Privacy Notice for the Postmuseum

The Postmuseum, owned by PostNord and inaugurated as early as 1906, is more than just a museum – it is a living testament to nearly 400 years of conveying and protecting people’s communication. Since the 17th century, PostNord has ensured that messages are delivered safely and securely, regardless of the challenges of the times.

Protecting information is not just a part of our history – it remains a cornerstone of our operations today. We safeguard your privacy and handle your personal data with the utmost care and security.

Overview

  1. About us
  2. What personal data do we have about you?
  3. Where do we get your personal data from?
  4. How do we use your personal data?
  5. Who do we share your personal data with?
  6. Where do we process your personal data?
  7. How long do we keep your personal data for?
  8. How do we protect your personal data?
  9. What rights do you have?
  10. How to contact us
  11. Review and updates

1.  About us

Your privacy is important to us, and we are committed to respect your rights regarding the use and security of your personal data. PostNord Sverige AB (“Postmuseum”, “PostNord”, “PostNord Group” “we”, “us”) is responsible to ensure that we process your personal data in accordance with applicable data protection legislation and our policies.

This Privacy Notice applies to the Postmuseum’s visitors, persons making purchases in our web shop, donors, employees at our suppliers, journalists and members of the public. (“you”).

We use personal data about you for various reasons. This Privacy Notice, together with other information provided at the time of data collection, tells you what personal data we collect about you, how and why we use it, and what your rights have.

2. What personal data do we have about you? 

We may process the below categories of personal data about you:

  • Contact information, such as name, email address, postal address and telephone number,
  • Identification information, such as photograph, social security number and date of birth,
  • Financial and payment related information,
  • Professional information, such as job title and employer,
  • Information about the device you use to visit our website, such as IP-address and device address,
  • Control measures, including footage from video surveillance monitoring,
  • Other (sensitive) personal data you choose to share with us, such as information about allergies.

3. Where do we get your personal data from?

We make use of the personal data that you give to us and information that we collect about you.

Information you give to us.

Most of the personal data we process about you we receive directly or indirectly from you, for example when you buy a ticket, make a purchase in our web shop or contact us with a question.

You can always choose not to provide us with certain information. However, some personal data we need during your interaction with us.

Information we collect about you.

For collection management purposes and due to our obligation to preserve historical information about our objects, we may collect your personal data in an indirect manner. This can occur, for example, when a third party shared such content with us that contains your personal data. Moreover, we can receive your details connected to our activities and events.

We may also obtain some personal data via third parties, for example online payment providers and (service) providers.

4. How do we use your personal data? 

Our primary use of your information is to enable you to make use of our services, for example, when you visit us or make a purchase in our web shop. We may also need personal data to manage our collection. In addition, we may use your information for business purposes or because we must comply with legal obligations.

We are only allowed to use your personal data when we have a legal basis to do so. Often, we need your information because of your contract with us, for example when you buy a ticket or make a purchase in our web shop. We also need your information because we must comply with legal obligations or because we have a legitimate interest to use your personal data. More than one legal basis could apply when we use your information.

More specifically, we can use your personal data for the following purposes:

  1. Purchase of tickets and visits to our exhibitions, including guided tours,
  2. Purchase of goods, for example in our web shop,
  3. To provide you with an account, for example when you make a purchase in our web shop or borrow books,
  4. Booking of our premises, events, tours, and other activities,
  5. Visit to and use of our library, for example when you borrow books,
  6. Visit to and use of our archive,
  7. Collection management,
  8. Gifts, donations, and purchases of items,
  9. Loans to and from our collections,
  10. Questions, inquiries, feedback, and service matters,
  11. To improve our products and services, such as developing new exhibitions,
  12. Marketing, such as sending newsletters,
  13. Communication, e.g., through press releases and mailings,
  14. Participation in competitions,
  15. To enhance functionality on our website,
  16. To manage security, for example through video surveillance,
  17. To protect our assets and information systems. This includes detecting, preventing, and responding to security incidents or other malicious, deceptive, fraudulent, or illegal cybersecurity related activity,
  18. To monitor and enforce compliance with our obligations and responsibilities,
  19. Dispute management and litigation,
  20. To conduct corporate transactions, including mergers, acquisitions and divestments.

Please see under What we use your personal data for below for an extensive overview of the reasons why we process personal data about you.

5. Whom do we share your personal data with? 

The Postmuseum is part of PostNord Sverige AB, which in turn is a subsidiary of PostNord Group AB. Where necessary, we may share your personal data with other subsidiaries of PostNord Group. Sometimes, we need to share your personal data outside the PostNord Group, for example with:

Our service providers, such as providers of financial services, and our partners. We share your personal data with our service providers who help us in our daily operations, such as providers of payment services, marketing services and booking services. Also, we engage suppliers of digital solutions, operating services, and system support. When needed, we can disclose your information to our partners such as libraries.

Authorities, other public actors, and other recipients. Legal obligations may require us to share information about you, for example to respond to requests from law enforcement agencies, regulatory agencies, and other public and government authorities. We may also disclose information if needed to detect and prevent fraud or for other legal, security, and safety reasons.

Parties involved in legal proceedings. In connection with a potential legal proceeding, including in the preparatory work enabling us to defend ourselves against or enforce any legal claims, your personal data may be shared with parties involved in the proceedings, such as lawyers.

Parties involved in a merger or acquisition. We may share or transfer your personal data in connection with a merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.

Professional advisors, such as lawyers, accountants and auditors.

Other parties. Upon your request or when needed for other reasons.

6. Where do we process your personal data? 

When we use or share your personal data, it may be sent to companies both within and outside the European Economic Area (EEA). We will make sure that these transfers follow the law. If personal data is sent outside the EEA, we will protect it properly. For example, we may rely on the European Commission’s model clauses or send your information to countries which provide a good level of protection according to the European Commission.

7. How long do we keep your personal data for? 

We keep your personal data only for as long as we need it for the reason we collected them. This means that we keep different types of information for different periods of time, depending on the reason for having them.

The Postmuseum keeps your information generally for two (2) years, for example personal data you have shared with us when making a purchase in our web shop or when lending a book from our library.

In some cases, we may process your data for a longer period. This may be the case if we need to protect our legal rights, for example in a legal dispute. We are also under legal obligations which require us to keep your information for a longer period of time, for example the Bookkeeping Act or the Archives Act.

8. How do we protect your personal data?

We have technical and organisational security measures and systems in place to protect and safeguard your personal data. For example, procedures to prevent unauthorised access to, and misuse of, personal data. We also use security procedures and technical and physical restrictions for accessing and using the personal data on our servers. Only those who have a genuine business need in the course of their work are authorized to access personal data. They are governed by our rules of information and IT security, data protection and other relevant internal regulations and guidelines. They are also bound by confidentiality agreements.

While we have measures in place to protect your personal data, it is important for you to understand that complete security cannot be guaranteed. Therefore, we have procedures in place to manage security incidents and to comply with legal requirements applicable to the detection, handling and notification of personal data breaches.

9. What rights do you have?

Under certain circumstances, you have rights in relation to your personal data, which include the following:

Right to erasure (“right to be forgotten”). You can request that we delete personal data about you.

Right to rectification. You have the right to correct inaccurate or incomplete information about yourself.

Right to access your data. You have the right to know what personal data we process about you and why. That is why we inform you about our processing activities via this Privacy Notice. You can also request a copy of your personal data which we process.

Right to restriction. You can ask us to limit our processing of your personal data until inaccurate or incomplete information about you has been corrected, or until an objection from you has been handled.

Right to object. Where we process your personal data based on a legitimate interest, you have right to object to this processing when you believe that your personal interest outweighs ours. We will cease the processing, unless we can demonstrate compelling legitimate grounds for the processing which override your interests.

Right to data portability. In certain situations, you have the right to ask us to transfer the personal data we hold about you to someone else.

Right to withdraw your consent. You may at any time withdraw any consent you have given us. However, please note that withdrawing your consent will not affect any processing that has already taken place.

Right to complain. You have the right to lodge a complaint to our lead supervisory authority or the supervisory authority in the country you live or work in.

Please note that legal rights or obligations may prevent us from disclosing or transfer all or part of your information, or from immediately deleting your information.

10. How to contact us 

If you have any questions or comments regarding your personal data or this Privacy Notice you can reach out to us by contacting:

PostNord Sverige AB
Data Protection Officer
105 00 Stockholm

Email: dataprotectionofficer@postnord.com

11. Review and updates

We may update our Privacy Notice from time to time. Therefore, we recommend that you visit our Privacy Notice periodically to keep yourself informed. If we make any changes to this Privacy Notice that will impact you significantly, we will inform you about the changes before any new activity begins.

What we use your personal data for

At the Postmuseum, we use your personal data for the following purposes and based on the following legal bases:

Purpose: When do we process your personal data? Personal data: What information do we use? Legal basis: Why is processing necessary?
Purchase of tickets and visits to our exhibitions, including guided tours.Name, email address, phone number, billing and payment details.
  • To fulfill the contract with you.
  • To comply with a legal obligation we are subject to, such as requirements from the Accounting Act. 
Purchase of goods, for example in our web shop. Name, email address, postal address, phone number, billing and payment details. 
  • To fulfill the contract with you.
  • To comply with a legal obligation we are subject to, such as requirements from the Accounting Act. 
To provide you with an account, for example when you make a purchase in our web shop or borrow books. Name, email address, and if necessary, postal address, phone number, and login details. To fulfill the contract with you. 
Booking of our premises, events, tours, and other activities.Name, email address, postal address, phone number, organizational affiliation, billing and payment details, and any information you choose to provide, such as allergy information.
  • To fulfill a contract regarding your booking.
  • For our legitimate interest to administer and manage the booking when the contract is not concluded with you but when you are our contact person.
  • To comply with a legal obligation we are subject to, such as requirements from the Accounting Act.
Visit to and use of our library, for example when you borrow books. Name, email address, postal address, phone number, personal identification number, and in some cases, payment details.
  • To fulfill the contract with you.
  • For our legitimate interest to ensure security and protect our property, such as our books.
  • To comply with a legal obligation we are subject to, such as requirements from the Accounting Act.
Visit to and use of our archive. We administer your visit for security reasons. Name, email address, date of visit, and in some cases, billing and payment details.
  • To fulfill the contract with you.
  • For our legitimate interest to ensure security, protect our property, prevent and investigate crimes and accidents, and tracking incidents over time.
Collection management. We collect and manage items of cultural and historical value in our collection and save information about the item’s history and context. We make our collection available to the public, for research purposes, and preserve it for future generations.Name, postal address, email address, phone number, gender, personal identification number, citizenship, birth and death dates, place of birth, marital status, diary number, education, profession and/or occupation, interests, opinions and experiences, statements about third parties, images, films, audio recordings, and special categories of personal data such as medical conditions and political affiliation. To perform a task in the public interest.
Gifts, donations, and purchases of items.Name, email address, postal address, phone number, and in some cases, billing and payment details.
  • To fulfill the contract with you.
  • For our legitimate interest to administer and manage the gift, donation, or purchase when the contract is not concluded with you but when you are our contact person.
  • To comply with a legal obligation we are subject to, such as requirements from the Accounting Act.
Loans to and from our collections.Name, email address, phone number, organisational affiliation, and the contact person’s position.
  • To fulfill the contract with you.
  • For our legitimate interest to administer and the loan when the contract is not concluded with you but when you are our contact person.
  • To comply with a legal obligation we are subject to, such as requirements from the Accounting Act.
Questions, inquiries, feedback, and service matters.Name, email address, and any information you choose to provide when contacting us.For our legitimate interest to respond to your questions, handle your inquiries and matters, and improve our operations based on your feedback.
To improve our products and services, such as developing new exhibitions.All relevant personal data mentioned under point 2 in this Privacy Notice.For our legitimate interest to develop our operations and provide our visitors with good products and services.
Marketing, such as sending newsletters.Name and email address.Your consent.
Communication, e.g., through press releases and mailings.Name, email address, phone number, and in some cases, position and organisational affiliation.For our legitimate interest to inform individuals who may be interested in our activities, events, and exhibitions.
Participation in competitions.Name, email address, and postal address.Your consent.
To enhance functionality on our website. If you have given us your consent, we use cookies and similar technologies to provide you with a good experience when you visit our website. You can find more information about how we use cookies in our Cookie Notice. IP address, device information, browser information, information about how you navigate our website, and other information about your visit.Your consent.
To manage security, for example through video surveillance.Video material where you can be identifiable.For our legitimate interest to protect the safety of our business, our employees, visitors and property.
To protect our assets and information systems. This includes detecting, preventing, and responding to security incidents or other malicious, deceptive, fraudulent, or illegal cybersecurity related activity.All relevant personal data mentioned under point 2 in this Privacy Notice.
  • For our legitimate interest to safeguard our assets, ensure security of our information systems and investigate and mitigate security incidents.
  • For compliance with legal requirements, such as data protection and cybersecurity legislation.
To monitor and enforce compliance with our obligations and responsibilities. For example, legal obligations, our financial and regulatory responsibilities, and obligations under our policies and procedures.All relevant personal data mentioned under point 2 in this Privacy Notice. 
  • To comply with legal obligations we are subject to.
  • For our legitimate interest to manage compliance with internal policies and procedures.
Dispute management and litigation.All personal data relevant to the dispute.For our legitimate interest which includes protecting our assets, legal interests and managing claims and disputes.
To conduct corporate transactions, including mergers, acquisitions and divestments.All relevant personal data mentioned under point 2 in this Privacy Notice. For our legitimate interest in maintaining and developing our business through mergers, acquisition and divestments.