1.      What can I find in this Privacy Policy?

This Privacy Policy (hereinafter – “Policy”) contains information on how UAB DPD Lietuva (hereinafter referred – “Company”, “we”) collects, stores and uses your personal data.

We comply with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC General Data Protection Regulation (hereinafter – “GDPR”), and other personal data protection laws.

2.     Who is responsible for the security of my personal information?

We are: UAB DPD Lietuva

Our company reg. No.: 111639299

Our address: Liepkalnio Str. 180, Vilnius 02121

Our email: [email protected]

3.     How does DPD Lithuania deal with personal data protection issues?

DPD Lithuania, together with other DPD Group companies (GeoPost), takes the protection of your personal data into consideration when developing its new products and services (evaluates the principles for standard and customized protection of personal data). If necessary, products or services are reviewed/updated. In order to ensure the security of your personal data and the proper exercise of your rights, we perform the following:

 - We have established the procedure for exercising your rights in order to identify cases of your personal data security breaches;

 - We complete IT security and GDPR compliance questionnaires when implementing new projects or creating applications;

 - We check the guarantees offered by our partners regarding the implementation of GDPR requirements;

 - We conduct internal audits, and prepare and implement its recommendations;

 - We get consultancy from project managers in order to establish appropriate and reasonable time limits for data storage that do not exceed the time necessary to achieve the purpose of data processing;

 - We keep data processing records;

 - We conduct regular training for our employees;

 - We have appointed data protection officers.

4.    What personal data do we collect?

DPD Lietuva undertakes to collect only those personal data that are necessary for the provision of the requested services. When we collect optional personal data, we clearly identify what personal data is required to provide the requested service and what data you would provide on a voluntary basis. Details of the collected data are provided in Paragraph 9 of this Policy.

5.     Where do we get your personal data from?

If you send a parcel, we receive your data when you contact us, visit one of our parcel delivery points or send the parcels using our services.

If you are a recipient of a parcel, we receive your data from the sender. Senders provide your details to us together with the packaging information or notification instructions. We need this data to deliver the goods or other parcels you have ordered. We may also obtain your data from other providers of postal services acting on our behalf and delivering parcels, e.g. if you receive a parcel from abroad, and the delivery has been assigned to another postal service provider cooperating with us.

We also obtain data directly from you when you fill in your personal information on your user account.

If you are a visitor to our website, we obtain your data through various website features. For this purpose, we use cookies or directly request information from you using the chatbot. We aim to optimize the operation of our website and provide you with information about our services. More information on cookies and their management is provided in Paragraph 14 of this Policy.

We will use your personal data to offer our services if you have agreed to receive commercial notifications as referred to in Paragraph 9.12 of this Policy. In any case, you have the opportunity to withdraw your consent at any time.

6.    Who receives your personal data? Do we transfer your data to non-EU countries?

In order to provide quality services, we transfer your personal data to our partners and other DPD Group companies.

DPD Lithuania carries out personal data processing activities within the European Economic Area (EEA). However, we use data processors or other business partners outside the EEA for some specific services. Therefore, some of your personal data may be transferred to them strictly for the purposes of providing the services. In such cases, we require data processors to ensure the safeguards necessary for safe transfer of personal data.

Below is the detailed information about the service providers involved and data transfers outside the EEA.

7.     Where do we get your personal data from?

Time limits for storage of personal data as specified in Paragraph 9 apply to different services we provide. We undertake not to store your personal data for longer than is necessary for the specific services or, if applicable, to comply with the time limits for storage arising from the applicable requirements of legal acts.

8.    Basic provisions of the agreement of the joint data controllers

8.1. The Company is part of the DPD Group network and uses both the tools of the DPD Group and the established procedures when processing data. Therefore, together with the companies of the DPD Group – Geopost S. A. and DPD companies in other countries (the complete list of companies is available here), we have established the purposes and means of the processing of your personal data as specified in Paragraph 9.2 (provision of parcel collection and delivery services), 9.3 (identification of the recipients of parcels), 9.4 (services of cash collection from recipients), 9.8 (handling of claims and complaints), 9.11 (customer service), 9.12 (execution of direct marketing and surveys), 9.13 (improvement of services provided by DPD Lietuva), 9.16 (customs administration), and 9.17 (administration of compliance with import and export prohibitions) (hereinafter –  Joint Data Controllers)

8.2. Together with the Joint Data Controllers, we have determined the responsibilities for the implementation of obligations stipulated in the applicable data protection laws, primarily including exercising of your rights and informing about data processing performed by Joint Data Controllers

8.3. Every Joint Data Controller undertakes to ensure compliance with the applicable data protection laws, to process jointly controlled data in a correct and lawful manner, not to process the data in any way which causes or may cause any damage to you.

8.4. The Joint Data Controllers together implement appropriate measures of security, integrity, accessibility and confidentiality pursuant to the provisions of the applicable data protection laws and are committed to taking all necessary precautions to ensure that your jointly controlled personal data is safe and confidential, to prevent any accidental or illegal destruction, loss, modification, illegitimate disclosure of or access to personal data transferred, stored or processed.

8.5. In cases where you use our services and the parcel transits several countries, your rights will be ensured by the DPD company which is delivering the parcel to you, and other related Joint Data Controllers undertake to assist in exercising your rights. Please be informed that for the purpose of data processing specified in Paragraph 8.1 of this Policy, to exercise your rights listed in Paragraph 11 herein, you must contact us using the contact details provided in Paragraph 12 or other Joint Data Controllers.

8.6. For the purposes other than those specified in Paragraph 8.1, the Company is your only data controller.

9.    Why and how do we manage your personal data?

• For the purpose of selection of candidates for vacancies

• For the purposes of parcel collection and delivery services

We process your personal data in order to provide parcel collection and delivery services. Our services typically include the following actions: collection and marking of a parcel, placing the information about the parcel in the parcel tracking system, managing the ordering and delivery of the parcel, estimating the delivery time, managing the return of the parcel, and measuring the temperature of the parcel containing foodstuffs. The scope of data processed for the purposes referred to in this paragraph depends on your role in the parcel collection and delivery process.

• For the purpose of identifying the recipient of the parcel

• To provide services of cash collection from recipients

• For the purposes of leasing and other contracts

• For the purposes of the conclusion and performance of contracts

• For the purposes of debt management

• For the purpose of handling claims and complaints

• For the purpose of reporting damaged packaging

• For the purposes of issuing invoices for services

• For customer service purposes

We record incoming telephone calls on the following lines:

• Ordering line – tel. 8 700 55700;

• Customer service consultancy line – tel. 8 5 2106 777;

• Sales consultancy line – tel. 8 5 2106 766.

If you wish to contact us, but do not wish your phone call to be recorded, we kindly request that you call us by dialling our administration phone number 85 2106 750, or contact us by email (email addresses are provided in the contact section of the DPD website) or visit our registered office in person.

• Provision of Benefits for Expedited Parcel Retrieval

We process data for this purpose during festive and other peak periods when parcel deliveries surge. Our goal is to ensure optimal loading of parcel terminals, facilitating timely and efficient parcel retrieval for both senders and recipients. During these specific periods, we offer customers the opportunity to avail benefits for prompt parcel retrieval, such as winning prizes. Information regarding these incentives is included in messages sent to customers.

• For the purpose of direct marketing and surveys

• For the purpose of improving the services provided by DPD Lithuania

For this purpose, we evaluate your data in connection with the sales and operations over a certain period of time in order to evaluate the quality of the services provided by the Company.

• For the purpose of administering social network accounts

• For the purpose of administering accounting

• For the purposes of customs administration

Customs administration generally includes: checking of data against the lists of prohibited countries announced by organizations, generation of search results, and a decision to block/not to block a parcel.

• For the purpose of administration of compliance with the requirements for import and export prohibitions

The management of compliance with import and export prohibitions generally involves: checking of data against the lists of prohibited countries announced by organizations, generation of information on the basis of the results of the verification, and a decision to block/not to block a parcel.

• For the purpose of video surveillance in the parcel distribution terminals

• For the purpose of maintaining relations with legal persons

• For the purpose of control of access to the site

• For the purpose of the protection of legal interests and enforcement of legal requirements

• Is my personal data safe?

DPD Lietuva undertakes to take all measures to ensure the security and confidentiality of your personal data, in particular to prevent any damage, erasure or unauthorized access by a third party.

For this purpose, we have an approved the information system security policy at the level of the DPD Group, which defines the guidelines for information security management. The policy includes human, physical, organizational and technical security controls.

If your personal data are subject to a data breach (destruction, loss, alteration or disclosure), DPD Lietuva undertakes to notify the data protection supervisory authority of the personal data breaches and to notify you immediately, as soon as this can be done in accordance with Article 34 of the GDPR.

11        What rights do I have?

Subject to the conditions, limitations and exceptions laid down in the data protection laws, you have the following rights:

12       Do you profile me and make automated decisions?

We do not make decisions that are based solely on automated processing, which would have legal consequences for you or would have another significant impact on you. Your profiling may only be performed for the purpose specified in Paragraph 9.12.

13       Contact details and data protection officers

If you have any questions related to the protection of personal data, please contact us by email [email protected] (general administration) or contact our Data Protection Officer directly at [email protected].

14      Amendments to this Privacy Policy

This Policy is reviewed on a regular basis and, where necessary, updated at least once every two years. Any supplements or amendments to the Policy shall take effect from the date of their publication on the websites.

15       Information about the cookies we use

We and our partners use cookies or other tracking technologies to facilitate the use of our website, improve the operation and safety of the website and offer you personal advertising. Before activation of cookies, except the necessary cookies, we must obtain your consent. You can manage your choices – our partners and goals – by clicking Cookie Settings. You may withdraw your consent at any time by managing cookies in our website footer.

Detailed information on the cookies used on our websites is provided below:

 This data protection notice governs the access and the use of the https://www.dpd.com/lt/en/mydpd-2/ website and the “myDPD” application (hereinafter jointly referred to as “myDPD”).

Under the name "myDPD", DPD Lietuva UAB provides digital platforms on web servers or mobile terminals which enable consumers to monitor and manage their received, sent, and returned parcels.

Your personal data is jointly processed by Geopost SA, with registered office at 26 rue Guynemer - 92130 Issy-Les-Moulineaux (France), and its subsidiary DPD Lietuva UAB as well as their own subsidiary (collectively referred to as the “Companies”. They are together Joint Data Controllers of the following Data Processing

• “Parcel Delivery & Unauthenticated consignee interaction”: This processing concerns consignees that do not have an account on myDPD

• “Authenticated consignee interaction”: This processing concerns consignees that created an account on myDPD (“myDPD account”).

What does “Joint Data Controllers” mean?

It means that under Article 26 of GDPR, Geopost SA and DPD Lietuva UAB jointly determine the purposes and means of the processing.

What personal data do we collect?

By default, the myDPD services can be used without registration.

Personal data collected through your myDPD account are not mandatory for the execution of delivery services. However, this data enables us to provide you with the best possible service and to optimize the delivery of your parcel.

We collect the following data:

• Parcel number

• First name

• Last name

• E-mail address

• Delivery address

• Phone number

• Proof of Delivery including in some cases the signature

• Free text fields for additional delivery address information (e.g. code number)

• Photo of front door or safe place

• Notes (if you have assigned any)

We draw your attention to the importance of not communicating sensitive data (under Article 9 of the GDPR) in the free text fields.

In order to access all of the functionalities offered, you are invited to register either by means of an e-mail address and password or by using an existing Facebook, Apple or Google account. In this respect, Geopost and DPD Lietuva UAB do not transmit any parcel information to Facebook, Apple or Google and only use these services for authentication purposes. After authentication, a unique myDPD account is created for all our services.

Why do we collect your personal data?

The personal data are processed in the context of delivery services agreements as well as any other existing service related to the creation of your myDPD account. The data will be used by Geopost SA and DPD Lietuva UAB, and/or any third party involved in the performance of the services, particularly for the following purposes:

• For delivery services

• When you choose to provide us additional information to facilitate delivery of the parcel

• Manage your myDPD account

• Manage notifications to consignees via e-mail, SMS, push notification or social media

• Help the user get in contact with our support team

• Build consumers profiling according to uses of DPD services, frequency of delivery, delivery experiences, purchases and location

• Communicate via personalized or non-personalized e-mails, push notifications and banners about DPD Lietuva UAB and/or our partners

• Ensure the security of your account

What legal basis do we use to process your personal data?

We collect your personal information based on:

• Our contractual obligations in the context of our delivery activities; or

• Our compliance to legal obligations; or

• The legitimate interests of Geopost SA and DPD Lietuva UAB (provided your interests and fundamental rights do not override those interests)

• Your consent on the processing of your data for communications

Account creation

Connection with external account

Login with Apple ID: If you use your Apple ID when logging in to DPD, you can register or log in with your Apple account. You will then be forwarded to the Apple website. For the iOS app the process takes place entirely within the operating system. For the login you will need the email address which is stored with Apple. This is required for identification purposes in order to create a secure DPD account for you and is stored with us. Your Apple profile and your DPD account are permanently linked via the email address. You can remove this link at any time on the Apple website. DPD never learns your Apple access data. You can read how Apple handles privacy settings in the Apple data protection notices; these are also the valid regulations governing this possibility of logging in and registering with DPD.

Login with Facebook: Facebook Connect is an offer from Facebook Ireland Limited (Hanover Reach, 5-7 Hanover Quay, Dublin 2, Ireland). Its use is voluntary and optional. When using Facebook Connect, Facebook profile data and public data from your Facebook profile are transferred to DPD. We use and process your first and last name, gender, email address, and Facebook ID for simplified registration to use the Parcel Navigator. If you are already a DPD customer, only the Facebook ID will be processed. Your Facebook account is linked to the DPD account via the Facebook ID. This makes it possible for you to register for the service using your Facebook access data via the "Login with Facebook" button. In addition, every time you log in, Facebook will know that you are using the DPD service. The link to Facebook can be revoked at any time on Facebook itself. Please also read Facebook's privacy policy on this subject.

Login with Google: The same applies to the use of the Google login. This Google service is provided by Google Inc. "('Google'; Amphitheatre Parkway, Mountain View, CA 94043, USA). Registration and use of Google's services are subject to Google's Privacy Policy and Terms of Use, which you can view at: Privacy Policy – Privacy & Terms – Google.

myDPD account creation

Geopost SA and DPD Lietuva UAB allow you to create an account on myDPD using the essential information provided on one or other of the platforms. In this way, accounts recognized by an email address will be identified and your information shared so that you don't have to re-enter it.

The personal data listed in point 1 as well as the following personal data are collected:

• Home address

• Expeditions

• Purchases

• User delivery address book

• Favourite parcel shops

• Delivery preferences

• Country/Language

• Consent for commercial information and communication preferences

• Parcel delivery history

• Connection method

• Terminal information

Personal data may also concern a third party or a neighbour who can retrieve the parcel on behalf of the consignee.

How long do we keep your data?

If you are an unauthenticated user, your personal data are kept for a maximum period of six (6) months in the active database and are then archived.

If you are an authenticated user of myDPD, your personal data are kept for a maximum period of two (2) years after your last connection to your myDPD account, with the exception of your physical address which is kept for three (3) years, separate from any other personal data concerning you, to help us improve our delivery performance and thus guarantee you an optimal customer experience.

In case of account deletion, the account linked to ‘myDPD” will be deleted with all data linked to the account with the exception of your physical address which is kept for three (3) years, separate from any other personal data concerning you, to help us improve our delivery performance and thus guarantee you an optimal customer experience.

Who might we share your information with?

We share the information that you provide to us with our staff so that we can provide our services to you:

• Business partners (shippers);

• Sub-contractors, especially drivers, for the performance of the delivery contract;

• Geopost;

• DPD Lietuva UAB subsidiaries

• Internally to our customer service, marketing, sales and IT departments

• Billing platform (including parcel number)

• Data processors for data management, emailing and storage

Improving delivery experience

Because DPD wants to improve your delivery experience, we display a message when you connect to your myDPD account once you have a given number of failed deliveries in a determined period to suggest you to set up your delivery preferences. How does it work? We use a commercial partner (Imagino), as a data processor, who can compute the total number of your unsuccessful deliveries to generate messages, thanks to delivery events provided to him. A message will be displayed through ABTasty when you connect to your myDPD account to promote delivery preferences.

The use of a tag by Imagino and the deposite of the ABTasty cookie are based on your consent. You can remove your consent at any time by managing your cookie settings here: https://www.dpd.com/lt/lt/mydpd-2/ (bottom part of the website). If you decide to remove your consent, we will immediately stop using the number of your unsuccessful deliveries in this process.

The display of the message to promote delivery preferences is based on our legitimate interest to:

• improve our business strategy and our delivery performance

• ensure the best possible customer experience by going beyond his expectations

• reducing operational costs and customer care costs

• promoting green redirections

Personalized communication by e-mail

With your consent, we want to send you personalized communications on Geopost and its partners we think might interest you.

Subject to your consent when creating your myDPD account, we wish to display in your myDPD space, personalized advertisements on our partners according to your interests.

Keep in mind that we do not share your information with our partners so that they can contact you, only DPD Lietuva UAB can send you personalized communications.

You can change or revoke your consent at any time in the setings section of your myDPD account.

Chatbot

A chatbot is available to help you track, redirect and get more detailed information about your parcel. Please note that the chatbot includes a free comment area where you can be led to give personal data to help us find information about your parcel. This data will be used to examine your request and is necessary to enable us to provide a more appropriate response. The information you provide is intended for the customer services and our technical service providers, within the framework of the tasks entrusted to them.

The data collected in the context of a conversation about a parcel delivery is stored during six (6) months, which is a parcel’s lifetime, after which it is automatically deleted. The data can also be deleted beforehand on request. Insofar as the information collected in this way is personally identifiable, it will be processed in accordance with Art. 6 of the GDPR based on our legitimate interest in providing an effective customer service.

In accordance with the applicable regulations on the protection of personal data, you have the right to access, rectify, oppose, limit the processing, request the transfer of your data where possible and delete your data.

We also draw your attention on the importance of not communicating sensitive data (under Article 9 if the GDPR) in this free comment area.

Do we transfer your personal data outside of EU?

We may transfer your personal information outside the European Economic Area ("EEA") or outside the European Union and will only do so if adequate protection measures are in place in compliance with data protection regulations. We use the following protection measures:

• Transferring to European Commission approved adequate countries under Article 45 of the GDPR;

• Using appropriate safeguards such as European Commission approved Standard Contractual Clauses or Binding Corporate Rules.

How do we protect your personal data?

We apply the cybersecurity best practices and follow recognized standards to ensure the protection of data and users.

 What are your rights on your data?

Under Articles 15 to 22 of the GDPR, you have the right to:

• Access your personal data and to obtain from the Joint Data Controllers confirmation as to whether your personal data are being processed;

• Rectification of your personal data and to obtain from the Joint Data Controllers without undue delay the rectification of inaccurate personal data concerning you;

• Erasure from the Joint Data Controllers of your personal data without undue delay;

• Restriction of processing;

• Data portability by transmission of your data where technically feasible.

These rights may be exercised by sending an e-mail to [email protected].

For any problem linked to the management of your personal data, you have the right to lodge a complaint with the following data protection authority: State Data Protection Inspectorate, L. Sapiegos g. 17, Vilnius, LT-10312 Vilniaus m. sav.