Privacy Statement for the Posten Group
The Posten Group is a post- and logistics group that develops and provides post-, communications- and logistics services in Norway and the Nordic region. The services are marketed through the brands Posten (the private market in Norway) and Bring (the corporate market in the Nordic countries). The parent company of the Posten group is Posten Norge AS.
Our services are provided by different group companies depending on the service you receive and in which country. It is the individual group ("we") with which you have entered into an agreement, or that provides the digital channel you are using (for example websites, social media, apps and customer service) that is responsible for processing your personal data.
In this privacy statement you can read about how we process your personal data and what we do to safeguard your privacy. Exactly what personal data each company in the group processes and the purpose or purposes of the processing will vary depending on the service and/or digital channels you are using.
1. The framework for our processing of personal data
We process your personal data within the framework of applicable Norwegian laws and this privacy statement. Personal data is collected when necessary for our execution of the tasks and services we are required to perform in accordance with laws and/or agreements, or when you otherwise provide us with your personal data.
Personal information is information and assessments that can be directly or indirectly linked to an individual. Typical personal information that we process includes your name, address, ID number, phone number and email address.
When we use the term “processing” of personal information, this means any use of personal data, such as the collection, registration, compilation, storage and disclosure of data or a combination of these uses.
All processing of personal information requires that there is a legal basis for the processing. If there is no other legal basis for the processing, for instance if an agreement has been entered into that necessitates the processing of certain personal data, that we can process the personal data according to law, or that we have a justified interest in carrying out the processing, we will always ask for your consent before processing your personal data.
2. The purposes of processing of personal data
The purpose of our processing of your personal data is primarily to administer the customer relationship and such other processing as is necessary to fulfil the obligations we have undertaken for you as a customer and/or user of our services. We also process personal data as required or permitted by legislation, or in cases where you have consented to the processing in question.
In some cases we will receive information about you from others with whom you have signed an agreement and who want us to transport goods to you. Such information includes among others your name, address, phone number, email address and delivery time. We are the controller of such information.
In addition to this we process personal information among other things as described in sections 5 to 12 below.
3. Which personal information is processed?
In general, we process personal information that you provide to us or that is contained in registers that we have access to or administer. If we collect information about you from third parties (for example, from a credit inquiry agency), you are normally entitled to be informed about this.
Information we process may include: name, address, email, telephone number, date of birth, ID number, interests, work areas, job title, employer and which of our services you use or are interested in. For some of our services, it may be necessary to process other types of personal data, such as location. In such cases, this will be made clear in the terms for each service.
4. Recipients of personal information
If there is a statutory requirement to disclose data to public authorities, the relevant personal data will be disclosed in accordance with the requirements stipulated by the authorities.
We employ third parties who process personal information on our behalf ("Data Processor"). Before we give such data processors access to your personal information, we always enter into agreements that describe, among other things, what the data processor will do for us. Examples of the types of data processors that we use are suppliers of different systems, suppliers of analysis services, customer surveys, etc.
Transfer to third countries
Relevant personal data may also be disclosed to companies/organisations with whom we cooperate, including in locations outside the EEA and EU, in order for us to carry out the tasks and services we are required to perform according to law or agreement. Under no circumstances will your personal data be transferred without the necessary agreements having been entered into to ensure that your rights are safeguarded. If we use subcontractors to assist in the processing of personal data and these are located outside the EU/EEA-area, we will always ensure that data processor agreements are entered into and including guarantees from the recipient (e.g. EU standard agreement on transfer to third countries ), that provides an adequate level of protection of the personal data.
In some cases, your personal information may be transferred to or collected by third parties who are themselves responsible for their further processing of your personal information, such as when you visit our pages on services such as Facebook or LinkedIn. These services usually collect your personal information by placing cookies on the device(s) you use. You can read more about cookies further down in the privacy statement. Information collected includes, among other things, when you use the service and affiliated services. You can read more about which personal information is collected and how this is processed in the privacy statement for the respective service.
We will never transfer your personal information to any other third parties without having a legal basis for doing so, or if you have requested or otherwise authorised this.
We may make links to other websites available in our digital channels. If you click on such a link, the site will be able to record your personal information. This site is then responsible for processing your personal information. We therefore encourage you to familiarise yourself with how the website processes your personal information, for example by reading their privacy statement.
5. Group customer register - corporate market
Several of the companies in our corporate market have access to a shared corporate customer register. The purpose of the register is to administer the customer relationship in the best way possible, and to coordinate the services and advice offered by the various companies in the Group.
The corporate customer register contains information about the customer such as the company name, address, and information about the customer’s contact person, information about which of the companies in the Group the corporate customer is a customer of, and what services and products the corporate customer has agreements for.
6. Customer follow-up and marketing
When we have a customer relationship with you. We send you marketing information about our products and services in the product and service categories in which we already have a relationship with you. In that context, we can use the data we have registered on you, such as your name, contact information and which services or products we have an agreement for. For corporate clients, we collect this neutral information from our shared corporate customer register.
Other product- and service categories, or if we do not have a customer relationship with you. If we (i) are marketing products and services within a service category other than the one for which we have an agreement, or (ii) we do not have a customer relationship, we will not send you marketing information without your prior consent.
You can always opt out of the service when you receive marketing inquiries from us by email and SMS. Opting out only applies to the relevant service. Therefore, if you do not wish to receive marketing inquiries about other of our services, you must opt out of such marketing for each service.
You may also demand that your name be blocked for marketing purposes by contacting our customer service.
Even if you have said that you do not want to receive marketing information, you will still receive other information related to your customer relationship, such as information about orders, dispatch information, etc.
As a private person, you will normally not receive marketing inquiries from us more than once a month, but this may vary.
Purpose and types of information
Where we base our processing of personal data on your consent, the consent form will clearly state the purpose(s) for which the consent has been obtained (for example, marketing of our various services that require consent).
Unless otherwise stated in the consent form, we will use the following personal information about you when marketing information is sent based on your consent.
- Any areas of interest or preferences you have indicated
- Position (only applies to the corporate market)
- Which of our other services you use
Consent is voluntary
You are free to decide whether or not to consent and may withdraw your consent at any time.
We may send you marketing information tailored to your preferences or your usage patterns. Such tailoring takes place based on the information you have provided to us and information we collect in connection with your use of our services (profiling). You have the right to object to your information being used in this manner.
8. Prevention and detection of criminal acts/reporting of money laundering
Among other things, we process personal data to comply with our investigation- and reporting obligations for suspicious transactions under the Money Laundering Act. This applies first and foremost to where we offer banking services. We are required to report suspicious information and transactions to the Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime (ØKOKRIM).
You are not entitled to access personal data recorded for the above purposes.
9. Camera surveillance
We operate camera surveillance in some locations in order to prevent and uncover criminal acts. Video recordings are deleted no later than three months after the time the recording was made, unless the video is given to the police or we, for other reasons, have the right to process the video recording for an extended period. In places where we use camera surveillance, information is clearly provided in accordance with the applicable rules.
10. System testing and quality assurance
Your personal information is handled by several IT systems, all designed for specific and necessary operational purposes. To ensure both satisfactory operating stability and, not least, information security, it is necessary to do regular updates, testing, troubleshooting, etc. In this context, data may be cloned and individual systems may be duplicated. This will take place in a secure, dedicated environment, so that these operations do not affect the daily operation of the main system. All information that we process as part of internal system testing and quality assurance, etc., is subject to the same requirements for information security and stringent routines as when the information is processed in other contexts. No copies or back-up of personal data will be stored any longer than necessary.
11. Customer satisfaction surveys
We conduct customer satisfaction surveys to provide a better understanding of how our customers experience us and how to improve our services. In this regard, we process names, emails, telephone numbers and the answers you give in the survey. It is voluntary to participate in customer satisfaction surveys. We employ third parties to conduct customer surveys on our behalf. If you participate in a customer survey, the survey information will be stored separately from other information that we have registered about you.
12. Statistics – analysis and insights
Your personal information, including information we receive about you in connection with transport assignments, is used to produce statistics which are then utilised to understand how our services are used, to improve and further develop our services, and to provide insights to our customers. Personal information is pseudonymised before being used to produce statistics. We may also obtain pseudonymous personal information from third parties in connection with the production of statistics. The pseudonymous data set is deleted as soon as it is incorporated in the statistics. You will never be able to be identified or otherwise recognised as part of the statistics.
13. Access and corrections
Under the Personal Data Act, you are entitled to access the information we have registered about you. If the registered information is incorrect or incomplete, you can require that the information be updated. Please contact customer service if you wish to use any of these rights. See the contact information below.
14. Storage and erasure
We delete your personal data that is no longer required for the purposes for which they were stored. We store personal information in accordance with currently applicable legislation.
16. Questions or complaints
If you have questions about our processing of personal data or believe that we do not meet our obligations to you regarding how we process your personal data, we encourage you to contact us (see contact information below). You also have the right to complain to the Norwegian Data Protection Authority: https://www.datatilsynet.no/, but we encourage you to contact us first.
17. Controller and contact information
It is the individual group company with which you have entered into an agreement, or that provides the digital channel you are using that is responsible for processing your personal data.
Posten and Bring Customer Service, P.O. Box 1883, N-4686 Kristiansand.
18. Privacy ombudsman
Email address of the Privacy Ombudsman in Posten Norge AS: email@example.com
19. Revision history
The following is an overview of when the privacy statement has been updated and the changes that were made.
May 25th, 2018 – Update according to the new Personal Data Act.
November 15th, 2018 – Update information about third party services.
January 23rd 2019 – New section 12 about statistics.