Data protection

Data protection information relating to the Postcard product

High data protection standards are part of Deutsche Post DHL Group’s brand essence and, just like the security of our IT systems, are particularly important for our business. As a company with a global presence, whose business model is based upon connecting people and exchanging sensitive data, we believe we have a special responsibility in this regard.

The following information is intended to provide you with an overview of how your data is processed. As such, you will find information applicable to all products and services in the general section. The details of the processing of your data in relation to a particular product can be found in Part C).

A) General section

1. Contact Details: a) Controller’s name and contact details:
Deutsche Post AG is the controller within the meaning of the General Data Protection Regulation (GDPR):

       Deutsche Post AG
       Charles-de-Gaulle-Straße 20
       53113 Bonn
       Germany

b) Data protection officer’s name and contact details:

Deutsche Post AG
Gabriela Krader, LL.M
53250 Bonn
      Germany
      datenschutz@dpdhl.com

c)   Competent supervisory authority
    Data processing in connection with postal and telecommunications services:

     Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Graurheindorfer Straße 153
       53117 Bonn
       Germany

    Other data processing carried out by the controller:

       Die Landesbeauftragte für den Datenschutz Nordrhein Westfalen
       Kavalleriestraße 2-4
       40213 Düsseldorf
       Germany

2. Purposes of data processing – essential information

We process your data in order, for instance, to

perform the contract concluded with you or a sender,
make visits to our websites/apps as pleasant as possible,
send you the newsletter if you subscribe to it,
send or display to you - where permitted - targeted advertising,
carry out a credit check, where necessary,
handle your requests via our customer service department,
fulfil obligations as part of statutory requirements (e.g., Strafprozessordnung (German code of criminal procedure), Außenwirtschaftsgesetz (German foreign trade and payments act)),
fulfil our security requirements (e.g., for crime detection purposes),
compile statistics
and for purposes of quality assurance, process optimisation and planning certainty.

You can find further details, including the type of data, the purpose of processing and the legal basis, below under the relevant products.

3. You have the following rights as a data subject: a) To obtain information regarding the data that we have on file about you.
b) To have any incorrect data that we may have on file about you rectified.
c) To have data that are no longer required for the purpose stated erased or – where a requirement to store data         exists – to have the processing thereof restricted.
d) To receive data they provide in a structured, standard and machine-readable format.
e) To file an objection if the processing of your data is based upon a legitimate interest/to its use for advertising             purposes/to a decision based solely upon automated processing, including profiling.
f) To lodge a complaint with the competent supervisory authority if you have doubts about whether the processing       of your data complies with data protection regulations.

If you would like to assert your rights, please write to:

Deutsche Post AG
Charles-de-Gaulle-Straße 20
53113 Bonn
Germany

or send an e-mail to: datenschutz@dpdhl.com.

If you would like to exercise your right to object – in particular to the use of your data for advertising purposes – please contact the authorities listed.

If you would like to exercise your right to object – in particular to the use of your data for advertising purposes – please contact the authority listed under C) in relation to the relevant product.

4. Storage period: The data will be stored for as long as they are required. The necessity ensues either from statutory retention periods, such as from Section 257 of the Handelsgesetzbuch (HGB – German commercial code) or from Section 147 of the Abgabenordnung (AO – German fiscal code). Where such statutory periods do not exist, the data will be stored for contract performance and invoicing purposes and as proof of the correct performance of the contract, until the liability periods expire, and it will subsequently be erased.

5. Deutsche Post DHL Data Privacy Policy: The Deutsche Post DHL Data Privacy Policy regulates the standards for data processing throughout the Group, with a particular focus upon so-called third-country transfers, i.e., transmission of personal data to countries outside the European Union that are not recognised as having an adequate level of data protection. If you would like to know more about the Deutsche Post DHL Data Privacy Policy, please use this link:

Deutsche Post DHL Data Privacy Policy (summary) (PDF, 204 KB).

B) Data processing during visits to our website

Information: You can find information at www.deutschepost.de/de/f/footer/datenschutz.html regarding the processing of data during visits to Deutsche Post AG’s website (www.deutschepost.de).

C) Postcard product

1. We store the following data

Data item	Purpose of storage	End of purpose	Retention period after end of purpose
Card manager	Point of contact at the customer for all POSTCARD-related matters	When the customer’s last POSTCARD contract (procedure 25) to which this card manager is assigned expires.	Twelve months
Customer: first name, last name, date of birth	Proof of a proper contractual relationship	When the POSTCARD contract to which the order relates expires.	Twelve months
Card holder	Performance of service provision	When the POSTCARD contract to which the service provision relates expires.	Six months
POSTCARD name/ID	Transparency for the customer	When this POSTCARD is permanently deactivated.	Six months
Internal user: first name, last name, e-mail address, telephone number	Access authorisation management	Last login	Six months

2. Purposes and legal basis of processing

The data are processed primarily for the purpose of performing the contract pursuant to Article 6 (1) b) of the GDPR. Pursuant to Article 6 (1) c) of the GDPR, processing may also occur in order to comply with legal requirements, such as, amongst others, Section 161 of the Strafprozessordnung (StOP - German code of criminal procedure), Section 40 of the Postgesetz (PostG - German postal act) and Section 13a of the Unterlassungsklagegesetz (UKlG - German injunctive relief act). Unless a statutory obligation to disclose data to public authorities or third parties exists, data will be disclosed to third parties only where the Postcard holder has given their consent. Hence, Article 6 (1) a) of the GDPR provides the legal basis. Finally, processing is also carried out for the additional purposes listed below:

As part of our security requirements (e.g., for crime detection purposes).
For the purpose of compiling statistics.
For purposes of quality assurance, process optimisation and planning certainty.
For sending you – where permitted – targeted advertising.

Deutsche Post AG has a legitimate interest in the above with a view to ensuring a smooth process and to improving products and services on an on-going basis. In Deutsche Post AG’s view, no overriding legitimate interest exists as the intrusiveness of the processing is kept to a minimum, e.g., through pseudonymisation. Consequently, Article 6 (1) f) of the GDPR provides the legal basis.

If you would like to exercise your right to object – in particular to the use of your data for advertising purposes – please write to: Deutsche Post AG – Kundenservice BRIEF-Postcard, 53247 Bonn, Germany.

3. Recipients or categories of recipients: Disclosure occurs to companies involved in providing our services (card production). Likewise, disclosure occurs as part of statutory obligations (e.g., to investigating authorities) or also to third parties, where statutory obligations exist. In addition, customer care services or also IT-related services are outsourced to service providers.

4. Transfer to a third country (i.e., the data are transmitted to a country outside the European Economic Area (EEA) or are accessed from there): Your data are, as a rule, not processed in a third country.

5. Storage period: The card data will be stored for as long as they are required. If the intended purpose ceases to apply, the data will be stored for a further six or twelve months and they will subsequently be erased (in this regard, refer to C 1.).

6. Data processing during visits to our website: You can find information at www.deutschepost.de/de/f/footer/datenschutz.html regarding the processing of data during visits to the Postcard product website (www.deutschepost.de/de/p/postcard.html).