Picapac OÜ Overview of Customer Data Processing as of December 1, 2023

1. OVERVIEW

Picapac OÜ (Commercial Register code 12670875), the controller of personal data, is part of the Omniva Group, whose parent company is AS Eesti Post and whose other subsidiaries include Finbite OÜ, Omniva LT UAB in Lithuania, and Omniva SIA in Latvia.

We hereby provide the information required under Articles 12–14 of the General Data Protection Regulation (GDPR) regarding how Picapac processes customers’ personal data. This information applies to the personal data of natural persons, including individuals associated with legal entities and organizations, but not to other data pertaining to companies or organizations.

Customer data is processed in accordance with the Personal Data Protection Act, the General Data Protection Regulation, and other applicable laws and regulations, as well as the contract entered into or to be entered into with the specific customer, including the standard terms and conditions applicable to the specific service.

Picapac reserves the right to unilaterally amend this overview by notifying the customer via the self-service portal, email, its website, social media, or by other means.

Picapac ensures the confidentiality of customer data and the lawfulness of its processing in accordance with applicable law, and implements appropriate technical and organizational measures to protect customer data against unauthorized access, unlawful processing or disclosure, accidental loss, alteration, or destruction.

 

2. DEFINITIONS

A data subject is a natural person—that is, an individual—about whom Picapac holds data that can be used to identify them. Data subjects may include prospective, current, and former customers, representatives, representatives of business partners, and individuals who submit inquiries.

Personal data means any information relating to an identified or identifiable natural person, regardless of the form or format of such information.

In the context of these principles, a “Client” is any natural or legal person who uses or has expressed a desire to use services provided or facilitated by Picapac, in whose favor a service agreement has been concluded, who is otherwise connected to the use of any service or a user, or who has any other relationship with Picapac (excluding an employment relationship or job application). 

Processing refers to any operation performed on customer data (including collection, recording, storage, alteration, disclosure, erasure, retrieval, transmission, organization, use, dissemination, etc.).

The remaining terms used in this document that relate to the processing of personal data have the same meaning as defined in the GDPR.

 

3. PURPOSES OF PROCESSING CUSTOMER DATA

Picapac OÜ rents out parcel lockers and provides customers with a self-service platform (information society service) through which they can place and manage their orders and pay their bills.

In addition to the data processing necessary for preparing the contract and directly providing the service, we also process data for the following purposes:

  • We use cookies that are necessary for the website to function (functional cookies). If we use any other cookies on the website, we will provide a separate notice on the website and obtain the necessary consent from the customer. For more information about our use of cookies, please visit https://picapac.com/et/cookie-policy/;
  • When a customer calls us or one of our employees calls a customer, the call is recorded;
  • The customer contacts us via email or social media; the inquiry and its resolution are recorded in the customer management system;
  • We send our newsletter to customers upon request;
  • We conduct customer satisfaction surveys to better understand how satisfied our customers are with our services and to identify their expectations;
  • We organize campaigns (including in collaboration with other partners) and consumer contests, and announce the winners;
  • We analyze our business client portfolio to identify which services could be of further benefit to our business clients;
  • We run ads, including on social media;
  • We promote Picapac’s activities and engage with social media users through social media;
  • For services that include installment payment options, we assess the business customer’s creditworthiness and the business partner’s reliability;
  • invoice management, accounting, debt collection;
  • We retain service-related data for the duration of the statute of limitations on claims arising from the transaction in order to resolve any claims that may arise;
  • We resolve the claims submitted;
  • We file claims for damages against our partners and those responsible for the damage (for example, in the event of vandalism to a parcel locker), collect outstanding debts from our contractual partners and customers, and report business customers’ debt information to the credit bureau;
  • At the group level, AS Eesti Post conducts a comprehensive analysis of the group’s business operations, both by business segment and by service: including, for example, the volume of services provided, the speed and quality of service delivery, the size and profile of the business customer base, errors and incidents, compensation for damages, financial analysis (e.g., costs, revenues, profitability), risk analysis (e.g., market risks, liquidity, profit, credit, capital, and financing risks, unforeseen costs), and we prepare forecasts;
  • We process data in cases required by law – see section 6 for more details;
  • We manage and maintain (correct, update, and delete) the customer database.

 

4. CATEGORIES OF DATA SUBJECTS AND SOURCES OF PERSONAL DATA

4.1. Picapac collects and processes the personal data of the following individuals:

  • service users and third parties in whose favor the contract has been concluded (additional users of the parcel locker);
  • legal and authorized representatives;
  • people who are looking for information about the service or wish to use it (e.g., a person visits the Picapac website, calls, and asks about service prices);
  • Individuals associated with Picapac’s corporate clients (business clients) and contractual partners providing services to Picapac, such as shareholders, partners, board members, company representatives and contact persons, other employees, and beneficial owners;
  • perpetrators, offenders, and victims;
  • Representatives of government agencies that interact with Picapac;
  • Followers of Picapac's social media accounts;
  • newsletter subscribers.

4.2. Picapac collects personal data primarily from the service subscriber themselves (the parcel locker tenant, the claimant, etc.). The parcel locker tenant provides Picapac with the data of additional users.

We collect personal data from public sources in connection with our business clients and business partners—such as the commercial register, the register of court decisions, the criminal records database, and the list of entities subject to international sanctions.

We also collect personal data from third parties, such as the operator of the credit default registry or government agencies (if they submit inquiries to us).

 

5. TYPE OF CUSTOMER DATA PROCESSED

In accordance with Articles 13 and 14 of the General Data Protection Regulation, we outline the types of personal data we may process in the course of the activities described above. If necessary, we will provide a more detailed overview in the terms and conditions of additional services or when collecting data (e.g., when obtaining consent for cookies, in connection with a promotional game).

Data in the self-service environment: name, username, and password (except when logging in via a third-party login application), customer status start date, billing address, shipping address, email address, phone number, phone numbers of additional users of the parcel locker; data regarding the service used and payments: service used (primarily parcel locker rental, but other additional services may be included), cost of the service, payment details; date of the last order, next payment date, invoice, payment method, Stripe customer ID (to pay by credit card, the customer enters the credit card number, expiration date, and security code into the Stripe payment service window in the self-service environment; Picapac OÜ does not see this data);

Website usage information: IP address and other technical data, such as browser type, unique device identifier, language preference, referring website, date and time of access, operating system, and mobile network information;

Details for paying the invoice via bank transfer: the payer’s bank account number and name, reference number, amount, date, and payment description;

Parcel locker usage log: parcel locker IMEI code, SIM card number, time the parcel locker door was opened (date, time), parcel locker status (whether open, i.e., empty), time the parcel locker compartment door was closed (date, time).

Communication data and records: language of communication; call recordings when the customer communicates with Picapac by phone; content of written communications via email and other communication channels, such as social media;

Social media and third-party login apps: username, identification code exchanged with the login app;

Data on customer preferences and satisfaction: responses to customer satisfaction surveys;

Data related to participation in consumer games and campaigns: consents to the processing of personal data related to participation, data related to the content of the game or campaign, prizes won;

Consents and opt-outs: Consents and opt-outs regarding newsletters and promotional offers; other consents for the processing of personal data, where such processing is based on consent;

Debt and damage data: the customer’s debt to Picapac; information regarding breaches of contract; data on damages incurred by Picapac (the party responsible for the damage, the circumstances leading to the damage, the amount, and information arising during the proceedings); and information related to incidents of theft or vandalism involving parcel lockers;

Data collected or obtained in the course of fulfilling a legal obligation: e.g., data resulting from inquiries by investigative authorities or courts, and data regarding status as a subject of international sanctions.  

Information regarding the legal or authorized representative: a document certifying the right of representation, the representative’s name, personal identification number, signature, and details regarding the scope of the right of representation.

 

6. LEGAL BASIS FOR THE PROCESSING OF CUSTOMER DATA 

  • For the provision of the service, i.e., for the performance of the contract (Article 6(1)(b) of the General Data Protection Regulation);
  • When preparing the contract (Article 6(1)(b) of the GDPR);
  • With the individual’s consent (Article 6(1)(a) of the GDPR) – newsletters and advertisements via email or SMS, cookies on the website, sharing data with a third-party login application, promotional games (including sharing data with a partner participating in the campaign). Please note that you have the right to withdraw this consent at any time (see section 11 for more details on your rights);
  • To comply with the law (Article 6(1)(c) of the GDPR):
    • documenting and retaining records of transactions and payments in accordance with the Accounting Act;
    • responding to lawful requests from government agencies (e.g., when the police request information);
    • auditing in accordance with the Commercial Code;
    • enforcement of international sanctions in accordance with the International Sanctions Act;
    • Resolving data subjects’ requests in accordance with the General Data Protection Regulation, investigating data protection violations, and having data processing reviewed by a data protection specialist.
  • On the basis of a legitimate interest (Article 6(1)(f) of the GDPR). In order for the service to be provided quickly, conveniently, on time, and as cost-effectively as possible, the company must perform a great deal of analytical and organizational work behind the scenes. Although all such activities are entirely oriented toward the provision of services, they do not fall under the aforementioned clause regarding contract performance. Legally, this is defined as the company’s legitimate interests. Our legitimate interests:
    • Organizing the business operations necessary for providing Picapac’s services in a cost-effective and professional manner (this includes data exchange between independent data controllers and contractual partners; see the list of data controllers provided in section 7);
    • Providing the customer with greater added value when delivering the service, for example by adding features that are not strictly necessary for fulfilling the contract’s purpose but enhance the customer’s (including business customers’) convenience;
    • Allowing persons associated with the customer to use the service (additional users);
    • Promoting Picapac’s business activities through advertising, marketing, loyalty programs, campaigns, contests, and similar initiatives. You have the right to opt out of such use of your contact information at any time by contacting us using the contact information provided below or by following the instructions in the notice sent to you;
    • Organizing work processes and ensuring their smooth operation (so that all work processes run smoothly and as quickly as possible);
    • Ensuring high-quality customer service and customer satisfaction (including call recording and the retention and analysis of customer inquiries). This includes monitoring, evaluating, and analyzing the customer experience and the quality of customer service; soliciting feedback; and taking follow-up actions; as well as conducting statistical and time-series comparative analyses of customer service (changes, trends);
    • Requesting feedback. This includes conducting feedback surveys so that we can improve the user-friendliness of our services and products. You have the right to object to this use of your contact information at any time by contacting us using the contact information provided below or by following the instructions in the survey notification sent to you;
    • Development of services and products. This includes analyzing service usage statistics, monitoring trends, and resolving issues identified through customer complaints;
    • Service pricing and cost-benefit analysis (including an analysis of the costs of all service components and risks);
    • Comprehensive analysis (including service statistics) and reporting of the company’s and the group’s financial indicators;
    • Customer data management (e.g., ensuring that the contact information for business clients is up to date, closing the accounts of clients who have stopped using the service);
    • Development (including testing) and maintenance of information systems;
    • Protection of information systems and information assets (network and information security, cybersecurity, ensuring data security);
    • Protection of Omniva and Omniva customers' property (shipments);
    • Resolving requests and complaints (including the necessary investigation of the facts);
    • Resolving legal disputes (contractual disputes, non-contractual claims), including investigating the facts related to the case in question, and defending Omniva’s rights and claims, including in court;
    • Preventing fraud and the misuse or disruption of services; identifying, assessing, mitigating, and avoiding risks (risk management);
    • Debt collection or assignment, and the disclosure of a business customer’s debt information to a third party for the purpose of enforcing payment and protecting third parties;
    • Assessing the reliability of business clients and partners (to avoid entering into a contractual relationship with a company that is unable to fulfill its obligations, has failed to comply with significant legal requirements—including unpaid taxes—or is involved in legal violations).

When processing personal data on the basis of a legitimate interest, we have previously conducted a proper balancing of competing interests, in which we have assessed whether our interest in processing personal data outweighs your interests, rights, and freedoms, which are the basis for the protection of personal data. You may always object to such processing (see section 11 for more details on your rights). You also have the right to request more detailed information about our legitimate interests by contacting us using the contact information provided in section 12.

 

7. CATEGORIES OF RECIPIENTS

From the customer’s perspective, the provision of a single service often involves many different parties, each of which plays its part on the customer’s behalf. For example, parcel lockers may be maintained and repaired by a maintenance company, credit card payments are processed by a payment service provider, and users can log in to a self-service environment using a third-party login application (e.g., Google).

Below, we list the partners Picapac works with to provide the best possible service to its customers, as well as the parties to whom data must be disclosed by law.

  • Authorized processors – who provide services to us: off-the-shelf software providers and data hosting providers (self-service portal software, call recording management and hosting, website cookie management, survey platform), email and SMS service providers, call centers, software developers, survey administrators, advertising, marketing, and design agencies; social media advertising targeting intermediaries, equipment maintenance and repair, e-invoice administrators, and debt collection agencies.
  • Independent data controllers – postal or courier service providers (when Picapac shares customer data with them, for example, so that the customer can select a parcel locker address as a pre-filled delivery option); the bank receiving the payment or executing the transfer; the payment service provider; social media platforms (in some cases also acting as joint controllers) and the login service provider (e.g., Google Sign-In); a campaign partner with whom we are running the campaign (e.g., when using the Omniva service, you earn bonus points with our partner, and for this purpose we provide them with the data necessary for calculating the bonus points); other third parties, provided they have a legal basis for obtaining the data (including legitimate interest, e.g., insurance providers); law firms, bailiffs, government agencies.

Within the Omniva Group, AS Eesti Post is responsible for the development, administration, security, and hosting of information systems; customer service (customer calls and inquiries); and campaigns and advertising. It also performs accounting, manages customer data, and conducts the data analysis necessary for the purposes listed in section 6. In these situations, AS Eesti Post acts as a joint controller, sole controller, or authorized processor, depending on who determines the purpose of the specific processing operation.

We enter into data processing agreements with authorized processors who process personal data on behalf of Omniva, in which we specify the terms of personal data processing, require the implementation of appropriate security measures, and ensure the lawfulness and confidentiality of customer data processing. Internal relations within the Omniva Group regarding the processing of personal data are governed by the Group’s internal data processing policy.

 

8. GEOGRAPHICAL AREA OF PROCESSING

The Omniva Group stores data within the European Union. If Picapac’s data processor processes data outside the European Union or the European Economic Area, Picapac verifies that the requirements set forth in Articles 46–49 of the General Data Protection Regulation have been met.

The Stripe payment service is provided by a company registered in Ireland (Stripe Payments Europe, Limited; Stripe Technology Europe, Limited), which, as it directs its services to EU citizens, is subject to the General Data Protection Regulation (GDPR). The software used to maintain the self-service environment, WordPress (Aut O’Mattic A8C Ireland Ltd), certain third-party login applications (e.g., Google Sign-in, Meta log-in), and Stripe may transfer data to the United States. Aut O’Mattic A8C Ireland Ltd, Google, Meta, and Stripe rely on the Standard Data Protection Clauses approved by the European Commission when transferring personal data to the United States, and Meta also implements additional safeguards.

 

9. AUTOMATED DECISIONS

Pursuant to Article 22(1) and (4) of the GDPR, an automated decision means a decision based solely on automated processing in which no human intervention takes place. Picapac does not make such decisions.

 

10. DATA RETENTION PERIOD FOR

The retention period is based on agreements with the customer, consent, Picapac’s legitimate interest, or applicable law (e.g., accounting laws, statutes of limitations, other private law). We retain personal data for as long as necessary to fulfill the purpose for which we collected and process the personal data. For example:

  • Pursuant to § 12 of the Accounting Act, transaction data and the supporting documents related thereto must be retained for seven years from the end of the fiscal year in which the economic transaction was recorded in the accounting records on the basis of the supporting document.
  • For transactions not subject to specific rules, the General Part of the Civil Code Act establishes a general statute of limitations of three years for claims arising from such transactions, during which time it is necessary to retain data regarding the transaction. The statute of limitations for claims arising from non-contractual damages is also 3 years. Consequently, we may retain customer data for up to 3 years after the termination of the customer relationship.
  • We retain data that may be necessary in the event of potential administrative liability for a period of 2 years (the statute of limitations for administrative offenses).
  • We retain recordings of phone calls for 1 or 2 years (depending on whether a record exists in the customer database).
  • We will retain personal data processed on the basis of consent until such consent is withdrawn, unless there is another legal basis for the continued processing of such personal data. 

11. RIGHTS OF THE DATA SUBJECT

If you have any questions regarding the processing of your personal data or wish to exercise your rights, please contact us at pakiautomaat@picapac.ee. You have the right to exercise various rights regarding your personal data, as listed below. Please note that these rights are not absolute, so we may not be obligated or able to take the requested actions based on your request. If this is the case, we will explain the reasons for our refusal. 

11.1. Accessing Your Personal Data

Every person has the right to know whether Picapac processes their personal data and, if so, for what purpose, what type of data is processed, where the data was obtained, to whom it is disclosed, whether it is transferred to third countries, and how long the data may be retained. An individual has the right to receive a copy of the personal data being processed (i.e., a copy of the data itself, not the documents).

Picapac must ensure that data is disclosed only to the correct data subject; therefore, we must verify the identity of the data subject and confirm that the data we hold actually pertains to that person (taking into account individuals with the same name). For this reason, we may need to ask the data subject additional questions (for example, regarding the phone number or email address they use). We will issue a copy of the data, depending on the data subject’s preference, either on paper or electronically encrypted in the data subject’s name (unless the data subject themselves does not wish for encryption).

A person’s right to access their personal data may be restricted by law (such as the Code of Criminal Procedure), the rights of others to protect their privacy, and Picapac’s trade secrets.

11.2. Transfer

If Picapac processes data based on the customer’s consent or a contract and the data processing is automated, the customer has the right to receive a copy of the data they have provided in an electronic, machine-readable format.

11.3. Correction and Deletion

If a customer’s data is incorrect, incomplete, or irrelevant, the customer has the right to request that the data be corrected or deleted, subject to the restrictions imposed by applicable laws and regulations and the rights related to data processing. To do so, please specify in your request which personal data requires correction or deletion.

You may request the erasure of your personal data if (i) we no longer need the personal data for the purpose for which we collected it; (ii) you withdraw your consent to the processing of your personal data and we have no other legal basis on which to continue processing it; (iii) you object to the processing of your personal data and we have no overriding legitimate grounds to continue processing your personal data; (iv) we have processed your personal data unlawfully; (v) the personal data must be erased to comply with a legal obligation.

In particular, deletion cannot be requested if Picapac is required by law to process (including store) the data, or if the data is necessary for the performance of a contract (e.g., a lease agreement is in effect).

Picapac is also not required to delete data if it is necessary for the preparation or defense of legal claims (e.g., if Picapac is involved in an ongoing dispute with a client regarding compensation for damages, or if the statute of limitations for claims arising from a transaction with the client has not yet expired and Picapac is not certain that the client will not file claims against Picapac).

11.4. Filing of Objections

If Picapac processes personal data on the basis of a legitimate interest, the data subject has the right to object to such processing based on their specific circumstances, to request that the processing be restricted while the objection is being reviewed, and to request the erasure of the data. In such a case, Picapac will assess, based on the reasons provided by the data subject, whether there is a compelling legitimate ground for the continued processing of the data that outweighs the data subject’s interests, rights, and freedoms, or whether the data is necessary for the establishment, exercise, or defense of legal claims.

11.5. Restrictions on the Use of Data

If the customer believes that the data Picapac has collected about them is incorrect, or if the customer has filed an objection as referred to in Section 11.4, the customer may request that Picapac limit its use of the disputed data to storage only while the request is being reviewed (i.e., not use it for any other purposes). Use shall be limited to storage only until it is possible to verify the accuracy of the data or to determine whether Picapac’s legitimate interests outweigh the customer’s interests.

Please note that even if the processing of personal data is restricted, we may process such data if (i) you have given your consent; (ii) the data is necessary for us to prepare, submit, or defend legal claims; (iii) the data is necessary for us to protect the rights of a natural or legal person; or (iv) the data must be processed in connection with a substantial public interest.

If the customer has the right to request the erasure of data, the customer may instead request that Picapac limit its use of the data solely to storage. If Picapac needs the data collected about the customer solely for the purpose of enforcing or defending legal claims, the customer may request that the data not be used in any way other than for storage.

11.6. Withdrawal of Consent

If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw that consent at any time. Once consent is withdrawn, any processing based on that consent will cease; however, the withdrawal of consent does not affect any processing that has already taken place.


12. OMNIVA’S CONTACT INFORMATION AS THE DATA CONTROLLER AND DATA PROTECTION OFFICER 

Picapac OÜ, Business Registry Code 12670875

Address: Tallinn, Pallasti Street 28, 10001

Email: pakiautomaat@picapac.ee

Website: https://picapac.com

Details of the joint controller: AS Eesti Post, Commercial Register code 10328799

Pallasti 28, 10001 Tallinn, Estonia

Email: info@omniva.ee

Website: www.omniva.ee (which also publishes AS Eesti Post’s customer data processing principles).

Contact information for Omniva’s data protection specialist: andmekaitse@omniva.ee

Customers may also file complaints regarding the use of personal data with the Estonian Data Protection Inspectorate (website: www.aki.ee) if they believe that the processing of their personal data infringes upon their rights and interests under applicable law. If your permanent residence, place of work, or the location of the violation is in another Member State, you also have the right to file a complaint with the data protection supervisory authority of that country.