Privacy statement for Posti corporate customer register

Processing of personal data in Posti corporate customer register is the responsibility of Posti Group Corporation

Purpose and legal basis of personal data processing

Posti’s corporate customer register contains information about companies that are customers or potential customers of Posti Group or who have submitted to Posti a claim for damages, customer feedback or a lost item inquiry. In addition to company information, the system maintains data on the companies’ contact persons.

Posti processes the contact person data in companies belonging to Posti Group for the following purposes:

• Customer accounts management, such as - sales/contact management - marketing - market research - communications - customer support and counseling - customer relationship management, as well as development and maintenance of Posti’s operations and products

• Operational needs of Posti’s business, such as - customer reporting - mail control information

Data can also be processed for training, quality control, security and statistics. In such cases, the processing of data is based on the fulfillment of Posti’s statutory obligations (for example, the Postal Act and Accounting Act), compliance with the contract with the customer or Posti’s legitimate interests (for example, marketing, customer surveys, product development and statistics).

Data processed in the corporate customer register and its retention

The register contains the following information about contact persons at Posti’s customer companies, sole traders and potential customers:

• Contact person identifier/customer number (identifies the contact person

• The person’s position at the company (role and/or decision maker category)

• Title

• Given name and surname

• Direct marketing restriction

• Contact details

• Mailing lists (e.g. customer magazine or newsletter)

• Customer data related to the purchase of services

• Contact person’s interests

In addition to the customer’s basic data, information may also be accumulated on agreements, use of services and locations of service use. Data in the corporate customer register will be retained for the duration of the contractual relationship and, after that, as potential customer accounts unless the contact person requests the erasure of the data or cancels the newsletter subscription.

Regular sources of data

Data in the register originates from the customer company or the contact person him/herself. Data may also be obtained from companies in Posti Group and their subcontractors, from website tracking systems, publicly-available sources and from external suppliers such as directory service providers.

Safe disclosure of data

The corporate customer register is in use in all companies in Posti Group. Customers’ contact person data will not be disclosed to third parties for direct marketing purposes. Data may also be processed by companies providing subcontracting services to Posti, such as debt collection companies. Due to the technical processing of data, some of the data are physically situated on external subcontractor servers or hardware, through which they are processed via a technical remote connection. Personal data may in such cases be transferred to countries outside the European Union or the European Economic Area. In all cases, the precondition for disclosing and transferring data is that the parties receiving and processing the data have signed an agreement with Posti that includes the standard clauses approved by the EU Commission and ensures that the processing of data is carried out in compliance with the law.

Data protection principles

Posti’s IT systems containing the customers’ personal data are protected through the use of personal usernames and passwords. The system is used across Posti Group. Anyone to be given a username and password for the system must, before receiving these, attend training pertaining to the use of the system. The training also covers Posti Group’s instructions on handling business secrets and customer data.

All data related to contact persons of Posti’s customers will be processed confidentially and may only be disclosed to persons who need them at work and are bound by a non-disclosure obligation.

In addition to the employees of Posti Group companies, the personal data contained in the register will be accessible only to designated employees of subcontractors who are bound by non‑disclosure agreements

Rights of the data subject

The data subject has the right to obtain information about the processing of his or her personal data and to know whether his or her personal data is being processed. In addition, the data subject has the right to access and receive a copy of his or her personal data undergoing processing, and to demand rectification of inaccurate or incorrect data and completion of the data. The data subject may request erasure or transfer of personal data or, in certain situations, request restriction of processing or object to the processing of personal data on grounds relating to his or her particular personal situation. When the processing is based on consent, the consent may be withdrawn at any time.

If you are a customer of the OmaPosti service, you can check and correct your own information in the Your information section. When logged into the service, you can also change your marketing concents.

You can make a request for information about your personal data stored in Posti's personal registers and exercise your other rights by doing the following. We recommend that you make an information request with identification, as this will allow your request to be processed faster. Identification is possible both with Posti's username and with online banking codes or a mobile certificate (Strong authentication takes place on the "Notification of change of address" page). If you do not use our electronic services or you make a request, e.g. on behalf of your dependent or ward, we recommend using the printable form. Send the completed form in a stamped envelope to the address indicated on the form. You can also make a request by, for example, visiting Posti's head office in person at Postintaival 7A, Helsinki. You can also contact Posti's customer service.

We will process your request without undue delay and respond to it within one month of receiving your request. As a rule, you have the right to receive your personal data free of charge. If you request multiple copies of the information or make repeated requests, the reasonable costs of providing the information may be charged

If the data subject considers that the processing of personal data concerning him or her infringes data protection legislation, the data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State where the data subject has his or her habitual residence or place of work or where the alleged breach of the GDPR has occurred (in Finland, the Data Protection Ombudsman). Further information is available on the website of the Data Protection Ombudsman: tietosuoja.fi

Controller

Posti Group Corporation (business ID: 1531864-4) PO Box 1, FI-00011 POSTI

Street address: Postintaival 7 A, Helsinki Tel. +358 (0)100 5577 (mpc/lnc, also while queueing)

Customer service

Data Protection Officer: tietosuoja@posti.com