As a provider of postal services it is the primary task of DPD to apply the very latest technical standards in delivering shipments on behalf of consignors securely and reliably to consignees, and at the same time in meeting all the statutory requirements and the necessary protection of confidentiality, availability and integrity in relation to the data entrusted to DPD.
As a company under private law DPD is in particular subject to the provisions of the the EU General Data Protection Regulation (GDPR), the latest version of the Federal Data Protection Act (BDSG new), the Postal Services Act (PostG).
For this reason we process your data as a rule on the basis of Art. 6 (1a – consent), 6 (1b – contractual relationships), 6 (1c – legal requirements) and 6 (1f -legitimate interest) of the GDPR, §26 BDSG new (employee data) and §39, §41, §41a-§41c of the Postal Services Act (PostG) (shipment, invoicing and master data). Further information is provided below and within the descriptions of individual services.
You can contact Michael Mayer, our Data Protection Officer, at [email protected]. If anything is not clear to you please do not hesitate to get in touch with our Data Protection Officer.
If you have any questions relating to parcel shipping with DPD, please use our contact form.
If you wish to assert your rights in accordance with Article 15-22 GDPR, you can use our data policy contact form. (Please note that this form is not to be used for questions relating to parcel shipping). It also enables you to request information about your data, together with the blocking, correction and deletion of such data. If in your opinion we have a data or security leak, you can also report it there. DPD will check your concern, contact you in the event of questions, or provide you with the relevant answer. Please note that emails do not necessarily come from DPD simply because this is indicated in the address of the sender, and treat any suspicious replies or enquiries accordingly. DPD will never ask you for a password or any other confidential identifying feature. At most we will require from you the number of your shipment, parcel notification number, recipient postcode or if relevant your customer number.
The regulatory authority responsible for DPD is the
Federal Commissioner for Data Protection and Freedom of Information,
Referat 22 Postdienste, Wirtschaftsverwaltung, Husarenstr. 30, D-53117 Bonn
For what purpose do we process your data?
Where do we receive your data from, and what data is involved? DPD receives data for processing from various sources and for various purposes.
If you are a consignor we receive your data when you contact us, visit one of our shipping websites or ship parcels with us. For this purpose we save your invoice address, details of pickup times, contact persons or selected/offered products. As a rule we receive this data directly from you, or in rare cases you are brought to our attention via the Internet or our sales partners.
If you are a consignee we receive your data from consignors. They provide us with your data, as well as information about the parcel or notification instructions, mainly in electronic form or via their own or our shipping systems. They normally do so in that they have entered into a contractual relationship with you in accordance with Article 6(1b) GDPR, and we require the data in order to deliver the goods you have ordered from the consignor. In addition we naturally receive your data from other providers of postal services which act on our behalf in delivering shipments, e.g. if the shipment comes from abroad and if a different provider of postal services which cooperates with us has been entrusted there with the delivery.
If you are a system partner, parcel shop operator or delivery driver we receive your data when you get in touch with us or with a system partner with the intention of working for us. On the basis of a number of statutory requirements and a specific amount of legitimate interest we are obliged to collect a certain amount of further information about you. This ranges from background checks to insurance protection, the vehicles used, existing licences and permits, or further information. If you are a visitor to our website we receive your data via various website functions. For this purpose we apply cookies or request information from you directly. Our priority is to optimise the presentation of our website and to provide you with information about our services. You can at any time restrict the services or deactivate them completely by using a link or making the appropriate selection. (Please see “Web analysis, cookies and third party serices”).
If you are an applicant for a job we receive your data when you get in touch with us and send us your application. We use the data only for our own purposes.
Who do we transmit your data to?
DPD transmits your data to various locations, but only for the intended purposes. This also includes locations outside the European currency area, if the place of delivery is located there.
If you are consignor we send your data mainly to our depots, which are responsible for collecting your shipments, and to the local system partners and drivers who are involved.
If you are a consignee we send your data exclusively to the relevant consignors, system partners, parcel shops and delivery drivers (or other providers of postal services who may be involved in the delivery also in other countries). If a parcel happens to be damaged we also send your data to our insurance company.
Shipment data or details of the contents of shipments will only be transmitted or made available to third parties in exceptional circumstances. Such third parties are above all the customs authorities, the prosecution service or insurance companies. You can obtain information about the status of shipments at any time via our app or the tracking functions on our website. This information is only available to authorised users and can only be obtained by the entry of the consignee postcode and the parcel number.
Job application documents are received at our company only by the relevant department or by our system partners in the case of applications for work as delivery drivers, and are subject to the relevant consent.
In order to maintain our privileged customs status as an "Authorised Economic Operator (AEO)" and to avoid fines for violations of the EU anti-terrorism regulations (EC 881/2002 and 2580/2001) and the Foreign Trade and Payments Act (AWG), at defined intervals we check the names and addresses of shippers, consignees, partners and employees against the official sanction list databases.
In some cases we also use service providers for the implementation of tasks and activities on our behalf. Unless they operate on our behalf as part of the logistics chain, all such service providers are under an obligation to comply with our instructions on the processing of data as specified in an appropriate service contract. DPD does not rent, lend or sell personal data to third parties. However, data can be passed on to companies connected with DPD as part of the company group, and can be processed jointly in accordance with Art. 26 GDPR.
Who can you contact if you wish to reject the processing of your data, or to have your data corrected or deleted?
If you have a special wish involving the rejection or the processing of your data or instructions relating to its correction or deletion, you can simply use our contact form and select the relevant option.
How long will your data be stored?
As is the case with all other companies under private law, DPD has to comply with specific regulations relating to the storage of data. This includes above all retention periods in accordance with tax legislation, e.g. relating to consignment notes, tour plans and delivery lists, damage reports, claims, invoices and balance sheets. In addition, for security reasons we store the tracking data for parcels for a period of time which varies per platform between 30 and 180 days.In the absence of consent to a longer storage period, job application documents will be deleted in accordance with data protection legislation at the latest within six months after the rejection of the application.DPD account data is deleted two years after the deactivation of the account. Rejections of delivery notifications (Predict) are stored in a blocking list until the rejection is withdrawn.
For the length of storage relating to cookies, please see our list in Web analysis, cookies and third party serices.
In the process your IP address is immediately anonymised, so that as a user you remain anonymous to us. The information generated by the cookie about your use of the website is not passed on to third parties.If you have activated the “Do not track” setting in your browser, no data will be saved by Matomo. Please note: if you delete your cookies, the consequence may be that the opt-out cookie is also deleted and may need to be reactivated by you.
In order to optimise our service we apply Google Analytics and our own statistical analyses. Google Analytics is a web analysis service provided by Google, which is used for purposes of market research and for ensuring that the service meets user requirements. Google Analytics uses “cookies”, which are placed on your computer to make it possible to analyse how you make use of the service. The information generated by the cookies about the use of the service (including the user’s anonymised IP address) is as a rule transmitted to and stored by Google on servers in the United States . Google uses this information in order to evaluate your use of the service and to create reports on activities for the operator of the service. Google may also transmit this information to third parties if this is prescribed by law, or if third parties process the data on behalf of Google. On no account will Google connect your IP address with other Google data. At http://tools.google.com/dlpage/gaoptout?hl=de you can, with effect for the future, opt out of the recording and saving of your data at any time. In addition we use the remarketing functions and reports on demographic features and interests provided by Google Analytics in order to display to visitors of the website targeted advertisements on the partner websites of the Google display and search network. The saving of cookies enables user behaviour to be analysed and interest-based advertising to be activated. At http://www.google.de/settings/ads you can, with effect for the future, opt out of the recording and use of your data for advertising purposes.
The legal basis for the application of Google Analytics is Art. 6 (1f) GDPR. Sessions and campaigns are terminated after the expiry of a specific period of time.
Google DBM and DFP (Doubleclick for Publisher) Small Business Server
All the cookies we set, together with their purpose and duration, are shown in the following table:
Under the name "myDPD" DPD Deutschland GmbH, Wailandtstraße 1, 63741 Aschaffenburg, Germany, provides digital platforms on web servers or mobile terminals which enable shippers and consignees to send parcels and to monitor or manage their delivery. These functions are referred to below as the "service" or "services". myDPD distinguishes between private and commercial use of the services.
Basically the service can be used without registration. To be able to use the convenience functions, however, registration is required. This is done either by registering via the service with an email address and password or by using an existing Facebook or Google account. DPD does not transmit any parcel information to Facebook or Google in this respect, and only uses these services for authentication purposes. After authentication, a uniform DPD account is created for all our services. Commercial customers need to request their access data directly through their sales contact.
"Login with Facebook"
"Login with Google"
DPD processes the following data from you in order to provide the relevant services and information: email address, mobile phone number, password, a standard postcode (usually your recipient postcode), Predict status (whether you want parcel notifications or not), the names of the devices you use, and shipment related information from our delivery systems.
Whether or not our service may send you messages is up to you to decide on the settings of theapp in your mobile device, or in the user account of the services.
"Login with netID"
If you use the netID button when logging in to DPD, you can register or log in with your netID account. You will then be redirected to the netID website. Your email address, which is stored with netID, is required for the login. This is necessary for identification in order to create a secure DPD account for you and is stored with us. Your netID profile and your DPD account will be permanently linked via the email address. You can remove this link at any time on the netID website.
DPD does not learn your netID access data at any stage. You can read how netID handles privacy settings in the netID privacy notices; these are also the applicable requirements for this possibility for logging in and registering with DPD.
Credit rating assessment
To assess the creditworthiness of new customers, we use a probability value (score procedure) based on automated mathematical-statistical procedures for commercial customers provided by e-crefo GmbH, Hellersbergstraße 12, 41460 Neuss, and for private customers from Creditreform Boniversum GmbH, Hellersbergstraße 11, 41460 Neuss. We use this information as a decision-making aid. Subjective value judgements or personal financial circumstances are not queried. Data is only stored and transmitted if this is necessary to safeguard the legitimate interests of DPD Deutschland GmbH. We would also like to draw your attention to the fact that if e-crefo GmbH has insufficient data about the company concerned at the time when commercial customers apply to us, in individual decisions we will also request a probability value for the owner or managing director of the company concerned at Creditreform Boniversum GmbH, Hellersbergstraße 11, 41460 Neuss. In order not to unreasonably disadvantage your interests in individual cases with the credit assessment, DPD weighs the various interests involved. If the credit check is negative, DPD reserves the right to change the terms of payment.
Use of the platform
The platform makes it easier for shippers to transfer data to DPD as part of their shipping orders and to manage the addresses required for this purpose. DPD uses this data exclusively for shipment processing as described under the section on the "DPD parcel delivery service". The basis for the use of the platform is the transmission of data for the performance of postal services in accordance with Article 6(1b) of the GDPR and the Postal Act on the basis of the resulting shipping order.
Advertising / information
If you have previously given us your consent under "Profile" or (insofar as statutory regulations provide for this) have not objected, we process and use this data for our own product-related information, surveys, competitions and marketing purposes. We may use service providers for this purpose. These work exclusively in accordance with our instructions under the terms of order processing in accordance with Article 28ff GDPR.
DPD processes the data stored on the platforms only as long as it is legally required. Sometimes you can delete the data yourself (if this does not violate legal retention periods). We will maintain your myDPD account until you delete it yourself under your "Profile". Shipment data is stored in varying levels of detail between 40 days and 10 years. We keep invoice information for 7/11 years.
Matomo und Google Analytics
In order to optimise our service we apply Google Analytics and Matomo. Details on the use of these services are described above under Web analysis, cookies and third-party services. DPD only makes data from the use of the services and about the service itself to available authorised internal users.
In order to ensure the correct delivery of shipments to the right consignee DPD requires a range of data, which is as a rule provided by the consignor. In addition to details of the address, parcel type and parcel shipping options, the data may include further information which will, for example, enable us to notify the consignee of the delivery or when parcels are picked up at the parcel shop (e.g. ID card/passport number). In compliance with postal legislation and the regulations on data protection in postal services, DPD processes this data in a shipment-related way and only for delivery purposes. The details which are provided are used exclusively within the DPD network for delivering shipments and invoicing services, or for clarifying issues relating to shipments (e.g. transport damage). DPD does not use consignee data for advertising purposes or for other personal analyses. Findings from DPD's delivery processes are only used in an anonymised form for the purpose of optimising delivery operations. Your data is not sold, rented out or exchanged. If we provide data to external service providers, this is implemented on the basis of Art. 28 EU GDPR (processing of orders) or other data protection regulations.
DPD also appears in a number of social networks. These include Facebook, Instagram, Twitter, Xing and YouTube. DPD provides its services on these platforms under the data protection provisions of the individual platform operator and has no direct responsibility for the way the operator processes data. Any findings from this data are used only for internal purposes and direct consultation. DPD wishes to point out that these platforms are in themselves public and anything which is posted on them can as a rule be read by all users. DPD will not provide shipment-related information or details of personal data in any public forum via these platforms.
With this service the consignee receives advance notification of shipments sent by the consignor in the form of an email or SMS text message, notifying the consignee when the shipment will be delivered and the arrangements for the delivery. For this purpose the consignor (shipping customer) provides DPD with the necessary supplementary information, such as the email address or mobile number of the consignee.
One possible basis for the transmission of such data to DPD on the part of the consignor is, from the DPD point of view, Article 6 (1f) EU GDPR (“Processing of data for the safeguarding of justified interests”).
Grounds: the transmission of the data is implemented in the legitimate interests of both the consignor and of DPD as the postal service provider, in order to avoid incorrect deliveries (which serves to protect postal secrecy) and to ensure customer-friendly determination of the time and place of delivery on the part of the party concerned (consignee). The basis for the processing of the data between the consignor and the consignee is as a rule an order, or a contractual or similar relationship with the party concerned in accordance with Article 6 (1b) EU GDPR. In the process DPD functions as the service provider (provider of postal services). The transmission of the additional information does not restrict any interests of the party concerned which require protection, or that party’s fundamental rights and freedoms. The party concerned can reject the processing of this supplementary information at both locations. Predict notifications are not advertising aimed at promoting DPD’s own sales or that of an outside company, but serve the implementation of the delivery process for goods which have already been ordered.
DPD processes this data exclusively for this purpose and for no other purpose. For purposes of dealing with complaints or invoicing, the data is recorded in relation to the individual shipment and saved, also in relation to the individual shipment, in our shipping archives in accordance with statutory provisions relating to archiving periods. Shipping customers are responsible for ensuring the correctness of the information provided to DPD about the email addresses and telephone numbers of their customers (consignees), as well as with regard to the correct spelling, syntax and allocation to a specific shipment. If DPD has received instructions from a consignee blocking the transfer of information by email or SMS, DPD is under an obligation to follow these instructions and to terminate the service to the relevant consignee. There will be no message to the shipping customer that this service has been blocked by the consignee.
As part of DPD’s Predict-Service, consignors can also provide customers with information about themselves in the form of banner advertising. In addition to the company name and address, the customer’s banner can contain the company logo, the website URL and a company slogan/claim, but no advertising content that goes beyond this in the for
m of texts or images. DPD undertakes towards shipping customers not to send any advertising of its own to their customers (consignees).
Consignees who wish to block their email address for the Predict-Service should send an informal notice of cancellation to [email protected] indicating their name, address and the email address which is to be blocked. The effect of blocking the email address will be that the consignee will receive no further email notifications from us relating to shipments.
Suggested text for instructions in the privacy policies of DPD’s shipping customers from 25.5.2018:
”During shipping operations we transmit, on the basis of Art. 6 (1f) of the EU’s General Data Protection Regulation, your data (name, address, if necessary email address and/or mobile phone number for notification options and re-directions, together with further shipment-related data) to our shipping partner DPD Deutschland GmbH. You can reject the transmission of supplementary information such as email or mobile phone data both with us […add customer contact address…] and with DPD direct under [email protected] or, in the case of all parcel notifications, via a link.“
When you send us your online application you declare your consent to the electronic processing of your data, as described below.
Information which is required and recorded
As part of the application procedure, the DPD group of companies* only record and process the personal data which you submit to us or have entered in the application form.
Who has access to your data
Access to your data is only provided to such persons who have been trained in the relevant aspects of data protection and data security, and are subject to a contractual obligation of non-disclosure. The data which you make available in a concrete application is only seen by such persons who are responsible for filling the relevant vacancy. These are in particular HR staff within the company to which you apply, as well as any potential line managers.
Of course your data will not be used for any other purposes than for the application procedure, and will never be used for advertising purposes. Under no circumstances will your data be passed on to companies or persons outside the DPD group of companies.
Beyond the application procedure itself your application data may only be made available to other companies in the DPD group of companies for the purpose of filling other possible vacancies. If you do not agree to this, you can revoke your consent by sending an email to [email protected].
A variety of security procedures are used to protect the application data which is collected. The use of the latest technologies such as secure servers, firewalls and the encryption of application data protects against unauthorised access to your personal data. The security standard involved is continuously reviewed and adapted to the latest technological developments.
Deletion of data
Data which is provided in connection with a specific unsuccessful application for an advertised vacancy is deleted six months after the applicant has been notified. Applications which are included in the pool of applicants are automatically deleted after one year.
Possibility of submitting an application on paper
You of course have the option of submitting your application documents to us on paper instead of electronically. However, please note that we do not return written application documents, and subsequently destroy them in accordance with data protection regulations.
Right of revocation
You have the right to revoke at any time the consent you have provided us with, as well as the right to request information at any time about the data we collect. In order to assert these rights, or any other rights you may have under data protection regulations, please also contact [email protected].
The responsible regulatory body in relation to data protection is the Federal Officer for Data Protection and Freedom of Information, who can be contacted as follows: Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, Referat 24, Husarenstraße 30, in 53117 Bonn.
*DPD Deutschland GmbH, DPDgroup International Services GmbH & Co. KG,
GeoPost International Management & Development Holding GmbH, iloxx GmbH
DPD Deutschland GmbH offers you the opportunity to apply online to work with us as a delivery driver or system partner. For this purpose we collect specific data from you.
From delivery drivers:
As DPD does not employ its own drivers, we evaluate your data and then pass it on to a suitable system partner. By providing your consent at the end of the data collection you agree that the recorded data – as displayed on the screen – can be passed on to a system partner. After the data has been passed on it will then be processed. We delete your data after 6 months.
From system partners:
To qualify as a system partner to DPD, the relevant person/company must have a business licence and a permit to transport goods. We will contact you after using the data which you provide for preliminary classification purposes. The data is used by us exclusively for selection and checking purposes, and will be deleted after 6 months if you cannot be considered as a system partner.
DPD Financial Services is a service for the processing of electronic invoices. The service is operated on behalf of DPD by DATEV eG, Nuremberg.
Your data is saved by DPD on specially protected servers in Germany. Access to the servers is only available to a small number of specially authorised persons who are in charge of the technical, commercial or editorial support of the servers. DPD has taken precautions in order to ensure the security of your personal data. Your data will be conscientiously protected against loss, destruction, falsification, manipulation and unauthorised access or publication. The communication with our Financial Services online is also implemented by encrypted connections using special safety precautions. DPD uses session cookies for the identification of authorised users. These small text files, which your Internet browser administers and saves on your computer, are automatically deleted once more when you log out of Financial Services.
To assess the creditworthiness of (new) customers and suppliers, we use probability values based on automated mathematical-statistical procedures ("scoring"). These are determined by prestigious credit agencies and commercial credit insurers on our behalf. For this purpose, we pass on data to these service providers on the basis of corresponding contractual agreements verified under data protection law. In order not to disadvantage your interests unreasonably in individual cases with the credit assessment, DPD weighs up the interests involved. If the credit assessment is negative, DPD reserves the right to restrict the terms of payment, to change them or to put the cooperation to the test.
If you use our contact forms to contact us in electronic form, your voluntarily provided personal data will be collected and stored.
We use the personal data provided by you exclusively for the purpose of answering your inquiry and fulfilling your requirements.
The processing of the personal data from the contact form serves us primarily for the purpose of responding to the establishment of contact.
The data is processed primarily for the fulfilment of the contract in accordance with Art. 6 1 b GDPR, as well as for the protection of legitimate interests in accordance with Art. 6 1 f GDPR. A justified interest on the part of DPD is, in particular, to ensure efficient processing and service, and to improve these on a permanent basis.
Your data will be stored as long as it is necessary to process the relevant contact enquiries.
The data collected via this website in connection with long-distance transport tenders and contracts (both regular and ad-hoc transport) is used only for the purpose of processing offers and enquiries between you and the DPD company or partner (DPD depot) involved. The data is not transferred by DPD or a third party. System partners to DPD Deutschland GmbH in long-distance transport must have the necessary creditworthiness as well as the licences and permits required for long-distance transport operations. If the portal is not used for 6 months, the data collected during the registration process is deleted again.
DPD distinguishes between the following applications of video technology
These are then used for the following purposes:
The underlying legal basis for Purposes 1 and 2 is provided by Article 6 (1f) GDPR and postal secrecy in accordance with §39 PostG and Article 6 (1c) GDPR, the Customs Code Implementing Provisions (based on the Customs Code of the EU / Directive (EU) No. 952/2013), and by the conclusion of works agreements with the responsible works councils on the basis of §26 Federal Data Protection Act and the Works Constitution Act, which can be inspected on site.
The storage period is 40 days, and 12 months in the case of still images.
On myDPD you have the possibility to register for our free newsletter by email. The newsletter informs you regularly about the latest information relating to our offers and services.
When you register for the newsletter, the personal data to be entered is transmitted to us from the input mask. For this purpose you have to enter your email address as a mandatory field. The purpose of collecting the email address is to ensure that emails are delivered correctly. In some cases, further voluntary details are requested for the individual dispatch of information such as your surname, first name and address data. In addition, your IP address and the date and time of the enquiry are automatically collected and stored.
Data collection during registration and double opt-in
When you sign up for our newsletter for the first time, a confirmation email will be sent to the email address you have provided. This confirmation email contains a link that you have to click on in order to confirm your registration. This so-called double opt-in procedure serves to check whether the owner of the email address has actually authorised receipt of the newsletter and agrees to receive this newsletter.
All registration processes are logged, so that it can be proved that the registration process was implemented in accordance with the applicable legal requirements. This includes the storage of the times of registration and confirmation, as well as the data transferred to us.
If consent has been provided by the user, the legal basis for the processing of the data after registration by the user for the newsletter is Art. 6 1 a GDPR.
Use of newsletter service providers
We use the services of external service providers for the dispatch and evaluation as well as for the technical processing of our newsletters. These services are under an express obligation to comply with data protection regulations on the basis of Art. 28 EU GDPR.
We record your use of our newsletter, such as when emails are opened or clicked on, using tracking technology provided by the service provider.
This allows our service provider to report the success or failure of an email campaign, so that we can optimise the content of our newsletter. We regard the advertising purpose behind this as our legitimate interest within the meaning of Art. 6 1 f GDPR.
Duration of storage, right of revocation
The personal data which is processed in the context of the subscription to and the dispatch of the newsletter is stored by us for as long as the subscription to the newsletter is active. You can cancel your subscription to the newsletter and your consent to the processing of your data for the abovementioned purposes at any time via the unsubscribe link provided in the newsletter.
A separate revocation regarding the described tracking is not possible. However, you have the option of configuring the email programme you use so that emails are displayed in text form and not in HTML format. This hides image and graphic files so that tracking is not possible. In these cases, however, the newsletter will not be displayed in full and you may not be able to use all the available functions.
The eSolutions portal offers solutions for various DPD services. Various DPD shipping applications and interfaces as well as information on the offers of our partners are available to consignors and consignees. In addition, we offer documentation and implementation guides to all application developers who want to access our systems. Test systems are also available for DPD web services, for example to use the cloud parcel label printing function.
If you log into our portal to use our services or request information about the services or use our test servers, these activities are logged for security purposes within the framework of our security concept on the basis of Article 6 (1f) GDPR. Only a few administrators are allowed access to it and the logs are used exclusively for the prosecution of criminally relevant enquiries.
On our website we also offer users a chatbot so that they can get in touch with us. The data is entered into an input mask, transmitted to us and saved. The data is stored in our computer centres in Germany and France. We store this data for a period of six months, after which it is automatically deleted. The data can also be deleted beforehand on request. The data is not passed on to third parties. Insofar as the information collected in this way is personally identifiable, it will be processed in accordance with Art. 6 Section 1 lit. f GDPR on the basis of our legitimate interest in providing an effective customer service.