Welcome to our Unifiedpost Group website! We, and third parties, use cookies on our websites. We use them to enhance site navigation, analyse site usage and assist in our marketing efforts. You can read more about our cookies and change your preferences by clicking on ‘Change my settings'. By clicking on 'Accept all cookies’, you agree to the use of all cookies as described in our Privacy cookie policy.

Privacy Trust Center

Unifiedpost Group offers a variety of services. Depending on which service you opt in and where you are located , the contracting entity is different. However the DPO Office of Unifiedpost takes a centralized approach by defining global policies and procedures and by opting for the most stringent approach.

Unifiedpost takes its responsibility to protect and secure its stakeholders information seriously and strives for complete transparency around its privacy and security practices.

Because of our duty of care  towards our customers and our obligations to comply with data protection legislations, e.g. EU General Data Protection Regulation (GDPR) and local data protection laws, Unifiedpost has implemented suitable technical and organizational security measures in order to protect the personal data against unauthorized or unlawful access, processing, disclosure, copying, alteration, storage, reproduction, display, or distribution; and against loss, destruction, or damage, whether accidental or otherwise.

Here below you will find all you need to know about Unifiedpost’s data protection compliance.

Who’s taking care of privacy compliance within Unifiedpost Group?

Unifiedpost Group has appointed a Data Protection Officer who is responsible for monitoring compliance with data protection regulations and advising on the processing of personal data. The DPO is supported by the DPO Office and reports to an internal Privacy Committee. If you have any questions regarding the processing of personal data, you can go through our relevant privacy notice or contact our DPO office via gdpr@unifiedpost.com.

Who owns and controls the data?

From a privacy perspective, the customer is most likely the data controller. This means that when a customer subscribes to our services, the customer retains ownership and control over its data. Unifiedpost will be acting as data processor regarding the processing of personal data of the customer and will only act upon your instructions. This means that we will only process the personal data which we receive from you for the purpose and means defined by you. As a customer you are also responsible for transparency requirements.

Please make sure you have a look at our Data Processing Agreement (DPA) before subscribing to our services. The DPA facilitates your compliance with your obligations under the (EU) data protection laws and contains strong privacy commitments. Unfortunately we do not allow customers to impose their own DPA, as the DPA is specific to Unifiedpost’s services and privacy practices. Should you have any questions regarding the DPA please contact us via gdpr@unifiedpost.com.

Even though Unifiedpost is acting as data processor in the majority of the cases, we may act as data controller in relation to certain services which are offered by some of the Unifiedpost Group entities or its branch offices for the purpose of complying with our legal obligations like our KYC, AML, e-IDAS obligations.

In some circumstances we may share certain of your data. Such sharing can be internally, i.e. with other affiliates of Unifiedpost to provide you with certain services offered by our affiliates, or externally, i.e. with other third parties.

How does Unifiedpost comply with data protection legislations?

Unifiedpost has established a Privacy Program to enhance its compliance with data protection legislations  and ensure the same privacy standards apply throughout the group.

  • Privacy by design and by default are integrated into Unifiedpost’s products and services. Data protection by design (and default) means data protection is taken into account from the start when a new product, service, system or procedure is set up or significant changes are made to existing products, services, systems and procedures. When we are acting as data controller, we also perform DPIA’s (data protection impact assessment) to document, tackle or at least mitigate the privacy risks related to the use of our systems and products.
  • Unifiedpost has also established a uniform policy and procedure to handle data subject rights and data breaches.
  • Continued compliance requires awareness from the staff within the company. Only by changing people can a true change be made. We organize specific privacy training sessions (e.g. for product, marketing, sales, HR, customer support). Our staff also receive guidelines on how to process personal data in their specific function. In addition, each new employee is required to follow a generic GDPR training. All our collaborators must follow strict privacy group policies.
  • Our employees, agents, and sub-processors who may have access to personal data are informed of the confidential nature of personal data, and subject to confidentiality undertakings (e.g. non-disclosure agreement).
Where is your data stored ?

Unifiedpost uses well established public cloud providers, private data centers and local server rooms.

Depending on where you are located and which products you are using, we store your data in one or more different data centers in the region where you are located. If your company is located in the EU, your data will be hosted in the EU.

Unifiedpost ensures that its storage of personal data conforms with best industry practice such that the media on which personal data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to personal data is strictly monitored and controlled.

Do we transfer your data internationally ?

Unifiedpost pays attention to international data transfers. We only process data in the European Economic Area and we make sure our data processors are storing and processing the data in the EEA. However it might be possible that a limited amount of data are accessible from a country outside the EEA, in this case we make sure that any transfer of personal data to a third country or international organization may only take place in accordance with the principles set out in the applicable Data Protection Legislation and our DPA.  We make sure we have appropriate safeguards mechanisms in place to transfer personal data to a data processor outside of the EEA.

To the extent you are located outside the EEA and not subject to the GDPR, we will take the similar necessary precautions in accordance with the applicable local data protection laws.

Does Unifiedpost use sub-processors ?

A sub-processor is a third party engaged by Unifiedpost, including entities from within the Unifiedpost Group, who has or potentially will have access to or process personal data. Unifiedpost engages different types of sub-processors to perform various functions.

We secure our customers' data by choosing reliable sub-processors with whom we are entering into  carefully revised contractual provisions. This entails that:

  • we conduct privacy vendor assessments prior to engaging new suppliers. For each supplier who is processing personal data on our behalf (our on behalf of our customers), the DPO Office conducts a privacy vendor assessment to evaluate the privacy maturity of the potential new supplier. As we are responsible for our supplier, we also make sure to conduct these assessments frequently.
  • we remain fully responsible for the engagement of our sub-processor. We have an  agreement in place with all sub-processors, with the minimum content as required by the applicable legislations.

We work with general authorization from our customers in accordance with applicable data protection legislation. Consequently, we will not ask your specific authorisation before engaging a new sub-processor. In the event we would engage a new sub-processor, we will inform you of this. We allow you to keep the control of the sub-processors by providing you the opportunity to object to the use of a certain sub-processor within 5 days by writing to our DPO Office (gdpr@unifiedpost.com)and eventually terminate the agreement with us in case we are unable to find a reasonable solution to your concern.

When engaging new sub-processors and/or replacing existing sub-processors, we will notify you at least 5 days in advance before it becomes applicable. Please subscribe to our mailing list to be kept informed (subprocessors@unifiedpost.com ).

To the extent the relevant data protection legislation would require you to notify the data protection authority, you will be given sufficient time.

How does Unifiedpost notify customers of a data breach ?

Despite best efforts, no method of transmission over the internet and no method of electronic storage is perfectly secure. As any other organization, Unifiedpost cannot guarantee absolute security. However, if a personal data breach occurs, Unifiedpost will notify affected users/customers without undue delay so that they can take appropriate protective steps. Unifiedpost’s breach notification procedure is consistent with good industry practices and complies with the applicable laws and regulations. This will allow you to comply with your own obligations.

In its capacity as a data processor, how does Unifiedpost handle requests made by end-users?

We have a procedure instructing employees how to handle data subjects requests for our customers. If Unifiedpost receives a data subject request from a customer’s End-User (i.e., a user of the services to whom a customer has provided our services), Unifiedpost is the data processor, and Unifiedpost will, to the extent that applicable legislation does not prohibit Unifiedpost from doing so, promptly inform the end-user to contact our customer (i.e. the data controller) and we promptly inform our customer directly about any request. Unifiedpost will not further respond to a data subject request without customer’s prior consent.

What happens to data upon termination or expiration of a customer’s agreement with Unifiedpost?

Unifiedpost has a documented process to support and implement the instruction of the customer and requirements around personal data retention and destruction. If you want to have your data deleted we invite you to contact the DPO Office (gdpr@unifiedpost.com).

We make sure that personal data records are destroyed, disposed of or transferred back to business partners, in a manner that prevents improper access, disclosure or destruction. Upon your request, we delete or transfer back the customer data at the end of the business relationship.

We don’t need to retain customer personal information pursuant to legal obligations, except when we are acting as Data Controller.