Purpose and legal basis of personal data processing
Posti’s register for electronic consumer services covers information about natural persons who are registered as users of Posti Group’s electronic services. Use of these services requires strong authentication of customers. Data is processed for the provision, development and maintenance of the services selected by the customer, as well as for customer relationship management.
Data is also needed for the operational business needs of Posti, such as implementation of the service process, invoicing and reporting, and for Posti's control information.
Data can also be processed for quality control, security, system maintenance and development, as well as for analytical, modeling, statistical or market research purposes for planning and developing Posti’s business operations. Statistical modeling based on personal data may be disclosed to Posti’s business customers in connection with data services.
Processing of electronic communication transmission data is carried out to the extent necessary to transmit communication and implement the agreed service, as well as to ensure information security. Additionally, such data is processed to detect, prevent, and investigate technical faults or errors in the transmission of communication, misuse of the service, and for the technical development of communication services, billing, statistical analyses, and compliance with statutory obligations. With the customer’s consent, transmission data may be processed to market Posti’s own services.
Customer data is also processed for informing about and marketing Posti’s and Posti Group’s services. With the customer’s consent, data can be used by selected Posti partners for direct marketing purposes. Data is also processed for target marketing and to offer personal recommendations for customers.
With the customer’s consent, the customer’s contact information can be updated automatically with the help of the customer register for Posti’s electronic consumer services for organizations and companies who already have the customer’s contact information because of, for instance, a customer or membership relationship or some other legal basis.
The processing of data is primarily based on the fulfillment of the contract with the customer, but also on the fulfillment of Posti’s statutory obligations (e.g. the Accounting Act, Payment Services Act), or on Posti’s legitimate interests (e.g. market research, maintenance and development and statistics as well as modeling and analyzing) or on the customer’s consent (e.g. electronic direct marketing, connecting customer data with cookie data).
Data processed in the consumer register and its retention
The consumer customer register contains the following data that is mandatory for uniquely identifying the customer and for providing the service:
Given name(s) and surname
Addresses
Personal identity code/passport number/EU card number
Phone number(s)
Email address
Language
Gender
Date of birth
Country that issued the passport/EU card
Technical data sent to Posti’s server by the browser, such as the IP address, server, server version or page from where the customer moved to Posti’s website, are also saved.
In connection with payment services, the information saved on payment transactions, such as invoices paid through a service and payment commissions, includes the sum of the invoice, the targeting information of the invoice, due date, date of payment and information on the payment method. In addition, the payment services will collect the information necessary to fulfill the requirements of identifying the customer and preventing money laundering and the financing of terrorism.
In the provision of an electronic mailbox, data necessary for providing the communication service, such as electronic communication transmission data, is processed. Transmission data consists of the technical information required for the transmission of communication, such as the sender and recipient of a message, its size, and the time of transmission.
In addition, the register contains direct marketing options selected by the customer and any other data required for the services, such as the service start and end dates and other payment details for services. Information about the use of services is also collected, e.g. information about the use of different features of the services such as the buying feature, searches and other features. The register may also specify the preferred given name.
In order to create target groups, cookie data, external classifications and statistical information (such as the average type of housing or family in the customer’s postal code area) can be collected. Further information about the use and administration of cookies is available here.
In addition, the answers of customers who responded to the customer satisfaction survey via electronic channels are collected in the register.
The mobile postcard and payment services also store the credit card payment consent if the customer agrees to it. The credit card number is not stored at Posti in this context.
Based on the customer’s wish, the services can store data for shipments from other delivery companies that is based on the publicly available information of delivery companies.
In the My pickup location service, item IDs and item location data are also processed.
Data in the customer register is retained for the duration of the contract and, after that, for 3 years and 3 months at most. The technical data sent to Posti’s server by the browser are retained for 6 months. The need for storing the data is assessed regularly. After the termination of the contract, the information content of the services used by the customer, such as the electronic letters, will be retained for 14 days before erasure. The answers to the customer satisfaction survey are kept for a maximum of 2 years from the end of the survey.
Data relating to payments will be retained for a maximum of 6 years. The information collected to identify the customer and to prevent money laundering and the financing of terrorism will be retained for the duration of the customer relationship plus five years. In addition, Posti may be obligated to retain some personal data included in the register for longer than stated above in order to comply with the legislation or authoritative requirements.
Regular sources of data
Data in the register originates from the customer and from the bank or other third party that authenticates the data subject in connection with the sign-in. The customer’s name and address data will be updated using Posti’s address information system, and data can also be updated using Data & Marketing Association of Finland’s prohibition register and other similar public and private registers and databases (such as Traficom or Statistics Finland).
Safe disclosure of data
With the customer’s consent, target groups can be disclosed for marketing purposes to selected Posti partners for shared or independent direct marketing purposes.
Personal data may be disclosed, with the customer’s consent, for the purpose of conveying information on the distribution method chosen by the customer to the sender or forwarder of the letter or other message or item and to execute the services selected by the customer. If the customer uses Posti’s user interface in the payment services to conclude an agreement on a service offered by a third party, the customer’s information that is necessary to conclude the agreement can be disclosed to such third party with the customer’s consent. In addition, all information regarding the customer, invoice or payment necessary to realize the payment and authenticate the customer and payment can be disclosed to the invoicer or a third party, such as a bank, taking part in the payment event in services that include the payment transaction.
In mobile applications, an advertising identifier can be used to measure advertising performance. Posti will disclose the advertising identifier of the device to its partner. The advertising identifier can be removed and/or its use can be restricted in the device settings.
Data in the customer register may also be processed by companies providing subcontracting services to Posti. Due to the technical processing of data, some of the data are physically situated on external subcontractor servers or hardware, through which they are processed via a technical remote connection. Personal data may in such cases be transferred to countries outside the European Union or the European Economic Area. In all cases, the precondition for disclosing and transferring data is that the parties receiving and processing the data have signed, if necessary, an agreement with Posti that includes the standard clauses approved by the EU Commission and ensures that the processing of data is carried out in compliance with the law.
Data protection principles
The consumer customer register and related systems are protected by personal usernames and passwords. Anyone who is to be given a username and password for the system must, before receiving these, attend training pertaining to the use of the system. The training also covers Posti Group’s instructions on handling business secrets and customer data.
All data is processed confidentially and may only be disclosed to persons who need it to perform their duties and who are bound by a non-disclosure obligation.