1. DPD is a controller

According to the General Data Protection Regulation (GDPR), DPD (Netherlands) B.V. is the controller in all business processes. This means that we determine, among other things, which personal data we process, how we process personal data and what the storage period is. In addition, we also determine who has access to the personal data.

2. Purpose of the processing

Our principals are (business and private) shippers (amongst others webshops), who want to have goods transported. We have agreed with the principals that we do not transport parcels ourselves but engage carriers to have the parcel delivered. For the latter, the personal data of the consignee of the parcel, which has been made available by the principal, is required. Furthermore, we also use the personal data to be able to offer additional services and improve our service by, for example, using a review system.

3. Personal data

As we have already mentioned above, the personal data is made available by the principal. It concerns the following data:

Services

Category personal data

Administration

Principal:
·   Company data and general contact data such as telephone number and email address
·   Invoicing data
Contact person: personal contact data

Shipping of a parcel

Principal: shipping address

Consignee: delivery address
Consignee: telephone number and email address

Delivery of a parcel

Consignee:

  • Delivery address and possibly telephone number/email address and signature/initials

  • Date of birth and 5 last digits of ID documentnumber with regard to the option ‘Age Check’

 

Customs clearance

Principal and Consignee: customs clearance data

Complaint

Principal: Name contact person
Principal: Telephone number and email address
Consignee: Name and address

Claim

The data above (see complaint)
Principal and Consignee:
Additional claim documents to substantiate a claim.
Category personal data

Administration

Principal:
·   Company data and general contact data such as telephone number and email address
·   Invoicing data
Contact person: personal contact data

Shipping of a parcel

Principal: shipping address

Consignee: delivery address
Consignee: telephone number and email address

Delivery of a parcel

Consignee:

  • Delivery address and possibly telephone number/email address and signature/initials

  • Date of birth and 5 last digits of ID documentnumber with regard to the option ‘Age Check’

 

Customs clearance

Principal and Consignee: customs clearance data

Complaint

Principal: Name contact person
Principal: Telephone number and email address
Consignee: Name and address

Claim

The data above (see complaint)
Principal and Consignee:
Additional claim documents to substantiate a claim.

In order to provide a better service, we are supported by our parent company GeoPost. Together we are responsible for the following:

ServicesPurposeCategory personal data
MyDPDConsignees can track their parcel in one environment and influence their deliveryConsignee: Account data incl. contact data
Follow my ParcelShows the location of the driver in relation to the delivery addressConsignee: Delivery address and possibly telephone number and email address
Pickup ServicesAdministration system with regard to Pickup parcelshopsSupplier: Company data and contact data such as telephone number and email address
Invoicing data
Geocheckcheck with the list sanction lawPrincipal, consignee and supplier: name and address
Purpose
MyDPDConsignees can track their parcel in one environment and influence their delivery
Follow my ParcelShows the location of the driver in relation to the delivery address
Pickup ServicesAdministration system with regard to Pickup parcelshops
Geocheckcheck with the list sanction law
Category personal data
MyDPDConsignee: Account data incl. contact data
Follow my ParcelConsignee: Delivery address and possibly telephone number and email address
Pickup ServicesSupplier: Company data and contact data such as telephone number and email address
Invoicing data
GeocheckPrincipal, consignee and supplier: name and address

4. Processing and provision personal data

We process the data on secure servers in the Netherlands and on secure servers of GeoPost and the delivery depot of the DPD partners. These servers are located within the European Economic Area (EEA) unless the principal wishes delivery of a parcel in a country outside the EEA, such as the United Kingdom or Switzerland. In that case, to fulfill our contractual obligations towards the principal, we must provide the delivery data to our DPD partner outside the EEA for the purpose of delivering parcels to the specified address on behalf of the principal.

In the event that delivery must take place in a country outside the EEA, we are also obliged, pursuant to legal obligations, to provide personal data with customs. Customs clearance of the parcel can only take place on the basis of the required data.

Since we do not transport ourselves, but engage carriers to have the parcel delivered, we must, prior to the start of the delivery process of the parcel, provide the delivery address and possibly contact details to the carrier, in order to fulfill our contractual obligation. These data are only processed by the carriers with a DPD handheld scanner and are not provided to the carrier in any other way.

Another group of suppliers to whom we may provide personal data are companies that offer a specific service that is not available within our organization but that are supportive to the purpose. Take, for example, IT companies or, as we have indicated earlier, a review system. Based on this legitimate interest, we can improve and expand our services, but also safeguard business continuity.

We also provide personal data to DPD partners, carriers and insurers in case a parcel is lost or damaged. After the claim of the principal has been accepted and compensation has been paid, we will always try to recover damages from the party that has caused the damage. We therefore have a legitimate interest in addressing the party causing the damage and recovering costs on the basis of a substantiated claim.

If we provide personal data in the above situations, we will, if the supplier is a processor, always specify the special conditions under which personal data are provided and processed by concluding a processor agreement. The latter specifies exactly what the supplier can and can’t do with the personal data and what requirements are necessary for the security of the personal data. In the single case that a supplier is located outside the EEA (the so-called third countries), we will always assure that an adequate level of protection applies. DPD will always follow the adequacy decision or the standard provisions of the European Commission, whereby the level of protection corresponds to the level within the EU.

In order to keep a close eye on all processing activities that take place within our organization, we register the processing operations in a processing activities register. This is an overview of, among other things, the type of processing that takes place, the purpose for which it is processed, the category and type of personal data, which supplier may be involved, who has access to the personal data and what ultimately the storage period is.

5. Security

DPD always takes appropriate technical and organizational measures to ensure the security level. We adjust this level to the risk. And in doing so, we take into account technological developments, implementation costs, processing goals and the probability and impact of an infringement. In addition, every employee within DPD signs a confidentiality agreement so that the privacy of the personal data is guaranteed. This also applies to third parties, such as a carrier or an IT company.

6. Storage period

We do not want to store personal data longer than necessary. We therefore use a standard storage period of 2 years. Are there legal obligations that require us to store the data longer? Or do we need the data longer because a claim has been submitted? Then we deviate from the two-year term. After the storage period has expired, we will withdraw the personal data from the systems. Not only with us, GeoPost and delivery depots, but also with the supplier. In the overview below, we have listed some important storage periods

ServicesCategory personal dataStorage period
AdministrationPrincipal:7 years
·   Company data and general contact data such as telephone number and email address
·   Invoicing data
Contact person: personal contact data1 year
Shipping of a parcelPrincipal: shipping address90 days
Consignee: delivery address
Consignee: telephone number and email address14 days
Delivery of a parcel

Consignee:

  • Name, address, signature / initials
  • Date of birth and 5 last digits of ID documentnumber with regard to the option ‘Age Check’
2 years
Customs clearancePrincipal and Consignee: customs clearance data7 years
ComplaintPrincipal: Name contact person2 years
Principal: Telephone number and email address
Consignee: Name and address
ClaimThe data above (see complaint)7 years
Principal and Consignee:
Additional claim documents to substantiate a claim.
My DPDConsignee: account data2 years
Follow my ParcelConsignee: contact data1 years
Pickup ServicesParcelshop: Company data and invoicing data7 years
GeocheckPrincipal and consignee: name and address7 years
Category personal data
AdministrationPrincipal:
·   Company data and general contact data such as telephone number and email address
·   Invoicing data
Contact person: personal contact data
Shipping of a parcelPrincipal: shipping address
Consignee: delivery address
Consignee: telephone number and email address
Delivery of a parcel

Consignee:

  • Name, address, signature / initials
  • Date of birth and 5 last digits of ID documentnumber with regard to the option ‘Age Check’
Customs clearancePrincipal and Consignee: customs clearance data
ComplaintPrincipal: Name contact person
Principal: Telephone number and email address
Consignee: Name and address
ClaimThe data above (see complaint)
Principal and Consignee:
Additional claim documents to substantiate a claim.
My DPDConsignee: account data
Follow my ParcelConsignee: contact data
Pickup ServicesParcelshop: Company data and invoicing data
GeocheckPrincipal and consignee: name and address
Storage period
Administration7 years
1 year
Shipping of a parcel90 days
14 days
Delivery of a parcel2 years
Customs clearance7 years
Complaint2 years
Claim7 years
My DPD2 years
Follow my Parcel1 years
Pickup Services7 years
Geocheck7 years

7. Access to your personal data

Would you like access to your personal data? Then you can contact us by letter or e-mail. You can use the following information for this:
DPD (Nederland) B.V.
To: Legal Department
PO Box 302 - 5684 PK Best
[email protected]

We want to be sure that we give the personal data to the right person. That is why we ask you for a copy of a valid passport, driver's license or identity card. Always ensure that you make the photo unrecognizable. We encourage you to put the entry ‘copy’ and the date. Please also erase the social security number (het BSN) on the document and in the line on the bottom of the card. Of course you can only request personal data from yourself and not from others.

8. Your rights

Are your personal data incorrect and do they need to be corrected? Do you want us to delete your personal data or to restrict the processing of your personal data so that we only use a limited amount of data? Or do you want us to transfer your data to another party? Or have you given permission for the processing of your personal data but do you want to withdraw your permission? Send your request to the email address mentioned above. You can also object to the processing of your data via that email address.

9. Data Protection Officer

DPD has appointed a data protection officer (DPO) which is an internal supervisor for the processing of personal data. If you have any questions, you can contact the DPO via email address [email protected]

Supervisory authority

Are you not satisfied or if you can’t agree with us? Then you can file a complaint with:
Autoriteit Persoonsgegevens
Postbus 93374
2509 AJ Den Haag

Amendments

DPD reserves the right to change the policy as described in this Privacy Statement at any time and at her sole discretion. You can always read the current Privacy Statement on our website.

Date of publication: 1st July 2021

Download the DPD privacy statement

DPD privacy statement

Small (138kb)

PDF