Privacy statement for Customer service

1.1.2023

Processing of personal data at Posti Customer Service is the joint responsibility of Posti Ltd and Posti Distribution Ltd (hereinafter Posti)

The respective responsibilities of joint controllers are based on the company offering the service. The company offering the service is defined in product terms, on Posti's website or in connection of the service.

Purpose and legal basis of personal data processing

Posti Customer Service processes personal data in order to handle and investigate contacts, customer feedback, claims for damages or inquiries for lost items in connection with consultations, orders and deployment of Posti Group’s products or services. Customers may contact Posti through several customer service channels (telephone, e-mail, chat or web service). Posti records telephone calls related to business or service transactions to verify the call content, if necessary. The recordings are used to ensure the rights and legal protection of the customer and Posti.

Data can also be processed for training, quality control, security and preventing abuse, maintenance and development of the service and systems, as well as for statistical purposes.

In that case, the processing of data is based on the fulfillment of Posti’s statutory obligations (for example, the Postal Act and Accounting Act), compliance with the contract with the customer or Posti’s legitimate interest (for example, customer surveys, product development and statistics).

Posti may admin fan pages or corporate pages on Facebook. Posti and Meta Platforms Ireland Limited (Facebook and Instagram) are joint controllers for these pages. Meta processes personal data in accordance with its Data Policy: https://www.facebook.com/privacy/explanation. Meta assumes the main responsibility for compliance with the applicable obligations under the general data protection regulation, including the exercise of the data subject's rights, in its service. More information on the processing of personal data and on the division of responsibilities between Meta and the page admins: https://www.facebook.com/legal/terms/page_controller_addendum.

Data processed in the customer service system and its retention

The customer service register includes the following information about persons who have claimed for damages, given customer feedback, made a lost item inquiry or contacted the customer service for product and service information.

  • Given name and surname

  • Personal identity code (when dealing with consignments subject to customs)

  • Contact details

  • ChatBot discussions and phone recordings

  • Identification information of social media profile and messages

  • Item information (for example, sender, addressee, mailing type, item ID)

  • Payment information (for example, bank account number)

  • Compensation claimed and postage fee

  • Compensation decision (justification and payment details)

In addition to the basic customer information, personal data may also include information on agreements, use of services and areas of service use disclosed in claims for compensation, customer feedback, product and service information and inquiries for lost items, as well as data required to produce and control services.

The event data in the customer service register will be retained for 3 years and 3 months. Data relating to compensation decisions will be retained for a maximum of 7 years. Information requests by authorities are retained for 5 years.

Data processed for recorded phone calls

The following data is stored on incoming calls to the customer service or telesales unit, and on outgoing calls to customers made by the customer service or telesales unit:

  • Start and end time of the call

  • Duration of the call

  • Telephone number of Posti customer service unit

  • Customer’s telephone number (last three digits hidden)

  • Name of Posti employee who answered or made the call

  • The telephone conversation in a voice recording

The recordings are retained for six months, after which they are automatically erased.

Regular sources of data

The data in the register is disclosed by the customer, for example, in a claim for damages, customer feedback, lost item inquiry or request for information either from customer calls to the Posti Group’s customer service numbers or from calls made by the customer service and telesales units to customers. Recording starts when the call is answered and ends when the call is terminated. In addition, the register may also contain relevant information that has emerged as a result of an investigation (obtained, for example, from Posti’s production units or Retail Network).

Safe disclosure of data

Customer data will not be disclosed for direct marketing purposes. Otherwise, data will be disclosed to third parties within the limits set forth in applicable legislation.

Data in the customer service register can also be processed by Posti’s subcontractors, such as debt collection companies. Due to the technical implementation of the processing of data, some data may be physically situated on external subcontractors’ servers or hardware, where they are processed through a technical interface.

Personal data will not be transferred outside the European Union or the European Economic Area unless it is necessary for the technical implementation of the service, e.g. system maintenance. In all cases, the precondition for disclosing and transferring data is that the parties receiving and processing the data have signed an agreement with Posti that includes the standard clauses approved by the EU Commission and ensures that the processing of data is carried out in compliance with the law.

Data protection principles

The customer service register is part of a system holding the data of the customers of Posti Group and the data of the customers’ contact persons. The system is protected through the use of personal usernames and passwords. Anyone to be given a username and password for the system must, before receiving these, attend training pertaining to the use of the system. The training also covers Posti Group’s instructions on handling business secrets and customer data.

Data in the register for recorded customer calls can only be accessed by designated persons who maintain the customer call management system, as well as customer call operators and telemarketers together with their supervisors. Posti’s customer service operators and telemarketers can listen to their own recorded calls, and supervisors can listen to the recorded calls of all their subordinates. The recordings show the customer’s telephone number with the last three digits hidden.

System administrators and customer service operators, as well as their supervisors, must attend training pertaining to the use of the system.

All data is processed confidentially and may only be disclosed to persons who need it to perform their duties and who are bound by a non-disclosure obligation.

Rights of data subjects, access to information, rectification and completion of data, restrictions

The data subject has the right to know about the processing of his or her personal data, to review his or her personal data and to request rectification of inaccurate data and completion of incomplete data. The data subject may request the erasure or transfer of personal data or request restriction of processing. When processing is based on consent, consent can be withdrawn at any time.

When logged in, data subjects can also submit a request for a review of personal data at www.posti.fi/yhteystietoni.

Data subjects may also submit requests for review, rectification and completion by personally visiting Posti’s HQ in Postintaival 7 A, Helsinki, or by sending the request form to Posti, P.O.Box 8030, 00002 Helsinki.

Requests will be handled on a case-by-case basis, as these rights may be subject to restrictions due to the circumstances.

All data subjects have the right to lodge a complaint with a supervisory authority, especially in the Member State where they have their habitual residence or place of work or where the alleged breach of the data protection regulation occurred (in Finland, the supervisory authority is the Data Protection Ombudsman).

Changes

1.1.2023

Due to changes of Posti Group corporate structure, also the the Controller has changed.

A separate privacy statement for phone recordings has now been included in Customer service privacy statement

Joint Controllers

Posti Ltd (Business ID: 2344200-4) and Posti Distribution Ltd (Business ID: 0109357-9) PO Box 1, FI-00011 POSTI

Street address: Postintaival 7 A, Helsinki Tel. +358 (0)100 5577 (mpc/lnc, also while queueing)

Consumerservice@posti.com

Data Protection Officer: tietosuoja@posti.com