An Post Group Privacy Statement
An Post or any member of the An Post group (“An Post”, “we” or “us”) will collect and process your Personal Data and other information relating to your interactions and dealings with An Post. This Privacy Statement explains how we will manage your Personal Data, how and why we use it, and how you may contact us if you have a query about Personal Data that we hold about you. Where you use An Post websites or obtain specific products and services, separate privacy statements may apply.
Personal Data means any information which An Post has or obtains or which you provide to us, such as your name, address, email address, telephone number(s) and date of birth, from which you can be directly or indirectly personally identified, and may include information such as identification, tax references, account numbers, IP addresses and online identifiers, depending on the services which we provide to you and the manner in which we interact. Some of this Personal Data may be sensitive or “Special Category” Personal Data, the definition of which includes data revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (“Sensitive Personal Data”).
How we collect your Personal Data
We will obtain some of your Personal Data directly from you, such as when you complete an application form for one of our products or services, where you enter your details into our online forms, where you use our Webchat services or you send us a communication.
We may also obtain some of your information indirectly, from a variety of sources, such as joint account holder(s), and / or our service providers (eg, vendors providing anti-money laundering and sanctions checking databases) and in the provision of postal services.
Why we use and hold your Personal Data
We will use your Personal Data:
- for the purposes of performing a contract you have entered into with An Post, such as:
- for the purposes of providing national and international postal services to you;
- for the purposes of setting up and administering any accounts you open with us, such as Post Office Savings Bank and other savings accounts;
- to facilitate you in accessing your accounts online in a secure manner where we have agreed to give you access to our online service; and
- to contact you if required in connection with, or to deal with queries, including queries that you make through Webchat, complaints or suggestions in relation to, the services we provide to you, and your accounts or transactions on or relating to your accounts;
- where you have consented to our use for a particular purpose, such as for marketing (please see Marketing Preferences below). If you do give your consent for us to use your Personal Data for a particular purpose, you have the right at any time to withdraw your consent to our future use of your Personal Data for some or all of those purposes by writing to us at the address set out under Contact Us below;
- for compliance with our legal obligations, including:
- for the purposes of providing national and international postal services;
- to provide postal services for elections and referendums;
- anti-money laundering and anti-terrorist financing (collectively “AML”) and fraud prevention purposes. This may include the collection and processing of Sensitive Personal Data in connection with our obligations under applicable AML laws. Any Sensitive Personal Data will only be used and disclosed, as necessary, for such purposes;
- to help detect and prevent crime and prosecute offences;
- compliance with applicable tax, regulatory reporting and customs obligations;
- where we are ordered to disclose information by a court with appropriate jurisdiction; and
- recording of telephone calls and electronic communications in order to comply with applicable law and regulatory obligations;
- where our use is for a legitimate purpose of An Post, including:
- for day to day operational and business purposes, including board and group reporting and management purposes;
- for the purposes of managing our contracts and relationships with our customers, suppliers, service providers, vendors and other commercial partners;
- taking advice from our external legal and other advisors;
- processing for customs and aircraft security purposes. This may include the collection, processing and international transfer of personal data for international postal services, customs and aircraft security purposes. This may also include the international transfer of personal data to test that the international transfer systems work correctly. If personal data is transferred internationally An Post will use reasonable efforts to ensure that this copy data is destroyed after the testing is complete.
- to help us improve our services and systems, and to improve your experience on our web and online services. Where possible An Post will use synthetic or anonymised data to carry out IT systems tests in order to improve services. In the event we use your personal data then we will restrict access to this data and will destroy this copy data after the testing is satisfactorily completed;
- to undertake market research, statistical and product development analyses;
- to provide you with information in relation to An Post Group products and services, as well as those of certain selected third parties, where we are permitted to do so (please see Marketing Preferences below for further information); and
- in deciding what marketing information to send to you and to make it more relevant to you (please see Marketing Preferences below for further information);
- for security purposes. For instance we will take a photograph of the user at our parcel locker. This photograph will only be used in case of fraud to show who collected an item. This photograph is automatically erased after 28 days.
- where necessary to establish, exercise or defend our legal rights or for the purpose of legal proceedings; and
- for such other purposes as were notified to you at the time you provide the information to us.
When we disclose your Personal Data
We will not disclose your Personal Data except as outlined above and / or as follows:
- where the disclosure is necessary to enable us to carry out our obligations under any agreement we have with you;
- to verify the authenticity of documentation provided to us (for example, we may use external databases and other address verification tools to verify a customer’s identity);
- where we need to provide your Personal Data to counterparties to transactions entered into by you;
- in the case of a joint account, to the other account holder(s);
- to anyone providing a service to us or acting as our agents, which may include either other companies within the An Post Group or third party service providers, on the understanding that they will keep your Personal Data confidential;
- where we need to share your Personal Data within the An Post Group or with our auditors, actuaries and our legal and other advisors; and
- if the disclosure is required by law or regulation, or court or administrative order having force of law, or is required to be made to any of our regulators.
We will not otherwise share your Personal Data with any third party unless we receive your prior written consent to do so.
Where we process your Personal Data for other people
In certain circumstances, we act as a data processor for other organisations, such as the National Treasury Management Agency (the “NTMA”), which operates the State Savings products. It will be made clear to you at the time your Personal Data is collected whether we are acting on our own behalf, or on behalf of a different entity.
In cases where we are acting on behalf of a different data controller, we will act only on their instructions in relation to processing your Personal Data. In these cases, it is that third party which is responsible to you for complying with your rights in relation to your Personal Data. If you send any request to us to exercise your rights, we will send it on to the data controller as soon as possible.
Other Recipients of your Personal Data
In any case where we are acting on our own behalf and we share your Personal Data with a third party data controller (including, as appropriate, counterparties to transactions on your accounts), the use by that third party of your Personal Data will be subject to the third party’s own privacy policies.
Employment in An Post
If you are applying for a position within An Post then An Post may share your personal data with external aptitude, psychometric and other relevant online assessment providers who may then become a controller of your personal data. The assessment providers will inform An Post of the results of any such assessment.
International Transfers of Personal Data
Personal Data may be transferred outside of Ireland where necessary to provide our services to you, including for example where you instruct a transfer from one of your accounts to an account outside Ireland, in accordance with your instructions, where you have explicitly consented, and / or as otherwise required or permitted by law.
Many of the countries will be within the European Economic Area (the “EEA”), or will be ones which the European Commission has approved, and will have data protection laws which are the same as or broadly equivalent to those in Ireland.
However, some transfers may be to countries which do not have equivalent protections, and in that case An Post shall use reasonable efforts to implement contractual protections for your Personal Data. While this will not always be possible where we are required to transfer your Personal Data in order to comply with and perform our agreement(s) with you or where we have a legal obligation to do so, any transfers will be done in accordance with applicable data protection laws, including through the implementation of appropriate or suitable safeguards in accordance with such applicable data protection laws.
Where a postal item is addressed to an individual recipient outside of the EEA, An Post will transfer that Personal Data to postal administrations outside of the EEA in order to facilitate the international postal service.
Sensitive Personal Data
In the course of providing certain services to you, you may provide and we may collect and process your Sensitive Personal Data. Any Sensitive Personal Data will only be used and disclosed where necessary for the purposes of those services. For example, where we provide certain accounts or financial services to you, we may, in some circumstances, collect and process Sensitive Personal Data in connection with our obligations under applicable AML and counter terrorist financing laws. Any Sensitive Personal Data will only be used and disclosed, as necessary, for such purposes.
If you expressly consent to the collection, use and disclosure of your Sensitive Personal Data by An Post for the purposes of the provision of our services to you, you have the right to withdraw your consent at any time by writing to Data Privacy Office, An Post, GPO, O’Connell Street Lower, Dublin 1, D01 F5P2.
If you change your mind, this will not affect any use and disclosure of your Personal Data prior to the date you notify us of your change of mind.
If you withdraw your consent to the collection, use and disclosure of your Sensitive Personal Data in this manner, An Post may not be in a position to administer your accounts and / or provide you with certain services.
Third Party Information
Where you provide us with Personal Data relating to other people, such as your spouse, children, mail recipients (if you use the postal service or for the administration of postal services), partners, directors, officers, employees, advisors or other related persons, you represent and warrant that you will only do so in accordance with applicable data protection laws. You will ensure that before doing so, the individuals in question are made aware of the fact that we will hold information relating to them and that we may use it for any of the purposes set out in this Privacy Statement and the relevant terms and conditions, and where necessary you will obtain their consent to our use of their information. We may, where required under applicable law, notify those individuals that you have provided their details to us.
Retention of Personal Data
We are obliged to retain certain customer information to ensure accuracy, to help maintain quality of service and for legal, regulatory, fraud prevention and legitimate business purposes.
We are obliged by law to retain customer identification and customer transaction records on most financial services accounts for seven years from the end of the customer relationship or the date of the transaction, respectively.
In limited circumstances we are also obliged to retain certain information for other service providers who have a separate legal obligation requiring them to act as a controller of your Personal Data.
Other information will be retained for no longer than is necessary for the purpose for which it was obtained by us or as required or permitted for legal, regulatory, fraud prevention and legitimate business purposes. In general, we hold this information for a period of seven years, unless we are obliged to hold it for a longer period under law or applicable regulations.
A cookie is a small piece of information which is transferred to your computer’s hard disk from a website. Cookies can store information about your preferences and other information which you need when you visit a website.
Your rights in relation to your Personal Data
Updating and correcting your Personal Data
If we hold incorrect Personal Data about you, you have the right to have the data amended. While we will use reasonable efforts to keep your Personal Data up to date, you will need to notify us without delay in the event of any change in your personal circumstances, so that we can keep the Personal Data up to date.
You can update your Personal Data by writing to the Data Privacy Office, An Post, GPO, O’Connell Street Lower, Dublin 1, D01 F5P2 together with:
- Your name and address; and
- A description of the specific Personal Data you wish to have rectified.
If you have an An Post Smart Account, you can also update your Personal Data by logging into your account at www.smartaccount.ie
. Postmobile Customers can view and amend their personal data by logging onto their account at www.mypostmobile.ie
Right of erasure
You have the right in some circumstances to have your Personal Data, which we hold, erased by writing to the Data Privacy Office, An Post, GPO, O’Connell Street Lower, Dublin 1, D01 F5P2 or firstname.lastname@example.org
- Your name and address; and
- A description of the specific Personal Data you wish to have rectified.
If you request an erasure of your Personal Data, all your data will be erased subject to the following important notice.
We will not be required to erase your Personal Data where to do so would prevent us from meeting our respective contractual obligations, or where we are required to process (including retaining) your Personal Data in order to comply with a legal obligation, or if the Personal Data is necessary to establish, exercise or defend our legal rights or for the purpose of legal proceedings.
Right of Access
You have a right to be given a copy of your Personal Data on request, subject to certain exceptions. Please note that we have the right to require that you identify yourself before we will respond to any access request.
For more information, see our Data Access Policy
Your Other Rights
You also have the right, in certain circumstances, to request restriction on the use, of your Personal Data, and to object to certain uses of your Personal Data, in each case subject to the restrictions set out in applicable data protection laws. Further information on these rights, and the circumstances in which they may arise in connection with our processing of your Personal Data can be obtained by writing to us at the address set out under Contact Us
In any case where we rely on your consent to process your Personal Data, you have the right to change your mind and withdraw consent by writing to us at the address set out under Contact Us
Where we rely on a legitimate purpose of ours or of a third party recipient of the Personal Data, in order to use and disclose Personal Data, you are entitled to object to such use or disclosure of your Personal Data, and if you do so, we will cease to use and process your Personal Data for that purpose, unless we can show there are compelling legitimate reasons for us to continue or we need to use the Personal Data for the purposes of legal claims.
In limited circumstances, you may also have the right to data portability in respect of certain of your Personal Data, which means you can request that we provide it to you in a structured, commonly used and machine-readable format, or transmit it to your third party nominee where this is technically feasible.
You have the right to lodge a complaint about our processing of your Personal Data with the Data Protection Commission at email@example.com
Where you have agreed to receive marketing material from An Post, we will use this information to contact you with news and special offers from the An Post Group of companies and selected third parties.
We may use and analyse your Personal Data, including transaction data on your accounts, in order to make the marketing materials we send to you more relevant to your interests and requirements. We may also use your Personal Data as part of more general market, statistical and product development analyses in relation to our business generally.
You can object to us analysing your Personal Data in this way by writing to us at Data Privacy Office, An Post, GPO, O’Connell Street Lower, Dublin 1, D01 F5P2 or firstname.lastname@example.org
. If you do object to this analysis, the marketing information you receive will not be made more relevant to you.
You can change your marketing preferences at any time by contacting us at An Post Marketing Department, An Post, GPO, O’Connell Street Lower, Dublin 1, D01 F5P2.
Each time we send you marketing information, we will give you the option to change your mind about receipt of marketing (eg SMS: text STOP).
An Post records CCTV footage to monitor of all the internal and external environs of premises where An Post business is conducted and whether the premises is owned by An Post or a Postmaster (the “Premises”). Any personal data which is obtained by An Post as a result of the operation of the CCTV system is treated in accordance with Data Protection Legislation.
CCTV systems are installed both internally and externally at the Premises for the following legitimate business purposes of An Post:
- Security and prevention of crime. For the purpose of ensuring the health and safety of staff and customers, enhancing security of the Premises and the associated equipment and for the detection and investigation of crime, the apprehension and prosecution of offenders and the protection of property.
- Promotion of safety and customer service. For the purpose of monitoring and resolving traffic management issues.
- Ensuring public and staff safety, investigating accidents and near misses and dealing with customer complaints about service.
Typically, data will be retained for no longer than is necessary for the purpose for which it is collected, or as required or permitted for legal, regulatory, fraud prevention and/or legitimate business purposes. In general, data recorded on CCTV is retained for no longer than 31 days. It will be retained for longer periods where required in connection with criminal investigations, or where An Post requires the data in connection with legal proceedings or has a legal obligation to retain the data for a longer period.
Any queries or complaints regarding our use of the Personal Data and / or the exercise of your individual rights should be addressed to the Data Privacy Office, An Post, GPO, O’Connell Street Lower, Dublin 1, D01 F5P2 or email@example.com
Review and Update
This Policy will be reviewed and updated annually by the An Post Data Protection Officer or more frequently if necessary to ensure that any changes to An Post’s organisation structure and business practices are properly reflected in this Policy.
Last Updated July 2019