Data Processing Agreement

The regulations in this data processing agreement concluded between Deutsche Post AG – hereinafter referred to as the “Processor” – and its customers – hereinafter referred to as the “Controller” – apply to the management of personal data in the DHL business customer portal beyond the data processing required for the provision of postal services.

The Processor shall provide the Controller with the additional “Track Letter” function – which is not necessary for the provision of postal services – for tracking shipments with the DHL business customer portal. This function provides the customer with an overview of the shipments sent with DPAG, including the recipient details, the current shipment status and the shipping process.

This data processing agreement is tied to the term of the Main Agreement.

The details of the processing operations, in particular the categories of personal data and the purposes for which the personal data are processed on behalf of the Controller, are provided in Annex I.

  1. Instructions

    a. The Processor shall process personal data only upon the documented instruction of the Controller, unless it is obligated to process data under Union law or under the law of a Member State to which it is subject. In such a case, the Processor shall inform the Controller of these legal requirements prior to processing, unless the law in question prohibits this on important grounds of public interest. The Controller may issue further instructions throughout the processing of personal data. These instructions shall always be documented. Since the “Track Letter” function is a standardized service for a large number of customers, the Processor reserves the right to terminate the contract for the provision and use of the “Track Letter” service from Deutsche Post AG without notice if the instructions of the Controller cannot be followed within the framework of the standardized process.

    b. The Processor shall inform the Controller immediately if it believes that instructions issued by the latter are in contravention of Regulation (EU) 2016/679 or applicable data protection provisions of the Union or Member States.

  2. Purpose limitation

    The Processor shall process the personal data only for the specific purpose(s) stated in Annex I unless it receives additional instructions from the Controller.

  3. Security of processing

    a. The Processor shall take at least the technical and organizational measures listed in Annex II to ensure the security of the personal data. This includes protecting the data from a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the data (hereinafter referred to as “personal data breach”). In assessing the appropriate level of protection, the parties shall take due account of the state of the art, the implementation costs, the nature, scope, circumstances and purposes of the processing, as well as the risks involved for the data subjects.

    b. The Processor shall grant its personnel access to the personal data that is subject to processing only to the extent strictly necessary for the performance, management and supervision of the agreement. The Processor shall ensure that persons authorized to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

  4. Documentation and compliance with the clauses

    a. The parties must be able to demonstrate that they have complied with these clauses.

    b. The Processor shall promptly and appropriately handle requests from the Controller regarding the processing of data pursuant to these clauses.

    c. The Processor shall provide the Controller with all information necessary to demonstrate compliance with the obligations set forth in these clauses and arising directly from Regulation (EU) 2016/679. At the request of the Controller, the Processor shall also permit an audit of the processing activities covered by these clauses if

    – the Controller has reason to assume that the Processor is not acting in compliance with the technical/organizational measures and/or the obligations under this agreement;
    – a security breach has occurred;
    – the regulatory authority responsible for the Controller requests such an audit.

    When deciding on a review or audit, the Controller may consider relevant certifications of the Processor.

    d. Notwithstanding the foregoing, evidence of compliance with the applicable requirements can be furnished in the following ways:

    – Compliance with the approved codes of conduct and/or
    – Certification under an approved certification procedure in accordance with Article 42 of the GDPR and/or
    – recent certificates issued by auditors, reports or excerpts from reports provided by independent bodies. At the Controller’s request, the Processor shall provide the Controller with a copy of the audit report signed by the external auditor so that the Controller may reasonably verify whether the Processor is implementing the technical and organizational measures and fulfilling the obligations under this agreement.

    e. The Controller may conduct the audit itself or instruct an independent auditor to do so. Audits may include inspections of the Processor’s premises or physical facilities and shall be conducted with reasonable advance notice, as appropriate. If the Controller conducts an audit at the Processor’s premises or facilities, this shall be done under the following conditions:

    – after prior notice of at least ten (10) working days;
    – audits shall be conducted only during standard business hours and not more than once a year;
    – the audit shall be limited to the data that are relevant to the Controller;
    – the Controller shall prevent any disruption to the normal business operations of the Processor;
    – the Controller shall ensure, where legally permissible, the confidentiality of all collected information that is to be kept confidential owing to its nature;
    – each party shall bear the costs incurred by it. If the audit imposes work/outlay on the Processor or another processor that exceeds one business day, the Controller agrees to reimburse all costs related to additional days.

    f. Upon request, the parties shall make available to the appropriate regulatory agency or agencies the information specified in this clause, including the results of audits.

  5. Use of Subcontracted Processors

    a. The Processor has the general authorization of the Controller to engage sub-processors. A list of sub-processors is provided in Annex III. The Processor shall explicitly inform the Controller in writing at least four (4) weeks in advance of any intended changes to this list in the form of addition or removal of sub-processors, and shall allow the Controller sufficient time to object to these changes before the sub-processor(s) in question is/are commissioned. The Processor shall provide the Controller with the necessary information to enable the Controller to exercise its right to object. The parties shall ensure that Annex III is kept up to date.

    b. Where the Processor instructs a sub-processor to perform certain processing activities (on behalf of the Controller), this instruction shall take the form of a contract that binds the sub-processor to essentially the same data protection obligations as those that apply to the Processor in accordance with these clauses. The Processor shall ensure that the sub-processor meets the obligations that are imposed on the Processor in accordance with these clauses and Regulation (EU) 2016/679.

    c. The Processor shall provide the Controller with a copy of any such subcontracting agreement and any subsequent amendments upon the Controller’s request. To the extent necessary to protect trade secrets or other confidential information, including personal data, the Processor may obscure the wording of the agreement prior to disclosing any copy.

    d. The Processor shall be fully liable to the Controller for the sub-processor’s compliance with its obligations under the contract concluded with the Processor. The Processor shall notify the Controller if the sub-processor fails to fulfil its contractual obligations.

  6. International data transfers

    a. Any transfer of data by the Processor to a third country or an international organization shall take place exclusively on the basis of documented instructions from the Controller or to comply with a specific provision under Union law or the law of a Member State to which the Processor is subject, and must be in accordance with Chapter V of Regulation (EU) 2016/679.

    b. The Controller agrees that where the Processor uses a sub-processor pursuant to Clause 7.7 to carry out certain processing activities (on behalf of the Controller) and such processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the Processor and the sub-processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission pursuant to Article 46 (2) of Regulation (EU) 2016/679, provided that the conditions for the application of those standard contractual clauses are met.

  1. The Processor shall immediately inform the Controller of any request received from the data subject. It shall not answer the request itself, unless it has been authorized to do so by the Controller.

  2. Taking into account the nature of the processing, the Processor shall assist the Controller in fulfilling the latter’s obligation to respond to requests from data subjects to exercise their rights. In fulfilling its obligations according to letters a) and b), the Processor shall follow the instructions of the Controller.

  3. Aside from the Processor’s obligation to assist the Controller pursuant to Clause 6 (b), the Processor, taking into account the nature of the data processing and the information available to it, shall also assist the Controller in complying with the following obligations:

    a. The obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (hereinafter referred to as “data protection impact assessment”), if a form of processing is likely to result in a high risk to the rights and freedoms of natural persons;

    b. The obligation to consult the responsible supervisory authority/authorities prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk;

    c. The obligation to ensure that the personal data are factually correct and up to date, in that the Processor shall inform the Controller without delay if it discovers that personal data processed by it are incorrect or out of date;

    d. Obligations arising from Article 32 of Regulation (EU) 2016/679.

  4. In Annex II, the parties set out the suitable technical and organizational measures for the Processor’s support of the Controller in the application of this clause, as well as the scope and applicability of the required support.

In the event of a personal data breach, the Processor shall work with the Controller and shall support the latter accordingly so that the Controller may meet its obligations under Articles 33 and 34 of Regulation (EU) 2016/679, with the Processor taking into account the nature of the processing and the information available to it.

  1. Breach of data processed by the Controller

    In the event of a personal data breach that concerns the data processed by the Controller, the Processor shall support the Controller as follows:

    a. in the immediate reporting of the personal data breach to the responsible supervisory authority/authorities, after the Controller has become aware of the breach, where relevant (unless the personal data breach is unlikely to result in a risk to the personal rights and freedoms of natural persons);

    b. in the collection of the following information, which is to be provided in accordance with Article 33 (3) of Regulation (EU) 2016/679 in the Controller’s report, this information being required to include at least the following:

    – the nature of the personal data including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
    – the likely consequences of the personal data breach;
    – the measures taken or proposed to be taken by the Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

    If and to the extent that all such information cannot be provided at the same time, the original report shall contain the information available at that time, and further information shall be provided subsequently as soon as it is available without undue delay;

    c. in compliance with the obligation arising from Article 34 of Regulation (EU) 2016/679 to inform the data subject of the data breach without undue delay if this breach is likely to result in a high risk to the rights and freedoms of natural persons.

  2. Breach of data processed by the Processor

    In the event of a personal data breach that concerns the data processed by the Processor, the Processor shall report this breach to the Controller without delay after it has become aware of the breach. This report must include at least the following information:

    a. a description of the nature of the breach (where possible, stating the categories and approximate number of data subjects concerned and the approximate number of data records concerned);

    b. details of a point of contact from which further information about the personal data breach can be obtained;

    c. the expected consequences and the measures taken or proposed to be taken to address the personal data breach, including measures to mitigate its possible adverse effects.

    If and to the extent that all such information cannot be provided at the same time, the original report shall contain the information available at that time, and further information shall be provided subsequently as soon as it is available without undue delay.

    The parties shall set out in Annex II any other information that the Processor is required to provide in order to assist the Controller in fulfilling its obligations under Articles 33 and 34 of Regulation (EU) 2016/679.

  1. If the Processor fails to comply with its obligations under these clauses, the Controller may – without prejudice to the provisions of Regulation (EU) 2016/679 – instruct the Processor to cease processing personal data until it is in compliance with these clauses or the agreement is terminated. The Processor shall inform the Controller immediately if it is unable to comply with these clauses for any reason whatsoever.

  2. The Controller is entitled to terminate the agreement insofar as it relates to the processing of personal data in accordance with these clauses if

    a. the Controller has suspended the processing of personal data by the Processor pursuant to point (a) and compliance with these clauses has not been re-established within an appropriate period of time, and in any case within one month following the suspension;

    b. the Processor materially or persistently breaches these clauses or fails to meet its obligations under Regulation (EU) 2016/679;

    c. the Processor does not comply with a binding decision of a competent court or the responsible supervisory authority/authorities concerning its obligations under these clauses or Regulation (EU) 2016/679.

  3. The Processor is entitled to terminate the agreement insofar as it relates to the processing of personal data in accordance with these clauses if the Controller insists on the fulfillment of its instructions after having been informed by the Processor that its instructions violate applicable legal requirements pursuant to Clause 7.1 (b).

  4. Upon termination of the contract, the Processor shall, at the choice of the Controller, erase all personal data processed on behalf of the Controller and shall warrant to the Controller that this has been done, or it shall return all personal data to the Controller and erase any copies, unless Union or Member State law requires storage of the personal data. The Processor shall continue to guarantee compliance with these clauses until the data have been erased or returned.

Version dated: January 2022