Personal data is information and assessments that can be directly or indirectly linked to an individual. Typical personal information that we process includes your name, address, national insurance number, phone number and email address.
We are the controller of personal data that we process. We think it is important that you know what data we collect and what we do to protect your privacy.
Below you can see what data we collect and use, why we do so, how we collect it and how we protect it.
1. About the Posten Group
2. The framework for Posten’s processing of personal data
We process your personal data within the framework set by applicable Norwegian laws and regulations. Personal data is collected when necessary for our execution of the tasks and services we are required to perform in accordance with laws and/or agreements. For the foreign subsidiaries in the Posten Group, the personal data act of the country in which the subsidiary in question is established applies.
When we use the term “processing” of personal data, this means any use of personal data, such as the collection, registration, compilation, storage and disclosure of data or a combination of these uses.
All processing of personal data requires that there is a legal basis for the processing. If there is no legal basis for the processing, for instance if no agreement has been entered into that necessitates the processing of specific personal data, we will always ask for your consent before processing your personal data.
3. The purposes of the processing of personal data
The purpose of our processing of your personal data is primarily to administer the customer relationship and such other processing as is necessary to fulfil the obligations we have undertaken to you as a customer and/or post recipient. We also process personal data as required or permitted by legislation, or in cases where you have consented to the processing in question.
We also process personal data in connection with customer follow-up and marketing (see section 7), the prevention and identification of crime (see section 8), video and image monitoring (see section 9) and regular testing and updates of the operating and security systems of our customer and data systems (see section 10), among other things.
4. Which personal data is processed?
The personal data will generally be data we have received directly from you. If we collect information about you from third parties (for example, from a credit-information company), you are normally entitled to be informed about it.
Information we process may include: name, address, email, telephone number, date of birth, national insurance number, interests, work areas, job title, employer and which of our services you use or are interested in. For some of our services, it may be necessary to process other types of personal data. In such cases, this processing will be made clear in the terms for the service.
5. Disclosure of personal data to third parties
If there is a statutory requirement to disclose data to public authorities, the relevant personal data will be disclosed in accordance with the requirements stipulated by the authorities. Relevant personal data may also be disclosed to companies/organisations with whom we cooperate, including in locations outside the EEA and EU, in order for us to carry out the tasks and services we are legally required to perform. Under no circumstances will your personal data be transmitted without the necessary agreements having been entered into to ensure that your rights are safeguarded. When data is transmitted to countries outside of the EU/EEA that the European Commission has not approved, we will always ensure that the transmission is made pursuant to warranties from the recipient, normally in the form of the EU standard agreement on transmission to third countries or according to the Privacy Shield scheme (USA).
6. Group customer register - corporate market
Several of the companies in our Group have access to a shared customer registry. The purpose of the register is to administer the customer relationship in the best way possible, and to coordinate the services and advice offered by the various companies in the Group.
The corporate customer register contains information about the customer such as the company name, address, and information about the customer’s contact person, information about which of the companies in the Group the corporate customer is a customer of, and what services and products the corporate customer has agreements for.
7. Customer follow-up and marketing
When we have a customer relationship with you
We send you marketing information about our products and services in the product and service categories in which we already have a relationship with you. In that context, we can use the data we have registered on you, such as your name, contact information and which services or products we have an agreement for. For corporate clients, we collect this neutral information from our shared corporate customer register.
Other product and service categories or if we do not have a customer relationship with you
If we (i) are marketing products and services within a service category other than the one in which we have an agreement, or (ii) we do not have a customer relationship, we will not send you marketing information without your prior consent.
You can always opt out of the service when you receive marketing inquiries from us by email and SMS.
You may also demand that your name be blocked for marketing uses by contacting our customer service.
Even if you have said that you do not want marketing information, you will still receive other information related to your customer relationship, such as information about orders, sending information, etc.
As a private person, you will normally not receive marketing inquiries from us more than once a month, but this may vary.
Purpose and types of information
Where we base our processing of personal data on your consent, the consent form will clearly state the purpose(s) for which the consent has been obtained (for example, marketing of our various services).
Unless otherwise stated in the consent form, we will use the following personal information about you when marketing is sent based on your consent:
- Any areas of interest or preferences you have indicated
- Position (only applies to the corporate market)
- [Which of our other services you use]
Consent is voluntary
You are free to decide whether or not to consent and may withdraw your consent at any time.
8. Prevention and detection of crime/notice about money laundering
Among other things, we process personal data to comply with our investigation and reporting obligations for suspicious transactions under the Money Laundering Act. This is primarily applicable to bank services offered through post offices and ‘Post i Butikk’ (in-store postal service). We are required to report suspicious information and transactions to ØKOKRIM.
You have no right to access personal data recorded for the above purposes.
9. Video and image recording/video surveillance
We make video and image recordings, for example through video surveillance of post offices to prevent and identify crime. Video recordings are deleted no later than three months after the time the recording was made, unless the video is given to the police or we have the right to process the video recording for an extended period.
10. System testing and quality assurance
Your personal data is handled by several IT systems, all designed for specific and necessary operational purposes. To ensure both satisfactory operating stability and, not least, information security, it is necessary to do regular updates, testing, troubleshooting, etc. In this context, data may be cloned and individual systems may be duplicated. This will take place in a secure, dedicated environment, so that these operations do not affect the daily operation of the system. All information that we process as part of internal system testing and quality assurance, etc., is subject to the same requirements for information security and stringent routines as when the information is processed in other contexts. No copy or back-up of personal data will be stored any longer than necessary.
11. Access and corrections
Under the Personal Data Act, you are entitled to access the information we have registered about you. If the registered information is incorrect or incomplete, you can require that the information be updated. Please see the contact information below if you wish to use any of these rights.
12. Storage and deletion
We delete personal data that is no longer required for the purposes for which it was stored. We store personal information in accordance with applicable law.
14. Questions or complaints
If you have questions about our processing of personal data or believe that we do not meet our obligations to you regarding how we process your personal data, we encourage you to contact us (see contact information below). You also have the right to complain to the Norwegian Data Protection Authority: https://www.datatilsynet.no/, but we encourage you to contact us first.
15. Controller and contact information
Norway Post AS is the parent company in the Posten Group and will in most cases be the controller or data processor for the data being processed.
Posten and Bring customer service, Post box 1883, N-4686 Kristiansand.