Posti item tracking is the joint responsibility of Posti Ltd and Posti Distribution Ltd (hereinafter Posti).
Posti collects, discloses and otherwise processes personal data relating to sent items in accordance with the Postal Act, data protection regulations and other applicable laws, and on the basis of the consent of the data subject, or by his or her assignment, or based on the customer relationship.
The respective responsibilities of joint controllers are based on the company offering the service. The company offering the service is defined in product terms, on Posti's website or in connection of the service.
Purposes and legal basis of the processing of data
In item tracking, Posti processes data related to sent items. The purpose of Posti item tracking is to track the progress of the delivery of items sent through Posti and enable correct delivery and any payment related to it. Furthermore, the aim is to collect and provide real-time event data on any deviations in mail delivery
in order to inform the recipient of the shipment of the arrival of the item for delivery or pick-up,
in order to inform the sender that the item has been handed over,
internally to Posti employees for process control, quality control, safety, as well as maintenance and development of the service and systems, and
to other postal and transport companies for process control, as well as to the authorities.
Item tracking data can also be used for customer surveys in order to develop Posti’s services and monitor their quality. In the above-mentioned cases, the legal grounds for processing personal data are the fulfillment of Posti’s statutory obligations (for example, the Postal Act and Accounting Act), compliance with the contract with the customer or Posti’s legitimate interest (for example, customer surveys, product development and statistics).
If the sender or recipient of a shipment is registered as a user of Posti’s electronic consumer services, the tracking information of the shipments (the name and contact details of the sender and recipient, the shipment’s unique identifier, delivery method, content and customs details, as well as information about the number and delivery of shipments) is processed together with other customer data for the planning, implementation and development of Posti’s business and services, for statistical and reporting purposes (based on Posti’s legitimate interest), for service communication and marketing (based on Posti’s legitimate interest or consent for electronic marketing), and for targeting services, personalized content and advertising using profiling (based on Posti’s legitimate interest). More information about the processing of personal data in connection with electronic consumer services is available here.
Data processed and its retention
Posti’s distribution and sorting processes produce personal data, including item-specific event and identification information on the recipient and image material used for this purpose. Data concerning individual items is stored in the system from the start of the delivery process up to the handing over of the item, as well as for the duration of the compensation claim time related to the delivery (18 months) for investigations conducted for the sender and the authorities. Information on the delivery of the item and digitized images of paper-based delivery documents are retained for 3 years and 3 months.
Information related to the delivery of the item may include:
unique identifier of the item
item classification (service and additional service) according to Posti’s service types
weight and any insured value of the item
recipient’s name and contact details, such as address, telephone number and/or e-mail address
name of the person who signed the delivery and image of the signature
personal identity number or its suffix and information on the document used for the verification of identity
item content and customs declaration information
A proxy given for receiving an individual item is stored for 3 years and 3 months, and a fixed-term proxy is stored for 6 years.
The following information related to items is stored in Item Tracking: Information on delivery:
unique identifier of the item
item classification (service and additional service) according to Posti’s service types
weight and value of the item
postal code of the delivery address
item content and customs declaration information
If the sender has provided the item reference data electronically, the following information is also stored:
recipient’s first name and last name and/or company’s or organization’s name and Business ID, mail address, telephone number and/or e-mail address for sending the electronic notice of arrival
sender’s first name and last name and/or company’s or organization’s name and Business ID, mail address, telephone number
delivery date and time
identifier of the party that delivered the item.
If the delivery service includes receipt confirmation, the following information is also stored:
recipient’s first name and last name, personal identity number or its suffix, signature. If the recipient has given a proxy, the name and personal identity number of the authorized person and information on the content of the proxy are also stored.
If delivering the item requires a payment (e.g. a cash-on-delivery item, shipments subject to customs), the register may contain the payee’s and payer’s bank account numbers or other banking details related to the payment. Data will be retained for a duration specified in the Accounting Act, six years at the most.
Sources of data
Posti’s process generates some of the information specified above. Some data is obtained from other postal and transport companies.
The sender of the item provides the data required for delivering the item on a case-by-case basis.
Upon delivering the item, if the service includes confirmation of receipt and verifying the recipient’s identity, the recipient provides the information specified above to Posti for archiving either on a paper receipt or electronically. The recipient may provide Posti with a proxy for receiving an individual item or mail in general. An image of the proxy is stored in Posti’s electronic archive.
Disclosure of data
Data on individual delivery transactions is disclosed from Posti’s item tracking system via a public web service only on the basis of the shipment code, without further detailed personal or identifying information.
Shipment control data is transmitted to other postal and transport companies (name and address details of the sender and recipient, telephone number and/or e-mail address) for the purpose of implementing the service. Investigating missing, damaged or delayed shipments may also require the transfer of personal data to other postal and transport companies. In addition, Posti discloses personal data to authorities based on legal requirements.
Information about the shipment may be disclosed to the sender, but not the personal identity number. The public web service can be accessed from any country. Real-time tracking information on deliveries is sent outside the EU or EEA when the item in question is sent from or to a country that is outside the EU or EEA. In connection with data transfer, personal data is not generally disclosed to countries outside the EU and EEA, but only registration data related to the shipment code (shipment code, date and time, registered by), unless otherwise required by legislation or international treaties. For example, in the case of shipment of goods to the United States, the sender and recipient data, as well as information on the weight and contents of the consignment has to be sent to the US for customs clearance. Such transfer of data will take place under conditions specified in the data protection legislation (exceptions for special situations).
In connection with the processing of shipments, data is also handled by Posti’s subcontracted delivery companies, partners operating Posti’s service points, and IT service providers. Due to the technical implementation of data processing, some data may be physically stored on servers or equipment owned by external subcontractors and accessed via technical interfaces. Personal data may therefore be transferred outside the European Union or the European Economic Area within the limits permitted by law. The disclosure and transfer of data requires that
the European Commission has decided that the country or organization in question ensures an adequate level of data protection,
the parties receiving and processing personal data have entered into an agreement with Posti containing the European Commission’s approved standard contractual clauses, ensuring the lawful processing of the data: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914, or
another data transfer mechanism permitted under data protection legislation applies, such as binding corporate rules approved by a supervisory authority for the company processing the data.
The data is safe
Posti stores the information in databases protected with firewalls, passwords, and other technological measures. The databases and their backups are located in locked and guarded premises, and the data can be accessed only by designated persons.
Paper receipts containing the delivery information collected from recipients upon delivery are immediately sent for archiving in a closed envelope in accordance with a process that has been audited for information security.
Posti’s personnel and subcontractors, as well as persons processing the archived delivery data, are bound by a confidentiality obligation with regard to what they learn about a customer or his/her affairs while performing their duties.
In the real-time online item tracking service for senders and recipients, data can only be accessed with a unique shipment code. That data only contains event data related to the progress of the item - no personal data related to the sender or recipient is available in the service. Data searches on deliveries cannot be made using the recipient’s or sender’s name or address.
Rights of the data subject
The data subject has the right to obtain information about the processing of his or her personal data and to know whether his or her personal data is being processed. In addition, the data subject has the right to access and receive a copy of his or her personal data undergoing processing, and to demand rectification of inaccurate or incorrect data and completion of the data. The data subject may request erasure or transfer of personal data or, in certain situations, request restriction of processing or object to the processing of personal data on grounds relating to his or her particular personal situation. When the processing is based on consent, the consent may be withdrawn at any time.
You can make a request for information about your personal data stored in Posti's personal registers and exercise your other rights by doing the following. We recommend that you make an information request with identification, as this will allow your request to be processed faster. Identification is possible both with Posti's username and with online banking codes or a mobile certificate. If you do not use our electronic services or you make a request, e.g. on behalf of your dependent or ward, we recommend using the printable form. Send the completed form in a stamped envelope to the address indicated on the form. You can also make a request by, for example, visiting Posti's head office in person at Postintaival 7A, Helsinki. You can also contact Posti's customer service.
We will process your request without undue delay and respond to it within one month of receiving your request. As a rule, you have the right to receive your personal data free of charge. If your request is clearly unfounded or unreasonable, especially if you submit such requests repeatedly, we may charge a reasonable fee to cover the administrative costs of providing the information.
If the data subject considers that the processing of personal data concerning him or her infringes data protection legislation, the data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State where the data subject has his or her habitual residence or place of work or where the alleged breach of the GDPR has occurred (in Finland, the Data Protection Ombudsman). Further information is available on the website of the Data Protection Ombudsman: tietosuoja.fi