Menu

PRIVACY NOTICE

DATA OF THE CONTROLLER

Name of Controller: Direct Parcel Distribution SK s.r.o.

Identification number: 35 834 498

Registered office of the Controller: Pri letisku 5, 821 04 Bratislava – mestská časť Ružinov

E-contact of the Controller: [email protected]

Contact details of the Data Protection Office: [email protected]

PRIVACY NOTICE

GPDR_alternative illustration GDPR_illustration mobile

DATA OF THE CONTROLLER

Name of Controller: Direct Parcel Distribution SK s.r.o.

Identification number: 35 834 498

Registered office of the Controller: Pri letisku 5, 821 04 Bratislava – mestská časť Ružinov

E-contact of the Controller: [email protected]

Contact details of the Data Protection Office: [email protected]

DECLARATIONS

DATA PROCESSING CONFORMITY DECLARATION

Please note that during the preparation for the application of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: ‘GDPR’ or ‘Regulation’), we outlined the personal data processing processes of the undersigned Direct Parcel Distribution SK s.r.o. with its registered office at Pri letisku 5, 821 04 Bratislava – mestská časť Ružinov (hereinafter: ‘DPD SK’) covered by the Regulation. A record was created of the data identified during the processes, which operate legally in accordance with the expected principles.

The purposes and legal grounds of each processing, the scope of personal data involved in the processing (according to the categories of data subjects) and the criteria system of data retention were recorded. The technical and organisational measures for data security have been taken. In the case of data stored on paper and data stored on IT devices, networks and servers, technical organisational measures have been developed, such as the rights management process, servers and server security requirements. A Data Protection Officer has been appointed at our company. Our Data Protection and Data Security Policy sets out the rules for detecting and handling personal data breaches, conducting data protection impact assessments and interest balancing tests.

With regard to further tasks, we are aware of the goals that must be achieved in order for the rights of the data subject to be fully enforced. While striving for the maximum protection of personal data, we respect the right to informational self-determination. We inform the data subjects on the legal remedies available to them. The data processing path used at DPD SK can be tracked and controlled by everyone.

We declare that, in addition to the GDPR Regulation, we carry out our activities in compliance with the provisions of Act No. 18/2008 Coll. on the Protection of Personal Data and on Amendments and Supplements to Certain Acts, as amended. We require strict compliance with legal regulations from all our partners, and in the course of our activities we engage exclusively partners and subcontractors who meet the legislative requirements for the processing of personal data of data subjects.

 

Ing. Peter Pavuk

managing director, Direct Parcel Distribution SK s.r.o.

 

STATEMENT ON THE CONCLUSION OF DATA PROCESSING CONTRACTS UNDER THE GDPR

Dear Clients,

Direct Parcel Distribution SK s.r.o., with its registered office at Pri letisku 5, 821 04 Bratislava – mestská časť Ružinov (hereinafter: ‘DPD SK’) issues the following statement in connection with the request for the conclusion of data processing contracts from its customers, taking into account Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as GDPR).  

Under Article 28 of the GDPR, a data processing contract must be concluded between the controller and the processor in order to oblige the processor to respect the rules on the processing of personal data, to provide adequate guarantees to ensure compliance with the requirements of the Regulation and to implement technical and organisational measures to ensure the protection of data subjects.

DPD SK is acting as a independent controller and not as a processor in the performance of its courier services. Legal ground of the processing - data processing required for the performance of the contract under Article 6 (1) b) of the GDPR.

DPD SK independently determines the purposes and means of the processing of the personal data during the provision of the service. DPD SK is responsible for the collection, organisation, processing and storage of the personal data.

DPD SK has the right to retain the data collected even after the termination of the contract (it is not obliged to erase them at the customer's request) for the period necessary to satisfy and assess any legal claims (e.g. but not exclusively assessment of compensation claims for lost or damaged parcels).

Thus, in the above-mentioned case, where DPD SK provides only courier services, it is not acting as a processor of personal data relating to customers, but as a controller. Thus, in such a case, the Regulation does not impose the obligation to conclude a contract for processing.

For more information on the processing of personal data, please see our website, where details are provided below.

 

Ing. Peter Pavuk

managing director, Direct Parcel Distribution SK s.r.o.

 

GENERAL INFORMATION ON DATA PROCESSING

HOW DO WE PROTECT PERSONAL DATA?

Direct Parcel Distribution SK s.r.o. (hereinafter “Company”) ensures the security of the data and takes all technical and organisational measures necessary to enforce the GDPR and other data and confidentiality protection regulations. It protects the data against unauthorised access, alteration, transfer, disclosure, erasure or destruction and against accidental destruction or damage.

The Company  applies the following measures in order to secure the personal data processed on paper:

  • the data can only be accessed by authorised persons, with no one else having access thereto

  • the continuously processed documents are only accessible by the competent persons

  • if the personal data processed on paper is digitized, the Company applies the security rules governing digitally stored documents

If the purpose for the processing of the paper-based personal data is achieved, the Company arranges for the destruction of the paper.

In order to ensure the security of personal data stored on a computer or network, the Company applies the following measures and guarantee elements:

  • the computers used in the processing are the property of the Company, or it exercises its rights equivalent to ownership rights over them

  • the data on the computer can only be accessed with a valid, personal and identifiable authorisation - at least with a username and password -, and the passwords are changed by the Company on a regular basis or in justified cases

  • the data stored on the network server computer (hereinafter: ‘server’) can be accessed only with appropriate authorisation and only by designated persons

  • if the purpose of the processing has been achieved and the deadline for the processing has expired, the file containing the data is permanently erased, making it impossible to recover

  • the Company protects the servers with an infrastructure of high level-availability for the security of the data stored on the network, avoiding data loss with backups and archiving

  • the data carrier storing the saved data is stored in a safe box designed for this purpose, in a fireproof place and manner

  • it provides continuous virus protection for the personal data processing network

  • it prevents unauthorised persons from gaining access to the network by using the available IT equipment

The purpose of the regulation of right management is for the allocated rights to be accurately trackable and preserved in a documented form, and for the activities of the persons with individual rights and the range of data used by them to be controlled. The up-to-dateness of this data greatly assists the Company in meeting the level of security expected of it or to be achieved by it, as well as to operate the IT network in accordance with legal and professional standards.

In order to ensure the security of the personal data, the Company applies the following rights management regulations:

  • The setting up of a new right or the modification of a right is performed by the IT specialist based on the authorisation of the right holder

  • When establishing rights, we only allocate the rights necessary and sufficient for the work

  • The allocation of full access or administrator rights to persons who perform other work or not requiring the rights, should be avoided

In order to comply with the GDPR, the Company strives to minimise the processing of personal data, to pseudonymise the personal data as soon as possible, to ensure the transparency of the functions and processing of the personal data, to allow the data subject to monitor the processing, and to enable the controller to create and improve security features.  Built-in data protection (privacy by design), as a result of which the Company complies with the requirements of the GDPR even before the actual start of processing - e.g. already during the project preparation period -, was introduced. Built-in data protection is the sum of the Company's own internal procedures, with which, regardless of external regulations, it seeks to comply with the requirement to protect the privacy of the data subject as much as possible.

DO WE TRANSFER DATA TO THIRD PARTIES?

Direct Parcel Distribution SK s.r.o. (hereinafter “Company”) uses your data only for the purposes stated in connection with our business activity. The data we process is not disclosed to anyone and for purposes that are not directly related to our services, with the exception of the following cases:

Compliance with legal requirements

In certain cases, in accordance with applicable legal regulations, the Company is obliged to provide the data it processes upon request of the competent authorities. Examples of such authorities include tax offices, law enforcement authorities, other public administration and state authorities, auditors, etc.

Processors

Natural or legal persons, public authorities, agencies or any other bodies that process personal data on behalf of the Controller.

The types of data processors are listed below, but are not exhaustive:

  1. Subcontracting carriers

Contractors who collect and deliver parcels on behalf of the Company under contract.

  1. Organisations cooperating with the GeoPost group and partners involved in transportation

Within the framework of international services, the delivery/forwarding of parcels abroad is carried out by the organisational units or partners of the GeoPost Group that are responsible for such services provided in the given country.

  1. Infocommunication service providers

If necessary, the Company also communicates data to infocommunication service providers within a controlled framework. Such cases include, for example:

  • to ensure the efficiency of the services (especially to optimise transportation processes)

  • when using notification services (transfer of parcel data),

  • in connection with the service fee for cash on delivery services, etc.

  1. Service providers

There are companies that have a limited involvement in certain activities of the Company, during which they come into contact with data. By this we usually mean subcontractors whose employees are responsible for loading and sorting parcels.

WHAT ARE THE RIGHTS AND OBLIGATIONS OF DPD AS A CONTROLLER?

Direct Parcel Distribution SK s.r.o. (hereinafter “Company”) processes data in its proceedings only and exclusively in accordance with the provisions of the applicable legislation. The Company  processes personal data only on the basis of a legal authorisation or the prior and, in the case of specific personal data, written consent of the data subject or on the basis of a law or a legal authorisation.

The use of personal data processed by the Company for private purposes is prohibited and our processing will at all times comply with the purpose limitation principle: that is, personal data are processed for a specific purpose, for the exercise of a right or the performance of an obligation, and for the minimum time and scope necessary to achieve that purpose.

If the purpose of the processing ceases to exist or the processing is otherwise unlawful, the data will be erased.

Employees of the Company' s departments who perform data processing and employees of organisations involved in the processing on behalf of the Company and performing processing operations are obliged to keep the personal data obtained by them as trade secrets. If any personal data processed by the Company is incorrect, incomplete or out of date, it must be corrected or the correction must be requested from the employee responsible for the data.

WHAT ARE YOUR RIGHTS AND OBLIGATIONS AS A DATA SUBJECT OF PERSONAL DATA?

Direct Parcel Distribution SK s.r.o. (hereinafter referred to as the “Company”) is, in accordance with applicable legal regulations, obliged to grant the data subject the following rights in relation to his or her personal data. Please note that the exercise of the data subject’s rights depends on the legal basis of the processing; therefore, this description constitutes a general summary.

  1. Right to request access to personal data – you may request information on whether and how the Company processes your personal data, with the subsequent right to access such personal data.

  2. Right to rectification of personal data – you may request the correction of inaccurate or incomplete personal data that the Company processes about you.

  3. Right to erasure of personal data – you may request that the Company erase your personal data, for example if one of the following situations occurs:

  4. a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
    b) you have withdrawn the consent on the basis of which your personal data were processed and there is no other legal ground for the processing;
    c) the personal data have been processed unlawfully;
    d) your personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the Company is subject.

  5. Right to restriction of processing of personal data – you may request that the Company restrict the processing of your personal data if one of the following situations occurs:

  6. a) you contest the accuracy of the personal data, for the period necessary to allow us to verify their accuracy;
    b) the processing of your personal data is unlawful, but you oppose the erasure of the data and request the restriction of their use instead;
    c) the Company no longer needs your personal data for the purposes of processing, but you require them for the establishment, exercise or defence of legal claims;
    d) you have objected to the processing of your personal data, pending the verification of whether the legitimate grounds of the Company as controller override your legitimate grounds.

  7. Right to object to the processing of personal data – you may object to the processing of your personal data.

  8. Right to data portability – in cases provided for by law and/or regulation, you have the right to obtain personal data concerning you in a structured, commonly used and machine-readable format. This right shall not adversely affect the rights and freedoms of others.

  9. Right to withdraw consent – where the processing of your personal data is based on your consent, you have the right to withdraw your consent to the processing of personal data for the purpose for which it was granted at any time.

  10. Right to lodge a complaint with the Office for Personal Data Protection of the Slovak Republic, Hraničná 12, 820 07 Bratislava 27, www.uoou.sk, to initiate proceedings on the protection of personal data.

DPD does not directly provide services to persons under the age of 16. The processing of personal data of persons under the age of 16 is therefore assumed to be based exclusively on the consent of their legal representative.

 

IN WHICH CASES CAN DPD'S LIABILITY AS CONTROLLER BE LIMITED?

Direct Parcel Distribution SK s.r.o. (hereinafter referred to as the “Company”) independently determines the purposes and means of the processing of personal data in the course of providing its services. The Company is responsible for the collection, organisation, processing and storage of personal data.

The Company is responsible for ensuring the security of the data it processes and for any damage that may arise as a result of fault or negligence on the part of the Company.

However, there are cases in which the Company’s liability is excluded, for example:

  • where damage or harm is caused by the fault of the data subject himself/herself or of the original data controller who provided the data to us for processing. The reason may in particular be an incorrect or unlawful procedure in obtaining the data. This also includes, for example, the behaviour of the data subject when, after unpacking a shipment, he or she handles DPD documents improperly, such as an invoice, the packaging of the shipment, or the address label of the shipment containing personal data;

  • in cases where the Company demonstrably bears no responsibility for the specific processing of the data. For example, our websites also contain several links to external websites of other entities that are not directly connected with the Company (e.g. advertisements). If you access such websites, the Company is not responsible for the content of those websites or for their data protection conditions.

WHAT ARE THE CLAIM ENFORCEMENT OPTIONS?

The Company endeavours to ensure that the information provided to you is as concise, transparent, comprehensible, easily accessible, clear and understandable as possible, in all cases, while complying with the rules set out in the GDPR.

If you wish to exercise your rights under the GDPR for the purposes set out in this Notice, you may submit your request in writing, in particular to the contact details of the data protection officer as indicated in this Notice. However, if you request information verbally, an authorised employee of the Company may, after verifying your identity, provide you with the information verbally, provided that the necessary data are available to them. In all other cases, your request will be recorded by our staff and you will be informed of your request within one month of its receipt. This deadline may be extended by a maximum of two additional months if justified by the complexity of the request or the number of requests currently being processed, but you will be informed electronically within one month of the receipt of your request.

If we do not act on your request or if you do not accept our action, you may seek legal remedy. You may lodge a complaint about our processing practices here:

Úrad na ochranu osobných údajov Slovenskej republiky

Námestie 1. mája 18

811 06 Bratislava

https://dataprotection.gov.sk/sk/