Introduction
PostNord AB (publ) and its Group companies, referred to jointly as “PostNord” or “we” below, respect your personal privacy. The present privacy notice sets out how we collect and make use of your personal data. It also details your rights in relation to us, and how you can exercise these rights.
Our objective is to ensure you feel confident that your personal privacy is respected and that your personal data are being processed correctly. All processing of personal data within PostNord is performed in compliance with the prevailing personal data legislation. For the EU/EEA, this means the General Data Protection Regulation (GDPR)[1] and supplementary national legislation.
What are personal data, and what is the processing of personal data?
Personal data is any information which, directly or indirectly in combination with other information, can be linked to a living natural person. This means that many different types of information, including name, contact details and video recordings are classed as “personal data”.
Processing of personal data means all actions performed in connection with personal data, for example, collection, storage, processing and use for different purposes, as well as the modification and destruction of personal data.
Who is responsible for processing personal data?
The Data Controller responsible for processing your personal data is the PostNord company stated in the terms and conditions for the service used, on the digital channel you visit, or for any other type of interaction with us. Please note that it is the sender – not PostNord – who is the Data Controller with regard to personal data in letters and parcels. If you have any questions about how PostNord processes your personal data, or you would like information about and contact details for other PostNord Group companies, you are welcome to contact PostNord’s Data Protection Officer by email or by regular mail to:
PostNord AB
Data Protection Officer
SE−105 00 Stockholm
Email: dataprotectionofficer@postnord.com
Deletion of personal data
We only process your personal data for as long as it is necessary to fulfil the purposes of the processing or to meet PostNord’s legal obligations. Thereafter, your personal data is erased in accordance with our erasure policy or internal guidelines for deletion of data. We state the applicable retention time for each form of processing.
Legal grounds for processing your personal data
PostNord must have a legal basis for processing your personal data. The type of processing we utilize is stated in the description of the respective processing. PostNord uses the following legal bases:
Legitimate interest: We may process your personal data when this is necessary to fulfil our legitimate interest, assuming that this interest outweighs your personal rights and interests. This basis covers processing for purposes such as providing customer service, developing or improving our products and services, and security interests.
Legal obligation: We also process your personal data when we have a legal obligation to do so, for example pursuant to the Swedish Postal Services Act (SFS 2010:1045) (“The Postal Services Act”).
Which personal data about you do we process, and for what purposes?
Camera surveillance
Purpose:
To prevent abuse of a service, to hinder, prevent and investigate crimes against the company and employees, or to investigate accidents that have occurred.
Categories of personal data: Video recordings
Legal ground:
PostNord bases the processing of your personal data on a legitimate interest. The processing is necessary to accommodate our legitimate interest in preventing abuse of a service, hindering, preventing and investigating crimes, or investigating accidents that have occurred. Information about breaches of the law that encompass crimes will only be processed if such processing is necessary in order to allow legal claims to be established, exercised or defended in a specific case.
Retention time:
We store images from our surveillance cameras for a maximum of 60 days, except in the case of ongoing investigations.
How we protect your personal data
PostNord takes extensive steps to safeguard your personal data, including applying appropriate technical and organizational security measures to protect the data from unauthorized access, modification, dissemination or destruction.
With whom do we share your personal data?
PostNord may engage external partners and suppliers to carry out certain tasks on behalf of PostNord, including providing IT services and payment solutions, or assisting with marketing, analyses or statistics. The performance of these services may entail PostNord’s partners, both within and outside the EU/EEA, being given access to your personal data.
Personal data for Camera Surveillance are shared with PostNord’s IT supplier for camera surveillance, and the processing is performed within the EU.
Companies that process personal data on PostNord’s behalf always sign an agreement with PostNord in order to assure a high level of protection of your personal data. Special security measures are taken in relation to partners outside the EU/EEA, including agreements that contain standardized model clauses for data transfer that have been adopted by the EU Commission and are published on the EU Commission website.
PostNord may disclose personal data to a third party such as the police or other authorities in cases concerning the investigation of a crime, or if we otherwise have an obligation to provide such information under law or pursuant to a decision by a public authority.
Your rights in connection with our processing
You have the following rights with regard to the companies that process your personal data:
- Right to access (register extract) – a right to confirmation of and information about the processing of your personal data.
When you request access to surveillance material, you should specify when you were at the location monitored, stating the date and the time. You must also be able to identify yourself.
You are not entitled to access images of other people or materials that are designated “confidential” pursuant to the Swedish Public Access to Information and Secrecy Act, even if you appear in the images yourself. - Right to rectification – a right to have incorrect personal data corrected.
- Right to erasure – a right to have your personal data erased. This right is, however, limited to such information about you which, under law, may only be processed with your consent, if you withdraw your consent and object to the processing.
- Right to object – a right to object against our processing of your personal data if it is carried out on the basis of a balancing of interests or used for direct marketing purposes.
- Right to restricted processing – a right to request that the processing of your personal data to be restricted; if you have a complaint about the correctness of the information, for instance. During the time that the correctness is being investigated, PostNord’s access to the information will be restricted.
- Right to data portability – a right to have your personal data transferred from one Data Controller to another. This right is limited to the information with which you have personally provided us.
In order to exercise any of these rights, see the contact information under the header below.
Contact information
If you have any questions or opinions concerning the delivery of parcels or letters, contact PostNord’s Customer Service.
To exercise any of your rights, contact us at:
PostNord Sverige AB
Customer Service
SE−105 00 Stockholm
Email: registerutdrag@postnord.com
Please note that as a general rule, PostNord does not allow anyone to exercise rights on behalf of another person through power of attorney. The person who wishes to exercise his/her rights must therefore file the request himself/herself.
If you are a corporate customer, please contact PostNord’s Customer Service or your key account manager.
If you believe that PostNord is not processing your data in accordance with the applicable data protection legislation, you also have the right to submit a complaint to the relevant supervisory authority.
Personal data that PostNord does not process
PostNord does not process personal data in letters or parcels delivered by PostNord, and is therefore not the Data Controller nor the Data Processor for personal data in letters or parcels. You need to contact the sender of the letter or parcel to request information about the processing of such personal data.
Amendments to this privacy policy
PostNord may amend this privacy policy at any time. The most recent version of the privacy policy is always available on the PostNord websites.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.