Processing of personal data at Posti electronic consumer services is the joint responsibility of Posti Ltd and Posti Distribution Ltd (hereinafter Posti)
The respective responsibilites of joint controllers are based on the company offering the service. The company offering the service is defined in product terms, on Posti's website or in connection of the service.
Purpose and legal basis of personal data processing
Posti’s register for electronic consumer services covers information about natural persons who are registered as users of Posti Group’s electronic services. Use of these services requires strong authentication of customers. Data is processed for the provision, development and maintenance of the services selected by the customer, as well as for customer relationship management.
Data is also needed for the operational business needs of Posti, such as implementation of the service process, invoicing and reporting, and for Posti's control information.
Data can also be processed for quality control, security, system maintenance and development, as well as for analytical, modeling, statistical or market research purposes for planning and developing Posti’s business operations. Statistical modeling based on personal data may be disclosed to Posti’s business customers in connection with data services.
Customer data is also processed for informing about and marketing Posti’s and Posti Group’s services. With the customer’s consent, data can be used by selected Posti partners for direct marketing purposes. Data is also processed for target marketing and offer personal recommendations for customers.
With the customer’s consent, the customer’s contact information can be updated automatically with the help of the customer register for Posti’s electronic consumer services for organizations and companies who already have the customer’s contact information because of, for instance, a customer or membership relationship or some other legal basis.
The processing of data is primarily based on the fulfillment of the contract with the customer, but also on the fulfillment of Posti’s statutory obligations (e.g. the Accounting Act, Payment Services Act), or on Posti’s legitimate interests (e.g. market research, maintenance and development and statistics as well as modeling and analyzing) or on the customer’s consent (e.g. electronic direct marketing, connecting customer data with cookie data).
Data processed in the consumer register and its retention
The consumer customer register contains the following data that is mandatory for uniquely identifying the customer and for providing the service:
Given name(s) and surname
Personal identity code/passport number/EU card number
Date of birth
Country that issued the passport/EU card
Technical data sent to Posti’s server by the browser, such as the IP address, server, server version or page from where the customer moved to Posti’s website, are also saved.
In connection with payment services, the information saved on payment transactions, such as invoices paid through a service and payment commissions, includes the sum of the invoice, the targeting information of the invoice, due date, date of payment and information on the payment method. In addition, the payment services will collect the information necessary to fulfill the requirements of identifying the customer and preventing money laundering and the financing of terrorism.
In addition, the register contains direct marketing options selected by the customer and any other data required for the services, such as the service start and end dates and other payment details for services. Information about the use of services are also collected, e.g. information about the use of different features of the services such as the buying feature, searches and other features. The register may also specify the preferred given name.
In order to create target groups, cookie data, external classifications and statistical information (such as the average type of housing or family in the customer’s postal code area) can be collected. Further information about the use and administration of cookies is available here.
The mobile postcard and payment services also store the credit card payment consent if the customer agrees to it. The credit card number is not stored at Posti in this context.
Based on the customer’s wish, the services can store data for shipments from other delivery companies that is based on the publicly available information of delivery companies.
In the My pickup location service, item IDs and item location data are also processed.
Data in the customer register is retained for the duration of the contract and, after that, for 3 years and 3 months at most. The technical data sent to Posti’s server by the browser are retained for 6 months. The need for storing the data is assessed regularly. After the termination of the contract, the information content of the services used by the customer, such as the electronic letters, will be retained for 14 days before erasure. Data relating to payments will be retained for a maximum of 6 years. The information collected to identify the customer and to prevent money laundering and the financing of terrorism will be retained for the duration of the customer relationship plus five years. In addition, Posti may be obligated to retain some personal data included in the register for longer than stated above in order to comply with the legislation or authoritative requirements.
Regular sources of data
Data in the register originates from the customer and from the bank or other third party that authenticates the data subject in connection with the sign-in. The customer’s name and address data will be updated using Posti’s address information system, and data can also be updated using Data & Marketing Association of Finland’s prohibition register and other similar public and private registers and databases (such as Traficom or Statistics Finland).
Safe disclosure of data
With the customer’s consent, target groups can be disclosed for marketing purposes to selected Posti partners for shared or independent direct marketing purposes.
Personal data may be disclosed, with the customer’s consent, for the purpose of conveying information on the distribution method chosen by the customer to the sender or forwarder of the letter or other message or item and to execute the services selected by the customer. If the customer uses Posti’s user interface in the payment services to conclude an agreement on a service offered by a third party, the customer’s information that is necessary to conclude the agreement can be disclosed to such third party with the customer’s consent. In addition, all information regarding the customer, invoice or payment necessary to realize the payment and authenticate the customer and payment can be disclosed to the invoicer or a third party, such as a bank, taking part in the payment event in services that include the payment transaction.
In mobile applications, an advertising identifier can be used to measure advertising performance. Posti will disclose the advertising identifier of the device to its partner. The advertising identifier can be removed and/or its use can be restricted in the device settings.
Data in the customer register may also be processed by companies providing subcontracting services to Posti. Due to the technical implementation of the processing of data, some data may be physically situated on external subcontractors’ servers or hardware, where they are processed through a technical interface.
Personal data will not be transferred outside the European Union or the European Economic Area, unless it is necessary for the technical implementation of the service, e.g. system maintenance. In all cases, the precondition for disclosing and transferring data is that the parties receiving and processing the data have signed, if necessary, an agreement with Posti that includes the standard clauses approved by the EU Commission and ensures that the processing of data is carried out in compliance with the law.
Data protection principles
The consumer customer register and related systems are protected by personal usernames and passwords. Anyone who is to be given a username and password for the system must, before receiving these, attend training pertaining to the use of the system. The training also covers Posti Group’s instructions on handling business secrets and customer data.
All data is processed confidentially and may only be disclosed to persons who need it to perform their duties and who are bound by a non-disclosure obligation.
Rights of data subjects, access to information, rectification and completion of data, restrictions
The data subject has the right to know about the processing of his or her personal data, to review his or her personal data and to request rectification of inaccurate data and completion of incomplete data. The data subject may request the erasure or transfer of personal data or request restriction of processing. When processing is based on consent, consent can be withdrawn at any time.
When logged in, data subjects can also submit a request for a review of personal data at www.posti.fi/yhteystietoni.
Data subjects may also submit requests for review, rectification and completion by personally visiting Posti’s HQ in Postintaival 7 A, Helsinki, or by sending the request form to Posti, P.O.Box 8030, 00002 Helsinki.
Requests will be handled on a case-by-case basis, as these rights may be subject to restrictions due to the circumstances.
All data subjects have the right to lodge a complaint with a supervisory authority, especially in the Member State where they have their habitual residence or place of work or where the alleged breach of the data protection regulation occurred (in Finland, the supervisory authority is the Data Protection Ombudsman).
Due to changes of Posti Group corporate structure, also the Controller has changed.
Posti Ltd (Business ID: 2344200-4) and Posti Distribution Ltd (Business ID: 0109357-9) PO Box 1, FI-00011 POSTI
Street address: Postintaival 7 A, Helsinki Tel. +358 (0)100 5577 (mpc/lnc, also while queueing)
Data Protection Officer: email@example.com