MPaketti customer interface: Commitment on the processing of personal data and data privacy
1. Purpose and objective
1.1. Matkahuolto’s MParcel system (“MPaketti”) enables the user of MParcel, i.e. Matkahuolto’s contract customer (“Customer”), to maintain a register of consignees in MPaketti.
1.2. This commitment on the processing of personal data and data privacy (“Privacy Commitment”) applies when Oy Matkahuolto Ab (“Matkahuolto”) processes, on behalf of the Customer, the personal data that the Customer has entered into MPaketti using the MPaketti customer interface (“Purpose”).
1.3. For this purpose, Matkahuolto needs to process the personal data entered in MPaketti. According to legislation (defined in section 3.1 below), the Customer is the controller of such personal data and Matkahuolto processes the personal data on behalf of the Customer. For the sake of clarity, it is stated that this Privacy Commitment does not apply to the processing of personal data for which Matkahuolto is an independent controller, such as the personal data of the consignee and the sender or their representatives processed in connection with Matkahuolto’s logistics services. The data for which Matkahuolto acts as an independent controller in connection with the provision of logistics services is processed in accordance with Matkahuolto’s Parcel Services Privacy Statement.
1.4. This Privacy Statement sets out the data protection principles that Matkahuolto adheres to. The terms “personal data”, “processing”, “controller” and “processor” used in this Privacy Statement shall have the same meaning as given to them in the Legislation (defined in section 3.1 below) and should be interpreted accordingly.
1.5. Matkahuolto may process, on behalf of the Customer, the following categories of personal data belonging to the Customer’s clients or other recipients of consignments sent by the Customer:
• Identifying information of the recipient or their contact person, such as their customer number and name;
• Contact details or data processed for the delivery of the consignment, such as the address, telephone number and email address;
• Invoicing or payment information, such as bank details;
• Consignment information, such as the consignment number and historical data, including when consignments were sent and what the content was.
2. Matkahuolto’s contact person for matters related to the Privacy Commitment
2.1. Any communication regarding this Privacy Commitment must be addressed to Matkahuolto’s Customer Service Centre:
Oy Matkahuolto Ab
Customer Service Centre
P.O. Box 100
3. Matkahuolto’s obligations
3.1. Compliance with legislation. When processing personal data for the Purpose, Matkahuolto undertakes to comply with the data protection legislation in force in Finland at the time of processing, including Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“Legislation”).
3.2. No independent rights to process personal data. Matkahuolto has the right to process personal data for the purposes necessary for the fulfilment of the Purpose, but not for other purposes. Matkahuolto processes the Customer’s personal data only in accordance with this Privacy Statement, unless otherwise required by EU or Finnish legislation.
3.3. Safeguards and backups Given the nature of the personal data and the Purpose, Matkahuolto has implemented and undertakes to maintain appropriate technical and organisational measures to ensure an adequate level of security in the processing of personal data. These measures include, but are not limited to, ensuring that the technical safeguards of Matkahuolto’s data systems are up to date and that access to personal data processed on behalf of the Customer is limited to specifically authorised and appropriately trained individuals, who need the personal data to perform their duties and who are bound by appropriate legal or contractual confidentiality obligations. Matkahuolto’s liability for loss of or damage to personal data is limited to Matkahuolto’s obligation to use reasonable commercial efforts to restore lost or damaged personal data from the most recent backup maintained by Matkahuolto or its service provider. For more information on the safeguards used by Matkahuolto, get in touch with the contact person mentioned in section 2.
3.4. Use of third parties for the processing of personal data Matkahuolto uses subcontractors and other service providers (collectively,“Service Provider”) to process personal data in connection with the Purpose. When using Service Providers, Matkahuolto enters into a written agreement with each Service Provider as required by the Legislation, which requires that (i) the Service Provider(s) undertakes to comply with obligations equivalent to Matkahuolto’s obligations specified in this Privacy Commitment and the obligations imposed on processors by the Legislation; and (ii) to the extent commercially reasonable, the Service Provider(s) provides the Customer with the same rights with respect to the Service Provider as the Customer has with respect to Matkahuolto.
3.5. The obligation to assist in the exercise of data subjects' rights and in the compliance with the legislation. Matkahuolto undertakes to assist the Customer (e.g. through appropriate technical and organisational measures) in the execution of the data subjects’ requests for the exercise of their rights under the Legislation for reasonable compensation. Matkahuolto also undertakes, for reasonable compensation, to assist the Customer in ensuring compliance with the Customer’s obligations under the Legislation and, for this purpose, to provide the Customer with such information in Matkahuolto’s possession as is necessary for the Customer to demonstrate its compliance with the Legislation. In order for the Customer to fulfil its obligations under this section 3.5, Matkahuolto undertakes to inform the Customer, without undue delay, of all inquiries and questions from data subjects, data protection authorities or other authorities without answering them, unless the Customer expressly instructs Matkahuolto otherwise.
3.6. Personal data breach. “Personal Data Breach” shall have the same meaning in this Privacy Commitment as given to it in the Legislation. Matkahuolto undertakes to inform the Customer of a Personal Data Breach without undue delay, and no later than within 36 hours of becoming aware of the personal data breach.
4.1. The Customer has the right, for reasonable compensation, to audit Matkahuolto’s facilities and practices, either itself or with the assistance of a third party, to ensure that the services provided by Matkahuolto meet the requirements set out in this Privacy Commitment and the Legislation. The details of the audit shall be agreed separately between the Parties.
4.2. The Customer is obliged to notify Matkahuolto of the audit at least thirty (30) days in advance, unless otherwise required by a mandatory administrative decision.
4.3. Matkahuolto undertakes to provide the party performing the audit with unhindered access to its premises and systems at a pre-agreed time during Matkahuolto’s normal office hours, so that the audit does not in any way compromise the security of Matkahuolto’s operations or services. Upon request, Matkahuolto must provide the party performing the audit with such information, documents and other material as may reasonably be required, as well as otherwise reasonably assist in the performance of the audit.
5. Other terms and conditions
5.1. This Privacy Commitment shall enter into force on the date of its signing and shall remain in full force and effect for as long as Matkahuolto processes personal data on behalf of the Customer for the Purpose. When the processing of personal data for the Purpose is no longer necessary, Matkahuolto undertakes, upon the Customer’s decision, to destroy or return to the Customer, for reasonable compensation, all personal data processed on behalf of the Customer, and to destroy all existing copies of such data, unless EU or Finnish law requires storage of copies of the data. Matkahuolto undertakes to delete copies of personal data from its backup servers at the time of periodic backup removal.
5.2. Matkahuolto may terminate this Privacy Commitment with thirty (30) days’ notice. Termination must be made in writing.
5.3. Matkahuolto has the right to change the contents of this Privacy Commitment by notifying the Customer of the changes thirty (30) days before the changes take effect.
5.4. Matkahuolto does not have the right to transfer this Privacy Commitment in whole or in part without the written consent of the Customer, unless MParcel is transferred in whole or in part to a third party in connection with a business transaction or otherwise.