Data protection statement
Thank you for your interest in DPD Switzerland. Because of the nature of our business activities, data protection is a particularly high priority for our company.
It is entirely possible to use the DPD Switzerland website without providing any personal data. However, if an individual (data subject) wishes to use certain of our company’s services via our website, it may be necessary to process their personal data. If it is necessary to process personal data but there is no legal requirement for that processing, we will normally request consent from the data subject.
Our processing of personal data, for example the name, address, email address or telephone number of a data subject, is in compliance with the requirements of the European Union’s General Data Protection Regulation (GDPR) and also in accordance with the national data protection regulations that apply to DPD (Schweiz) AG. In this data protection statement, our company aims to inform the general public about the nature, scope and purpose of the personal data which we process. The data protection statement also serves to inform data subjects about their rights.
As the data controller, DPD Switzerland has implemented numerous technical and organisational measures to ensure that personal data processed via this website is protected as comprehensively as possible. Nevertheless, any Internet-based transmission of data may suffer from security issues, so absolute protection cannot be guaranteed. For that reason, any data subject is free to give us their personal data by other means, for example by telephone.
1. Definition of terms
The DPD (Schweiz) AG data protection statement is based on the terms that were used by the European legislative and regulatory bodies in producing the GDPR. We intend our data protection statement to be easy for members of the public and our customers and business partners to read and understand. With this in mind, we would like to start by explaining some of the terms used.
In this data protection statement and on our website we use the following terms, among others:
a) Personal data
Personal data means any information relating to an identified or identifiable natural person (referred to below as the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b) Data subject
The data subject is that identified or identifiable person whose personal data is being processed by the data controller.
Processing means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction.
d) Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting its processing in future.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
g) Data controller or body responsible for data processing
A data controller or body responsible for data processing is the natural or legal entity, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for their nomination may be provided for under Union or Member State law.
h) Data processor
A data processor is a natural or legal entity, public authority, agency or other body which processes personal data on behalf of the data controller.
A recipient is a natural or legal entity, public authority, agency or other body to whom personal data is disclosed, regardless of whether they are a third party or not. Public authorities which may receive personal data in the context of a particular enquiry under Union or Member State law are not regarded as recipients.
j) Third parties
A third party is a natural or legal entity, public authority, agency or other body, other than the data subject, controller, processor or persons who, under the direct authority of the controller or processor, is authorised to process personal data.
Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, in the form of a statement or some other clear affirmative action, signifies that they agree to the processing of personal data relating to him or her.
2. Name and address of the data controller
The data controller within the meaning of the General Data Protection Regulation, other applicable data protection legislation in European Union member states, and other legal provisions which are related to data protection legislation, is:
DPD (Switzerland) AG — Mülibachstrasse 41 — 8107 Buchs ZH
3. Data Protection Officer
The Data Protection Officer who is responsible for data processing can be contacted at any time at:
Any data subject can contact our Data Protection Officer directly at any time if they have any questions or concerns about data protection.
By using cookies, DPD Switzerland can offer users of this website more user-friendly services, which would not be possible without using cookies.
5. Recording general data and information
Every time a data subject or an automated system accesses the DPD Switzerland website, the website records a series of general pieces of data and information. This general data and information is stored in log files on the server. Information that may be recorded includes (1) the browser type and version that is being used, (2) the operating system used by the computer system accessing the website, (3) the website from which an accessing system reaches our website (the so-called referrer), (4) the secondary websites to which an accessing system navigates on our website, (5) the date and time of access to the website, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system and (8) other similar data and information which serve to defend our system in the event of attacks on our IT systems.
DPD Switzerland is unable to identify the data subject by using this general data and information. Instead, this information is required in order to (1) display the content on our website correctly, (2) optimise the content on our website, and how it is displayed, (3) keep our IT systems and website technology functioning at all times and (4) be able to provide the law enforcement authorities with the necessary information to prosecute in the event of a cyber attack. This anonymously collected data and information are therefore analysed by DPD Switzerland, firstly statistically and secondly with the aim of improving data protection and data security at our company in order, ultimately, to guarantee the best possible level of protection for the personal data that we process. The anonymous data in the server log files is stored separately from all personal data provided by a data subject.
A data subject has the option of registering on the DPD Switzerland website by providing certain personal data. Which personal data is sent to DPD Switzerland depends on the entry template that is used for registration. The personal data that is provided by the data subject is collected and stored exclusively for internal use by DPD Switzerland and for its own purposes. DPD Switzerland may instruct it to be passed on to one or more data processors, for example a courier service provider, who also uses the personal data exclusively for an internal purpose attributable to DPD Switzerland.
During registration on the DPD Switzerland website, the IP address issued by the data subject’s Internet service provider (ISP), the date and the time of registration are also stored. The context for storing this data is that this is the only way to prevent misuse of our services and the data may, if necessary, help with the investigation of offences or breaches of copyright that have been committed. For that reason, storing this data is essential to safeguard DPD Switzerland. This data is never passed on to third parties unless there is a legal obligation to pass it on, or doing so assists in a prosecution or legal investigation.
If data subjects register and voluntarily provide their personal data, this helps DPD Switzerland to offer the data subject content or services which, by their nature, can only be offered to registered users. Furthermore, registration by a data subject enables us to monitor how copyrighted written text that we produce is being used, and to check the placing of links and attribution of copyright, as well as using the data for our own documentation purposes. Registered data subjects have the option of having the personal data which they provided on registration entirely deleted from the DPD Switzerland database.
On request, DPD Switzerland will inform any data subject at any time which personal data about that data subject it is storing. Furthermore, DPD Switzerland will correct or delete any personal data at the request, or on the instruction, of the data subject, unless there is a legal obligation to retain it. In this context, the Data Protection Officer named in this data protection statement, or any employee of the data controller, can serve as the point of contact for the data subject.
7. Routine deletion and blocking of personal data
DPD Switzerland processes and stores the personal data of a data subject only for the period necessary to fulfil the purpose for which it was stored, or as provided for by European legislative and regulatory bodies or some other legislator in laws or regulations by which DPD Switzerland is bound.
If the storage purpose no longer applies, or if a period of storage specified by European legislative and regulatory bodies or by another relevant legislator expires, the personal data is routinely blocked or deleted in accordance with legal requirements.
8. Rights of the data subject
a) Right to confirmation
Every data subject has the right to request from the data controller confirmation of whether their own personal data has been processed. If a data subject wishes to exercise this right to confirmation, they can do so at any time by contacting our Data Protection Officer or any other employee of DPD Switzerland.
b) Right of access
Every data subject affected by the processing of personal data has the right to obtain information free of charge from the data controller about the personal data that is being held about them, and a copy of that information. Furthermore, the European legislative and regulatory bodies have given data subjects access to the following information:
- the purposes of the data processing
- the categories of personal data that are processed
- the recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular recipients in third countries or at international organisations
- where possible, the envisaged period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period
- the existence of a right to have personal data concerning them corrected or deleted, or to have its processing by the data controller restricted, or to object to such processing
- the right to lodge a complaint with a supervisory authority
- where the personal data was not collected from the data subject: any available information about the origin of the data
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and – at least in those cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Furthermore, the data subject has the right to be informed whether the personal data has been transferred to a third country or an international organisation. Where that is the case, the data subject also has the right to be informed of the appropriate safeguards relating to that transfer.
If a data subject wishes to exercise this right of access, they can do so at any time by contacting our Data Protection Officer or any other employee of DPD Switzerland.
c) Right to correction
Every data subject affected by the processing of personal data has the right to request the immediate correction of incorrect personal data relating to them. Furthermore, the data subject also has the right, taking account of the purposes of processing, to request that incomplete personal data be completed — including by means of providing a supplementary statement.
If a data subject wishes to exercise this right to correction, they can do so at any time by contacting our Data Protection Officer or any other employee of DPD Switzerland.
d) Right to deletion (right to be forgotten)
Every data subject affected by the processing of personal data has the right to ask the data controller for the immediate deletion of the personal data relating to them, where one of the following reasons applies and where the processing is not required:
- The personal data was collected for such purposes or in such a way that it is no longer required.
- The data subject withdraws their consent on which the processing in accordance with Art. 6, paragraph 1 point (a) of the GDPR or Art. 9, paragraph 2 point (a) of the GDPR was based and there was no other legal basis for the processing.
- The data subject objects to the processing under Art. 21, paragraph 1 GDPR, and there are no overriding legitimate reasons for the processing, or the data subject objects to the processing under Art. 21, paragraph 2 GDPR.
- The personal data has been unlawfully processed.
- The deletion of the personal data is required to fulfil a legal obligation under Union law or Member State law to which the data controller is subject.
- The personal data was collected in relation to information society services offered in accordance with Art. 8, paragraph 1 GDPR.
If one of the above reasons applies and a data subject would like to request the deletion of personal data stored by DPD Switzerland, they can do so at any time by contacting our Data Protection Officer or any other employee of the data controller. The Data Protection Officer at DPD Switzerland or another employee will arrange for the deletion process to be carried out without delay.
Where the personal data has been disclosed by DPD Switzerland and where our company, as the data controller in accordance with Art. 17, paragraph 1 GDPR, is obliged to delete the personal data, then DPD Switzerland, taking account of the available technology and the cost of implementation, will take appropriate measures, including of a technical nature, to notify other bodies responsible for data processing which have processed the disclosed personal data that the data subject has asked for this other body responsible for data processing to delete all links to that personal data and any copies or duplicates of that personal data, provided the processing of it is not required. The Data Protection Officer at DPD Switzerland or another employee will, in individual cases, take the necessary action.
e) Right to restriction of processing
Any data subject affected by the processing of personal data has the right to ask the data controller to restrict processing where one of the following conditions applies:
- The accuracy of the personal data is disputed by the data subject, with the restriction lasting for a period enabling the data controller to verify the accuracy of the personal data.
- The processing is unlawful and the data subject refuses to have the personal data deleted and instead requests that the use of the personal data should be restricted.
- The data controller no longer requires the personal data for the purposes of the processing, but the data subject requires it in order to establish, exercise, or defend legal claims.
- The data subject has the right to object to processing in accordance with Art. 21, paragraph. 1 GDPR and it is not yet clear whether the legitimate grounds for processing of the data controller override those of the data subject.
If one of the above conditions applies and a data subject would like to request the restriction of personal data stored by DPD Switzerland, they can do so at any time by contacting our Data Protection Officer or any other employee of the data controller. The Data Protection Officer at DPD Switzerland or another employee will arrange for processing to be restricted.
f) Right to data portability
Any data subject affected by the processing of personal data has the right to be given the personal data relating to them which was provided by the data subject to a data controller, in a structured, commonly used and machine-readable format. They also have the right to transmit that data to another data controller without hindrance from the controller to whom that personal data was provided, where the processing is based on consent in accordance with Art. 6, paragraph 1 point (a) of the GDPR or Art. 9, paragraph 2 point (a) GDPR or on a contract in accordance with Art. 6, paragraph 1 point (b) GDPR and the processing is carried out by automated means, where the processing is not required in order to fulfil a task in the public interest, or is being carried out while exercising public authority vested in that data controller.
Furthermore, in exercising their right to data portability in accordance with Art. 20, paragraph 1 GDPR, the data subject has the right to have the personal data transferred directly from one data controller to another data controller, where this is technically possible and does not adversely affect the rights or freedoms of third parties.
If they wish to exercise their right to data portability, a data subject can contact the Data Protection Officer appointed by DPD Switzerland at any time, or any other employee.
g) Right to object
Any data subject affected by the processing of personal data has the right to object to the processing of personal data relating to them at any time for reasons arising from their specific circumstances, where the processing is based on Art. 6, paragraph 1 point (e) or (f) GDPR. The same applies to profiling based on the same terms.
In the event of an objection, DPD Switzerland will no longer process the personal data, unless we can demonstrate compelling defensible reasons for the processing which override the interests, rights or freedoms of the data subject, or the processing is required to establish, exercise or defend legal claims.
Where DPD Switzerland processes personal data for the purpose of direct marketing, the data subject has the right to object at any time to the processing of their personal data for such marketing. The same applies to profiling where it is related to such direct marketing. Where a data subject objects to DPD Switzerland about processing of the data for the purpose of direct marketing, DPD Switzerland will no longer process their personal data for such purposes.
The data subject also has the right to object, for reasons arising from their specific circumstances, to the processing of personal data relating to them which is carried out at DPD Switzerland for scientific or historical research purposes or statistical purposes in accordance with Art. 89, paragraph 1 GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.
To exercise their right of objection, a data subject can contact the Data Protection Officer at DPD Switzerland directly, or any other employee. A data subject may also exercise their right to object where this is in connection with the use of information society services, notwithstanding Directive 2002/58/EC, by automated means, using technical specifications.
h) Automated decision-making in individual cases, including profiling
Any data subject affected by the processing of personal data has the right not to be subject to a decision based solely on automated processing – including profiling – which has a legal effect on them or a similarly detrimental effect, provided that the decision (1) was not made in order to conclude or execute a contract between the data subject and the data controller, and (2) is authorised under the law of the European Union or Member State law to which the data controller is subject and that law contains appropriate measures for protecting the rights and freedoms and legitimate interests of the data subject or (3) is made with the explicit consent of the data subject.
If the decision (1) is necessary in order to conclude or execute a contract between the data subject and the data controller or (2) was made with the explicit consent of the data subject, DPD Switzerland will take appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject, comprising at least the rights to request intervention by a human being on the part of the data controller, to express their own point of view and to contest the decision.
If a data subject would like to exercise their rights in relation to automated decision-making, they can contact our Data Protection Officer at any time, or another employee of the data controller.
i) Right to withdraw consent relating to data protection
Any data subject affected by the processing of personal data has the right to withdraw their consent to the processing of personal data at any time.
If a data subject would like to exercise their right to withdraw consent, they can contact our Data Protection Officer or another employee of DPD Switzerland at any time.
9. Data protection in relation to job applications and during the application procedure
DPD Switzerland collects and processes the personal data of job applicants for the purposes of the application procedure. This processing may take place via electronic channels. This applies particularly where an applicant sends the required application documentation electronically, for example by e-mail, to the data controller. If DPD Switzerland concludes a contract of employment with an applicant, the data that was sent will be stored for the purposes of the employment relationship, in compliance with legal regulations. If DPD Switzerland does not enter into a contract of employment with the applicant, the application documents will be deleted no later than three months after the applicant has been notified of the rejection, provided such deletion does not adversely affect any other legitimate interests of the data controller. Statutory legal obligations relating to the burden of proof or retention requirements that go beyond the Data Protection Act may constitute legitimate interests in this sense.
10. Data protection policy relating to the application and use of Google Analytics (with anonymisation function)
DPD Switzerland has integrated the Google Analytics component (including anonymisation function) on this website. Google Analytics is a web analysis service. Web analysis is the measurement, collection and evaluation of data about the behaviour of users of websites. Among other things, a web analysis service records data about the website from which a data subject reached a website (known as the referrer), which sub‑pages of the website were accessed and for how long a sub-page was looked at. Web analysis is used mainly to optimise a website and for the cost-benefit analysis of online advertising.
The operating company for the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
The data controller uses the suffix “_gat._anonymizeIp” for web analysis via Google Analytics. With this suffix, the IP address for the data subject’s Internet connection is abbreviated and anonymised by Google, when the access to our website is from a European Union member state or another state that is a signatory to the Agreement on the European Economic Area.
The purpose of the Google Analytics component is to analyse the flow of visitors to our website. Google uses the data and information that it obtains to evaluate the use of our website in order to compile online reports for us showing the activity on our website, and to provide us with additional services in connection with the use of our website.
Google Analytics places a cookie on the data subject’s IT system. What cookies are, has already been explained above. Placing the cookies enables Google to carry out the analysis of how our website is being used. Every time one of the individual pages on this website – which is operated by the data controller and on which a Google Analytics component has been integrated – is accessed, that Google Analytics component automatically causes the web browser on the data subject’s IT system to send data to Google for online analysis. In the course of this technical procedure, Google acquires knowledge of personal data such as the IP address of the data subject, which Google uses, among other things, to identify where visitors and clicks are coming from so that commission payments can subsequently be calculated.
Through the cookie, personal information such as the time and place of access, and the frequency of visits to our website by the data subject is stored. For every visit to our website, this personal data, including the IP address of the Internet connection used by the data subject, is sent to Google in the United States of America. This personal data is stored by Google in the United States of America. In some circumstances, Google may pass the personal data that is collected in this technical procedure on to third parties.
As described above, data subjects can prevent cookies being placed by our website at any time by making the necessary setting on the web browser they use, and so permanently refusing the placing of cookies. Making such a setting on the web browser would also prevent Google from placing a cookie on the data subject’s IT system. Furthermore, a cookie that has already been placed by Google Analytics can be deleted at any time via the web browser or another software program.
More information, and Google’s applicable data protection policy, can be downloaded from https://www.google.de/intl/de/policies/privacy/ and http://www/.google.com/analytics/terms/de.html. Google Analytics is explained in more detail here: https://www.google.com/intl/de_de/analytics/.
11. Data protection policy on the application and use of Google AdWords
DPD Switzerland has integrated Google AdWords on this website. Google AdWords is a service for online advertisers that allows them to place advertisements in Google search engine results and on the Google advertising network. Google AdWords enables an advertiser to define in advance certain keywords such that an advertisement is only displayed in the Google search engine results if the user calls up a search result that includes the keyword when using the search engine. On the Google advertising network, advertisements are assigned to relevant websites on the basis of an automatic algorithm and taking account of the pre‑set keywords.
The operating company for Google AdWords services is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
The purpose of Google AdWords is to advertise our website by displaying relevant advertisements on the websites of third‑party companies and in the search results found by the Google search engine, and to display other companies’ advertising on our website.
If a data subject reaches our website via a Google AdWords advertisement, a so-called conversion cookie is placed on the data subject’s IT system by Google. What cookies are has already been explained above. A conversion cookie becomes invalid after thirty days and cannot be used to identify the data subject. Until the conversion cookie expires, it shows whether certain sub‑pages, for example the shopping basking of an online shopping system, have been called up on our website. The conversion cookie enables both us and Google to see whether a data subject who reached our website via a Google AdWords advertisement generated any turnover, i.e. completed or cancelled a purchase.
The data and information gathered by the use of conversion cookies are used by Google to compile visitor statistics for our website. We in our turn use these visitor statistics to calculate the total number of users who were sent to us by Google AdWords advertisements, i.e. to work out the success or failure of each Google AdWords advertisement and optimise our Google AdWords advertisements for the future. Neither our company nor any other advertising company using Google AdWords obtains any information from Google which could be used to identify the data subject.
The conversion cookie is used to store personal information such as the websites visited by the data subject. Consequently, for every visit to our website, personal data, including the IP address of the Internet connection used by the data subject, is sent to Google in the United States of America. This personal data is stored by Google in the United States of America. In some circumstances, Google may pass the personal data that is collected in this technical procedure on to third parties.
As described above, data subjects can prevent cookies being placed by our website at any time by making the necessary setting on the web browser they use, and so permanently refusing the placing of cookies. Making such a setting on the web browser would also prevent Google from placing a conversion cookie on the data subject’s IT system. Furthermore, a cookie that has already been placed by Google AdWords can be deleted at any time via the web browser or another software program.
The data subject also has the option of objecting to an advertisement placed by Google relating to their interests. To do this, the data subject needs to call up the link www.google.de/settings/ads from each web browser that they use and make the required settings there.
More information and Google’s relevant data protection policy can be called up at https://www.google.de/intl/de/policies/privacy/.
12. Data protection policy on the application and use of YouTube
DPD Switzerland has incorporated components of YouTube on this website. YouTube is an Internet video portal which enables video publishers to post video clips free of charge and enables other users to view, review and comment on those videos, also free of charge. YouTube allows the publication of all types of video, consequently both complete films and television broadcasts and music videos, trailers and videos made by the users themselves can be called up via the Internet portal.
The operating company for YouTube is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
Every time a sub‑page of this website, which is operated by the data controller and on which a YouTube component (YouTube video) has been integrated, is accessed, that YouTube component automatically causes the web browser on the data subject’s IT system to download a version of that YouTube component from YouTube. More information about YouTube can be found at https://www.youtube.com/yt/about/de/. In the course of this technical procedure, YouTube and Google acquire knowledge about which specific sub-page of our website was visited by the data subject.
If that data subject is simultaneously logged in to YouTube, then, when a sub-page containing a YouTube video is accessed, YouTube can tell which specific sub-page of our website the data subject is visiting. This information is gathered by YouTube and Google and associated with that data subject’s YouTube account.
YouTube and Google are sent information by the YouTube component about the fact that the data subject has visited our website whenever the data subject is simultaneously logged into YouTube at the time when they call up our website; this occurs regardless of whether the data subject clicks on a YouTube video or not. If a data subject does not want this information sent in this way to YouTube and Google, they can stop it from being sent by logging out of their YouTube account before accessing our website.
The data protection policy published by YouTube, which can be found at https://www.google.de/intl/de/policies/privacy/, provides information about how personal data is collected, processed and used by YouTube and Google.