Principles of processing customer data
The personal data controller Omniva LT, UAB (commercial registry code: 300087912), also known under the trademark Omniva (hereinafter ‘Omniva’) is a private company owned by AS Eesti Post. Omniva LT, UAB is a part of Omniva Group consisting of AS Eesti Post as the parent company and Finbite OÜ, Omniva LT, UAB in Lithuania, and Omniva SIA in Latvia as subsidiaries.
We hereby present the information required by Articles 12–14 of the General Data Protection Regulation on how Omniva processes personal data. This information applies to the personal data of natural persons, including individuals who are associated with legal persons and institutions, but not other data of commercial undertakings or institutions. Processing the personal data of the employees of Omniva and persons applying for a position at Omniva is described in a separate policy, and for this reason, these principles are called the Principles of Processing Customer Data (hereinafter also ‘the principles’).
The principles apply when Omniva processes personal data as a controller. When Omniva processes personal data as a processor (see clause 3.3), then the controller decides on the purposes and means for the processing of personal data and discloses them.
Personal data is processed pursuant to the Personal Data Protection Act, the Postal Act, the General Data Protection Regulation, and other legislative acts, these principles, and/or contracts concluded with specific customers, including standard terms and conditions applying to individual services.
The principles also apply to data that has been collected before the principles take effect. Omniva is entitled to amend the principles unilaterally by informing customers on its website at www.omniva.lt, through social media, or via some other channel.
Omniva ensures the confidentiality of customer data and the legality of the processing thereof pursuant to the applicable law and implements appropriate technical and organisational measures for the protection of customer data from unauthorised access, unlawful processing or disclosure, and accidental loss, alteration, or destruction.
The data subject is a natural person regarding whom Omniva holds data that allows them to be identified. Data subjects include possible future, existing, and former customers, representatives, representatives of partners, persons submitting queries, and visitors.
Personal data is any data about an identified or identifiable natural person, regardless of the form or format of the data.
The customer in the context of these principles is any natural or legal person who uses or has expressed their will to use services that Omniva provides or mediates, for whose benefit a service contract has been concluded, who is otherwise associated with using any services or with a user or who has any other relationship with Omniva (except for a professional relationship or applying for a job).
Postal secrecy is information concerning the content of a parcel item and the parcel traffic of a specific person.
Processing is any activity involving customer data (including collection, saving, storage, alteration, granting access, erasure, making queries, transmission, organisation, use, dissemination, etc.).
3. PURPOSES FOR PROCESSING CUSTOMER DATA
3.1. Omniva processes personal data when providing services to customers.
Omniva is primarily known as a parcel service provider. However, through the international network and parcel machine network, we also help people with other processes:
Our e-service is a convenient way for preparing to send a parcel and paying for it, managing preferences for receiving parcels, tracking shipments. A parcel machine can be used for returning parcels to online stores that have joined our returns system (grazinimai.omniva.lt).
We offer the following to businesses and institutions:
- the global delivery of goods to customers who have made a purchase in an online shop (forwarding from the country of dispatch to the country of destination) and return of the items;
- bilateral parcel exchange service (parcel is delivered to the location of the company or institution and parcels to be sent are collected at that location);
- database organisation: we remove repeating addresses from the company’s database of the recipients, review postal codes, correct and harmonise them to comply with the postal standard;
- advertising opportunities on surfaces belonging to Omniva, such as vehicles and parcel machine displays;
- customs agency services: we conduct customs procedures and communicate with the customs officers as well as offer temporary storage;
- identification: we identify customers when they call the customer care centre;
- financial services: card on delivery when receiving a parcel.
3.2. Some of the data processing operations are not related to a specific service; instead, they take place under the following circumstances or for the following purposes:
- a customer calls us or our employee calls a customer and the call is recorded;
- a customer contacts us, for example through the ‘Contact us’ form on the website or email; the query and the process of replying to it are recorded in the customer management program;
- security cameras are installed on parcel machines and in other buildings of Omniva to prevent, detect, and process acts of vandalism, theft, and damage, settle complaints regarding shipments, search for missing shipments, and support the safety of our staff;
- we conduct feedback surveys among our customers to understand their satisfaction with our services and customer expectations better;
- we organise campaigns (including in cooperation with partners) and consumer games and disclose the names of winners;
- we analyse our business customer portfolio to identify which other services would also be useful for our business customers;
- we introduce our activities and communicate with social media users on social media platforms;
- we prepare contracts to be concluded with customers; in the case of services involving an option to pay by instalments, we assess the creditworthiness of customers and the reliability of business customers;
- invoice management, accounting, debt collection;
- we store data on transactions during the limitation period of claims arising from the transactions to settle possible claims;
- we resolve complaints, shipment tracking requests, and requests for compensation for damage;
- we request compensation for damage to our partners and parties who have caused the damage (for example when someone damages a parcel machine), we collect debts from our contractual partners and customers, we send information on the debts of a business customer to the Payment Default Register;
- we analyse our business activities comprehensively on the basis of our business customers as well as the structural units of the organisation, regions, distribution channels, positions, and activities; this includes the volume of services we have provided, the speed and quality of providing the services (for example, what is required by law regarding the UPS), the volume and profiles of our business customers, errors and incidents, compensations for damage, financial analysis (such as expenses, income, profitability), risk assessment (such as market risks, liquidity, risks related to profits, credit, capital and financing, unforeseeable expenses), and prepare forecasts;
- we use data for regular controls to identify and prevent (internal and external) fraud and theft;
- we process data for complying with legal obligations – for more details, please read clause 6;
- we manage and organise (correct, update, delete) our customer database to deliver shipments even when the sender has added the details of the recipient incorrectly, added incomplete details, or the details have been accidentally altered in the delivery chain;
- we process data when recruiting new employees and due to an employment relationship with Omniva (however, separate principles for processing the personal data of employees and candidates have been established for that).
3.3. Omniva processes personal data as a processor while providing the following services:
Mix and match system. In these cases the controller decides the circumstances for processing personal data. In addition, data processing rules are included in the data processing agreement concluded between the controller and Omniva.
4. CATEGORIES OF DATA SUBJECTS AND SOURCES OF PERSONAL DATA
4.1. Omniva collects and processes the personal data of the following natural persons:
- users of a service and third parties, for whose benefit a contract has been concluded (such as the recipients of a shipment);
- legal and authorised representatives;
- persons who seek information about a service or want to use a service (for example, someone visits the Omniva website or calls to ask about the service prices);
- individuals associated with other legal persons (business customers of Omniva, contractual partners, and other services providers), such as their shareholders, partners, members of the Management Board, representatives and contact persons of a company, other employees, beneficial owners;
- persons who have caused damage, offenders, and victims;
- representatives of state authorities that communicate with Omniva;
- social media followers of Omniva;
- visitors of the premises of Omniva and participants in events organised by Omniva.
We collect personal data regarding business customers from public sources – the commercial register, the register of court decisions, the list of persons subjected to international sanctions.
From third parties – for example, from the registrar of the payment default register, state authorities (if they submit a query).
5. TYPES OF PERSONAL DATA PROCESSED BY OMNIVA
Personal data of the customer: name, personal identification code, details of an identity document, signature, new name and/or surname in case the name/surname has been changed;
Details of a legal or authorised representative: document proving the right of representation, name of the representative, personal identification code, signature, information on the scope of the right of representation;
Contact information: address, phone number, email address;
Information about an invoice, payment order, money transfer and bank account: number and owner of a bank account (related to bank transfers), contents of the invoice, details of the payment order and money transfer order (payer, recipient, reference number, amount, date, reason, bank, bank account no., contact information of money transfer recipient);
Communication details and recordings: language used for communication; camera recordings when a customer visits a parcel machine, and other locations where Omniva provides its services; call recordings when a client communicates with Omniva via telephone; contents of written communication conducted through email and other communication environments, such as social media, the ‘Contact us’ form on the website and chat window;
Login applications of social media and third parties: username, identification code exchanged with a login application;
Information regarding the use of services, transactions and related contracts: the service that was used, contracts that have been concluded and/or terminated, agreements which have been entered into, submitted applications and requests, information on contractual violations;
Data regarding parcel items: name, address, phone number, email address of the sender and the recipient (including the name of a representative of a legal person); the personal identification code (in case “delivery to a specific person only”), identity document number, signature, letter of authorisation or a document proving the legal right of representation; age in the case of an 18+ service; payment amount, date of payment, card transaction data bank account number or in case person claiming compensation for damage. The dimensions, weight, photos of the shipment (photos from the sorting line and the courier, when opening the shipment, or from a claimant of compensation for damage), logistical data of the shipment (including the bar code of the shipment, notification of the arrival of the shipment, name of the parcel machine, date of collection and delivery), value, description of the content of the shipment, country of origin of the shipment, category of the goods (according to customs declarations);
Information on online store returns: online store (where goods were ordered), order number and date of placing the order, phone number, email address and address of the sender, name and quantity of the goods to be returned, the reason for returning, photo of the goods, manner of returning the purchase price, bank account number, details of registration as a returns centre user;
Data in the self-service environment of a registered user: name, address, e-mail address, password, personal identification number, preferred delivery channel, when sending mail from the e-service saved mail drafts, files and details of sent and received mail, name and address of the recipient of the mail, in case of registered e-mails, name of the recipient, personal identification number, e-mail address, confirmation of delivery, details of payment for the service;
Information on customer satisfaction: answers to a customer satisfaction survey;
Information regarding participation in consumer games and promotional campaigns: consent to the processing of personal data related to participation, data regarding the content of a game or a campaign, the prizes that individuals have won;
Consents and opt-outs: consents and opt-outs of newsletters and promotional offers, opt-outs from unaddressed direct mail, other consents to the processing of personal data if the processing is based on consent;
Information regarding debt and causing damage: for example, payment defaults of business customers, a customer’s debt to Omniva, information about damage caused to Omniva or a customer or a partner of Omniva (person who caused the damage, circumstances of causing the damage, its amount, information gathered during the proceedings);
Information about violations, accidents, and insurance cases: for example, information about theft or vandalism of property belonging to Omniva or the customers or partners of Omniva, fraud or theft discovered when using the services of Omniva, information related to a traffic accident if employees of Omniva are involved in a traffic accident (including the details of other parties, incl. the aggrieved party), insurance cases (incl. liability insurance) involving shipments or Omniva’s vehicles;
Information collected or received when fulfilling legal obligations: such as information received from queries made by investigative bodies or courts, data regarding subjects of international sanctions, information collected when complying with the Money Laundering and Terrorist Financing Prevention Act.
6. LEGAL BASES FOR PROCESSING CUSTOMER DATA
- For the provision of services, i.e. for the performance of a contract (Article 6 (1) b) of the GDPR);
- when preparing a contract (Article 6 (1) b) of the GDPR);
- based on the consent – newsletters and advertisements through emails or text messages, cookies on the website, for forwarding data to the login applications of third parties, promotional games (including sending information from the game to a partner who participates in the promotional campaign), taking photographs or filming a video for marketing materials;
- for complying with a legal obligation (Article 6 (1) c) of the GDPR):
- for compiling an address register pursuant to the Postal Act;
- for handling a parcel (incl. for forwarding data electronically to another postal institution), data about the sender, the recipient, and the shipment pursuant to the Postal Act and the UPU Convention (an international agreement that is binding on Lithuania);
- details of the customs declaration of a postal item to comply with the requirements of the European Union Customs Code and the UPU Convention;
- for identifying prohibited items in shipments pursuant to the Postal Act and the UPU Convention, and for reporting them to relevant authorities;
- pursuant to the Money Laundering and Terrorist Financing Prevention Act;
- for documenting and storing transactions and payments pursuant to the Accounting Act;
- for submitting data required by law to state authorities (for example, information on shipments from third countries to the Tax and Customs Board for tax calculations) and replying to legal queries of state authorities (for example, the police requesting a recording from a surveillance camera for a criminal case);
- for auditing pursuant to the Commercial Code;
- for the internal control of financial services of Omniva pursuant to the Payment Institutions and E-money Institutions Act;
- for examining tenderers pursuant to the Public Procurement Act;
- for the checking of international sanctions;
- for settling the claims of data subjects, processing data protection breaches, and for monitoring data processing by a data protection specialist pursuant to the General Data Protection Regulation.
- The majority of the personal data processing listed in clause 3.2 takes place based on legitimate interest (Article 6 (1) f) of the GDPR), except cases listed above as being based on other legal grounds. In order to provide a service as quickly and conveniently as possible, in a timely manner, and at the lowest viable cost, the company must do a lot of analytical and organisational work in the background. Although entirely aimed at providing services, such activities are not covered by Art 6 (1) b of the GDPR. In legal terms, it is classified as a legitimate interest of the company. Our legitimate interests include:
- organising the necessary processes for providing the services of Omniva in a cost-effective and professional manner (this entails data exchange with contractual partners that are independent controllers; see the list of controllers in clause 7);
- offering additional value to a customer when providing services, for example by adding functionalities to a service which are not directly necessary for achieving the objectives of the contract but which increase convenience for a customer (including a business customer);
- promoting Omniva’s economic activities through advertisement, marketing, loyalty programmes, campaigns, competitions, etc.;
- ensuring the organisation and functionality of work processes (for all work processes to function without a glitch and as quickly as possible; this could entail the digitalisation of data, measuring and weighing shipments, searching missing shipments, but also measuring work processes and analyses for optimisation purposes);
- ensuring a high level of customer service and customer satisfaction (including recording calls and storing and analysing queries). This includes monitoring, assessing, and analysing customer experience and the quality of customer service, asking for feedback as well as implementing follow-up measures; statistical analysis and temporal comparison of customer service (changes, trends);
- the development of services and products. This includes the statistical data and analysis of the use of services, monitoring trends, feedback surveys, and resolving issues revealed by complaints;
- determining the prices of services and conducting a cost-benefit analysis (includes all components of a service and an analysis of the cost of risks);
- analysing the economic indicators of the company and the group comprehensively (including the statistical data of services) and reporting;
- ensuring high-quality and up-to-date customer data for delivering shipments as quickly and smoothly as possible and for enabling customers to communicate with us easily and conveniently (for example, the quality of data is a prerequisite for providing an overview of the used services to a customer);
- developing and maintaining (including testing) the information systems of Omniva;
- protecting the information systems and information assets of Omniva (network and information security, cyber security, ensuring the security of data);
- ensuring (primarily with the help of security cameras) the safety of customers and Omniva employees and protecting the assets of Omniva and its customers (shipments);
- replying to requests and settling claims (incl. establishing the facts related to it);
- settling legal disputes (contractual disputes; tort that is caused), including establishing the facts related to the dispute and protecting the rights and claims of Omniva (incl. in court);
- preventing fraud and the misuse or disruption of services; identifying, assessing, mitigating, and avoiding risks (risk management);
- collecting and assigning debts and disclosing information on the debts of a business customer to third parties to enforce a debt and to protect third parties;
- assessing the reliability of business customers and partners (to avoid entering into a contractual relationship with a company which cannot perform their obligations and has not complied with important legal requirements, incl. not paid taxes, or which is involved in violations of the law);
- managing the data of representatives and employees of business customers and partners to have up-to-date and correct details of a representative or employee available when needed by an authorised employee of Omniva.
7. CATEGORIES OF RECIPIENTS
Often, many different parties are involved in a single activity from the perspective of a customer, each of whom performs their part for the benefit of the latter. For example, the act of purchasing an item from an online store could include the owner of the platform of the store, the merchant, the provider of a payment service, the bank accepting the transfer, Omniva delivering the item to the buyer’s home – each of them having their own providers of software and data hosting services and other auxiliary services. Many parties participate in the global postal traffic (including in delivering parcels from online stores) who collect the shipments, organise logistics, transport, store, sort, and finally deliver them to the homes or mailboxes of customers.
Below is a list of partners that Omniva relies on for providing the best possible services to our customers or to whom we must disclose data pursuant to law.
- Data processors – they provide services for us: providers of parcel machine services; transportation companies (all manners of transportation); providers of courier services; providers of off-the-shelf software and data hosting services (such as managing and hosting call recordings, managing website cookies, survey environments, online store); the provider of the email and text message service; the call centre; the software developer; parties conducting surveys; advertising, marketing, and design bureaus; mediators of targeted advertisement in social media; maintenance and repairs of technological equipment; the provider of printing services; the provider of e-invoice management services; the debt collection company.
- Independent controllers – other providers of postal and freight forwarding services (for example, when sending a parcel to that country, the local postal operator delivers a parcel in that country; several forwarding companies participate when delivering items from foreign online stores to the buyer); the bank that accepts or transfers payments; provider of payment services; social media platforms (they are also partly joint controllers) and providers of login services (such as Google Sign-In); senders and recipients of shipments (for example forwarding payment info to the sender in case of card on delivery); a promotional campaign partner with whom we are conducting a joint campaign (for example, it is possible to earn bonus points with our partner when using the services of Omniva, so we forward to the partner data that is needed for calculating the bonus points); security company; other third parties if they have legal grounds for receiving the data (including legitimate interest, such as insurance providers, other obligated persons pursuant to the Money Laundering and Terrorist Financing Prevention Act); attorney offices, bailiffs, state authorities.
In the Omniva Group, the development, management, and hosting of information systems is mostly consolidated, which means that the companies in the Omniva Group are in a controller-processor or joint controllers relationship with each other, depending on who develops, manages, and hosts a particular information system.
8. GEOGRAPHICAL AREA OF PROCESSING
The data of the sender and the recipient (and the shipment itself), as presented by the sender, move together with an international shipment. For example, if the country of destination is the US, then the data is forwarded to the US. In order to make the route of a shipment traceable, the providers of postal services exchange electronic messages, which includes informing the sender of a shipment or the postal operator that the shipment has been delivered.
The Universal Postal Union (UPU) is an international organisation consisting of postal operators of 192 countries and operating under the authority of the UN. The UPU has adopted the Universal Postal Convention, which is an international agreement ratified in Lithuania – i.e. it has the same legal force as the laws of Lithuania (in the event of contradictions with Lithuanian laws, the international agreement prevails). The UPU Convention stipulates that the members forward shipment details to each other in the course of providing universal postal services (a specific format and process have been established). This way, the unique code of the shipment, the details of the sender and the recipient, and details of customs declarations are automatically electronically sent from one postal operator to another.
Omniva itself hosts data in the European Union. When Omniva’s data processor processes data outside the European Union or the European Economic Area, Omniva verifies that the processor complies with the requirements of Articles 46–49 of the General Data Protection Regulation.
Certain third-party login applications (such as Google Sign-in, Meta Log-in) and some cookies used on the website may forward data to the United States of America. Google and Meta both use the standard data protection clauses approved by the European Commission when sending data to the US, and Meta applies additional protective measures.
9. AUTOMATED PROCESSING
Pursuant to Article 22 (1) and (4) of the GDPR, an automated decision means a decision based only on automated processing without human involvement. Omniva does not make such decisions.
We follow the expectations of the customers and market developments and update our services, systems, and automated solutions constantly (for example, our business customers can rely on the functions of the automatic data exchange when forwarding shipment details and letter files to us and receiving the delivery details of shipments). However, we do not make decisions regarding people in the context of Article 22 of the GDPR.
10. DATA RETENTION PERIOD
The retention period is based on contracts concluded with customers, legitimate interests of Omniva, or the applicable law (such as legislation related to accounting, anti-money laundering or limitation period, and other private law).
- Pursuant to the Accounting Act, information on transactions and the accompanying original documents must be preserved for ten years as of the end of the financial year when a business transaction was recorded in the accounting registry.
- The address register required by the Postal Act is kept indefinitely, but it only includes up-to-date information.
- Pursuant to the Postal Act, the details of a shipment must be stored for six months.
- In case of transactions for which special rules have not been laid down, the General Part of the Civil Code Act stipulates a general limitation period of ten years for claims arising from a transaction; details of such transactions shall be stored for this period. The limitation period of claims related to tort is also three years.
- Activities for which a data retention period has been determined and is complied with:
- recordings of cameras on parcel machines – up to six months (related to the term for submitting claims under the established postal services rules, during which it might be necessary to search missing parcels);
- phone call recordings – one or two years (depending on whether the caller is registered in the client database);
- Retention period has been determined:
- accounting documents – ten years according to the law;
- customer files, including the complaints of customers (i.e. the contents of CRM) – three years from the end of a customer relationship;
- shipment details – not less than six months.
11. RIGHTS OF THE DATA SUBJECT
11.1. Access to personal data
Everyone has a right to find out whether Omniva processes their data and if it does, then the purposes of processing, the types of data, the source of data, parties to whom data is disclosed, whether it is transferred to third countries, and the possible retention period of the data. Everyone has the right to receive a copy of their personal data that is processed (i.e. copy of the data, not of documents).
Omniva must ensure that the data is disclosed only to the correct data subject; due to this, we must identify the data subject and whether the information we are holding is indeed associated with this person (taking into account persons with the same name; that we might know only the name and the postal address of the person; that the name of the sender could be misspelled, etc.). For this reason, we might have to ask additional questions from the data subject (for example, about the phone number or email address they use). You can fill in an application PRAŠYMAS SUSIPAŽINTI SU TVARKOMAIS ASMNES DUOMENIMIS.pdf (omniva.lt). A copy of the data is issued on paper or electronically in an encrypted format to the data subject (except for when the data subject does not want encryption), as preferred by the data subject.
The right to access one’s personal data could be limited by certain legislative acts (for example, by the Money Laundering and Terrorist Financing Prevention Act or the Code of Criminal Procedure), other persons’ right to privacy, and the business secrets of Omniva.
If Omniva processes data based on consent or a contract with the customer and data processing is automated, the customer has a right to an electronic machine-readable copy of the data that they have submitted.
11.3. Rectification and erasure
If the data of a customer is not correct, is incomplete or out of date, then the customer is entitled to request that the data be rectified or deleted, taking into account restrictions arising from legislative acts and rights related to data processing.
In particular, erasure cannot be requested when Omniva has a legal obligation to process data (incl. to store it) or when the data is required for carrying out a contract (for example, a sender cannot erase data while a shipment is en route).
In addition, Omniva does not have to delete data if it is necessary for the preparation or defence of legal claims (for example, when Omniva is having a compensation dispute with a customer or when the limitation period of claims related to transactions conducted with a customer has not expired and Omniva is not convinced that the client is not going to submit a claim against Omniva).
When Omniva processes personal data based on legitimate interest, the data subject is entitled to submit their objection related to his/her specific situation and to require that the processing of data be restricted for the duration of the review of the objections and that the data be erased. In this case, Omniva re-assesses based on the reasoning of the data subject whether continuing with data processing is based on a compelling legitimate reason which outweighs the interests, rights, and freedoms of the data subject or whether the data is necessary for preparing, submitting, or defending legal claims.
11.5. Restriction of the use of data
If a customer believes that data collected about them by Omniva is incorrect or if a customer has submitted an objection in accordance with clause 11.4, then the customer can request that Omniva only store the data under dispute for the duration of reviewing the request (i.e. would not use the data for other purposes). Use is limited only to storage until it is possible to verify the correctness of data or determine whether the legitimate interests of Omniva outweigh the interests of the customer.
If a customer has the right to request the erasure of data, then the customer can instead require that Omniva limit the use of the data to storage. When Omniva needs data collected about the customer only for enforcing or protecting legal claims, the customer can request that the data only be stored and not used in any other way.
11.6. Withdrawal of consent
When the processing of personal data is based on the consent of the data subject, the data subject is entitled to withdraw the consent at any time. After a withdrawal of consent, data processing that is based on consent is terminated; however, the withdrawal of consent does not affect data processing which has been conducted by that time.
12. CONTACT DETAILS OF OMNIVA AS A CONTROLLER AND THE DATA PROTECTION OFFICER
Omniva LT, UAB, commercial registry code: 300087912
Savanoriu pr. 5-1, Vilnius, Lithuania
email: [email protected]
Contact information of the data protection officer of Omniva: [email protected]
In addition, customers can submit complaints about the use of personal data to the Lithuania Data Protection Inspectorate (website Asmens duomenų apsauga | Valstybinė duomenų apsaugos inspekcija (lrv.lt)) if they believe that the processing of their personal data infringes on their rights and interests pursuant to applicable law.