- Company
- Services
- Newsroom
- Expertise
- Sustainability
- Career
- Your local delivery experts
- DPD Austria
- DPD Belgium
- DPD China
- DPD Croatia
- DPD Czech Republic
- DPD Estonia
- DPD France
- DPD Germany
- DPD Hong Kong
- DPD Hungary
- DPD Ireland
- DPD Latvia
- DPD Lithuania
- DPD Luxembourg
- DPD Netherlands
- DPD Poland
- DPD Portugal
- DPD Romania
- DPD Slovakia
- DPD Slovenia
- DPD Switzerland
- DPD Taiwan
- DPD United Kingdom
- BRT Italy
- Chronopost France
- SEUR Spain
- Company
- Services
- Newsroom
- Expertise
- Sustainability
- Career
- Your local delivery experts
- DPD Austria
- DPD Belgium
- DPD China
- DPD Croatia
- DPD Czech Republic
- DPD Estonia
- DPD France
- DPD Germany
- DPD Hong Kong
- DPD Hungary
- DPD Ireland
- DPD Latvia
- DPD Lithuania
- DPD Luxembourg
- DPD Netherlands
- DPD Poland
- DPD Portugal
- DPD Romania
- DPD Slovakia
- DPD Slovenia
- DPD Switzerland
- DPD Taiwan
- DPD United Kingdom
- BRT Italy
- Chronopost France
- SEUR Spain
Personal Data Protection Policy
Personal Data Protection Policy
GeoPost is committed to personal data protection both during our business operations and as part of the services provided.
This Policy sets out the principles and guidelines we apply to protect your Personal Data. It is designed to explain:
- The types of Personal Data we collect and the reasons why we collect it,
- How we use your Personal Data,
- Your rights as the data subject.
This Policy applies to the processing of Personal Data in the context of GeoPost's parcel delivery activities in an international context. All operations on your Personal Data are carried out in compliance with the regulations in force and in particular with the European Regulation (EU) 2016/679 of 27 April 2016 on the protection of personal data (GDPR), the law n°78-17 "Informatique, Fichiers et Libertés" of 6th January 1978 as amended, as well as its application decrees.
Further personal Data Protection information
How does DPDgroup deal with Personal Data Protection?
GeoPost considers the protection of your Personal Data and privacy when designing new products and services (principles of "privacy by design" and "privacy by default"), and where appropriate, when these products or services are revised/upgraded. To ensure the security of your Personal Data and safeguard the proper exercise of your rights, GeoPost implements measures designed to protect your Personal Data :
- Establishment of a procedure for exercising rights and a procedure in the event of a personal data breach;
- Carrying out IT security and GDPR compliance questionnaires prior to the implementation of a project or an application;
- Verification of the guarantees presented by our subcontractors and future subcontractors with regard to the requirements of the GDPR;
- Carrying out internal audits, drawing up recommendations, monitoring and updating the inherent actions;
- Consulting with project managers to define relevant and reasonable retention periods, not exceeding the time necessary to fulfil the purpose of the processing;
- Maintaining and updating a register of processing operations;
- Conducting regular training sessions for all our employees;
- Coordination of a Data Protection Officer network including all our European subsidiaries
What Personal Data are used by DPDgroup?
GeoPost undertakes to only collect the data that is strictly necessary for the provision of the requested services.
If optional data is requested, you will be given a clear explanation of the Personal Data GeoPost needs to provide the requested service and the data you may decide to provide voluntarily.
Where does the data we process come from?
If you ship a package, we receive your data when you contact us, visit one of our shipping sites or ship packages with us.
If you are the recipient of a package, we receive your data from our shipping customers. They provide us with your data, together with package information or notification instructions, primarily in electronic form or via their own or our shipping systems. They normally do this to the extent that they have established a contractual relationship with you in accordance with Article 6(1b) of the GDPR, and we need this data to deliver the goods you have ordered to the shipper. In addition, we naturally receive your data from other postal service providers who act on our behalf for the delivery of consignments, for example if the consignment originates from abroad and another postal service provider who cooperates with us has been commissioned with the delivery.
Finally, we receive data directly from you when you have filled in your personal information in your user area (delivery address, delivery preferences, etc.).
If you are a visitor to our website, we receive your data through various functions of the website. For this purpose we use cookies or ask you directly for information. Our priority is to optimise the presentation of our website and to provide you with information about our services. You can limit the services or disable them completely at any time by using a link or by making the appropriate selection. (Please see "Web analysis, cookies and advertising services").
Your Personal Data will only be used to propose other services if you have agreed to receive commercial communication. In any case, you have the possibility to revoke your consent at any time.
To which services or companies are your Personal Data transferred to?
Your data may be transferred to:
- Departments within GeoPost: departments in charge of performing the requested services;
- External providers: technical service providers, including sub-contractors (if applicable, the data is transmitted to our subcontractors under the conditions prescribed by Article 28 of the GDPR);
- Companies of La Poste Group, for the performance of the services.
Can your Personal Data be transferred to non-EU countries?
GeoPost carries out all Personal Data processing activities within the European Union (EU).
However, for some specific services, GeoPost may use data processors or business partners located outside of the EU. Some of your Personal Data may therefore be transferred to them for the strict purposes of their services. In such cases and in accordance with the regulations in force, GeoPost requires its data processors to provide the necessary safeguards to ensure regulated, secure transfers, mainly by requiring them to sign the European Commission’s standard contractual clauses.
How long will GeoPost keep your Personal Data?
Different retention periods apply for the various services we provide. GeoPost undertakes not to retain your Personal Data any longer than is necessary for the provision of the service or, if applicable, for compliance with the retention periods arising from the applicable limitation periods.
Joint Controllership
For the implementation of the processing of personal data described, GeoPost determines, jointly with its subsidiaries located on the territory of the European Union or in a country recognised as adequate by the European Commission, the purposes and means of the processing. In accordance with Article 26 of the GDPR, a joint data controller agreement has been signed by all the data controllers concerned. It describes in particular the responsibilities and obligations of each of the joint controllers, the relations with the data subjects and the way in which the latter can exercise their rights with regard to the GDPR, the security and confidentiality measures taken to protect their personal data, the defined retention periods (these may however vary locally in application of the regulations in force), as well as the procedure in the event of detection of a data breach.
Personal data processing
| Common Processing Activity | Purposes | Legal basis | Personal Data | Retention period |
| Parcel delivery & unauthenticated consignee interaction | - Shipment and labeling process - Track and trace by DPD employees - Consultation of the parcel’s status by customers via dedicated applications - Delivery tool management - Order management / collection requests - Parcel’s temperature (containing food) monitoring throughout their life cycle and generate alerts in the event of a break in the cold chain - Calculation of an estimated number of days to deliver parcel based on zip code of both the origin and the destination - Facilitating delivery services with delivery instructions - Track and trace the parcels by the consignees via consignee application - Knowledge improvement and interaction with consignees and prospects - Parcel return management - Collection of the level of satisfaction of the consignees | Performance of a contract + Legitimate interest + Legal obligation | Sender or receiver data, when is Consumer only: First / last name, username, e-mail, address (including home GPS coordinates), phone number, parcel number, date of birth, home GPS coordinates, POD, picture of front door or safe place, COD, contact details, ID numbers, additional information necessary for ID check, free text fields for more detail about the address for example (door code) Depending on BUs, some other personal data can be stored and managed locally. | 6 months in active database + archive database for regulatory purposes (indicated in other processing) Postal address (House number, street name, city, Post code, Country code, Longitude, Latitude) will be kept for 3 years based on the necessity to have reliable data and be able to calculate tactical planning scenarios). |
| CS Investigation & claim management | • Customer service back-office communication tool between customer services of BUs for cross-border parcels • Measurement of BU's performance • Monitoring the performance of BU’s customer service employees by managers of BU’s CS | Performance of a contract (for claim management) + Legitimate interest (for the measurement of BU's performance) | Sender or receiver data, when is Consumer only: Name, address (street number, zip code, city, country) e-mail, phone number, parcel number, collection request number, case number, COD amount, POD, free text fields for parcel content for example | 6 months after case closure database and 6 months in archive database (not anonymized) Anonymization of consignee’s personal data for reporting |
| Geocheck (Embargo) | - Comparison of personal data against Denied Party Lists (DPLs) published by organizations - Generation of events according to verification results - Decision whether or not to block the parcel - Request of licenses if designated persons are confirmed among the workforce | Legal obligation | Receiver data, when is Consumer only: Name, e-mail, address, phone number, parcel number, result of the comparison/verification These personal data concerns also the employees of DPDgroup. | 30 days in live/production database From 30 days to 2 years on a restricted database (restricted access for LECO only) From 2 years to 10 years in archive (legal requirements, restricted access only for Geocheck administrator) |
| Customs process | - Notification management and payment for duties and taxes - Generation of proofs of payment | Legal obligation | Sender and receiver data, when is Consumer only: Name, e-mail, address (including street and house number, city, country, zip code), phone number, SMS, contact, parcel number, IP address, content of the parcels associated to value of goods | 6 months in active database and 5 years in archive database (unless advised differently by BUs) |
| Reporting KPI | - Leverage data from X months/years for sales/marketing/ops analysis for market assessment - Measurement of the quality of the performance | Legitimate interest | Sender and receiver data, when is Consumer only: Name, e-mail, address, phone number, parcel number | 6 months (anonymization after) Postal address (House number, street name, city, Post code, Country code, Longitude, Latitude) will be kept for 3 years based on the necessity to have reliable data and be able to calculate tactical planning scenarios) |
| Authenticated consignee interaction | - Management of notifications to consignees via e-mail or SMS or social media (Predict, etc.) - Execution of prospecting operations to improve the offers and services of GeoPost and its subsidiaries - Collection of the level of satisfaction of the consignees - Consumers profiling according to uses of DPD services, frequency of delivery, delivery experiences and customer service interactions, etc. (without automated decisions) - Display of advertising, newsletters, personalized campaign - Loyalty program | Performance of a contract + Legitimate interest + Consent | Sender and receiver data, when is Consumer only: Name, e-mail, address, phone number, parcel number Sender and receiver data, when is Consumer only: Name, e-mail, address (street, street number, house number, postcode, city), phone number, parcel number, title (Mr, Ms), company, free text fields, ID numbers and passports, HS code, login, gender, delivery preferences (preferred PUDO location, safeplace, etc.), communication preferences (email, SMS, push, etc) Data may concern also 3rd person and/or neighbor who retrieve the parcel instead of the consignee | 2 years following last connection Postal address (House number, street name, city, Post code, Country code, Longitude, Latitude) will be kept for 3 years based on the necessity to have reliable data and be able to calculate tactical planning scenarios) |
| Export Control | Allow DPD and its subsidiaries to verify export authorisations and permits for dual-use goods | Legal obligation | - Name, First name - Postal address - Parcel content (HS code and description) - Origin country of the parcel - Destination country of the parcel - Telephone number | 30 days in a live/production database - 30 days to 2 years on a restricted database (restricted access only for LECO - Local Embargo Compliance Officer) - 2 years to 6 years in archives (legal requirements, restricted access only for ECM administrator |
| Professionnal whistleblowing / Safecall | - Receiving and recording whistleblowing alerts - Investigation and monitoring of the alerts - Closure of alerts - Development of activity data (statistics) on anonymous data | Legal obligation Legitimate interest | - Email address - Date and purpose of whistleblowing alert - Phone number - First name, last name - Any other data communicated as part of the alert and/or investigation | Relevant data to process the whistleblowing shall be kept during the processing. If the alert: - is not eligible, data anonymized within 30 days of receipt. - is admissible but not reasoned or does not give rise to disciplinary/legal action, it is anonymised within 2 months of its closure. - gives rise to disciplinary or legal actions, the data are kept until the end of the actions or measures and are anonymized within 2 months, unless legal obligations impose another retention period |
| Purposes |
|---|
| Parcel delivery & unauthenticated consignee interaction | - Shipment and labeling process - Track and trace by DPD employees - Consultation of the parcel’s status by customers via dedicated applications - Delivery tool management - Order management / collection requests - Parcel’s temperature (containing food) monitoring throughout their life cycle and generate alerts in the event of a break in the cold chain - Calculation of an estimated number of days to deliver parcel based on zip code of both the origin and the destination - Facilitating delivery services with delivery instructions - Track and trace the parcels by the consignees via consignee application - Knowledge improvement and interaction with consignees and prospects - Parcel return management - Collection of the level of satisfaction of the consignees |
|---|
| CS Investigation & claim management | • Customer service back-office communication tool between customer services of BUs for cross-border parcels • Measurement of BU's performance • Monitoring the performance of BU’s customer service employees by managers of BU’s CS |
|---|
| Geocheck (Embargo) | - Comparison of personal data against Denied Party Lists (DPLs) published by organizations - Generation of events according to verification results - Decision whether or not to block the parcel - Request of licenses if designated persons are confirmed among the workforce |
|---|
| Customs process | - Notification management and payment for duties and taxes - Generation of proofs of payment |
|---|
| Reporting KPI | - Leverage data from X months/years for sales/marketing/ops analysis for market assessment - Measurement of the quality of the performance |
|---|
| Authenticated consignee interaction | - Management of notifications to consignees via e-mail or SMS or social media (Predict, etc.) - Execution of prospecting operations to improve the offers and services of GeoPost and its subsidiaries - Collection of the level of satisfaction of the consignees - Consumers profiling according to uses of DPD services, frequency of delivery, delivery experiences and customer service interactions, etc. (without automated decisions) - Display of advertising, newsletters, personalized campaign - Loyalty program |
|---|
| Export Control | Allow DPD and its subsidiaries to verify export authorisations and permits for dual-use goods |
|---|
| Professionnal whistleblowing / Safecall | - Receiving and recording whistleblowing alerts - Investigation and monitoring of the alerts - Closure of alerts - Development of activity data (statistics) on anonymous data |
|---|
| Legal basis |
|---|
| Parcel delivery & unauthenticated consignee interaction | Performance of a contract + Legitimate interest + Legal obligation |
|---|
| CS Investigation & claim management | Performance of a contract (for claim management) + Legitimate interest (for the measurement of BU's performance) |
|---|
| Geocheck (Embargo) | Legal obligation |
|---|
| Customs process | Legal obligation |
|---|
| Reporting KPI | Legitimate interest |
|---|
| Authenticated consignee interaction | Performance of a contract + Legitimate interest + Consent |
|---|
| Export Control | Legal obligation |
|---|
| Professionnal whistleblowing / Safecall | Legal obligation Legitimate interest |
|---|
| Personal Data |
|---|
| Parcel delivery & unauthenticated consignee interaction | Sender or receiver data, when is Consumer only: First / last name, username, e-mail, address (including home GPS coordinates), phone number, parcel number, date of birth, home GPS coordinates, POD, picture of front door or safe place, COD, contact details, ID numbers, additional information necessary for ID check, free text fields for more detail about the address for example (door code) Depending on BUs, some other personal data can be stored and managed locally. |
|---|
| CS Investigation & claim management | Sender or receiver data, when is Consumer only: Name, address (street number, zip code, city, country) e-mail, phone number, parcel number, collection request number, case number, COD amount, POD, free text fields for parcel content for example |
|---|
| Geocheck (Embargo) | Receiver data, when is Consumer only: Name, e-mail, address, phone number, parcel number, result of the comparison/verification These personal data concerns also the employees of DPDgroup. |
|---|
| Customs process | Sender and receiver data, when is Consumer only: Name, e-mail, address (including street and house number, city, country, zip code), phone number, SMS, contact, parcel number, IP address, content of the parcels associated to value of goods |
|---|
| Reporting KPI | Sender and receiver data, when is Consumer only: Name, e-mail, address, phone number, parcel number |
|---|
| Authenticated consignee interaction | Sender and receiver data, when is Consumer only: Name, e-mail, address, phone number, parcel number Sender and receiver data, when is Consumer only: Name, e-mail, address (street, street number, house number, postcode, city), phone number, parcel number, title (Mr, Ms), company, free text fields, ID numbers and passports, HS code, login, gender, delivery preferences (preferred PUDO location, safeplace, etc.), communication preferences (email, SMS, push, etc) Data may concern also 3rd person and/or neighbor who retrieve the parcel instead of the consignee |
|---|
| Export Control | - Name, First name - Postal address - Parcel content (HS code and description) - Origin country of the parcel - Destination country of the parcel - Telephone number |
|---|
| Professionnal whistleblowing / Safecall | - Email address - Date and purpose of whistleblowing alert - Phone number - First name, last name - Any other data communicated as part of the alert and/or investigation |
|---|
| Retention period |
|---|
| Parcel delivery & unauthenticated consignee interaction | 6 months in active database + archive database for regulatory purposes (indicated in other processing) Postal address (House number, street name, city, Post code, Country code, Longitude, Latitude) will be kept for 3 years based on the necessity to have reliable data and be able to calculate tactical planning scenarios). |
|---|
| CS Investigation & claim management | 6 months after case closure database and 6 months in archive database (not anonymized) Anonymization of consignee’s personal data for reporting |
|---|
| Geocheck (Embargo) | 30 days in live/production database From 30 days to 2 years on a restricted database (restricted access for LECO only) From 2 years to 10 years in archive (legal requirements, restricted access only for Geocheck administrator) |
|---|
| Customs process | 6 months in active database and 5 years in archive database (unless advised differently by BUs) |
|---|
| Reporting KPI | 6 months (anonymization after) Postal address (House number, street name, city, Post code, Country code, Longitude, Latitude) will be kept for 3 years based on the necessity to have reliable data and be able to calculate tactical planning scenarios) |
|---|
| Authenticated consignee interaction | 2 years following last connection Postal address (House number, street name, city, Post code, Country code, Longitude, Latitude) will be kept for 3 years based on the necessity to have reliable data and be able to calculate tactical planning scenarios) |
|---|
| Export Control | 30 days in a live/production database - 30 days to 2 years on a restricted database (restricted access only for LECO - Local Embargo Compliance Officer) - 2 years to 6 years in archives (legal requirements, restricted access only for ECM administrator |
|---|
| Professionnal whistleblowing / Safecall | Relevant data to process the whistleblowing shall be kept during the processing. If the alert: - is not eligible, data anonymized within 30 days of receipt. - is admissible but not reasoned or does not give rise to disciplinary/legal action, it is anonymised within 2 months of its closure. - gives rise to disciplinary or legal actions, the data are kept until the end of the actions or measures and are anonymized within 2 months, unless legal obligations impose another retention period |
|---|
Other data processing
For the data processing described below, GeoPost SA is data controller and determines the means and purposes of the processing.
| Common Processing Activity | Purposes | Legal basis | Personal Data | Retention period |
| GATE – Business management | - Client and prospect management - Development of trade statistics - Steering and monitoring the activity of the sales team | - Performance of a contract (for Customers) - Legitimate interest (for prospects) | - Name, First name - Email - Phone number - Job qualification | The personal data are kept during the contractual relationship for the Customers. The data are kept for a period of 3 years from the last contact with the data subjects when it comes to prospects. After the performance of the contract, the data are kept in intermediate storage, if the controller has the legal obligation to do so (for example, to meet accounting or tax obligations) or if he wishes to establish evidence in the event of litigation and within the applicable limitation period |
| Purposes |
|---|
| GATE – Business management | - Client and prospect management - Development of trade statistics - Steering and monitoring the activity of the sales team |
|---|
| Legal basis |
|---|
| GATE – Business management | - Performance of a contract (for Customers) - Legitimate interest (for prospects) |
|---|
| Personal Data |
|---|
| GATE – Business management | - Name, First name - Email - Phone number - Job qualification |
|---|
| Retention period |
|---|
| GATE – Business management | The personal data are kept during the contractual relationship for the Customers. The data are kept for a period of 3 years from the last contact with the data subjects when it comes to prospects. After the performance of the contract, the data are kept in intermediate storage, if the controller has the legal obligation to do so (for example, to meet accounting or tax obligations) or if he wishes to establish evidence in the event of litigation and within the applicable limitation period |
|---|
Are your Personal Data protected?
GeoPost undertakes to adopt all measures protecting the security and confidentiality of your Personal Data and, in particular, to prevent any damage, erasure or unauthorised access by a third party.
To this end, GeoPost has an Information System Security Policy based on the ISO 27002 standard, which defines the guidelines for good information security management practices. The policy covers human, physical, organisational and technical security controls.
If your Personal Data is affected by a security breach (destruction, loss, alteration or disclosure), GeoPost undertakes to fulfill our obligation to notify Personal Data Breaches, in particular to the French Data Protection Authority (CNIL) and to inform you as soon as possible in accordance with Article 34 of the GDPR.
What are your rights concerning your Personal Data?
You may contact GeoPost to exercise your rights held under the personal data regulations in force at any time:
- Right of access: you may obtain a copy of your Personal Data being processed by GeoPost;
- Right to rectification: you may update your Personal Data or ask us to rectify your Personal Data processed by GeoPost;
- Right to object, in particular to prevent direct marketing: you may notify your preference not to receive direct marketing from GeoPost or ask GeoPost to stop processing your Personal Data;
- Right to erasure: you may ask GeoPost to delete your Personal Data;
- Right to restrict processing: you may ask GeoPost to suspend the processing of your Personal Data;
- Right to data portability: you may ask GeoPost to retrieve your Personal Data for reuse.
Whenever you sign up for a service or provide Personal Data, GeoPost will state the postal and/or email address to which any data subject requests may be sent.
All requests must be submitted with proof of your identity. GeoPost undertakes to respond to your data subject requests without undue delay and in any event, within the times imposed by law.
Has GeoPost appointed a Data Protection Officer?
The appointment of a Data Protection Officer reflects GeoPost’s commitment to ensuring the protection, security and confidentiality of Personal Data.
Our Data Protection Officer may be contacted at the following address:
Data Protection Officer
CP C703
9 Rue du Colonel Pierre Avia
75015 Paris
If you believe, after having contacted us, that your rights with regard to your data have not been respected, you may submit a complaint to the Commission Nationale de l'Informatique et des Libertés (3 place de Fontenoy - TSA 80715 - 75334 Paris cedex 07; tel: 01 53 73 22 22).
Changes to this Privacy policy
Our privacy policy is reviewed on a regular basis.
GeoPost reserves the right to change its privacy policy at any time with or without prior notice. We therefore recommend that you inform yourself regularly about any changes. By using DPDgroup website you accept the terms of this privacy policy.
Cookies and third-party services
We and our partners use cookies or other tracers to facilitate the use of the site, improve the performance and security of the site, and propose personalized advertising according to your use and your profile. These cookies, apart from necessary cookies, require your consent before their deposit. Your choices will be valid for the vendors and purposes listed into the “Cookie settings”. You can withdraw your consent at any time by managing your cookies through "Cookies" in our website footer.
Glossary
All capitalised terms are defined as follows:
“Data Protection Policy”: Means this Policy describing the measures adopted for the processing, exploitation and management of your Personal Data and your data subject rights.
“Personal Data”: Means any information relating to you that can be used to identify you, directly or indirectly as a natural person.
“Processing”: Means any operation or any set of operations performed on your Personal Data.
“Personal Data Breach”: Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, your Personal Data.
myDPD Privacy Policy
Please select your country to see the relevant Privacy Policy.
Home / Privacy