Privacy policy

Updated 04 07 2025


DPD Lithuania privacy notice

1. What can I find in this Privacy Policy?

This Privacy Policy (hereinafter – “Policy”) contains information on how UAB DPD Lietuva (hereinafter – “Company”, “we”) collects, stores and uses your personal data.

We comply with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter – “GDPR”), and other personal data protection laws.

2. Who is responsible for the security of my personal information?

We are: UAB DPD Lietuva

Our company reg. No.: 111639299

Our address: Liepkalnio Str. 180, Vilnius 02121

Our email: [email protected]

 

3. How does DPD Lithuania deal with personal data protection issues?

DPD Lithuania, together with other DPD Group companies (GeoPost), takes the protection of your personal data into consideration when developing its new products and services (evaluates the principles for standard and customized protection of personal data). If necessary, products or services are reviewed/updated. In order to ensure the security of your personal data and the proper exercise of your rights, we perform the following:

 - We have established the procedure for exercising your rights in order to identify cases of your personal data security breaches;

 - We complete IT security and GDPR compliance questionnaires when implementing new projects or creating applications;

 - We check the guarantees offered by our partners regarding the implementation of GDPR requirements;

 - We conduct internal audits, and prepare and implement their recommendations;

 - We get consultancy from project managers in order to establish appropriate and reasonable time limits for data storage that do not exceed the time necessary to achieve the purpose of data processing;

 - We keep data processing records;

 - We conduct regular training for our employees;

 - We have appointed data protection officers.

 

4. What personal data do we collect?

DPD Lietuva undertakes to collect only those personal data that are necessary for the provision of the requested services. When we collect optional personal data, we clearly identify what personal data is required to provide the requested service and what data you would provide on a voluntary basis. Details of the collected data are provided in Paragraph 9 of this Policy.

 

5. Where do we get your personal data from?

If you send a parcel, we receive your data when you contact us, visit one of our parcel delivery points or send the parcels using our services.

If you are a recipient of a parcel, we receive your data from the sender. Senders provide your details to us together with the packaging information or notification instructions. We need this data to deliver the goods or other parcels you have ordered. We may also obtain your data from other providers of postal services acting on our behalf and delivering parcels, e.g. if you receive a parcel from abroad, and the delivery has been assigned to another postal service provider cooperating with us.

We also obtain data directly from you when you fill in your personal information on your user account.

If you are a visitor to our website, we obtain your data through various website features. For this purpose, we use cookies or directly request information from you using the chatbot. We aim to optimize the operation of our website and provide you with information about our services. More information on cookies and their management is provided in Paragraph 14 of this Policy.

We will use your personal data to offer our services if you have agreed to receive commercial notifications as referred to in Paragraph 9.12 of this Policy. In any case, you have the opportunity to withdraw your consent at any time.

 

6. Who receives your personal data? Do we transfer your data to non-EU countries?

In order to provide quality services, we transfer your personal data to our partners and other DPD Group companies.

DPD Lithuania carries out personal data processing activities within the European Economic Area (EEA). However, we use data processors or other business partners outside the EEA for some specific services. Therefore, some of your personal data may be transferred to them strictly for the purposes of providing the services. In such cases, we require data processors to ensure the safeguards necessary for safe transfer of personal data.

Below is the detailed information about the service providers involved and data transfers outside the EEA.

| Recipients of personal data or recipient categories | Purposes of personal data transfer | Country of personal data recipient | European Commission’s decision on whether the third country ensures proper level of personal data protection | Appropriate protection measures which safeguard personal data when it is transferred outside the European Economic Area |
|---|---|---|---|---|
| AB Telia Lietuva | For the purpose of recording telephone calls | Republic of Lithuania | N/A | N/A |
| UAB Creditinfo Lietuva | For the purpose of debt management | Republic of Lithuania | N/A | N/A |
| Enterprises providing IT maintenance services | For the purpose of infrastructure maintenance | Republic of Lithuania | N/A | N/A |
| Enterprises which help us conduct parcel transfers | To provide you with high-quality parcel collection and delivery services | Republic of Lithuania | N/A | N/A |
| Enterprises providing customer support services | For the purpose of handling claims and complaints | Republic of Lithuania | N/A | N/A |
| Partners of "DPD Lietuva" whose job positions are applied for through "DPD Lietuva" job postings. | Recruitment selection | Republic of Lithuania | N/A | N/A |
| Other DPD Group companies (DPD companies in other countries and Geopost S. A.) | For the purpose of management and administration of the international group of companies | EU | N/A | N/A |
| Lawyers, notaries public, bailiffs | To defend lawful interests of the Company | Republic of Lithuania | N/A | N/A |
| Law enforcement institutions and courts of the Republic of Lithuania and the European Union | To defend lawful interests of the Company and comply with legal requirements | Republic of Lithuania / EU | N/A | N/A |
| Facebook, Inc., Facebook Ltd. | To administer social network accounts of the Company | USA / Ireland (EU) | N/A | Data transferred to the USA are stored in accordance with the Standard contract conditions |
| LinkedIn Corporation, Linkedin Ltd. | To administer social network accounts of the Company | USA / Ireland (EU) | N/A | Data transferred to the USA are stored in accordance with the Standard contract conditions |

 

7. Where do we get your personal data from?

Time limits for storage of personal data as specified in Paragraph 9 apply to different services we provide. We undertake not to store your personal data for longer than is necessary for the specific services or, if applicable, to comply with the time limits for storage arising from the applicable requirements of legal acts.

 

8. Basic provisions of the agreement of the joint data controllers

8.1. The Company is part of the DPD Group network and uses both the tools of the DPD Group and the established procedures when processing data. Therefore, together with the companies of the DPD Group – Geopost S. A. and DPD companies in other countries (the complete list of companies is available here), we have established the purposes and means of the processing of your personal data as specified in Paragraph 9.2 (provision of parcel collection and delivery services), 9.3 (identification of the recipients of parcels), 9.4 (services of cash collection from recipients), 9.8 (handling of claims and complaints), 9.11 (customer service), 9.12 (execution of direct marketing and surveys), 9.13 (improvement of services provided by DPD Lietuva), 9.16 (customs administration), and 9.17 (administration of compliance with import and export prohibitions) (hereinafter – Joint Data Controllers).

8.2. Together with the Joint Data Controllers, we have determined the responsibilities for the implementation of obligations stipulated in the applicable data protection laws, primarily including exercising of your rights and informing about data processing performed by Joint Data Controllers.

8.3. Every Joint Data Controller undertakes to ensure compliance with the applicable data protection laws, to process jointly controlled data in a correct and lawful manner, not to process the data in any way which causes or may cause any damage to you.

8.4. The Joint Data Controllers together implement appropriate measures of security, integrity, accessibility and confidentiality pursuant to the provisions of the applicable data protection laws and are committed to taking all necessary precautions to ensure that your jointly controlled personal data is safe and confidential, to prevent any accidental or illegal destruction, loss, modification, illegitimate disclosure of or access to personal data transferred, stored or processed.

8.5. In cases where you use our services and the parcel transits several countries, your rights will be ensured by the DPD company which is delivering the parcel to you, and other related Joint Data Controllers undertake to assist in exercising your rights. Please be informed that for the purpose of data processing specified in Paragraph 8.1 of this Policy, to exercise your rights listed in Paragraph 11 herein, you must contact us using the contact details provided in Paragraph 12 or other Joint Data Controllers.

8.6. For the purposes other than those specified in Paragraph 8.1, the Company is your only data controller.

 

9. Why and how do we manage your personal data?

  • For the purpose of selection of candidates for vacancies

| When is this relevant to me? | What data do you process? | On what legal basis do you process my data? | Where do you get my data from? | Must I provide my data to you? | How long will you process my data? |
|---|---|---|---|---|---|
| When you decide to contact us to participate in our and our partner's personnel selection | First name, surname, date of birth, telephone number, email address, residential address, education, current and former workplaces, CV; in the case of a courier selection, data on the service providers with whom the courier has concluded an employment contract, the size of the courier uniform, the driving licence category, years of driving experience, other data in your CV and/or other documents provided on a voluntary basis. | Processing in order to take action on the initiative of the candidate before the conclusion of a contract, in cases where you apply directly for a specific vacant position we or our partner have announced (Article 6[1][b] of the GDPR). Your consent in cases where you apply for a non-specific position or where we ask for your consent to store your data after the end of a specific competition for a position (Article 6[1][a] of the GDPR). | From you | Yes, because without this information we or our partner will not be able to conclude a contract with you and execute it. | Until the end of the selection process for a position. |

 

  • For the purposes of parcel collection and delivery services

We process your personal data in order to provide parcel collection and delivery services. Our services typically include the following actions: collection and marking of a parcel, placing the information about the parcel in the parcel tracking system, managing the ordering and delivery of the parcel, estimating the delivery time, managing the return of the parcel, and measuring the temperature of the parcel containing foodstuffs. The scope of data processed for the purposes referred to in this paragraph depends on your role in the parcel collection and delivery process.

When is this relevant to me?

What data do you process?

On what legal basis do you process my data?

Where do you get my data from?

Must I provide my data to you? 

How long will you process my data?

When you send a parcel

First name, surname, address, telephone number, email address, other information you have provided in connection with the delivery of the parcel.

We also process personal data generated by us: the parcel reference number, collection point GPS data, proof of delivery.

Processing for the performance of a contract (Article 6[1][b] of the GDPR).

 

Processing is required to fulfil legal obligations applicable to the data controller (Article 10[2] of the Postal Law of the Republic of Lithuania).

From you, except for the data generated by us

Yes, without this information we will not be able to provide services to you.

Electronic files, records in IT systems and databases are stored for 4 years from the date of receipt of the data.

 

Hard copies of the documents (waybills, manifests, e-parcel  consignment notes) are stored for 1 year and 1 month.

 

Electronic parcel delivery documents or their hard copies are stored for 3 years and 1 month.

 

When you receive a parcel

First name, surname, address, telephone number, email address, signature.

 

We also process personal data generated by us: the parcel reference number, delivery point GPS data, a photo of the front door or another secure location where the parcel is delivered, proof of delivery.

Processing is required to fulfil legal obligations applicable to the data controller (Article 10[2] of the Postal Law of the Republic of Lithuania).

 

Our legitimate interest and the legitimate interest of the sender to deliver the parcel and to identify the person who collects the parcel (Article 6[1][f] of the GDPR).

From the sender, except for the data generated by us

When you collect a parcel on behalf of another person

First name, surname, address, last 5 digits of the number of the ID document, signature

We also process personal data generated by us: delivery point GPS data, a photo of the front door or another secure location where the parcel is delivered, proof of delivery.

From you, except for the data generated by us

 

  • For the purpose of identifying the recipient of the parcel

| When is this relevant to me? | What data do you process? | On what legal basis do you process my data? | Where do you get my data from? | Must I provide my data to you? | How long will you process my data? |
|---|---|---|---|---|---|
| When a parcel is sent to you, the condition for delivery is assurance of your identity. | First name, surname, address, the number of the ID document, a photocopy of the ID document. | Our legitimate interest and the legitimate interest of the sender to identify the recipient (Article 6[1][f] of the GDPR). | From you and/or the sender | Yes, because without this information we will not be able to provide services to you. | Up to 6 months from the moment such data are recorded. |

 

  • To provide services of cash collection from recipients

| When is this relevant to me? | What data do you process? | On what legal basis do you process my data? | Where do you get my data from? | Must I provide my data to you? | How long will you process my data? |
|---|---|---|---|---|---|
| When a parcel is sent to you for which cash payment is collected | First name, surname, address, telephone number, amount of cash, time of cash collection. | Conclusion and performance of a contract (Article 6[1][b] of the GDPR). Legal obligation to properly maintain accounting in accordance with the Law on Accounting of the Republic of Lithuania (Article 6[1][c] of the GDPR). Our legitimate interest and the legitimate interest of the sender to receive payment for the delivered parcel (Article 6[1][f] of the GDPR). | From you and/or the sender | Yes, without this information we will not be able to provide services to you. | Electronic files, records in IT systems and databases are stored for 10 years from the date of receipt of the data. Cash receipts are stored for 10 years. |

 

  • For the purposes of leasing and other contracts

| When is this relevant to me? | What data do you process? | On what legal basis do you process my data? | Where do you get my data from? | Must I provide my data to you? | How long will you process my data? |
|---|---|---|---|---|---|
| When you receive a contract for signing which is sent through our couriers | First name, surname, address, telephone number, email address, date of birth, the number of the ID document, signature, the contract signed by you. | Conclusion and performance of the contract (Article 6[1][b] of the GDPR). Our legitimate interest and the legitimate interest of the sender to properly identify the recipient (Article 6[1][f] of the GDPR). | From you and/or the sender | Yes, because without this information we will not be able to conclude a contract with you and execute it. | Electronic files, records in IT systems and databases are stored for 4 years from the date of receipt of the data. Hard copies of the documents are stored within the time limits set out in the “Document Nomenclature (Directory)”: leasing and other contracts not delivered to the recipient are stored for 3 months. |

 

  • For the purposes of the conclusion and performance of contracts

| When is this relevant to me? | What data do you process? | On what legal basis do you process my data? | Where do you get my data from? | Must I provide my data to you? | How long will you process my data? |
|---|---|---|---|---|---|
| If you are a sole proprietor | First name, surname, personal ID number, address, telephone number, email address, the number and date of issue of the ID document, details of the bank account, signature, the contract concluded by you. | Conclusion and performance of the contract (Article 6[1][f] of the GDPR). Legal obligation to properly maintain accounting in accordance with the Law on Accounting of the Republic of Lithuania (Article 6[1][c] of the GDPR). | From you | Yes, because without this information we will not be able to conclude a contract with you and execute it. | Electronic files, records in IT systems and databases are stored for 10 years after the expiry of the contract. Parcel delivery contracts and invoices for services are stored for 10 years. |

 

  • For the purposes of debt management

When is this relevant to me?

What data do you process?

On what legal basis do you process my data?

Where do you get my data from?

Must I provide my data to you? 

How long will you process my data?

If you, as our contractual client, delay payment for our services

First name, surname, telephone number, email address, credit history

Our legitimate interest to receive payment for the services we have provided (Article 6[1][f] of the GDPR).

From you and UAB Creditinfo Lietuva database

No

1 year after the date of debt payment or recovery

If you are the manager or shareholder of our client (legal person) who avoids paying for our services

First name, surname, address, other data provided by UAB Creditinfo Lietuva.

From UAB Creditinfo Lietuva database

 

  • For the purpose of handling claims and complaints

When is this relevant to me?

What data do you process?

On what legal basis do you process my data?

Where do you get my data from?

Must I provide my data to you? 

How long will you process my data?

If you have any inquiries,  claims or complaints regarding the services provided to you

First name, surname, address, information contained in the claim or complaint and documents related to it, the information provided with your inquiry and its attachments and other information provided by you.

Consent (when, by submitting an inquiry, you agree that your personal data will be processed) (Article 6[1][a] of the GDPR).

Legal obligation (when we are required to respond to your inquiry under applicable legal acts) (Article 6[1][c] of the GDPR).

 

Our legitimate interest in clarifying the circumstances and properly examining claims and complaints (Article 6[1][f] of the GDPR).

From you

No

Electronic files, records in IT systems and databases are stored for 3 years from the date of receipt of the data.

 

User claims are stored for 3 years.

If you are a claimant

First name, surname, address, bank details, information on the contents of the parcel, and details specified in the purchase documents of the items sent and parcel transfer documents.

From you

 

  • For the purpose of reporting damaged packaging

| When is this relevant to me? | What data do you process? | On what legal basis do you process my data? | Where do you get my data from? | Must I provide my data to you? | How long will you process my data? |
|---|---|---|---|---|---|
| If at delivery of the parcel, it is established that the packaging is damaged and our couriers prepare a packaging damage report | First name, surname, address, a packaging damage report | Performance of the contract concluded with the sender (Article 6[1][b] of the GDPR). Our legitimate interest in clarifying the circumstances and properly examining claims and complaints (Article 6[1][f] of the GDPR). | From you | Yes, because without this information we will not be able to execute the contract with you. | Electronic files, records in IT systems and databases are stored for 3 years from the date of receipt of the data. Packaging damage reports are stored for 3 years. |

 

  • For the purposes of issuing invoices for services

| When is this relevant to me? | What data do you process? | On what legal basis do you process my data? | Where do you get my data from? | Must I provide my data to you? | How long will you process my data? |
|---|---|---|---|---|---|
| When you use our services | First name, surname, address | Performance of the contract with you as the sender (Article 6[1][b] of the GDPR). Legal obligation to properly maintain accounting in accordance with the Law on Accounting of the Republic of Lithuania (Article 6[1][c] of the GDPR). | From you | Yes, without providing this information we will not be able to execute the contract with you and issue an invoice for the services we have provided. | Electronic files, records in IT systems and databases are stored for 10 years after the expiry of the contract. Invoices for the services we have provided are stored for 10 years. |

 

  • For customer service purposes

| When is this relevant to me? | What data do you process? | On what legal basis do you process my data? | Where do you get my data from? | Must I provide my data to you? | How long will you process my data? |
|---|---|---|---|---|---|
| When you contact us by telephone | Telephone number, your data provided during a telephone call, recording of a telephone call | Our legitimate interest to ensure and improve the quality of customer service, to train employees, to properly analyse customer complaints regarding the quality of services provided by telephone and to make decisions in case of a dispute with a caller regarding the interpretation of the conversation (Article 6[1][f] of the GDPR). | From you | No | Not more than 3 months |

 

We record incoming telephone calls on the following lines:

  • Ordering line – tel. 8 700 55700;

  • Customer service consultancy line – tel. 8 5 2106 777;

  • Sales consultancy line – tel. 8 5 2106 766.

If you wish to contact us, but do not wish your phone call to be recorded, we kindly request that you call us by dialling our administration phone number 85 2106 750, or contact us by email (email addresses are provided in the contact section of the DPD website) or visit our registered office in person.

  • Provision of Benefits for Expedited Parcel Retrieval

We process data for this purpose during festive and other peak periods when parcel deliveries surge. Our goal is to ensure optimal loading of parcel terminals, facilitating timely and efficient parcel retrieval for both senders and recipients. During these specific periods, we offer customers the opportunity to receive benefits for prompt parcel retrieval, such as winning prizes. Information regarding these incentives is included in messages sent to customers.

 

| When does this apply to me? | What data of mine are you processing? | On what legal basis are you processing my data? | Where do you obtain my data from? | Am I obligated to provide my data to you? | How long will you retain my data? |
|---|---|---|---|---|---|
| When parcels are received during times of significantly increased delivery volumes. | Information such as surname, first name, phone number, email address, postal address, parcel number, details about received benefits, and won prizes | Ensuring the legitimate interest of the company, parcel senders, and recipients in maintaining optimal loading of parcel terminals during the specified periods (GDPR Article 6(1)(f)). Consent (GDPR Article 6(1)(a)) (when announcing winners on websites) | From You | No | During the periods specified in the benefit provision guidelines. 1 year (data of prize winners) |

 

  • For the purpose of direct marketing and surveys

When is this relevant to me?

What data do you process?

On what legal basis do you process my data?

Where do you get my data from?

Must I provide my data to you? 

How long will you process my data?

If you are our customer and we provide you information about our services and their changes via email and telephone

First name, surname, email address, telephone number.

If you have used our services, we will process your data in accordance with Article 81(2) of the Law on Electronic Communications of the Republic of Lithuania. If you are a new customer, we will process your data on the basis of your consent (Article 81 of the Law on Electronic Communications of the Republic of Lithuania and Article 6[1][a] of the GDPR).

 

In other cases, we rely on our legitimate interest to inform and ask you about our services and their changes (Article 6[1][f] of the GDPR)

From you

No

In the case of contractual clients, as long as the person is a DPD client.

 

For persons who have given their consent to newsletter subscription, for 5 years after the consent is given.

 

For the purpose of carrying out surveys, 6 months after receipt of the data.

If you receive our surveys to evaluate our service quality

If you are a participant of our loyalty program

 

  • For the purpose of improving the services provided by DPD Lithuania

 

For this purpose, we evaluate your data in connection with the sales and operations over a certain period of time in order to evaluate the quality of the services provided by the Company.

| When is this relevant to me? | What data do you process? | On what legal basis do you process my data? | Where do you get my data from? | Must I provide my data to you? | How long will you process my data? |
|---|---|---|---|---|---|
| When you use our services | First name, surname, email address, address, telephone number, the parcel reference number. | Our legitimate interest to ensure and improve the quality of our services provided to you (Article 6[1][f] of the GDPR). | From you | No | 6 months (subsequently, the data is anonymised) |

 

  • For the purpose of administering social network accounts

| When is this relevant to me? | What data do you process? | On what legal basis do you process my data? | Where do you get my data from? | Must I provide my data to you? | How long will you process my data? |
|---|---|---|---|---|---|
| When you carry out activities in our social network accounts (e.g. comment posts, send us a message, etc.) | First name, surname, account name, gender, country, photo, comments on the post, sharing posts, reacting to posts, and other data you provide to us. | Your consent (Article 6[1][a] of the GDPR) | From you | No | 5 years (unless you withdraw your consent earlier) |

 

  • For the purpose of administering accounting

| When is this relevant to me? | What data do you process? | On what legal basis do you process my data? | Where do you get my data from? | Must I provide my data to you? | How long will you process my data? |
|---|---|---|---|---|---|
| When you order our services | First name, surname, payment time, payment status, bank account number (IBAN), type of credit card, expiration date, payment amount, payment date. | Legal obligation as stipulated in the Law on Accounting of the Republic of Lithuania (Article 6[1][c] of the GDPR) | From you | Yes, without this information we will not be able to provide you services under the contract. | Bookkeeping records are stored for 10 years |

 

  • For the purposes of customs administration

Customs administration generally includes: checking of data against the lists of prohibited countries announced by organizations, generation of search results, and a decision to block/not to block a parcel.

| When is this relevant to me? | What data do you process? | On what legal basis do you process my data? | Where do you get my data from? | Must I provide my data to you? | How long will you process my data? |
|---|---|---|---|---|---|
| When you order parcels from the countries from which the goods are subject to customs and duty fees | First name, surname, email address, address, telephone number, notifications, the parcel reference number, IP address, content of the parcel and the estimated value of the goods. | Legal obligation as stipulated in the Law on Customs of the Republic of Lithuania (Article 6[1][c] of the GDPR). | From you / the sender | Yes, without this information we will not be able to provide you services under the contract. | 6 months in an active database and 5 years in the archives |

 

  • For the purpose of administration of compliance with the requirements for import and export prohibitions

The management of compliance with import and export prohibitions generally involves: checking of data against the lists of prohibited countries announced by organizations, generation of information on the basis of the results of the verification, and a decision to block/not to block a parcel.

| When is this relevant to me? | What data do you process? | On what legal basis do you process my data? | Where do you get my data from? | Must I provide my data to you? | How long will you process my data? |
|---|---|---|---|---|---|
| When you send or receive parcels to/from the countries which are subject to prohibitions on import or export of goods | First name, surname, email address, address, telephone number, the parcel reference number, parcel comparison/inspection result | Legal obligation as stipulated in the Law of the Republic of Lithuania on the Implementation of Economic and Other International Sanctions (Article 6[1][c] of the GDPR). | From you / the sender | Yes, without this information we will not be able to provide you services under the contract. | 30 days in the active database; from 30 days to 2 years in the limited database; from 2 to 10 years in the archives (due to legal requirements) |

 

  • For the purpose of video surveillance in the parcel distribution terminals

| When is this relevant to me? | What data do you process? | On what legal basis do you process my data? | Where do you get my data from? | Must I provide my data to you? | How long will you process my data? |
|---|---|---|---|---|---|
| When you enter the field of view of video surveillance cameras in the parcel distribution terminal | Image data, time and date of video data. | Our legitimate interest to ensure the security of the material assets (customer’s parcels) in the parcel distribution terminals and to clarify the causes and circumstances of the damage or loss of parcels (Article 6[1][f] of the GDPR). | From you | No | Not more than 30 calendar days |

 

  • For the purpose of maintaining relations with legal persons

| When is this relevant to me? | What data do you process? | On what legal basis do you process my data? | Where do you get my data from? | Must I provide my data to you? | How long will you process my data? |
|---|---|---|---|---|---|
| If you are a representative of a legal person with whom we have a relationship and we communicate with you in relation to business issues and sign contracts with the legal person you represent | First name, surname, email address, phone number, place of employment, position, signature, other information you provide. | Conclusion and performance of the contract (Article 6[1][b] of the GDPR). Our legitimate interest to maintain relations with other legal entities (Article 6[1][f] of the GDPR). | From you / legal person you represent | Yes, without providing this information we will not be able to conclude and execute a contract or maintain business relationship with you. | Electronic files, records in IT systems and databases are stored for 10 years after the expiry of the contract. Contracts and invoices for the services are stored for 10 years. |

 

  • For the purpose of control of access to the site

When is this relevant to me?
If you are entering or leaving the site of our Kaunas division

What data do you process?
Registration number of your vehicle.

On what legal basis do you process my data?
Legitimate interest to ensure access control to our site (Article 6[1][f] of the GDPR).

Where do you get my data from?
From you

Must I provide my data to you?
No

How long will you process my data?
Not more than 3 months

 

  • For the purpose of the protection of legal interests and enforcement of legal requirements

When is this relevant to me?
If we become a party or an interested person in court or other legal proceedings to which you are related, and also when we have to provide information about you in order to comply with the requirements of the law.

What data do you process?
Those of the above data, which are related to the specific legal proceedings or a legal requirement, documents of the legal proceedings, other information that you provide to us.

On what legal basis do you process my data?
Legitimate interest to represent the Company in legal proceedings (Article 6[1][f] of the GDPR).
or
The legal obligation to provide information under the law (Article 6[1][c] of the GDPR).

Where do you get my data from?
From you / the sender

Must I provide my data to you?
No

How long will you process my data?
10 years after the expiry of contractual relationship with us or 3 years (in the case of legal proceedings) from the date of entry into force of the decision of the court or authority or the date of full execution of the legally binding decision whichever is longer.

 

  • Is my personal data safe?

DPD Lietuva undertakes to take all measures to ensure the security and confidentiality of your personal data, in particular to prevent any damage, erasure or unauthorized access by a third party.

For this purpose, we have an approved information system security policy at the level of the DPD Group, which defines the guidelines for information security management. The policy includes human, physical, organizational and technical security controls.

If your personal data are subject to a data breach (destruction, loss, alteration or disclosure), DPD Lietuva undertakes to notify the data protection supervisory authority of the personal data breaches and to notify you immediately, as soon as this can be done in accordance with Article 34 of the GDPR.

 

11        What rights do I have?

Subject to the conditions, limitations and exceptions laid down in the data protection laws, you have the following rights:

 

My right

When can I exercise it?

 

Right of access to data

 

When you seek from us confirmation as to whether or not the data concerning you are processed and, if so, access the data and data processing. 

Right to rectification

When you seek that we should correct the inaccurate data concerning you.

Right to erasure (“right to be forgotten”)

 

1) When the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, 2) when you withdraw consent on which the processing is based and there is no other legal ground for the processing, 3) when you object to the processing and there are no overriding legitimate grounds for the processing or you object to the processing of data for direct marketing purposes, 4) when data have been unlawfully processed, 5) when the data must be erased for compliance with the Company's legal obligation, 6) when the data has been collected in the context of the offer for information society services made directly to a child with his consent.

Right to restriction of processing

 

1) When you contest the accuracy of the data, 2) when the processing is unlawful and you object to the erasure of the data and request the restriction of their use instead, 3) when we no longer need the data for the purposes of processing, but they are required for the establishment, exercise or defence of legal claims, 4) when you object to the processing.

Right to data portability

 

When you seek to receive the data which you have provided to us in a structured, commonly used and machine-readable format, and to transmit the data to another controller where the processing is based on consent or a contract and is carried out by automated means.

Right to object

 

Where processing is based on a task carried out in the public interest or in order to exercise the functions of a public authority, or on a legitimate interest of the data controller, including profiling, or if you object to the processing of your data for direct marketing purposes.

Right to withdraw consent

When processing is based on consent and you seek to withdraw it at any time.

Right to file a complaint

When you wish to file a complaint with the supervisory authority, in particular in the Member State where you are domiciled, where you are employed or where the suspected breach of the GDPR took place.

 

12       Do you profile me and make automated decisions?

We do not make decisions that are based solely on automated processing, which would have legal consequences for you or would have another significant impact on you. Your profiling may only be performed for the purpose specified in Paragraph 9.12.

 

13       Contact details and data protection officers

If you have any questions related to the protection of personal data, please contact us by email [email protected] (general administration) or contact our Data Protection Officer directly at [email protected].

 

14      Amendments to this Privacy Policy

This Policy is reviewed on a regular basis and, where necessary, updated at least once every two years. Any supplements or amendments to the Policy shall take effect from the date of their publication on the websites.

 

15       Information about the cookies we use

We and our partners use cookies or other tracking technologies to facilitate the use of our website, improve the operation and safety of the website and offer you personal advertising. Before activation of cookies, except the necessary cookies, we must obtain your consent. You can manage your choices – our partners and goals – by clicking Cookie Settings. You may withdraw your consent at any time by managing cookies in our website footer.

Detailed information on the cookies used on our websites is provided below:

Website address

Category of a cookie

Cookie name

Expiry period of a cookie

Dpd.com

 

Necessary cookies

c::b

 

until the website is closed

Functional cookies

dtSa

 

until the website is closed

yt-player-bandwidth

permanent

TC_PRIVACY_IAB_VENDORLIST

permanent

yt-player-bandaid-host

permanent

Performance (analytical) cookies

 

dtCookie

until the website is closed

dtLatC

dtPC

dtSa

rxec

rxvisitid

rxVisitor

rxvt

yt-player-headers-readable

permanent

Marketing cookies

 

YSC

until the website is closed

yt-remote-fast-check-period

yt-remote-session-app

yt-remote-cast-installed

yt-remote-session-name

test_cookie

1 day

VISITOR_INFO1_LIVE

179 days

IDE

1 year

yt.innertube::nextId

permanent

yt-remote-device-id

permanent

yt-remote-connected-devices

permanent

yt.innertube::requests

permanent

Esiunta.dpd.lt

Necessary cookies

 

rc::c

until the website is closed

XSRF-TOKEN

1 day

__cflb

1 day

laravel_session

1 day

__cfduid

29 days

rc::a

permanent

Functional cookies

 

_hjTLDTest

until the website is closed

storedObject

permanent

Performance (analytical) cookies

 

_gat

1 day

_gid

1 day

_hjid

1 year

_ga

2 years

_hjid

permanent

Marketing cookies

tr

until the website is closed

ads/ga-audiences

_hjIncludedInSample

fr

3 months

_gcl_au

3 months

_fbp

3 months

NID

6 months

Data Protection Notice: myDPD Website and myDPD App

 This data protection notice governs the access and the use of the https://www.dpd.com/lt/en/mydpd-2/ website and the “myDPD” application (hereinafter jointly referred to as “myDPD”).

Under the name "myDPD", DPD Lietuva UAB provides digital platforms on web servers or mobile terminals which enable consumers to monitor and manage their received, sent, and returned parcels.

Your personal data is jointly processed by Geopost SA, with registered office at 26 rue Guynemer - 92130 Issy-Les-Moulineaux (France), and its subsidiary DPD Lietuva UAB as well as their own subsidiary (collectively referred to as the “Companies”). Together they are Joint Data Controllers of the following data processing:

  • “Parcel Delivery & Unauthenticated consignee interaction”: This processing concerns consignees that do not have an account on myDPD

  • “Authenticated consignee interaction”: This processing concerns consignees that created an account on myDPD (“myDPD account”).

 

What does “Joint Data Controllers” mean?

It means that under Article 26 of GDPR, Geopost SA and DPD Lietuva UAB jointly determine the purposes and means of the processing.

 

What personal data do we collect?

By default, the myDPD services can be used without registration.

Personal data collected through your myDPD account are not mandatory for the execution of delivery services. However, this data enables us to provide you with the best possible service and to optimize the delivery of your parcel.

We collect the following data:

  • Parcel number

  • First name

  • Last name

  • E-mail address

  • Delivery address

  • Phone number

  • Proof of Delivery including in some cases the signature

  • Free text fields for additional delivery address information (e.g. code number)

  • Photo of front door or safe place

  • Notes (if you have assigned any)

 

We draw your attention to the importance of not communicating sensitive data (under Article 9 of the GDPR) in the free text fields.

In order to access all of the functionalities offered, you are invited to register either by means of an e-mail address and password or by using an existing Facebook, Apple or Google account. In this respect, Geopost and DPD Lietuva UAB do not transmit any parcel information to Facebook, Apple or Google and only use these services for authentication purposes. After authentication, a unique myDPD account is created for all our services.

 

Why do we collect your personal data?

The personal data are processed in the context of delivery services agreements as well as any other existing service related to the creation of your myDPD account. The data will be used by Geopost SA and DPD Lietuva UAB, and/or any third party involved in the performance of the services, particularly for the following purposes:

  • For delivery services

  • When you choose to provide us additional information to facilitate delivery of the parcel

  • Manage your myDPD account

  • Manage notifications to consignees via e-mail, SMS, push notification or social media

  • Help the user get in contact with our support team

  • Build consumers profiling according to uses of DPD services, frequency of delivery, delivery experiences, purchases and location

  • Communicate via personalized or non-personalized e-mails, push notifications and banners about DPD Lietuva UAB and/or our partners

  • Ensure the security of your account

 

What legal basis do we use to process your personal data?

We collect your personal information based on:

  • Our contractual obligations in the context of our delivery activities; or

  • Our compliance to legal obligations; or

  • The legitimate interests of Geopost SA and DPD Lietuva UAB (provided your interests and fundamental rights do not override those interests)

  • Your consent on the processing of your data for communications

 

Account creation

Connection with external account

Login with Apple ID: If you use your Apple ID when logging in to DPD, you can register or log in with your Apple account. You will then be forwarded to the Apple website. For the iOS app the process takes place entirely within the operating system. For the login you will need the email address which is stored with Apple. This is required for identification purposes in order to create a secure DPD account for you and is stored with us. Your Apple profile and your DPD account are permanently linked via the email address. You can remove this link at any time on the Apple website. DPD never learns your Apple access data. You can read how Apple handles privacy settings in the Apple data protection notices; these are also the valid regulations governing this possibility of logging in and registering with DPD.

Login with Facebook: Facebook Connect is an offer from Facebook Ireland Limited (Hanover Reach, 5-7 Hanover Quay, Dublin 2, Ireland). Its use is voluntary and optional. When using Facebook Connect, Facebook profile data and public data from your Facebook profile are transferred to DPD. We use and process your first and last name, gender, email address, and Facebook ID for simplified registration to use the Parcel Navigator. If you are already a DPD customer, only the Facebook ID will be processed. Your Facebook account is linked to the DPD account via the Facebook ID. This makes it possible for you to register for the service using your Facebook access data via the "Login with Facebook" button. In addition, every time you log in, Facebook will know that you are using the DPD service. The link to Facebook can be revoked at any time on Facebook itself. Please also read Facebook's privacy policy on this subject.

Login with Google: The same applies to the use of the Google login. This Google service is provided by Google Inc. ("Google"; Amphitheatre Parkway, Mountain View, CA 94043, USA). Registration and use of Google's services are subject to Google's Privacy Policy and Terms of Use, which you can view at: Privacy Policy – Privacy & Terms – Google.

myDPD account creation

Geopost SA and DPD Lietuva UAB allow you to create an account on myDPD using the essential information provided on one or other of the platforms. In this way, accounts recognized by an email address will be identified and your information shared so that you don't have to re-enter it.

The personal data listed in point 1 as well as the following personal data are collected:

  • Home address

  • Expeditions

  • Purchases

  • User delivery address book

  • Favourite parcel shops

  • Delivery preferences

  • Country/Language

  • Consent for commercial information and communication preferences

  • Parcel delivery history

  • Connection method

  • Terminal information

Personal data may also concern a third party or a neighbour who can retrieve the parcel on behalf of the consignee.

 

How long do we keep your data?

If you are an unauthenticated user, your personal data are kept for a maximum period of six (6) months in the active database and are then archived.

If you are an authenticated user of myDPD, your personal data are kept for a maximum period of two (2) years after your last connection to your myDPD account, with the exception of your physical address which is kept for three (3) years, separate from any other personal data concerning you, to help us improve our delivery performance and thus guarantee you an optimal customer experience.

In case of account deletion, the account linked to “myDPD” will be deleted with all data linked to the account with the exception of your physical address which is kept for three (3) years, separate from any other personal data concerning you, to help us improve our delivery performance and thus guarantee you an optimal customer experience.

 

Who might we share your information with?

We share the information that you provide to us with our staff so that we can provide our services to you:

  • Business partners (shippers);

  • Sub-contractors, especially drivers, for the performance of the delivery contract;

  • Geopost;

  • DPD Lietuva UAB subsidiaries

  • Internally to our customer service, marketing, sales and IT departments

  • Billing platform (including parcel number)

  • Data processors for data management, emailing and storage

 

Improving delivery experience

Because DPD wants to improve your delivery experience, once you have had a given number of failed deliveries in a determined period we display a message when you connect to your myDPD account, suggesting that you set up your delivery preferences. How does it work? We use a commercial partner (Imagino), acting as a data processor, which computes the total number of your unsuccessful deliveries from the delivery events provided to it in order to generate messages. A message promoting delivery preferences is then displayed through ABTasty when you connect to your myDPD account.

The use of a tag by Imagino and the deposit of the ABTasty cookie are based on your consent. You can remove your consent at any time by managing your cookie settings here: https://www.dpd.com/lt/lt/mydpd-2/ (bottom part of the website). If you decide to remove your consent, we will immediately stop using the number of your unsuccessful deliveries in this process.

The display of the message to promote delivery preferences is based on our legitimate interest to:

  • improve our business strategy and our delivery performance

  • ensure the best possible customer experience by going beyond the customer's expectations

  • reduce operational costs and customer care costs

  • promote green redirections

 

Personalized communication by e-mail

With your consent, we want to send you personalized communications about Geopost and its partners that we think might interest you.

Subject to your consent when creating your myDPD account, we wish to display in your myDPD space, personalized advertisements on our partners according to your interests.

Keep in mind that we do not share your information with our partners so that they can contact you, only DPD Lietuva UAB can send you personalized communications.

You can change or revoke your consent at any time in the settings section of your myDPD account.

 

Chatbot

A chatbot is available to help you track, redirect and get more detailed information about your parcel. Please note that the chatbot includes a free comment area where you can be led to give personal data to help us find information about your parcel. This data will be used to examine your request and is necessary to enable us to provide a more appropriate response. The information you provide is intended for the customer services and our technical service providers, within the framework of the tasks entrusted to them.

The data collected in the context of a conversation about a parcel delivery is stored during six (6) months, which is a parcel’s lifetime, after which it is automatically deleted. The data can also be deleted beforehand on request. Insofar as the information collected in this way is personally identifiable, it will be processed in accordance with Art. 6 of the GDPR based on our legitimate interest in providing an effective customer service.

In accordance with the applicable regulations on the protection of personal data, you have the right to access, rectify, oppose, limit the processing, request the transfer of your data where possible and delete your data.

We also draw your attention to the importance of not communicating sensitive data (under Article 9 of the GDPR) in this free comment area.

 

Do we transfer your personal data outside of EU?

We may transfer your personal information outside the European Economic Area ("EEA") or outside the European Union and will only do so if adequate protection measures are in place in compliance with data protection regulations. We use the following protection measures:

  • Transferring to European Commission approved adequate countries under Article 45 of the GDPR;

  • Using appropriate safeguards such as European Commission approved Standard Contractual Clauses or Binding Corporate Rules.

 

How do we protect your personal data?

We apply the cybersecurity best practices and follow recognized standards to ensure the protection of data and users.

 

 What are your rights on your data?

Under Articles 15 to 22 of the GDPR, you have the right to:

  • Access your personal data and to obtain from the Joint Data Controllers confirmation as to whether your personal data are being processed;

  • Rectification of your personal data and to obtain from the Joint Data Controllers without undue delay the rectification of inaccurate personal data concerning you;

  • Erasure from the Joint Data Controllers of your personal data without undue delay;

  • Restriction of processing;

  • Data portability by transmission of your data where technically feasible.

These rights may be exercised by sending an e-mail to [email protected].

For any problem linked to the management of your personal data, you have the right to lodge a complaint with the following data protection authority: State Data Protection Inspectorate, L. Sapiegos g. 17, Vilnius, LT-10312 Vilniaus m. sav.

Joint-Controllership with Geopost SA

In certain cases, DPD together with Geopost SA (Geopost) process personal data as Joint-Controllers.

 

Geopost SA

Guynemer 92130

Issy-Les-Moulineaux

France

Joint-Controller Agreement (JCA): We have concluded a JCA which governs the processing of your data by the Joint-Controllers. This agreement defines the respective responsibilities of each party, in particular regarding the facilitation of data subject rights and the coordination of data breach management.

 

More information on data processing by Geopost and contact details: Data Protection Notice (https://www.geopost.com/en/data-privacy-policy)

 

Rights of the Data Subject: You may exercise your data protection rights (such as access, rectification, erasure, restriction or objection) with either DPD or Geopost. The internal allocation of responsibilities between the Joint Controllers does not affect your ability to exercise these rights with either party. If your request relates to processing activities or systems operated by Geopost, DPD will coordinate with Geopost to ensure a proper and timely response.

Data Breach Management: In case of a data breach affecting a system provided by Geopost, we will involve Geopost to manage the data breach together.

 

JCA: Data Processing Activities (Source: Geopost)

 

Common Processing Activity Agreed purposes Legal basis Personal Data Retention period
Common Processing Activity: Parcel delivery & unauthenticated consignee interaction

Agreed purposes:
- Shipment and labeling process
- Track and trace by Geopost employees
- Consultation of the parcel’s status by customers via dedicated applications
- Delivery tool management
- Order management / collection requests
- Parcel’s temperature (containing food) monitoring throughout their life cycle and generate alerts in the event of a break in the cold chain
- Calculation of an estimated number of days to deliver parcel based on zip code of both the origin and the destination
- Facilitating delivery services with delivery instructions
- Track and trace the parcels by the consignees via consignee application
- Knowledge improvement and interaction with consignees and prospects
- Parcel return management
- Collection of the level of satisfaction of the consignees

Legal basis: Performance of a contract; Legitimate interest; Legal obligation

Personal Data: Sender or receiver data, when is Consumer only: First / last name, username, email, address (including home GPS coordinates), phone number, parcel number, date of birth, home GPS coordinates, POD, picture of front door or safe place, COD, contact details, ID numbers, additional information necessary for ID check, free text fields for more detail about the address for example (door code). Depending on BUs, some other personal data can be stored and managed locally.

Retention period: 6 months in active database + archive database for regulatory purposes (indicated in other processing). Postal address (House number, street name, city, Post code, Country code, Longitude, Latitude) will be kept for 3 years based on the necessity to have reliable data and be able to calculate tactical planning scenarios.

Common Processing Activity: Authenticated consignee interaction

Agreed purposes:
- Management of notifications to consignees via e-mail or SMS or social media (Predict, etc.)
- Execution of prospecting operations to improve the offers and services of Geopost and its subsidiaries
- Collection of the level of satisfaction of the consignees
- Consumers profiling according to uses of Geopost services, frequency of delivery, delivery experiences and customer service interactions, etc. (without automated decisions)
- Display of advertising, newsletters, personalized campaign
- Loyalty program

Legal basis: Performance of a contract; Legitimate interest; Consent

Personal Data: Sender and receiver data, when is Consumer only: Name, e-mail, address (street, street number, house number, postcode, city), phone number, parcel number, title (Mr, Ms), company, free text fields, ID numbers and passports, HS code, login, gender, delivery preferences (preferred PUDO location, safeplace, etc.), communication preferences (email, SMS, push, etc). Data may concern also 3rd person and/or neighbor who retrieve the parcel instead of the consignee.

Retention period: 2 years following last connection. Postal address (House number, street name, city, Post code, Country code, Longitude, Latitude) will be kept for 3 years based on the necessity to have reliable data and be able to calculate tactical planning scenarios.

Common Processing Activity: CS Investigation & claim management

Agreed purposes:
- Customer service back-office communication tool between customer services of BUs for cross-border parcels
- Measurement of BU's performance
- Monitoring the performance of BU’s customer service employees by managers of BU’s CS

Legal basis: Performance of a contract (for claim management); Legitimate interest (for the measurement of BU's performance)

Personal Data: Sender or receiver data, when is Consumer only: Name, address (street number, zip code, city, country) e-mail, phone number, parcel number, collection request number, case number, COD amount, POD, free text fields for parcel content for example

Retention period: 6 months after case closure database and 6 months in archive database (not anonymized). Anonymization of consignee’s personal data for reporting.

Common Processing Activity: Geocheck (Embargo)

Agreed purposes:
- Comparison of personal data against Denied Party Lists (DPLs) published by organizations
- Generation of events according to verification results
- Decision whether or not to block the parcel
- Request of licenses if designated persons are confirmed among the workforce

Legal basis: Legal obligation

Personal Data: Receiver data, when is Consumer only: Name, e-mail, address, phone number, parcel number, result of the comparison/verification. These personal data concerns also the employees of Geopost.

Retention period:
- 30 days in live/production Database
- From 30 days to 2 years on a restricted database (restricted access for LECO only)
- From 2 years to 10 years in archive (legal requirements, restricted access only for Geocheck administrator)

Common Processing Activity: Customs process

Agreed purposes:
- Notification management and payment for duties and taxes
- Generation of proofs of payment

Legal basis: Legal obligation

Personal Data: Sender and receiver data, when is Consumer only: Name, e-mail, address (including street and house number, city, country, zip code), phone number, SMS, contact, parcel number, IP address, content of the parcels associated to value of goods

Retention period: 6 months in active database and 5 years in archive database (unless advised differently by BUs)

Common Processing Activity: Reporting KPI

Agreed purposes:
- Leverage data from X months/years for sales/marketing/ops analysis for market assessment
- Measurement of the quality of the performance

Legal basis: Legitimate interest

Personal Data: Sender and receiver data, when is Consumer only: Name, e-mail, address, phone number, parcel number

Retention period: 6 months (anonymization after)

Common Processing Activity: Whistleblowing Alerts

Agreed purposes:
- Receiving and recording whistleblowing alerts
- Investigation and monitoring of the alerts
- Closure of alerts
- Development of activity data (statistics) on anonymous data

Legal basis: Legal obligation; Legitimate interest

Personal Data:
- Email address
- Date and purpose of whistleblowing alert
- Phone number
- First name, last name
- Any other data communicated as part of the alert and/or investigation

Retention period: The personal data is kept as long as needed to handle the alert; it is then deleted within a set delay after the closure of the alert. More precisely:
- Data relating to an alert may be kept in the active database until a final decision has been taken on the action to be taken. This decision must be taken within a reasonable time from receipt of the alert.
- Once the final decision on the action to be taken on the alert has been taken, the data may be kept in the form of intermediate archives, for the time strictly proportionate to their processing and the protection of their authors, the persons to whom they refer and the third parties mentioned, considering the time required for any further investigations.
- When disciplinary or litigation proceedings are instituted against a respondent or the perpetrator of an abusive alert, the data relating to the alert may be kept by the organisation responsible for alert management until the end of the procedure or the time limit for appeals against the decision taken.

Data may be kept for a longer period, in intermediate storage, if the data controller is legally obliged to do so (for example, to meet accounting, social or tax obligations), or for evidentiary purposes with a view to a possible audit or dispute, or for the purposes of carrying out quality audits of the processes for handling alerts.

Common Processing Activity: Export Control

Agreed purposes:
- Allow Geopost and its subsidiaries to verify export authorisations and permits for dual-use goods

Legal basis: Legal obligation

Personal Data:
- Name, First name – Postal address
- Parcel content (HS code and description)
- Origin country of the parcel
- Destination country of the parcel
- Telephone number

Retention period:
- 30 days in a live/production Database
- 30 days to 2 years on a restricted database (restricted access only for LECO - Local Embargo Compliance Officer)
- 2 years to 6 years in archives (legal requirements, restricted access only for ECM administrator)

Common Processing Activity: Partner Barometer

Agreed purposes:
- Establish indicators to measure subcontractor/partner satisfaction which can be used to monitor progress and demonstrate our commitment to Partner of Choice
- Use the results of the barometer to support 2-way dialogue with partners
- The insights acquired from the barometer can 1) support each BU to identify the relevant initiatives in their PoC roadmap and 2) support centrally to know where to put focus.

Legal basis: Legitimate interests

Personal Data:
- First name
- Last name
- Personal email address
- Professional email address

Retention period: 12 months (until next update)

Common Processing Activity: Geopost common Cyber Tooling

Agreed purposes:
- Protect the security of the information systems of Geopost and its Business Units

Legal basis: Legitimate interests

Personal Data:
- User account (email address)
- First name
- Last name
- IP address of personal work device
- Logs

Retention period:
- Sentinel One: 14 or 90 days depending on BUs (device logs), 365 days (device logs if alert)
- DSP (Semperis): Managed by BU
- Darktrace: Managed by BU
- Recorded Future Identity: Until the subscription is cancelled
- Tenacy: 90 days (Logs)
- Qualys: 6 Months
- Nessus: Managed by BU
- Mandiant: Cyber incident Investigation time

Common Processing Activity: Fleet Imagery

Agreed purposes:
- Monetizing data captured in footage of roads and streets during delivery

Legal basis: Legitimate interests

Personal Data:
- Faces
- License plates

Retention period: Internal storage is set to a maximum of 30 calendar days or at minimum until memory is overwritten (data exceeds capacity of storage)

You can download our privacy policy here