Unifiedpost Group offers a variety of services. Depending on which service you opt in to and where you are located, the contracting entity is different. However, the DPO Office of Unifiedpost takes a centralized approach by defining global policies and procedures and by opting for the most stringent approach.
Unifiedpost takes its responsibility to protect and secure its stakeholders' information seriously and strives for complete transparency around its privacy and security practices.
Because of our duty of care towards our customers and our obligations to comply with data protection legislation, e.g. the EU General Data Protection Regulation (GDPR) and local data protection laws, Unifiedpost has implemented suitable technical and organizational security measures in order to protect personal data against unauthorized or unlawful access, processing, disclosure, copying, alteration, storage, reproduction, display, or distribution; and against loss, destruction, or damage, whether accidental or otherwise.
Below you will find all you need to know about Unifiedpost’s data protection compliance.
Unifiedpost Group has appointed a Data Protection Officer who is responsible for monitoring compliance with data protection regulations and advising on the processing of personal data. The DPO is supported by the DPO Office and reports to an internal Privacy Committee. If you have any questions regarding the processing of personal data, you can go through our relevant privacy notice or contact our DPO office via email@example.com.
From a privacy perspective, the customer is most likely the data controller. This means that when a customer subscribes to our services, the customer retains ownership and control over its data. Unifiedpost will be acting as data processor regarding the processing of personal data of the customer and will only act upon your instructions. This means that we will only process the personal data which we receive from you for the purpose and means defined by you. As a customer you are also responsible for transparency requirements.
Please make sure you have a look at our Data Processing Agreement (DPA) before subscribing to our services. The DPA facilitates your compliance with your obligations under the (EU) data protection laws and contains strong privacy commitments. Unfortunately, we do not allow customers to impose their own DPA, as the DPA is specific to Unifiedpost’s services and privacy practices. Should you have any questions regarding the DPA, please contact us via firstname.lastname@example.org.
Even though Unifiedpost is acting as data processor in the majority of cases, we may act as data controller in relation to certain services which are offered by some of the Unifiedpost Group entities or its branch offices for the purpose of complying with our legal obligations, such as our KYC, AML and eIDAS obligations.
In some circumstances we may share some of your data. Such sharing can be internal, i.e. with other affiliates of Unifiedpost to provide you with certain services offered by our affiliates, or external, i.e. with other third parties.
Unifiedpost has established a Privacy Program to enhance its compliance with data protection legislation and ensure the same privacy standards apply throughout the group.
Unifiedpost uses well-established public cloud providers, private data centers and local server rooms.
Depending on where you are located and which products you are using, we store your data in one or more different data centers in the region where you are located. If your company is located in the EU, your data will be hosted in the EU.
Unifiedpost ensures that its storage of personal data conforms with best industry practice such that the media on which personal data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to personal data is strictly monitored and controlled.
Unifiedpost pays attention to international data transfers. We only process data in the European Economic Area (EEA) and we make sure our data processors are storing and processing the data in the EEA. However, it might be possible that a limited amount of data is accessible from a country outside the EEA. In this case, we make sure that any transfer of personal data to a third country or international organization takes place only in accordance with the principles set out in the applicable Data Protection Legislation and our DPA. We make sure we have appropriate safeguard mechanisms in place to transfer personal data to a data processor outside of the EEA.
To the extent you are located outside the EEA and not subject to the GDPR, we will take similar necessary precautions in accordance with the applicable local data protection laws.
A sub-processor is a third party engaged by Unifiedpost, including entities from within the Unifiedpost Group, who has or potentially will have access to or process personal data. Unifiedpost engages different types of sub-processors to perform various functions.
We secure our customers' data by choosing reliable sub-processors with whom we enter into carefully revised contractual provisions. This entails that:
We work with general authorization from our customers in accordance with applicable data protection legislation. Consequently, we will not ask for your specific authorization before engaging a new sub-processor. In the event we engage a new sub-processor, we will inform you of this. We allow you to keep control of the sub-processors by giving you the opportunity to object to the use of a certain sub-processor within 5 days by writing to our DPO Office (email@example.com) and eventually terminate the agreement with us in case we are unable to find a reasonable solution to your concern.
When engaging new sub-processors and/or replacing existing sub-processors, we will notify you at least 5 days in advance before it becomes applicable. Please subscribe to our mailing list to be kept informed (firstname.lastname@example.org).
To the extent the relevant data protection legislation would require you to notify the data protection authority, you will be given sufficient time.
Despite best efforts, no method of transmission over the internet and no method of electronic storage is perfectly secure. Like any other organization, Unifiedpost cannot guarantee absolute security. However, if a personal data breach occurs, Unifiedpost will notify affected users/customers without undue delay so that they can take appropriate protective steps. Unifiedpost’s breach notification procedure is consistent with good industry practices and complies with the applicable laws and regulations. This will allow you to comply with your own obligations.
We have a procedure instructing employees how to handle data subject requests for our customers. If Unifiedpost receives a data subject request from a customer’s End-User (i.e., a user of the services to whom a customer has provided our services), Unifiedpost is the data processor, and Unifiedpost will, to the extent that applicable legislation does not prohibit Unifiedpost from doing so, promptly inform the End-User to contact our customer (i.e. the data controller) and promptly inform our customer directly about any request. Unifiedpost will not further respond to a data subject request without the customer’s prior consent.
Unifiedpost has a documented process to support and implement the instructions of the customer and requirements around personal data retention and destruction. If you want to have your data deleted, we invite you to contact the DPO Office (email@example.com).
We make sure that personal data records are destroyed, disposed of or transferred back to business partners, in a manner that prevents improper access, disclosure or destruction. Upon your request, we delete or transfer back the customer data at the end of the business relationship.
We don’t need to retain customer personal information pursuant to legal obligations, except when we are acting as Data Controller.