Handling your data responsibly

It is important to us that you feel at ease with us and can entrust your data to us with confidence. We would therefore like to provide you with transparent information on what data we collect relating to you and how we handle your data.

Deutsche Post AG (DPAG) uses a Consentric procedure to determine statistical parameters and to form target groups for advertising purposes (offline/online). Below you will find an overview of the different phases involved in our data processing. DPAG does not process data on its own; it relies on the help of various partners. Depending on the phase in question, the data processed may be of the type that can be traced back to individuals or not.

With regard to data processing for which the relevant partner is solely responsible, you will find information about this in the respective privacy policies of the partners/users of the Consentric procedure.

I. The development of the Consentric procedure with regard to data protection

Right from the start, DPAG's Consentric procedure was developed with the requirements of data protection law in mind and with the aim of processing as little data as possible that can be traced back to individuals. The Consentric procedure involves DPAG (with the help of various partners) linking a cookie stored on a user's end device with a Deutsche Post Direkt GmbH ("DP Direkt") microcell. This microcell contains just one statement about a group (6.6 households on average) so that the cookie ID cannot be assigned to any individual. Various addresses are aggregated in a microcell so that, using the Consentric procedure, a data-protection-compliant link is set up between an end device and a microcell as a geographical location.

The technical implementation is taken care of by the relevant service providers commissioned by DPAG, based on a predefined concept. This initial step is known as the "labeling procedure", when DPAG, together with its various partners, establishes the necessary link. DPAG can then use this link between the cookie ID and microcell number in various ways, as set out in sections II.3 and II.4, and in compliance with data protection requirements.

II. Data protection information regarding the Consentric procedure

1. Who is responsible and who to contact in the case of data protection queries

Unless stipulated otherwise below, the relevant partner and/or (depending on the procedure described) Deutsche Post AG (DPAG) are responsible as per the European Union's General Data Protection Regulation (GDPR) for the processing of personal data within the framework of the Consentric procedure described in this document. Depending on the stage of the procedure, however, DPAG only processes anonymous data.

Insofar as Deutsche Post AG and its respective partner process personal data as the party responsible as defined above, they have established their responsibility for compliance with the provisions of data protection law in a data protection agreement. Upon request, DPAG shall provide data subjects with information on the essential provisions of this agreement to the extent permitted by law.

If you have any further queries regarding the handling of personal data, and in particular if you wish to obtain information about processed personal data or assert additional rights (see section 5 below for details on this), please contact the partner involved in the Consentric procedure first. The right to assert your rights as a data subject, including vis-à-vis Deutsche Post AG, remains unaffected. The contact details for DPAG can be found in section 6 below.

2. The labeling procedure: description of individual processing activities

The process begins with what is known as the labeling procedure, which is divided into two parts:

a) Enabling the address matching partner to use the address
At the start of the labeling procedure, a DPAG partner takes the delivery/billing address it has stored and arranges for a commissioned service provider to assign it to an anonymous Deutsche Post Direkt GmbH microcell. This address matching process produces a code in encrypted form, which is stored with another service provider. The delivery/billing address used is deleted immediately and the code generated is not reported back to DPAG's partner. The legal basis for this use of the address, in shared responsibility between the partner and Deutsche Post AG, is Article 6(1) sentence 1 letter (f) GDPR. It is therefore the partner, as the website operator, who is responsible for this initial processing step – the use of the stored address for the purpose of matching it against the microcell database. The same applies to the below-described pixelization of the website and the forwarding of a user’s request to Deutsche Post AG for subsequent labeling using a cookie.

b) Obtaining consent for saving and reading a cookie
While the relevant microcell is being established, a cookie is used to label an end device (PC, tablet, mobile device). To do this, Deutsche Post AG has tasked a service provider with saving and subsequently reading the Consentric cookie in the end device being used in each case. In addition to this, DPAG has tasked the company diva-e and its IntelliAd service with saving another cookie on the end device for use in subsequent cases (see sections 3 and 4). Both cookies are assigned indirectly to an anonymous Deutsche Post Direkt GmbH microcell. No further data, such as names or any other profile or usage data, is collected or stored for the cookies. The Consentric cookie has a lifetime of 12 months. The cookie set for DPAG via IntelliAd only lasts for three months. The time limit resets each time the cookie is called up by Deutsche Post AG's service provider. I can revoke my consent at any time with effect for the future via this website:
https://pixel.consentric.de/optout
https://login.intelliad.com/optout.php

The end device is labeled based on the data subject's consent, which gives permission for cookies to be saved and read for the following purposes:

  • Measurement of access to websites the user has visited that are participating in Deutsche Post AG’s Consentric procedure, for anonymous inclusion in statistics;
  • Measurement of access to websites the user has visited that are participating in Deutsche Post AG’s Consentric procedure, in order to identify relevant anonymous microcells of Deutsche Post Direkt GmbH;
  • Transfer of cookie IDs to partner companies for the purpose of target group formation for the display of online advertising. The cookie IDs used for this purpose were selected in advance as a relevant target group based on the indirectly assigned microcell;
  • Matching against cookies from other providers (cookie matching). A third-party provider’s cookie ID stored on my end device may be forwarded to Deutsche Post AG, stored there as a unique cookie ID and used to implement the purposes mentioned above.

The procedure for labeling an end device and assigning an ID to the relevant Deutsche Post Direkt GmbH microcell was developed in accordance with statutory data protection requirements and was awarded the ADCERT Privacy Audit GmbH (www.adcert.eu) data protection seal of approval by virtue of its outstanding data protection compliance.

3. Use of the procedure in practice: „online to offline“

As soon as the labeling procedure is complete, advertisers can make use of the assignment of a cookie ID to a microcell ID. For example, it could be used to record online access behavior on a website and for identification at microcell level.

a) Tracing online IDs and assigning them to microcells
In one use case, participating companies could apply a conventional tracking device to a website that can attribute access to the website to a particular microcell.

When a participating company, as a website operator implementing the Consentric procedure, measures access in this way, the first step is to record website call-ups. This may involve the website operator reading a cookie on the end device being used by the user, or even setting new cookies if necessary. The website operator is responsible for this and the data subject's consent forms the legal basis.

The website operator then passes on the cookie ID, which was set with the data subject's consent, to DPAG's service provider, which can in turn take care of assigning the cookie ID to a microcell. This step is used to determine what website access can be attributed to a particular microcell. To enable DPAG to assign individual measurements to customers too, an assignment number linked to the time period during which the measurements were taken is allocated to each measurement. No further data, such as details of interests or preferences, is recorded. The procedure is limited to converting a cookie ID into a microcell ID.

Microcell IDs are anonymous. It is not possible to exclude absolutely any possibility of the cookies used by the website operator being traced back to individuals, e.g. based on other profile or usage data, and the website operator shall be responsible for this. Only the anonymous cookie ID is required for the conversion process in the "online to offline" procedure.

b) Joint responsibility between the website operator/advertiser and Deutsche Post AG
With regard to the cookie ID read on the advertiser’s website being forwarded to Deutsche Post AG for conversion into a microcell ID, the website operator/advertiser and Deutsche Post AG bear joint responsibility for this in accordance with Art. 26 GDPR and are therefore both responsible for protecting the data subjects' personal data. This joint responsibility is limited to the process of forwarding the cookie ID that has been read to Deutsche Post AG for participation in the Consentric procedure (conversion to a microcell ID). Responsibility for the individual process steps is divided up as follows:

The advertiser is responsible for the pixelization/integration of a script on its websites and for forwarding the cookie ID, along with campaign information, to Deutsche Post AG. Deutsche Post AG is responsible for running the Consentric procedure and for issuing instructions to the advertiser on forwarding the cookie IDs to Deutsche Post AG. The cookie ID is used to help identify you as a visitor to a website participating in the measurement. This information is then aggregated on the basis of the anonymous Deutsche Post Direkt GmbH microcell and can therefore no longer be assigned to you as an individual. Individual users are never identified by name. Their identity therefore remains protected. 

If you have any further queries regarding the handling of personal data, and in particular if you wish to obtain information about processed personal data or assert additional rights, please contact the website operator/advertiser first. The relevant contact details can be found in the "Data protection" section of the advertiser's website. The right to assert your rights as a data subject (see section 5), including vis-à-vis Deutsche Post AG via Consentric@deutschepost.de (for further contact details, see section 6), remains unaffected.

c) Further mail services from Deutsche Post Direkt GmbH
Deutsche Post Direkt GmbH ("DP Direkt") is a specialist service provider that enables advertisers to send their advertising to DP Direkt's address database. Advertisers can use various anonymous microcells and the assumed characteristics of individual microcells as selection criteria for identifying target groups. DP Direkt has data-protection-compliant procedures in place for sending mailed advertising using a selection of microcells. This process of selecting a microcell is made easier thanks to the Consentric procedure, as the results of the measurement process already carried out automatically indicate which microcells may be of interest to the advertiser. Mailed advertising can therefore be dispatched in response to a user calling up a particular website.

DP Direkt is solely responsible for ensuring that this data processing is compliant with data protection law. Further details can be found here.

4. Use of the procedure in practice: „offline to online“

In another example of a use case based on the labeling procedure, advertisers make use of the assignment of a microcell ID to a cookie ID. This involves the following data processing activities:

a) Tracing online IDs based on the selection of a microcell
Each anonymous microcell is given an average probability value, which indicates an assumed characteristic of the addresses aggregated in a microcell. Advertisers can use the selection criteria available to ascertain which microcells have the required characteristics. Using the Consentric procedure, a service provider commissioned separately by DPAG can work out the relevant cookie IDs for the microcells identified. The assignment of the cookie ID to an advertiser is the only information that is recorded at this stage in the data processing; no other attributes (interests, preferences) are stored.

DPAG is responsible for this process step. Up to this point, only anonymous data is processed.

b) Disclosing online IDs for advertising online
Providing the advertiser, or a service provider commissioned by an advertiser, with the identified cookie IDs, marks a shift in the responsibility for ensuring that any further data processing is compliant with data protection law. Advertisers can use the cookie IDs provided as selection filters for managing their online advertising campaign.

When the cookie IDs are transferred, the partner assumes responsibility for processing them. This is ensured on a regular basis based on consent obtained from the data subject.

5. Rights of the data subject

Under certain conditions, each data subject has the following rights in relation to the parties responsible in each case:

Right of access (Art. 15 GDPR)

The right to access information on (i) whether or not personal data concerning him or her is being processed and (ii) what data is being processed where that is the case, including information on the purpose of the processing, the categories of personal data, the recipients or categories of recipient, and the envisaged periods for which the personal data will be stored;

Right to rectification (Art. 16 GDPR), right to erasure (Art. 17 GDPR) and right to restriction of processing (Art. 18 GDPR)

The right to rectification, erasure, or restriction of processing, e.g. for the following reasons: (i) the accuracy of the personal data is contested, (ii) the personal data is no longer needed for the purposes of processing, or (iii) the data subject withdraws consent on which the processing is based;

Right to withdraw consent for the future (Art. 7(3) GDPR)

If the processing of personal data is based on the provision of consent, the data subject shall have the right to withdraw his or her consent at any time without affecting the lawfulness of processing based on consent before its withdrawal;

Right to object (Art. 21 GDPR)

Where personal data is processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing;

Right to object to processing in specific legitimate cases on grounds relating to the data subject's particular situation.

In this case, the data subject must provide the party responsible with information of the particular situation concerned. Once the grounds for objection given by the data subject have been checked, the responsible party shall either cease processing the personal data concerned or demonstrate compelling legitimate reasons for the processing that override the objection;

Right to lodge a complaint (Art. 77 GDPR)

The right to take legal action against an infringement of the data subject's rights or to lodge a complaint with the responsible supervisory authority;

Right to data portability (Art. 20 GDPR)

The data subject's right, where legally applicable, to (i) receive personal data concerning him or her, which he or she has provided to a responsible party, in a structured, commonly used and machine-readable format, and (ii) to transmit this data to another responsible party without hindrance from the original responsible party to whom the data was provided. Insofar as is technically feasible, the data subject also has the right to have the personal data transmitted directly from one responsible party to another.


Data subjects can (i) exercise their rights as described above at any time, (ii) direct any questions they may have in connection with this to those responsible, and (iii) lodge a complaint regarding the processing of personal data by contacting the relevant responsible party.

6. Contact details for Deutsche Post AG

The following contact details apply with regard to data processing for which DPAG is responsible:

Deutsche Post AG, Charles-de-Gaulle-Strasse 20 53113 Bonn, Germany;
Details can be found here.

To contact the (Group) data protection officer, please use this e-mail address: datenschutz@dpdhl.com

To assert your rights as a data subject, particularly with regard to access, blocking, and/or deletion of data, please use this e-mail address: Consentric@deutschepost.de

Data subjects can direct any general inquiries, concerns or comments regarding data protection to Deutsche Post AG. To do this, please use the following contact form.

If data subjects contact Deutsche Post AG, the information provided for handling the query will be processed and, as a general rule, deleted as soon as the query has been dealt with and provided there is no contractual requirement for or any other legitimate interest in processing the data. If any legal retention periods apply, the data in question will be stored accordingly.

Bonn, November 30, 2020