Data protection information relating to the Postcard product

High data protection standards are part of DHL Group’s brand essence and, just like the security of our IT systems, are particularly important for our business. As a company with a global presence, whose business model is based upon connecting people and exchanging sensitive data, we believe we have a special responsibility in this regard.

The following information is intended to provide you with an overview of how your data is processed. As such, you will find information applicable to all products and services in the general section. The details of the processing of your data in relation to a particular product can be found in Part C).

A) General section

a) Controller’s name and contact details:

Deutsche Post AG is the controller within the meaning of the General Data Protection Regulation (GDPR):

Deutsche Post AG Charles-de-Gaulle-Straße 20

53113 Bonn

Germany

b) Data protection officer’s name and contact details:

Deutsche Post AG Gabriela Krader, LL.M

53250 Bonn

Germany

datenschutz@dpdhl.com

c) Competent supervisory authority

Data processing in connection with postal and telecommunications services:

Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit Graurheindorfer Straße 153

53117 Bonn

Germany

Other data processing carried out by the controller:

Die Landesbeauftragte für den Datenschutz Nordrhein Westfalen Kavalleriestraße 2-4

40213 Düsseldorf

Germany

We process your data in order, for instance, to

  • perform the contract concluded with you or a sender,
  • make visits to our websites/apps as pleasant as possible,
  • send you the newsletter if you subscribe to it,
  • send or display to you - where permitted - targeted advertising,
  • carry out a credit check, where necessary,
  • handle your requests via our customer service department,
  • fulfil obligations as part of statutory requirements (e.g., Strafprozessordnung (German code of criminal procedure), Außenwirtschaftsgesetz (German foreign trade and payments act)),
  • fulfil our security requirements (e.g., for crime detection purposes),
  • compile statistics
  • and for purposes of quality assurance, process optimisation and planning certainty.

You can find further details, including the type of data, the purpose of processing and the legal basis, below under the relevant products.

a) To obtain information regarding the data that we have on file about you.

b) To have any incorrect data that we may have on file about you rectified.

c) To have data that are no longer required for the purpose stated erased or– where a requirement to store data exists– to have the processing thereof restricted.

d) To receive data they provide in a structured, standard and machine-readable format.

e) To file an objection if the processing of your data is based upon a legitimate interest/to its use for advertising purposes/to a decision based solely upon automated processing, including profiling. f) To lodge a complaint with the competent supervisory authority if you have doubts about whether the processing of your data complies with data protection regulations.

If you would like to assert your rights, please write to:

Deutsche Post AG Charles-de-Gaulle-Straße 20

53113 Bonn

Germany

or send an e-mail to: datenschutz@dpdhl.com.

If you would like to exercise your right to object– in particular to the use of your data for advertising purposes– please contact the authorities listed.

If you would like to exercise your right to object– in particular to the use of your data for advertising purposes– please contact the authority listed under C) in relation to the relevant product.

The data will be stored for as long as they are required. The necessity ensues either from statutory retention periods, such as from Section 257 of the Handelsgesetzbuch (HGB – German commercial code) or from Section 147 of the Abgabenordnung (AO – German fiscal code). Where such statutory periods do not exist, the data will be stored for contract performance and invoicing purposes and as proof of the correct performance of the contract, until the liability periods expire, and it will subsequently be erased.

The DHL Group Data Privacy Policy regulates the standards for data processing throughout the Group, with a particular focus upon so-called third-country transfers, i.e., transmission of personal data to countries outside the European Union that are not recognised as having an adequate level of data protection. If you would like to know more about the DHL Group Data Privacy Policy, please use this link:

DHL Group Data Privacy Policy (summary) (PDF, 204 KB).

B) Data processing during visits to our website

C) Postcard product

Data item Purpose of storage End of purpose Retention period after end of purpose
Card manager Point of contact at the customer for all POSTCARD-related matters When the customer’s last POSTCARD contract (procedure 25) to which this card manager is assigned expires. Twelve months

Customer:

first name, last name, date of birth

Proof of a proper contractual relationship

When the POSTCARD contract to which the order relates expires.

 Twelve months

Card holder

Performance of service provision

When the POSTCARD contract to which the service provision relates expires.

Six months

POSTCARD name/ID

Transparency for the customer

When this POSTCARD is permanently deactivated.

Six months

Internal user: first name, last name, e-mail address, telephone number

Access authorisation management

Last login

Six months

The data are processed primarily for the purpose of performing the contract pursuant to Article 6 (1) b) of the GDPR. Pursuant to Article 6 (1) c) of the GDPR, processing may also occur in order to comply with legal requirements, such as, amongst others, Section 161 of the Strafprozessordnung (StOP - German code of criminal procedure), Section 40 of the Postgesetz (PostG - German postal act) and Section 13a of the Unterlassungsklagegesetz (UKlG - German injunctive relief act). Unless a statutory obligation to disclose data to public authorities or third parties exists, data will be disclosed to third parties only where the Postcard holder has given their consent. Hence, Article 6 (1) a) of the GDPR provides the legal basis. Finally, processing is also carried out for the additional purposes listed below:

  • As part of our security requirements (e.g., for crime detection purposes).
  • For the purpose of compiling statistics.
  • For purposes of quality assurance, process optimisation and planning certainty.
  • For sending you– where permitted– targeted advertising.

Deutsche Post AG has a legitimate interest in the above with a view to ensuring a smooth process and to improving products and services on an on-going basis. In Deutsche Post AG’s view, no overriding legitimate interest exists as the intrusiveness of the processing is kept to a minimum, e.g., through pseudonymisation. Consequently, Article 6 (1) f) of the GDPR provides the legal basis.

If you would like to exercise your right to object– in particular to the use of your data for advertising purposes– please write to: Deutsche Post AG– Kundenservice BRIEF-Postcard, 53247 Bonn, Germany.

Disclosure occurs to companies involved in providing our services (card production). Likewise, disclosure occurs as part of statutory obligations (e.g., to investigating authorities) or also to third parties, where statutory obligations exist. In addition, customer care services or also IT-related services are outsourced to service providers.

Your data are, as a rule, not processed in a third country.

The card data will be stored for as long as they are required. If the intended purpose ceases to apply, the data will be stored for a further six or twelve months and they will subsequently be erased (in this regard, refer to C 1.).