This privacy statement describes how we process personal data of individuals who have registered as users of Posti’s electronic consumer services.
Posti Ltd and Posti Jakelu Ltd are joint controllers responsible for the processing of personal data in Posti’s electronic consumer services (together referred to as “Posti”)
Posti Ltd (Business ID: 2344200-4) Posti Jakelu Ltd (Business ID: 0109357-9)
P.O. Box 1, FI-00011 POSTI Visiting address: Postintaival 7 A, Helsinki Tel. 0100 5577 (local/mobile network rate, including queue time)
Data Protection Officer: tietosuoja@posti.com
The responsibilities of the joint controllers are divided based on which company provides the service. The service provider is specified in the product terms, on Posti’s website, or in connection with the service. You may exercise your rights under data protection legislation by contacting either of the controllers.
Purpose of processing, legal basis, and retention times
Purpose of processing | Legal basis |
|---|---|
Provision and maintenance of services Creating and maintaining an electronic user account, logging into services, and implementing user account functionalities and other electronic consumer services. When registering for the service, Posti automatically verifies the customer’s age via an identification service and makes an automated decision necessary for concluding the contract. The customer has the right to request that the decision be made by a person instead, as well as to express their point of view and contest the decision. Transmission data for electronic communication is processed to the extent necessary to transmit communications and deliver the agreed service. | Contract: Taking steps prior to and for the performance of a contract between Posti and the customer. Legitimate interest: Reliable and appropriate functioning of the service. |
Customer relationship management Managing the customer relationship (e.g. maintaining basic and contact information) and carrying out communications. | Contract: Measures related to maintaining the customer relationship, such as keeping records and communicating with the customer. Legal obligation: Mandatory communications (e.g. data breach notifications). Legitimate interest: Other customer communications. Consent: Notifications within the application (push notifications). |
Execution and development of services and Posti’s business Operational needs such as service delivery processes, mail routing/forwarding, billing, and reporting. Transmission data for electronic communication is processed for invoicing purposes. Planning and development of Posti’s business, including analytics, profiling, opinion and market research, and related activities. Transmission data for electronic communication is also processed to develop communication services. | Legal obligation: Bookkeeping and document retention. Legitimate interest: Efficient operation and guidance of Posti’s business. Development of services and customer experience. |
Service security and quality, and system maintenance and development Quality assurance and security of services, as well as system maintenance and development. Transmission data for electronic communication is processed to maintain and develop the technical aspects of the service. Ensuring service security and detecting, preventing, and investigating technical failures, errors, and misuse (including processing of transmission data for electronic communication). | Legal obligation: Legal requirements related to safe use of the service. Legitimate interest: Ensuring the security and quality of the service. Technical maintenance and development. Ensuring the legal protection of the customer and Posti. Consent: Information collected through non-essential cookies or other online identifiers. |
Analytics and statistics Analyzing, compiling statistics, and reporting for planning, executing, and developing Posti’s business. Statistical models based on personal data may be shared with business customers as part of data services. Transmission data for electronic communication is processed for statistical analyses. | Legitimate interest: Planning, executing, and developing services and business operations, as well as strategic planning. |
Marketing and targeted advertising Informing and marketing services of Posti and other group companies. With the customer’s consent, transmission data for electronic communication may be processed for marketing Posti’s own services. Survey responses may be used for marketing purposes without identifying the respondent. With the customer’s consent, personal data may be used for direct marketing by Posti’s partners. Targeted advertising and personalized recommendations. Measuring the effectiveness of advertising. | Consent: Electronic direct marketing (email and SMS) generally requires the customer’s consent. Use of cookies/online identifiers for targeted advertising. Use of transmission data for electronic communication for marketing. Legitimate interest: Other direct marketing. Electronic direct marketing may be sent without consent to an electronic contact obtained in connection with a product or service sale, provided that the marketing concerns similar products or services. Targeted advertising within Posti services. Measuring advertising effectiveness. |
Personalization and profiling Tailoring services to match the customer’s individual preferences and delivering personalized content and advertising. Profiling refers to the automated processing of personal data to assess certain personal characteristics, such as interests or usage of services. The goal is to improve the customer experience and ensure relevant and meaningful recommendations. | Legitimate interest: Personalization and profiling to enhance customer understanding and experience and to tailor services. Consent: Certain targeting activities or technologies (e.g. cookie tracking). |
Ensuring legal protection Ensuring the legal rights of the customer and Posti, and fulfilling legal and regulatory obligations. Transmission data for electronic communication is processed to comply with legal obligations. | Legitimate interest: Ensuring the legal protection of the customer and Posti. Posti’s right to defend or pursue legal claims. Legal obligation: Retaining personal data to comply with legal or regulatory requirements. |
Disclosure of data to other controllers Personal data is disclosed to authorities based on legal requirements. Personal data is disclosed to service providers such as providers of identification, payment, financial, or debt collection services (e.g. MobilePay, Neonomics). For electronic mailbox services, delivery information and electronic letter transmission details are shared with participating senders and intermediaries. For letters with electronic acknowledgment of receipt, the sender receives a receipt of delivery and the recipient’s acknowledgment with the delivery timestamp. With the customer’s consent, contact information can be automatically updated to organizations or companies that already possess the customer’s contact details based on a customer or membership relationship or other lawful basis. With the customer’s consent, target groups can be shared with Posti’s partners for direct marketing purposes. Based on cookie consent, data collected via cookies or similar methods is shared with third parties. Based on customer consent, name, email address, phone number, postal code and/or customer ID may be shared with digital marketing partners for targeted advertising. For more information on how Meta Platforms Ireland Limited and Google Ireland Limited process personal data, see: https://www.facebook.com/privacy/policy, https://privacycenter.instagram.com/policy, and https://business.safety.google/privacy/. Posti and Adform A/S are joint controllers for the ID used in cooperation, which enables identification of the customer’s browser or device and targeted advertising outside Posti’s services. More information on the joint controllership is available here: https://www.posti.fi/en/customer-service/terms-and-statements/cookies and https://site.adform.com/privacy-center/platform-privacy/product-and-services-privacy-policy/. | Legal obligation: Statutory right of access for authorities. Contract: Sharing with service providers based on a contract with the customer. Legitimate interest: Disclosing data related to electronic letter forwarding to partners. Consent: Sharing contact information for marketing purposes. Sharing cookie-collected data with partners. Sharing customer ID with marketing partners to enable targeted advertising outside Posti’s services. |
Data collected via cookies and other tracking methods is used to enable service functionality, improve and develop the services, analyze and report service usage, and deliver targeted content and advertising. When the service is used while logged in, data collected via cookies and other tracking methods is linked to the customer relationship for electronic consumer services and processed in accordance with this privacy statement. More information about cookies and how to manage them is available here.
Posti only retains personal data that is necessary for Posti’s operations and processing purposes and for which there is a lawful basis. The retention period is determined based on the purpose of the processing and/or the nature of the data. Retention may also be influenced by legal requirements for storing data and other time limits (e.g. statutory limitation periods) for taking legal or other actions. If processing is based on consent, such personal data will be deleted once the customer withdraws their consent.
Customer’s basic and contact information and data related to the contractual relationship are retained for the duration of the contract and for a maximum of 3 years and 3 months thereafter. Data related to service usage is generally retained for up to 3 years and 3 months. The content of the services used by the customer, such as electronic letters, is deleted when the contract ends. Payment-related data required by the Accounting Act is retained for up to 7 years. Responses to customer satisfaction surveys and research surveys are retained for up to 2 years after the survey has ended. Log data is retained for up to 3 years.
Posti may also retain personal data deemed necessary for the establishment, exercise, or defense of legal claims until the matter has been resolved. In addition, Posti may be required to retain certain data for longer than stated above to comply with legal or regulatory obligations. Data that is no longer necessary for its purpose, outdated, or otherwise lacking a legal basis for processing is anonymized or securely deleted.
Processed personal data
For users registered to Posti’s electronic consumer services, the following personal data is processed, which is necessary to sufficiently identify the customer and to deliver the service:
First and last names
Personal identity code
Information related to the use of authentication and verification tools and services
Service activation and termination dates
Address
Phone number
Email address
Preferred language
Customer-specific identifiers
Username and password for accessing the services
Login information for electronic services (e.g. timestamps, IP address, network connection information) and other log data
Information about the device, browser, and operating system
Depending on the service and/or the purpose of data processing, the following additional personal data may also be processed:
Preferred name
Personal PIN or other service usage identifier
Data generated from the use of service functionalities (e.g. purchases, searches)
Order and payment information for products and services, such as bank connection, account number, card identifiers and numbers
Data necessary for providing a digital mailbox (communication service), including transmission data for electronic communication (sender, recipient, size, and timestamp of the message)
Acknowledgments of receipt for electronic registered letters
Payment transaction data (e.g. payee, invoice amount, due date, payment date, payment amount and method)
Delivery and handover information for tracked shipments transported by Posti, such as sender’s and recipient’s names and contact details, unique shipment ID, delivery method, customs and content data, number of shipments and handover data
Consent and opt-out information related to marketing and data processing
Cookie consent information and similar data collection preferences
Advertising identifiers of mobile devices used for targeted marketing
Content and website behavior during service use and volume of transferred data
Data change/update history
Communication and marketing contact history
Customer satisfaction survey responses
Participation in research and responses, conversations, comments and possible audio and video recordings given in connection with the research
Personalized information and preferences voluntarily provided by the customer
Classification and profiling data linked to the customer, and other insights generated via analytics
To create target groups, external classifications and statistical data may also be stored (e.g. average housing type or family structure based on the customer’s postal code).
If the customer so wishes, information about shipments delivered by other delivery companies may also be stored, based on publicly available data provided by these companies.
Regular sources of information
The personal data originates from the customer, for example during service activation or usage. During service activation, data is also obtained from the entity performing customer identification. In connection with the digital mailbox service, the customer’s contact details are verified against Posti’s address information system. In connection with the provision of the digital mailbox service, data related to the transmission of communications is also generated by the senders and intermediaries connected to the service.
The customer’s name and address details are updated from Posti’s address information system. In addition, data may be updated from opt-out registers maintained by the Finnish Customer Marketing Association (ASML) and from other similar public and private registers and databases (such as Traficom or Statistics Finland). Customers are responsible for keeping their electronic contact information up to date with Posti to ensure proper functioning of the services and to allow Posti to reach them if necessary, for example in the event of service disruptions.
Recipients of personal data
Personal data is processed by Posti and its group companies for administrative purposes (e.g. centralized customer service, relationship management, marketing). Posti uses service providers that process personal data on its behalf. These include:
IT service providers delivering server and maintenance services, systems, and other technical support
Providers of analytics, statistical, and personalization services
Advertising, communication, and research service providers conducting marketing campaigns, communications, and customer surveys
Communication service providers (e.g. email and SMS)
Digital marketing partners targeting ads on websites, social media, and apps
Customer information updating service providers
Consulting firms supporting service development and related operations
To enable service delivery, customer-specific identifiers defined by Posti may be shared with partners to ensure unambiguous customer identification.
Through the services, customers may also access or order products or services from third parties. In such cases, necessary personal data is shared with these third-party service providers, who act as independent data controllers, such as identity verification, payment, and financial service providers. The customer will be informed of this data sharing at the latest at the time of processing. In services involving payments, necessary information about the customer, invoice, and payment may be shared with the invoicer, involved third parties (e.g. banks), and debt collection service providers.
When providing the digital mailbox service, the delivery method selected by the customer and information related to the transmission of electronic letters are forwarded to the senders and intermediaries connected to the service. For electronic registered letters, the sender receives a receipt for the item, along with the recipient’s acknowledgment of receipt and the delivery timestamp.
With the customer’s consent, target groups may be disclosed for direct marketing by Posti’s partners.
Based on cookie consent provided by the customer, data collected via cookies or similar technologies may be shared with third parties.
Based on customer consent, an identifier generated about the customer may be shared with Posti’s digital marketing partners to show advertising on digital platforms and measure effectiveness. In this cooperation, Posti and Adform A/S act as joint controllers for the ID used. This identifier is a random string that allows the identification of the customer’s browser or device and enables targeted advertising and content delivery outside of Posti’s services. More information is available at: https://www.posti.fi/en/customer-service/terms-and-statements/cookies, https://site.adform.com/privacy-center/platform-privacy/product-and-services-privacy-policy/
Posti discloses personal data to authorities as required by law.
Personal data may be transferred outside the European Union or the European Economic Area in limited cases for service delivery, technical maintenance, and support, as permitted by law. Transfers require that:
The European Commission has decided the recipient country or organization ensures an adequate level of data protection
The recipient has signed an agreement with Posti containing the EU Commission’s standard contractual clauses to ensure lawful processing: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914
Another data transfer mechanism permitted under data protection law applies, such as binding corporate rules approved by a supervisory authority.
Data subject rights
The data subject has the right to receive information about the processing of their personal data and to know whether their data is being processed. They also have the right to access their personal data, obtain a copy of it, and request the correction or completion of inaccurate or incomplete data. The data subject may request the deletion or transfer of data, or in certain cases, request restriction of processing or object to processing based on their specific personal situation. When processing is based on consent, it may be withdrawn at any time.
As a logged-in user of Posti’s consumer services, you can view and correct your data in the “My Data” section. While logged in, you can also change your marketing consents and object to processing based on legitimate interest (such as certain profiling activities, email newsletters, and customer survey invitations). You can also manage your data processing preferences via functionalities in received emails or by contacting Posti’s customer service. Cookie-related consents can be managed via the “Cookie Settings” button at the bottom of Posti’s website or through the settings section in the OmaPosti app. You can also restrict targeted advertising based on cookies via the Your Online Choices website.
You can request access to your data stored in Posti’s registers and exercise other rights as follows. We recommend submitting your request with authentication, as this enables faster processing. Authentication can be done via your Posti user account or with online banking credentials or a mobile certificate (strong authentication is done via the address change service page). If you do not use our electronic services or are submitting a request on behalf of someone else (e.g. a dependent or ward), we recommend using a printable form. Send the completed form in a stamped envelope to the address provided in the form. You may also submit your request in person at Posti’s head office, Postintaival 7 A, Helsinki. Alternatively, you can contact Posti’s customer service.
We will process your request without undue delay and respond within one month of receiving it. You generally have the right to receive your data free of charge. If your requests are clearly unfounded or excessive—particularly if made repeatedly—we may charge a reasonable fee to cover the administrative costs.
If you have any questions about the processing of your personal data or feel that we have not carried out the actions you requested, you can contact Posti’s Data Protection Officer at: tietosuoja@posti.com. You also have the right to lodge a complaint with a supervisory authority, particularly in the EU country where your permanent residence or workplace is located, or where the alleged violation of the General Data Protection Regulation has occurred (in Finland: the Data Protection Ombudsman). More information: tietosuoja.fi/en