management, development, targeting, and monitoring of sales, marketing, and communications.

  • Conducting market research, surveys, competitions, and events, as well as delivering prizes.

  • Analyzing, segmenting, reporting, and providing statistics on customer relationships.

  • Developing business operations.

  • Delivery, performance assurance, user management, and monitoring of digital services.

  • Ensuring quality and security in operations, and safeguarding the legal rights of parties involved.

  • Ensuring compliance and managing risks.

  • Preventing, detecting, and resolving misuse and problematic situations.

Data processed in the corporate customer register and retention period

The corporate customer register contains personal data of contact persons, other stakeholders, and potential owners at Posti’s existing and potential corporate and organizational customers (including sole traders). The data processed, depending on the nature of the service, may include:

  • First name and surname.

  • The organization represented, job title, role, and department/unit of the individual.

  • Contact person identifier/customer number (identifies the contact person).

  • Contact details.

  • Direct marketing consents and restrictions.

  • Other expressions of consent or will.

  • Information related to the purchase and use of services.

  • Interests.

  • Contact history.

  • Participation in surveys, questionnaires, and competitions.

  • Responses, discussions, and comments provided in surveys or questionnaires, including any audio or video recordings.

  • Invitation and participation information for events (including dietary restrictions, if applicable).

  • Information required for delivering prizes in competitions (e.g., clothing size).

  • Personal identification number (if necessary for digital service identification and/or for taxation purposes related to competition prizes).

  • User rights and roles in digital services.

  • Identifiers used for strong authentication.

  • Data related to the use of services and applications (e.g., log data, IP address, browser version, session ID, session duration, and data collected via cookies or other tracking methods). More information on the use of cookies can be found here.

  • Ownership share, control, and/or actual beneficiary status in the customer organization, information about sanctions, date of birth, and nationality.

Posti only retains data necessary for its business operations and for the purposes of processing personal data. The retention period of personal data is determined by the purpose of the processing and the type of data. Legal obligations, such as statutory retention periods (e.g., limitation periods for legal claims), also affect how long data is retained. Basic personal data is generally retained as long as the individual acts as a contact person for a customer organization. Data related to the purchase and use of services, as well as customer feedback and contacts, are typically retained for 3 years and 3 months. Compensation decision data is retained in accordance with accounting laws for the current year and the following six years.

Data collected from surveys and competitions is generally retained for up to one year after data collection or the conclusion of continuous data collection. Competition records are retained for the current year and the following five years. Statutory data related to competitions is retained for six years in accordance with accounting laws. Participant information from events is retained as part of accounting records for the current year and the following six years.

Information about sanctions checks is retained for up to five years after the end of the customer relationship or individual transaction. Information from authorities’ inquiries and responses to such inquiries is retained for up to five years. Posti may also be required to retain some personal data for a longer period to comply with laws or regulatory requirements.

Where the processing of personal data is based on consent, the data will be deleted when the consent is withdrawn.

Regular sources of data

Data in the corporate customer register comes from the customer organization, the individual in question, or as a result of their activities. Basic contact person data may also be collected from public sources, such as the customer organization’s website. Data may also be obtained from Posti Group companies and their subcontractors, public sources (e.g., business registers), services used to investigate sanctions, authorities, and external providers such as directory service companies. When using digital services, data is received from the identification service provider that performs the identification.

Safe disclosure of data

The corporate customer register is used by all companies in Posti Group. The contact information of customer representatives is not disclosed to external parties for direct marketing purposes.

Posti discloses personal data to other data controllers, such as authorities, as required by applicable law.

Data may also be processed by companies acting as subcontractors for Posti, such as IT service providers, media and communications services, marketing and event service providers, and debt collection companies. Due to the technical processing of data, some data may physically reside on servers or devices belonging to external subcontractors, where they are processed through a technical connection. In such cases, personal data may be transferred outside the European Union or the European Economic Area, within the limits permitted by law. In all cases, the condition for disclosing and transferring data is that the recipient parties have signed an agreement with Posti that includes standard contractual clauses approved by the EU Commission or that another mechanism permitted under data protection laws is used to ensure lawful processing of the data.

Data protection principles

Posti’s IT systems, where personal data is stored, are protected with personal usernames and passwords. Only Posti Group employees and authorized persons who require access to personal data to perform their duties have access to it. Posti expects both its staff and partners to handle personal data confidentially.

Data subject rights, access, rectification, and objections

The data subject has the right to obtain information about the processing of their personal data, to review their personal data, and to request the rectification of inaccurate or incomplete data. The data subject may request the deletion or transfer of personal data, or demand restriction of processing or object to the processing of personal data based on a particular personal situation. When the processing is based on consent, the consent may be withdrawn at any time.

You can submit a request for a review of personal data and exercise other rights by logging into the service. (Strong authentication is done via the "Notification of change of address" page).

If you are a customer of the OmaPosti service, you can check and correct your data in the Your information section. When logged into the service, you can also withdraw your consent to marketing.

Requests for review, rectification, and completion can also be made by visiting Posti’s head office in person at Postintaival 7 A, Helsinki, or by sending a request form to Posti, P.O.Box 8030, 00002 Helsinki.

Requests are handled on a case-by-case basis, as there may be restrictions on the exercise of these rights depending on the situation and circumstances.

If the data subject believes that the processing of their personal data violates data protection legislation, they have the right to file a complaint with a supervisory authority, particularly in the Member State where the data subject has their habitual residence or place of work, or where the alleged infringement of the GDPR has occurred (in Finland, the Data Protection Ombudsman). More information is available on the Data Protection Ombudsman's website: tietosuoja.fi

Changes

25.9.2024 Updated wording, combined separate privacy statements of Posti Group, clarified processing based on legitimate interest, and added information on competitions and events.

Controller

Posti Group Corporation (business ID: 1531864-4) PO Box 1, FI-00011 POSTI

Street address: Postintaival 7 A, Helsinki Tel. +358 (0)100 5577 (mpc/lnc, also while queueing)

Customer service

Data Protection Officer: tietosuoja@posti.com