Privacy statement for address information system

1.1.2023

Posti’s address information system is the responsibility of Posti Distribution Ltd

Posti Distribution Ltd (hereinafter Posti) collects, discloses and otherwise processes personal data in the address information system in accordance with the Postal Act, the data protection regulations and other applicable laws, and on the basis of the consent of the data subject, or by his or her assignment, or based on the customer relationship.

Purposes and legal basis of the processing of personal data in the address information system

The purpose of the address information system is to provide communications services and other related services. Data is processed for postal operations under the Postal Act and for the production of services to the senders and recipients of mail and other messages in connection with sending, controlling, forwarding and receiving parcels, goods deliveries, publications and other physical deliveries as well as e-mail messages, text messages, telephone calls and other electronic communications.

In Posti's address information system, regarding forwarding, mail delivery interruption and corresponding Posti services, the customer relationship is created between Posti and the subscriber and all persons of age to whom the subscriber has subscribed the service at the same time. No customer relationship is created if the person only informs Posti of a change of address for physical deliveries without ordering supplementary services.

Customer data is processed in accordance with data protection regulations to manage, analyze and develop Posti’s customer relationships, and for invoicing, reporting, informing and marketing of products and services of companies in Posti Group and Posti’s partners, as well as for market research. For example, for customers receiving the summer address service, Posti can offer delivery to the summer dwelling instead of a mailbox, and the summer locality or village shop acting as Posti’s partner can send advertisements and announcements.

Data in the address information system is also processed in order to identify the parties of mail communication services, take care of the information security of the services, detect, prevent and deal with cases of misuse, detect and repair technical faults and defects, give customer support to senders and recipients and to maintain and develop mail communication services and systems.

In the above-mentioned cases, the legal grounds for processing are the fulfillment of Posti’s statutory obligations (for example, the Postal Act and Accounting Act), compliance with the contract with the customer or Posti’s legitimate interests (for example, in connection with marketing).

Only information necessary for mail communication services is maintained in the address information system

The address information system contains the name, address and other contact details of persons belonging to the groups described below, information necessary for sending, controlling and forwarding messages, delivering messages to the recipient, receiving messages and information necessary for managing the customer relationship:

  • person’s basic information (names, personal identity number, language)

  • address information

    • physical address and location information

    • building information

    • other address information

      • telephone numbers

      • e-mail addresses

  • message control information and technical specification and auxiliary information needed for maintaining contact details and implementing mail communication services

  • permits and bans issued by the person for the processing of information in the address information system

  • customer information (e.g. agreement, order, service provision and invoicing information)

The personal identity number required to distinguish between people with the same name. The number is also used to ensure the reliability and controllability of the system as well as the accuracy of Posti’s mail delivery and address services.

Reliable sources of data

  • Posti obtains the basic information from the population register based on Section 38 of the Postal Act, the Population Data Act and decision of the Population Register Centre.

  • Posti collects address information from the persons themselves based on Section 38 of the Postal Act and in accordance with data protection legislation.

  • Physical addresses are also maintained based on information received from delivery operations and from housing and real property companies. Posti obtains building information from the building and apartment register based on Section 38 of the Postal Act, the Population Data Act and decision of the Population Register Centre. Posti obtains information on new addresses generated as a result of land use planning, and map and location data, from the Population Register Centre, municipalities, the Finnish Transport Agency, the National Land Survey of Finland and other corresponding entities.

  • Posti obtains control information from the senders and recipients of messages and from the mail communication process.

  • Posti registers bans and consents based on the notification issued by the person. In addition, advertising ban information is also maintained by delivery operations.

  • Customer information is generated in connection with agreements, orders and the use of ordered services.

Safe disclosure of information

Posti forwards people’s contact information from the address information system for mail communication as follows:

  • contact information corrections only to companies, authorities and organizations that already have the person’s contact information e.g. for managing customer and member relationships or based on other legal grounds: - the person’s name and address information based on the Postal Act; - the person’s consent or assignment; - based on a legitimate interest, advertising ban information; and - based on the Postal Act, name and address information and information on assignments related to changes to delivery for another postal company for the implementation of postal operations

  • otherwise only based on the consent or assignment separately issued by the person

The data subject may refuse the disclosure of his personal information in connection with the address checking and correction services.

An updated list of organizations using the contact details service can be found at www.posti.fi.

The Finnish Transport and Communications Agency (Traficom) maintains a register of postal operations, listing postal companies that have the right to receive address information.

Posti does not disclose personal identity numbers.

Target groups are not selected from the address information system for direct marketing campaigns. Direct marketing by different companies can be prohibited by notifying the prohibition directly to the companies in question. In addition, a direct marketing ban can be made with the Finnish Direct Marketing Association concerning its member companies.

Posti can disclose customer data in the address information system within the limits permitted and required by applicable legislation (e.g. name and address information of the summer address service and for advertisements and announcements of a summer locality or village shop that is a partner of Posti). In connection with the processing of items, address information may also be viewed by delivery companies subcontracting for Posti or partners that operate Posti’s outlets.

Due to the technical processing of data, some of the data may be physically situated on external subcontractor servers or hardware, through which they are processed via a technical interface. Personal data is not transferred outside the European Union or the European Economic Area, unless it is necessary for the technical implementation of the service.

In all situations, the precondition for disclosing and transferring data is that the companies, authorities and organizations receiving and processing the data have signed an agreement with Posti to ensure the lawful processing of the data. When transferring data outside the EU or EEA countries and, based on the EU Commission’s assessment, the country in question does not have a sufficient level of data protection, personal data protection is obtained through the use of model agreements approved by the EU Commission.

Personal data protection principles and retention

Posti stores the data in databases protected with firewalls, passwords, and other technological means. The databases and their backups are located in locked and guarded premises, and the data can be accessed only by pre-appointed persons. Internet use in the address information system is protected and secured in accordance with the principles of the Personal Data Act. Persons processing data are bound by a non-disclosure obligation.

Data in the address information system will be erased in accordance with the Postal Act no later than 20 years after Posti received information about a change in the data (the retention period was 10 years until September 15, 2017). In compliance with the Accounting Act, customer data will be retained for a maximum period of 6 years after termination of the customer relationship.

Rights of data subjects, access to information, rectification and completion of data, restrictions

The data subject has the right to know about the processing of his or her personal data, to review his or her personal data and to request rectification of inaccurate data and completion of incomplete data. The data subject may request the erasure or transfer of personal data or request restriction of processing. When processing is based on consent, consent can be withdrawn at any time.

When logged in, data subjects can also submit a request for a review of personal data at www.posti.fi/yhteystietoni.

Data subjects may also submit requests for review, rectification and completion by personally visiting Posti’s HQ in Postintaival 7 A, Helsinki, or by sending the request form to Posti, P.O.Box 8030, 00002 Helsinki.

Requests will be handled on a case-by-case basis, as these rights may be subject to restrictions due to the circumstances.

All data subjects have the right to lodge a complaint with a supervisory authority, especially in the Member State where they have their habitual residence or place of work or where the alleged breach of the data protection regulation occurred (in Finland, the supervisory authority is the Data Protection Ombudsman).

Changes

1.1.2023

Due to changes of Posti Group corporate structure, also the name of the Controller has changed.

Controller

Posti Distribution Ltd (Business ID: 0109357-9) PO Box 1, FI-00011 POSTI

Street address: Postintaival 7 A, Helsinki Tel. +358 (0)100 5445 (mpc/lnc, also while queueing)

Consumerservice@posti.com

Data Protection Officer: tietosuoja@posti.com