> > Data Protection Compliance


Data Protection Compliance

The UPU makes it harder for postal services to sell personal data

At its 25th Congress in Doha in October 2012, the UPU adopted a new personal data protection compliance framework. Adherence to this framework is compulsory for all postal service providers who are designated by a Member State of the Universal Postal Union to fulfil the universal service obligation.

The 25th UPU Congress made it clear:

The UPU Convention provides for the confidentiality of the data gathered by designated operators, AND for the protection and security of that data.


Defining Personal Data

The global postal network defines personal data as the information needed to identify a postal service user.

The UPU’s data protection compliance framework on personal data conforms to the definitions given in international and regional regulations on the handling of personal data, and adapts them to the postal context.

In terms of the current postal delivery business model, personal data is primarily the information needed to identify the sender and recipient of a postal item (name and physical postal address/delivery point).

Article 11bis: Personal data may be deployed ONLY for the purposes for which it is gathered

The new Article 11bis of the UPU Convention, which came into force on 1 January 2014, states that personal data on users may be deployed only for the purposes for which it was gathered, and must abide by national data protection legislation. This brings data protection compliance regulations on personal data by postal services into line with international and European Community legislation.

As data is currently processed in accordance with the legislation of the country in which it was gathered, the methods of collecting and processing data may vary. Therefore Article 11bis states that:

Designated operators have an obligation to inform postal service users how their personal data is being used, and the purposes for which this information is being collected.

Where data may enable third parties to identify the postal user directly or indirectly, postal services may only transfer this data where national legislation authorizes them to do so.


Tough Times for List Brokers

The UPU Convention has made clear that this new postal data protection compliance is a fundamental cornerstone of the postal service provision, and stresses the confidentiality, protection & security of personal data.

Essentially, no change here.

However, this effectively pulls the rug out from beneath the address and list broker industry.

Given the clear and specific declaration that a postal service user’s personal data may be employed only for the purposes for which it was gathered (i.e. for delivering a mail piece), any list privileges, list brokerage, or the reselling of address data which enables third parties to directly or indirectly identify postal services users is, by definition, prohibited.

This is referred to as "purpose limitation".

Where postal services want to continue using their customers’ personal data in this way, a hard "opt-in" is required – postal users must give their express permission for their personal data to be used, after having been fully informed about the exact use that will be made of their data.

Any other use - a contrario - is prohibited. It is easy to imagine that, particularly where there is no financial inducement to the postal user, hard opt-in rates will be neglible.

The European direct marketing business model, however, runs counter to this model of data protection compliance.

Data is currently used to identify postal users from address lists, from traceable and trackable data provided via the Internet, by cross referencing and data mining activities to identify customer interests.

All this falls outside the definition of postal data protection compliance and clear purpose limitation. Postal services will be required to clearly separate themselves from these activities.


data protection compliance,postal services, data selling, data mining, german market

Fig.1: Data Selling in Germany -  the major players in today's data market. (German article on data selling here.)





Posts as Trusted Mediators in a Digital World

The Universal Postal Union, a special UN body dedicated to the global postal network and serving the needs of governments and their designated operators, has clearly understood the importance of focusing on the paradigm of trust in global postal service provision.

Traditionally providing a document-based global communications network, the UPU is currently shifting its activities into the digital realm with the introduction of its own top level domain, .post.

The new data protection compliance framework is part of this move, providing the basis upon which the UPU hopes to establish posts as trusted mediators within a digital communications ecosystem. The data protection compliance framework is a clear and forward-thinking regulation and supports this development.


IN BRIEF: At the 25th UPU Congress in Doha, 2012, the UPU officially adopted its data protection compliance framework, allowing personal data, gathered to provide a physical, digital or financial postal service, to be made available to 3rd parties or used for any other purposes only with the express permission of the user.

This removes the current basis for the business of address and list brokers. Confidentiality, protection and security of personal data are the cornerstones of the UPU service provision.

Top of Page

> > Data Protection Compliance