This includes fair and transparent processing, and acknowledging and complying with the principles of data protection. The rights of the data subject are respected and data is only processed on legal grounds and to the extent that is necessary for providing the services offered by Posti.

Posti’s aim is to comply with all the data protection legislation, including but not limited to the European General Data Protection Regulation, applicable to its business and this Policy is intended to summarize such key requirements as applied with Posti.

Processing of personal data is made transparent so that the data subject has the right to gain knowledge of the processing of their data in Posti. Transparency also requires that, if necessary, the decisions, choices and implementations and the grounds for them can be shown from documents in connection to the processing of personal data.

The safeguards and controls for protecting the personal data processed by Posti are selected based on a risk assessment. This way, risks are assessed based on the needs of the business as well as based on the data subjects and the information regarding them.

When a subcontractor processes Posti’s personal data for Posti, Posti is responsible for ensuring that the subcontractor processes data according to the same principles as Posti.

Any misuse or malpractice of personal data or a threat posed to them are investigated, and they are reported and communicated according to the severity of the case.

Posti’s target is to always comply with the following data protection principles when processing personal data at Posti:

Lawfulness, fairness and transparency

Personal data must be used in a lawful, fair and transparent manner from the perspective of the data subject.

Purpose limitation

Personal data must be collected for a specified, explicit and legitimate purpose and not processed further in a manner that is incompatible with the original purpose.

Data minimization

Personal data must be adequate, relevant and limited to what is necessary for those purposes for which the data is processed.

Accuracy

Personal data to be processed must be valid, accurate and updated, if necessary.

Storage limitation

Personal data can only be stored for as long as is necessary for fulfilling the purpose.

Authenticity, integrity and confidentiality

Personal data must be processed in a manner that ensures appropriate data security, including protection from unlawful or unauthorized processing and accidental destruction, loss or damage (data security).

Source: Posti