Data protection information relating to the Postcard product
High data protection standards are part of Deutsche Post DHL Group’s brand essence and, just like the security of our IT systems, are particularly important for our business. As a company with a global presence, whose business model is based upon connecting people and exchanging sensitive data, we believe we have a special responsibility in this regard.
The following information is intended to provide you with an overview of how your data is processed. As such, you will find information applicable to all products and services in the general section. The details of the processing of your data in relation to a particular product can be found in Part C).
A) General section
- 1. Contact Details
a) Controller’s name and contact details:
Deutsche Post AG is the controller within the meaning of the General Data Protection Regulation (GDPR):
Deutsche Post AG
b) Data protection officer’s name and contact details:
Deutsche Post AG
Gabriela Krader, LL.M
c) Competent supervisory authority
Data processing in connection with postal and telecommunications services:
Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Other data processing carried out by the controller:
Die Landesbeauftragte für den Datenschutz Nordrhein Westfalen
- 2. Purposes of data processing – essential information
We process your data in order, for instance, to
- perform the contract concluded with you or a sender,
- make visits to our websites/apps as pleasant as possible,
- send you the newsletter if you subscribe to it,
- send or display to you - where permitted - targeted advertising,
- carry out a credit check, where necessary,
- handle your requests via our customer service department,
- fulfil obligations as part of statutory requirements (e.g., Strafprozessordnung (German code of criminal procedure), Außenwirtschaftsgesetz (German foreign trade and payments act)),
- fulfil our security requirements (e.g., for crime detection purposes),
- compile statistics
- and for purposes of quality assurance, process optimisation and planning certainty.
You can find further details, including the type of data, the purpose of processing and the legal basis, below under the relevant products.
- 3. You have the following rights as a data subject
a) To obtain information regarding the data that we have on file about you.
b) To have any incorrect data that we may have on file about you rectified.
c) To have data that are no longer required for the purpose stated erased or – where a requirement to store data exists – to have the processing thereof restricted.
d) To receive data they provide in a structured, standard and machine-readable format.
e) To file an objection if the processing of your data is based upon a legitimate interest/to its use for advertising purposes/to a decision based solely upon automated processing, including profiling.
f) To lodge a complaint with the competent supervisory authority if you have doubts about whether the processing of your data complies with data protection regulations.
If you would like to assert your rights, please write to:
Deutsche Post AG
or send an e-mail to: firstname.lastname@example.org.
If you would like to exercise your right to object – in particular to the use of your data for advertising purposes – please contact the authorities listed.
If you would like to exercise your right to object – in particular to the use of your data for advertising purposes – please contact the authority listed under C) in relation to the relevant product.
- 4. Storage period
The data will be stored for as long as they are required. The necessity ensues either from statutory retention periods, such as from Section 257 of the Handelsgesetzbuch (HGB – German commercial code) or from Section 147 of the Abgabenordnung (AO – German fiscal code). Where such statutory periods do not exist, the data will be stored for contract performance and invoicing purposes and as proof of the correct performance of the contract, until the liability periods expire, and it will subsequently be erased.
C) Postcard product
- 1. We store the following data
Data item Purpose of storage End of purpose Retention period after end of purpose Card manager Point of contact at the customer for all POSTCARD-related matters When the customer’s last POSTCARD contract (procedure 25) to which this card manager is assigned expires. Twelve months
first name, last name, date of birth
Proof of a proper contractual relationship
When the POSTCARD contract to which the order relates expires.
Performance of service provision
When the POSTCARD contract to which the service provision relates expires.
Transparency for the customer
When this POSTCARD is permanently deactivated.
first name, last name, e-mail address, telephone number
Access authorisation management
- 2. Purposes and legal basis of processing
The data are processed primarily for the purpose of performing the contract pursuant to Article 6 (1) b) of the GDPR. Pursuant to Article 6 (1) c) of the GDPR, processing may also occur in order to comply with legal requirements, such as, amongst others, Section 161 of the Strafprozessordnung (StOP - German code of criminal procedure), Section 40 of the Postgesetz (PostG - German postal act) and Section 13a of the Unterlassungsklagegesetz (UKlG - German injunctive relief act). Unless a statutory obligation to disclose data to public authorities or third parties exists, data will be disclosed to third parties only where the Postcard holder has given their consent. Hence, Article 6 (1) a) of the GDPR provides the legal basis. Finally, processing is also carried out for the additional purposes listed below:
- As part of our security requirements (e.g., for crime detection purposes).
- For the purpose of compiling statistics.
- For purposes of quality assurance, process optimisation and planning certainty.
- For sending you – where permitted – targeted advertising.
Deutsche Post AG has a legitimate interest in the above with a view to ensuring a smooth process and to improving products and services on an on-going basis. In Deutsche Post AG’s view, no overriding legitimate interest exists as the intrusiveness of the processing is kept to a minimum, e.g., through pseudonymisation. Consequently, Article 6 (1) f) of the GDPR provides the legal basis.
If you would like to exercise your right to object – in particular to the use of your data for advertising purposes – please write to: Deutsche Post AG – Kundenservice BRIEF-Postcard, 53247 Bonn, Germany.
- 3. Recipients or categories of recipients
Disclosure occurs to companies involved in providing our services (card production). Likewise, disclosure occurs as part of statutory obligations (e.g., to investigating authorities) or also to third parties, where statutory obligations exist. In addition, customer care services or also IT-related services are outsourced to service providers.
- 4. Transfer to a third country (i.e., the data are transmitted to a country outside the European Economic Area (EEA) or are accessed from there)
Your data are, as a rule, not processed in a third country.
- 5. Storage period
The card data will be stored for as long as they are required. If the intended purpose ceases to apply, the data will be stored for a further six or twelve months and they will subsequently be erased (in this regard, refer to C 1.).
- 6. Data processing during visits to our website