Examples of major changes in the new law include increased requirements regarding documentation, processes and information security, as well as the introduction of the role of data protection officer (DPO), which can be likened to the role of the personal data representative defined in the PUL but with increased requirements.
Because of this, a GDPR program has been running at PostNord since 2016, which covers relevant areas such as HR, sales, purchasing and IT.
As part of PostNord’s GDPR program, various inventories have been carried out in a number of areas, such as the processing of personal data, purchase agreements and IT systems. Activities relating to the updating of directories, procedures and policies are ongoing, while we are simultaneously planning and conducting analyses to ensure that the technical and organizational measures required are taken before the new regulation enters into force.
For the purpose of conducting various types of deliveries of, for example, parcels and letters, PostNord processes personal information that we receive from our customers. In most cases, this includes sender details and recipient details (e.g. name, address, phone number and email address). The processing of this personal information is carried out physically in our terminals, in our distribution hubs and at our partner outlets/distribution points, and electronically in our IT systems.
With regard to the retention of personal information, this is only saved for as long as is necessary to fulfill the agreement with PostNord customers, or as long as PostNord has a statutory obligation to retain the information. Normally, this retention period includes the warranty period for the particular service.
As a result of the introduction of the GDPR, PostNord is reviewing its general and special terms and conditions of service to ensure compliance with the new legal requirements. Changes to the terms and conditions of service will be communicated to PostNord customers in the usual manner before updates are implemented.
If you need to know what personal information PostNord has processed for a specific parcel or pallet recipient, this can be checked via PostNord’s Nordic customer portal.
PostNord uses external subcontractors and partners to execute tasks on behalf of PostNord, e.g. to provide IT services or help with marketing, analysis or statistics. The execution of these services may mean that subcontractors based in or outside the EU/EEA are granted access to personal information being processed by PostNord. Companies that handle personal information on behalf of PostNord always sign an agreement with PostNord to allow us to ensure a legal transfer of responsibility and a high level of protection for your personal data at our data processors.
PostNord’s project plan for the GDPR runs until June 30, 2018. PostNord’s goal is that the prioritized actions will have been implemented before the GDPR comes into force on May 25, 2018.
If you have any further questions about PostNord’s GDPR program, please contact our Data Protection Officer at the following email address: firstname.lastname@example.org
[*] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.