As a provider of postal services it is the primary task of DPD to apply the very latest technical standards in delivering shipments on behalf of consignors securely and reliably to consignees, and at the same time in meeting all the statutory requirements and the necessary protection of confidentiality, availability and integrity in relation to the data entrusted to DPD.
As a company under private law DPD is in particular subject to the provisions of the the EU General Data Protection Regulation (GDPR), the latest version of the Federal Data Protection Act (BDSG new), the Postal Services Act (PostG) and the resulting Directive on Data Protection in Postal Services (PDSV).
For this reason we process your data as a rule on the basis of Art. 6 (1a - consent), 6 (1b - contractual relationships), 6 (1c - legal requirements) and 6 (1f -legitimate interest) of the GDPR, §26 BDSG new (employee data) and §5 PDSV (shipment, invoicing and master data). Further information is provided below and within the descriptions of individual services.
You can contact Michael Mayer, our Data Protection Officer, at email@example.com. If anything is not clear to you please do not hesitate to get in touch with our Data Protection Officer.
If you have any questions relating to parcel shipping with DPD, please use our contact form.
If you wish to assert your rights in accordance with Article 15-22 GDPR, you can use our data policy contact form. (Please note that this form is not to be used for questions relating to parcel shipping). It also enables you to request information about your data, together with the blocking, correction and deletion of such data. If in your opinion we have a data or security leak, you can also report it there. DPD will check your concern, contact you in the event of questions, or provide you with the relevant answer. Please note that emails do not necessarily come from DPD simply because this is indicated in the address of the sender, and treat any suspicious replies or enquiries accordingly. DPD will never ask you for a password or any other confidential identifying feature. At most we will require from you the number of your shipment, parcel notification number, recipient postcode or if relevant your customer number.
The regulatory authority responsible for DPD is the
Federal Commissioner for Data Protection and Freedom of Information,
Referat 24, Husarenstr. 30, D-53117 Bonn
Concrete data protection information relating to individual products or services:
For what purpose do we process your data?
Where do we receive your data from, and what data is involved?
DPD receives data for processing from various sources and for various purposes.
If you are a consignor we receive your data when you contact us, visit one of our shipping websites or ship parcels with us. For this purpose we save your invoice address, details of pickup times, contact persons or selected/offered products. As a rule we receive this data directly from you, or in rare cases you are brought to our attention via the Internet or our sales partners.
If you are a consignee we receive your data from consignors. They provide us with your data, as well as information about the parcel or notification instructions, mainly in electronic form or via their own or our shipping systems. They normally do so in that they have entered into a contractual relationship with you in accordance with Article 6(1b) GDPR, and we require the data in order to deliver the goods you have ordered from the consignor. In addition we naturally receive your data from other providers of postal services which act on our behalf in delivering shipments, e.g. if the shipment comes from abroad and if a different provider of postal services which cooperates with us has been entrusted there with the delivery.
If you are a system partner, parcel shop operator or delivery driver we receive your data when you get in touch with us or with a system partner with the intention of working for us. On the basis of a number of statutory requirements and a specific amount of legitimate interest we are obliged to collect a certain amount of further information about you. This ranges from background checks to insurance protection, the vehicles used, existing licences and permits, or further information.
If you are a visitor to our website we receive your data via various website functions. For this purpose we apply cookies or request information from you directly. Our priority is to optimise the presentation of our website and to provide you with information about our services. You can at any time restrict the services or deactivate them completely by using a link or making the appropriate selection. (Please see “Web analysis, cookies and third party serices”).
If you are an applicant for a job we receive your data when you get in touch with us and send us your application. We use the data only for our own purposes.
Who do we transmit your data to?
DPD transmits your data to various locations, but only for the intended purposes. This also includes locations outside the European currency area, if the place of delivery is located there.
If you are consignor we send your data mainly to our depots, which are responsible for collecting your shipments, and to the local system partners and drivers who are involved.
If you are a consignee we send your data exclusively to the relevant consignors, system partners, parcel shops and delivery drivers (or other providers of postal services who may be involved in the delivery also in other countries). If a parcel happens to be damaged we also send your data to our insurance company.
Shipment data or details of the contents of shipments will only be transmitted or made available to third parties in exceptional circumstances. Such third parties are above all the customs authorities, the prosecution service or insurance companies. You can obtain information about the status of shipments at any time via our app or the tracking functions on our website. This information is only available to authorised users and can only be obtained by the entry of the consignee postcode and the parcel number.
Job application documents are received at our company only by the relevant department or by our system partners in the case of applications for work as delivery drivers, and are subject to the relevant consent.
In some cases we also use service providers for the implementation of tasks and activities on our behalf. Unless they operate on our behalf as part of the logistics chain, all such service providers are under an obligation to comply with our instructions on the processing of data as specified in an appropriate service contract. DPD does not rent, lend or sell personal data to third parties. However, data can be passed on to companies connected with DPD as part of the company group, and can be processed jointly in accordance with Art. 26 GDPR.
Who can you contact if you wish to reject the processing of your data, or to have your data corrected or deleted?
If you have a special wish involving the rejection or the processing of your data or instructions relating to its correction or deletion, you can simply use our contact form and select the relevant option.
How long will your data be stored?
As is the case with all other companies under private law, DPD has to comply with specific regulations relating to the storage of data. This includes above all retention periods in accordance with tax legislation, e.g. relating to consignment notes, tour plans and delivery lists, damage reports, claims, invoices and balance sheets. In addition, for security reasons we store the tracking data for parcels for a period of time which varies per platform between 30 and 180 days.In the absence of consent to a longer storage period, job application documents will be deleted in accordance with data protection legislation at the latest within six months after the rejection of the application.DPD account data is deleted two years after the deactivation of the account. Rejections of delivery notifications (Predict) are stored in a blocking list until the rejection is withdrawn.
For the length of storage relating to cookies, please see our list in Web analysis, cookies and third party serices.
If you have activated the “Do not track” setting in your browser, no data will be saved by Matomo. Please note: if you delete your cookies, the consequence may be that the opt-out cookie is also deleted and may need to be reactivated by you.
In order to optimise our service we apply Google Analytics and our own statistical analyses. Google Analytics is a web analysis service provided by Google, which is used for purposes of market research and for ensuring that the service meets user requirements. Google Analytics uses “cookies”, which are placed on your computer to make it possible to analyse how you make use of the service. The information generated by the cookies about the use of the service (including the user’s anonymised IP address) is as a rule transmitted to and stored by Google on servers in the United States . Google uses this information in order to evaluate your use of the service and to create reports on activities for the operator of the service. Google may also transmit this information to third parties if this is prescribed by law, or if third parties process the data on behalf of Google. On no account will Google connect your IP address with other Google data. At http://tools.google.com/dlpage/gaoptout?hl=de you can, with effect for the future, opt out of the recording and saving of your data at any time. In addition we use the remarketing functions and reports on demographic features and interests provided by Google Analytics in order to display to visitors of the website targeted advertisements on the partner websites of the Google display and search network. The saving of cookies enables user behaviour to be analysed and interest-based advertising to be activated. At http://www.google.de/settings/ads you can, with effect for the future, opt out of the recording and use of your data for advertising purposes.
The legal basis for the application of Google Analytics is Art. 6 (1f) GDPR. Sessions and campaigns are terminated after the expiry of a specific period of time.
Google DBM and DFP (Doubleclick for Publisher) Small Business Server
All the cookies we set, together with their purpose and duration, are shown in the following table:
End of session
Technically necessary cookie. Comes from Load Balancer and saves the webnode, so that the user is always directed to the same location and retains the session.
This cookie saves the language settings
A number of general settings for MyDPD Pro
End of session
MyDPD Pro: Liferay session
End of session
MyDPD Pro: Cookie for return to the website after logout
End of session
MyDPD Pro: Session handling for webnode
End of session
MyDPD Bus: Server session cookie
End of session
MyDPD Bus: MyDPDBusiness session cookie
Activations of customer groups
Is used to differentiate website visitors
Is used to differentiate website visitors
Is used to reduce the enquiry rate. If Google Analytics is integrated via Google Tag Manager the cookie is designated: _dc_gtm_<property-id>.
The DPD App and the Parcel Navigator application are operated and made available by DPD Deutschland GmbH, Wailandtstraße 1, 63741 Aschaffenburg, Germany. The following data protection terms are intended both for users of the mobile app and users of the browser-based version, referred to together below as the ‘service’.
In principle the service can be used without registration. However, registration is necessary if you wish to make use of the convenience functions of the service. This is implemented either by registering via the service with an email address and password, or by using an existing Facebook or Google+ account. DPD does not provide Facebook or Google with any parcel information data, and only uses these services for purposes of authentication.
‘Login with Facebook’: Facebook Connect is a service provided by Facebook Ireland Limited (Hanover Reach, 5‒7 Hanover Quay, Dublin 2, Ireland). Use is voluntary and optional. In the use of Facebook Connect, the Facebook profile data and public data from your Facebook profile are transmitted to DPD. For the purpose of simplified registration for the use of the Parcel Navigator we record and process your first name and surname, your gender, age, town of residence, email address and Facebook ID. If you are already a DPD customer, only the Facebook ID will be processed. Via the Facebook ID your Facebook account is then linked with your DPD account. This enables you to use the ‘Login with Facebook’ button to log into the service with your Facebook access data. In addition, if you use this process to log in, Facebook is informed that you are currently using the DPD service. The link with Facebook can be cancelled at any time from your Facebook profile. On this subject see also the Facebook data protection declaration.
The same process is applied if you use the Google+ login. This Google service is provided by Google Inc. (‘Google’; Amphitheatre Parkway, Mountain View, CA 94043, USA). Your registration and use of Google services are subject to the Google terms of data protection and use, which you can view at www.google.com/intl/de/policies/privacy.
In order to make the services and information available, DPD processes the following items of your data: email address, mobile phone number, password, a standard postcode (as a rule your consignee postcode), Predict status (whether you wish parcel notifications or not), the device name of the devices used by you, and shipment-related information from our delivery systems.
With your settings in the Parcel Navigator you can decide yourself whether we may inform you about discount or voucher offers from our partners. You can activate or deactivate these settings independently at any time within your account.
Assessment of creditworthiness: For the assessment of the creditworthiness of new customers we use a probability value (score process) on the basis of automated mathematical-statistical processes. In the case of business customers this service is provided by e-crefo GmbH, Hellersbergstraße 12, 41460 Neuss, and in the case of private customers by Creditreform Boniversum GmbH, Hellersbergstraße 11, 41460 Neuss. We use this information as the basis for making decisions. No enquiries are made involving subjective value judgements or personal financial information. The relevant data is saved and transmitted only if this is required for the protection of the legitimate interests of DPD Deutschland GmbH. We also wish to point out that if at the time of an enquiry from a business customer there is not sufficient information about the relevant company available to e-crefo GmbH, we may in individual cases base our decision on a probability value relating to the owner or manager of the relevant company and provided by Creditreform Boniversum GmbH, Hellersbergstraße 11, 41460 Neuss. DPD will balance the various interests involved so that in individual cases your interests are not unreasonably affected negatively. If the result of the creditworthiness check is negative, DPD reserves the right to change its terms of payment.
Matomo and Google Analytics
In order to optimise our service we apply Google Analytics and Matomo. Details on the use of these services are described above under Web a analysis, cookies and third-party services.
DPD only makes data from the use of the services and about the service itself to available authorised internal users.
In order to ensure the correct delivery of shipments to the right consignee DPD requires a range of data, which is as a rule provided by the consignor. In addition to details of the address, parcel type and parcel shipping options, the data may include further information which will, for example, enable us to notify the consignee of the delivery or when parcels are picked up at the parcel shop (e.g. ID card/passport number). In compliance with postal legislation and the regulations on data protection in postal services, DPD processes this data in a shipment-related way and only for delivery purposes. The details which are provided are used exclusively within the DPD network for delivering shipments and invoicing services, or for clarifying issues relating to shipments (e.g. transport damage). DPD does not use consignee data for advertising purposes or for other personal analyses. Findings from DPD's delivery processes are only used in an anonymised form for the purpose of optimising delivery operations. Your data is not sold, rented out or exchanged. If we provide data to external service providers, this is implemented on the basis of Art. 28 EU GDPR (processing of orders) or other data protection regulations.
DPD also appears in a number of social networks. These include Facebook, Twitter, Xing and Youtube. DPD provides its services on these platforms under the data protection provisions of the individual platform operator and has no direct responsibility for the way the operator processes data. Any findings from this data are used only for internal purposes and direct consultation. DPD wishes to point out that these platforms are in themselves public and anything which is posted on them can as a rule be read by all users. DPD will not provide shipment-related information or details of personal data in any public forum via these platforms.
DPD offers, as part of its product portfolio, its Predict-Service for consignors and consignees. Here you can download our data protection evaluation regarding Predict / EU GDPR (pdf-document)
With this service the consignee receives advance notification of shipments sent by the consignor in the form of an email or SMS text message, notifying the consignee when the shipment will be delivered and the arrangements for the delivery. For this purpose the consignor (shipping customer) provides DPD with the necessary supplementary information, such as the email address or mobile number of the consignee.
One possible basis for the transmission of such data to DPD on the part of the consignor is, from the DPD point of view, Article 6 (1f) EU GDPR (“Processing of data for the safeguarding of justified interests”).
Grounds: the transmission of the data is implemented in the legitimate interests of both the consignor and of DPD as the postal service provider, in order to avoid incorrect deliveries (which serves to protect postal secrecy) and to ensure customer-friendly determination of the time and place of delivery on the part of the party concerned (consignee). The basis for the processing of the data between the consignor and the consignee is as a rule an order, or a contractual or similar relationship with the party concerned in accordance with Article 6 (1b) EU GDPR. In the process DPD functions as the service provider (provider of postal services). The transmission of the additional information does not restrict any interests of the party concerned which require protection, or that party’s fundamental rights and freedoms. The party concerned can reject the processing of this supplementary information at both locations. Predict notifications are not advertising aimed at promoting DPD’s own sales or that of an outside company, but serve the implementation of the delivery process for goods which have already been ordered.
DPD processes this data exclusively for this purpose and for no other purpose. For purposes of dealing with complaints or invoicing, the data is recorded in relation to the individual shipment and saved, also in relation to the individual shipment, in our shipping archives in accordance with statutory provisions relating to archiving periods. Shipping customers are responsible for ensuring the correctness of the information provided to DPD about the email addresses and telephone numbers of their customers (consignees), as well as with regard to the correct spelling, syntax and allocation to a specific shipment. If DPD has received instructions from a consignee blocking the transfer of information by email or SMS, DPD is under an obligation to follow these instructions and to terminate the service to the relevant consignee. There will be no message to the shipping customer that this service has been blocked by the consignee.
As part of DPD’s Predict-Service, consignors can also provide customers with information about themselves in the form of banner advertising. In addition to the company name and address, the customer’s banner can contain the company logo, the website URL and a company slogan/claim, but no advertising content that goes beyond this in the form of texts or images. DPD undertakes towards shipping customers not to send any advertising of its own to their customers (consignees).
Consignees who wish to block their email address for the Predict-Service should send an informal notice of cancellation to firstname.lastname@example.org indicating their name, address and the email address which is to be blocked. The effect of blocking the email address will be that the consignee will receive no further email notifications from us relating to shipments.
Suggested text for instructions in the privacy policies of DPD’s shipping customers from 25.5.2018:
”During shipping operations we transmit, on the basis of Art. 6 (1f) of the EU’s General Data Protection Regulation, your data (name, address, if necessary email address and/or mobile phone number for notification options and re-directions, together with further shipment-related data) to our shipping partner DPD Deutschland GmbH. You can reject the transmission of supplementary information such as email or mobile phone data both with us […add customer contact address…] and with DPD direct under email@example.com or, in the case of all parcel notifications, via a link.“
When you send us your online application you declare your consent to the electronic processing of your data, as described below.
- Information which is required and recorded
As part of the application procedure, the DPD group of companies* only record and process the personal data which you submit to us or have entered in the application form.
- Who has access to your data
Access to your data is only provided to such persons who have been trained in the relevant aspects of data protection and data security, and are subject to a contractual obligation of non-disclosure. The data which you make available in a concrete application is only seen by such persons who are responsible for filling the relevant vacancy. These are in particular HR staff within the company to which you apply, as well as any potential line managers.
Of course your data will not be used for any other purposes than for the application procedure, and will never be used for advertising purposes. Under no circumstances will your data be passed on to companies or persons outside the DPD group of companies.
Beyond the application procedure itself your application data may only be made available to other companies in the DPD group of companies for the purpose of filling other possible vacancies. If you do not agree to this, you can revoke your consent by sending an email to Bewerbung_Datenschutz@dpd.de.
- Data security
A variety of security procedures are used to protect the application data which is collected. The use of the latest technologies such as secure servers, firewalls and the encryption of application data protects against unauthorised access to your personal data. The security standard involved is continuously reviewed and adapted to the latest technological developments.
- Deletion of data
Data which is provided in connection with a specific unsuccessful application for an advertised vacancy is deleted six months after the applicant has been notified. Applications which are included in the pool of applicants are automatically deleted after one year.
- Possibility of submitting an application on paper
You of course have the option of submitting your application documents to us on paper instead of electronically. However, please note that we do not return written application documents, and subsequently destroy them in accordance with data protection regulations.
- Right of revocation
You have the right to revoke at any time the consent you have provided us with, as well as the right to request information at any time about the data we collect. In order to assert these rights, or any other rights you may have under data protection regulations, please also contact Bewerbung_Datenschutz@dpd.de.
The responsible regulatory body in relation to data protection is the Federal Officer for Data Protection and Freedom of Information, who can be contacted as follows: Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, Referat 24, Husarenstraße 30, in 53117 Bonn.
*DPD Deutschland GmbH, DPDgroup International Services GmbH & Co. KG,
GeoPost International Management & Development Holding GmbH, iloxx GmbH
DPD Deutschland GmbH offers you the opportunity to apply online to work with us as a delivery driver or system partner. For this purpose we collect specific data from you.
From delivery drivers:
As DPD does not employ its own drivers, we evaluate your data and then pass it on to a suitable system partner. By providing your consent at the end of the data collection you agree that the recorded data – as displayed on the screen – can be passed on to a system partner. After the data has been passed on it will then be processed. We delete your data after 6 months.
From system partners:
To qualify as a system partner to DPD, the relevant person/company must have a business licence and a permit to transport goods. We will contact you after using the data which you provide for preliminary classification purposes. The data is used by us exclusively for selection and checking purposes, and will be deleted after 6 months if you cannot be considered as a system partner.
DPD Financial Services is a service for the processing of electronic invoices. The service is operated on behalf of DPD by DATEV eG, Nuremberg.
Your data is saved by DPD on specially protected servers in Germany. Access to the servers is only available to a small number of specially authorised persons who are in charge of the technical, commercial or editorial support of the servers. DPD has taken precautions in order to ensure the security of your personal data. Your data will be conscientiously protected against loss, destruction, falsification, manipulation and unauthorised access or publication. The communication with our Financial Services online is also implemented by encrypted connections using special safety precautions. DPD uses session cookies for the identification of authorised users. These small text files, which your Internet browser administers and saves on your computer, are automatically deleted once more when you log out of Financial Services.
The eSolutions Portal offers solutions for various DPD services. Various DPD shipping applications and interfaces as well as information on the offers of our partners are available to consignors and consignees. In addition, we offer documentation and implementation guides to all application developers who want to access our systems. Test systems are also available for DPD web services, for example to use the cloud parcel label printing function.
If you log into our portal to use our services or request information about the services or use our test servers, these activities are logged for security purposes within the framework of our security concept on the basis of Article 6 (1f) GDPR. Only a few administrators are allowed access to it and the logs are used exclusively for the prosecution of criminally relevant enquiries.
To assess the creditworthiness of (new) customers and suppliers, we use probability values based on automated mathematical-statistical procedures ("scoring"). These are determined by prestigious credit agencies and commercial credit insurers on our behalf. For this purpose, we pass on data to these service providers on the basis of corresponding contractual agreements verified under data protection law. In order not to disadvantage your interests unreasonably in individual cases with the credit assessment, DPD weighs up the interests involved. If the credit assessment is negative, DPD reserves the right to restrict the terms of payment, to change them or to put the cooperation to the test.
The data collected via this website in connection with long-distance transport tenders and contracts (both regular and ad-hoc transport) is used only for the purpose of processing offers and enquiries between you and the DPD company or partner (DPD depot) involved. The data is not transferred by DPD or a third party. System partners to DPD Deutschland GmbH in long-distance transport must have the necessary creditworthiness as well as the licences and permits required for long-distance transport operations.
If the portal is not used for 6 months, the data collected during the registration procss is deleted again.
DPD distinguishes between the following applications of video technology
- Camera systems for the purpose of parcel tracking (in the vicinity of sorting facilities) as well as
- The use of video systems for site and building surveillance
These are then used for the following purposes:
- Parcel tracking for purposes of detecting and correcting errors during parcel handling on the sorting installation, the feed-in and exit points to the system and operational safety.
- Ensuring proper conduct on the premises and securing them against burglary, theft and vandalism as well as unauthorised entry.
- To comply with the requirements of the Customs department's AEO-F certification to maintain the company's status as an Authorised Economic Operator.
The underlying legal basis for Purposes 1 and 2 is provided by Article 6 (1f) GDPR and postal secrecy in accordance with §39 PostG and Article 6 (1c) GDPR, the Customs Code Implementing Provisions (based on the Customs Code of the EU / Directive (EU) No. 952/2013), and by the conclusion of works agreements with the responsible works councils on the basis of §26 Federal Data Protection Act and the Works Constitution Act, which can be inspected on site.
The storage period is 40 days, and 12 months in the case of still images.
If you use our contact forms to contact us in electronic form, your voluntarily provided personal data will be collected and stored.
We use the personal data provided by you exclusively for the purpose of answering your inquiry and fulfilling your requirements.
The processing of the personal data from the contact form serves us primarily for the purpose of responding to the establishment of contact.
The data is processed primarily for the fulfilment of the contract in accordance with Art. 6 1 b GDPR, as well as for the protection of legitimate interests in accordance with Art. 6 1 f GDPR. A justified interest on the part of DPD is, in particular, to ensure efficient processing and service, and to improve these on a permanent basis.
Your data will be stored as long as it is necessary to process the relevant contact enquiries.
On our website or in the Parcel Navigator you have the possibility to register for our free newsletter by email. The newsletter informs you regularly about the latest information relating to our offers and services.
When you register for the newsletter, the personal data to be entered is transmitted to us from the input mask. For this purpose you have to enter your email address as a mandatory field. The purpose of collecting the email address is to ensure that emails are delivered correctly. In some cases, further voluntary details are requested for the individual dispatch of information such as your surname, first name and address data. In addition, your IP address and the date and time of the enquiry are automatically collected and stored.
Data collection during registration and double opt-in
When you sign up for our newsletter for the first time, a confirmation email will be sent to the email address you have provided. This confirmation email contains a link that you have to click on in order to confirm your registration. This so-called double opt-in procedure serves to check whether the owner of the email address has actually authorised receipt of the newsletter and agrees to receive this newsletter.
All registration processes are logged, so that it can be proved that the registration process was implemented in accordance with the applicable legal requirements. This includes the storage of the times of registration and confirmation, as well as the data transferred to us.
If consent has been provided by the user, the legal basis for the processing of the data after registration by the user for the newsletter is Art. 6 1 a GDPR.
Use of newsletter service providers
We use the services of external service providers for the dispatch and evaluation as well as for the technical processing of our newsletters. These services are under an express obligation to comply with data protection regulations on the basis of Art. 28 EU GDPR.
We record your use of our newsletter, such as when emails are opened or clicked on, using tracking technology provided by the service provider.
This allows our service provider to report the success or failure of an email campaign, so that we can optimise the content of our newsletter. We regard the advertising purpose behind this as our legitimate interest within the meaning of Art. 6 1 f GDPR.
Duration of storage, right of revocation
The personal data which is processed in the context of the subscription to and the dispatch of the newsletter is stored by us for as long as the subscription to the newsletter is active. You can cancel your subscription to the newsletter and your consent to the processing of your data for the abovementioned purposes at any time via the unsubscribe link provided in the newsletter.
A separate revocation regarding the described tracking is not possible. However, you have the option of configuring the email programme you use so that emails are displayed in text form and not in HTML format. This hides image and graphic files so that tracking is not possible. In these cases, however, the newsletter will not be displayed in full and you may not be able to use all the available functions.
Important information for consignors
Find out more about contract data processing by DPD and the use of Predict in relation to the EU's GDPR.More