Processing of personal data in Posti online shop customer register is the joint responsibility of Posti Ltd and Posti Distribution Ltd (hereinafter Posti)
The respective responsibilites of joint controllers are based on the company offering the service. The company offering the service is defined in product terms, on Posti's website or in connection of the service.
Purpose and legal basis of personal data processing
Posti online shop customer register contains data on natural persons who have used Posti’s online services. The purpose of use of the data is the provision, development and maintenance of the services selected by the customer, as well as customer relationship management.
Data is needed for the operational business needs of Posti, such as implementation of the service process, delivery of products, invoicing and reporting.
Data can also be processed for quality control, security, system maintenance and development, as well as for analytical, statistical or market research purposes for planning and developing Posti’s business operations.
Customer data is also processed for informing about and marketing Posti’s and Posti Group’s services.
The processing of data is primarily based on the fulfillment of the contract with the customer, but also on the fulfillment of Posti’s statutory obligations (for example, the Accounting Act), or on Posti’s legitimate interests (for example, market research, maintenance and development and statistics) or on the customer’s consent (marketing).
Data processed in the online shop customer register and its retention
The online shop customer register contains the following data that is mandatory for providing the service:
Given name and surname
Address information
Telephone number
E-mail address
In addition, the register contains direct marketing options selected by the customer and any other data required for the services, such as the customer number, customer relationship start date, customer type, payment details for paid services, order history and campaign codes.
Data in the customer register will be retained for 3 years and 3 months after the delivery of the service. Data relating to payments will be retained for a maximum of 6 years.
Regular sources of data
The data in the register originates from the customer and additional data is accumulated as the services are used.
Safe disclosure of data
Customer data will not be disclosed for direct marketing purposes.
Personal data may be disclosed, with the customer’s consent, for the purpose of performing the services selected by the customer.
Data in the online shop register may also be processed by companies providing subcontracting services to Posti. Due to the technical processing of data, some of the data are physically situated on external subcontractor servers or hardware, through which they are processed via a technical remote connection. Personal data may in such cases be transferred to countries outside the European Union or the European Economic Area. In all cases, the precondition for disclosing and transferring data is that the parties receiving and processing the data have signed an agreement with Posti that includes the standard clauses approved by the EU Commission and ensures that the processing of data is carried out in compliance with the law.
Data protection principles
The online shop customer register and related systems are protected by personal usernames and passwords. Anyone to be given a username and password for the system must, before receiving these, attend training pertaining to the use of the system. The training also covers Posti Group’s instructions on handling business secrets and customer data.
All data is processed confidentially and may only be disclosed to persons who need it to perform their duties and who are bound by a non-disclosure obligation.