.

Cookies are small files containing data that enable DPD to store and analyse specific information on the preferences of DPD website visitors during their visit. If you grant your consent to their processing, cookies will download to your device when you visit the website. In the following visits of DPD website the cookies will be recognised thanks to which the browser will remember your specific settings, or send a tailor-made content corresponding to your user preferences. The data generated by cookies include anonymised IP address of the website visitors and they are transferred to the servers of the service providers listed below. These servers are located in the EU or the USA and they are fully compliant with the legal regulations. The service providers may provide this information to Third Parties only if it is permitted within the applicable legal regulations. Overview of types of cookies DPD uses on its website a. Cookies necessary for the website operation There are certain settings that are necessary for the mere functionality of the website. These settings do not contain any specific information about the user. This also hold true of the cookies that collect data on user preferences of the website visitors which, however, do not allow for identification of the person and therefore regulations of personal data protection do not apply to them. b. Cookies containing specific user settings These are cookies for saving data on the settings of individual users on the website. They make the use of the website more comfortable and more efficient for the users. These cookies do not record or monitor any activities of the users during their visit of the website. c. Remarketing These cookies collect data on the preferences of the users during their search and based on that they adjust their marketing communications to the interest of the users. The purpose of this processing is to provide the user with content corresponding to his/her potential preferences, which again helps to enhance comfort for the users. The cookies remember that the user has visited the website and then share this information with other entities providing the internet services. What service providers do we use for the above purposes? For running cookies and achieving the purpose for which they are used, we engage the following services:

• services operated by Google Inc., Amphitheatre Parkway, Mountain View, CA 94043, USA. The types of cookies by Google are listed at the following link: https://policies.google.com/technologies/types
• services operated by Facebook Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. These services concern only those users who have a Facebook account. The principles of cookies processing by Facebook are available at the following link: https://www.facebook.com/policies/cookies

How the user may block the use of cookies at the DPD website The users may block the cookies to be downloaded to their devices, or they can delete the cookies at any time. As the manner thereof may differ depending on the browser, type of device, etc., we recommend proceeding in line with the instructions given directly by the producers of the products that the users employ. Detailed information on how to proceed can be easily obtained by entering “how to delete cookies” into any kind of internet search engine. Also, users can block collection and use of the cookies in individual services as instructed by the individual service providers, e.g.: Google

• You will find the instruction for termination of the recording of your data used for analytical purpose at this address: https://tools.google.com/dlpage/gaoptout.

 

• At this address: https://support.google.com/accounts/answer/2662922#stop_goog_p13n , you will find instructions to switch-off collection of data for personalised marketing.

Facebook

• At the address: https://www.facebook.com/business/help/1415256572060999, you will find recommended instructions to switch-off personalised marketing at Facebook.

DPD stores all data on specially protected servers. These servers are accessible only to authorised persons who are responsible for technical, business and editing tasks in relation to these servers. We have defined and implemented necessary technical and organisational measures to be able to guarantee security of your Data.

To ensure IT security and authorised access, the use of all technical devices (hardware) we employ for Data processing is regulated by clearly defined policies. Users of these devices are trained and motivated to comply with the security policies and with the system of internal control.

Moreover, Data transfers are secured by reasonable technical restraints that correspond to the relevance of the processed Data.

We also process Data that are saved on external media, be them electronic media (USB, DVD, etc.) or printed documents. Even for these cases, we have clearly defined rules how to handle the Data saved in this way, we train our staff who handle them to comply with these rules, or they are bound either by a contract or by their statutory duties.

Our priority is to protect the Data to prevent any losses, falsification, unlawful handling, abuse or unauthorised access.

We use and process your Data only for the declared purposes that are connected to our business activities. We do not provide Data we process to anyone and for any purposes that are not connected to our services, except in the following cases:

a. To comply with Statutory Requirements

There are cases specified in the legislation where we are obliged to disclose the Data we process to the competent bodies upon their request or in compliance with the legislation. These bodies include state administration bodies and authorities, social security and health insurance bodies, auditing companies etc.

b. Secondary Data Controllers

In some cases where it is necessary to act on a contract or an agreement with Data Subject, we must transfer the Data in the relevant scope to another entity that determines the purpose of and means for the Data processing on its own, in other words, to the secondary Data controller. Where we transfer the Data to another Data Controller, we will do so transparently, and we will appropriately inform you about it in advance. This usually concerns employees’ insurance policies or contracts with ICT operators that include also private numbers as requested by the employees.

c. Data processors

Data processor means any entity whom we provide with the Data to be processed within a controlled process, i.e. to carry out a certain operation necessary to achieve the purpose for which DPD has collected the Data.

These processors include without limitation:

i. Subcontracted Carriers

Entrepreneurs who pick up and deliver the parcels on behalf of the DPD based on a contract.

Scope of the data processed: Identification and Contact Details of the Consignors and Consignees of the parcels.

ii. Entities cooperating within DPD Group and partners involved in the transportation

In the case of international services, it is necessary to ensure that the parcels are delivered / transited in / to other countries, and this is done by the organisational units or partners of the DPD Group that are responsible for the services in the relevant country.

Scope of the data processed: Identification and Contact Details of the Consignors and Consignees of the parcels.

iii. ICT service providers

To a necessary extent, the Data may also be disclosed to providers of ICT services within a controlled process, including without limitation:

• to ensure the efficiency of DPD services, especially the optimization of delivery processes, notification services, transfer of data about the parcels, payment of the COD service charge, etc.

Scope of the data processed: Identification and Contact Details of the Consignors and Consignees of the parcels, Identification Data of the Users of the online applications.

• to support internal processes within DPD, such as internal communications, flow of information and processing of information, and to carry out any administrative activities.

Scope of the data processed: Data contained in the Company’s information systems.

• to store the Data for the period as is prescribed, and for analytical and statistical purposes or other legal purposes as statutory duties.

Scope of the data processed: Identification Data and Contact Details of the Consignors and Consignees of the parcels or other relevant Data Subjects.

iv. Service Contractors

There are companies that, to a limited extent, take part in some of the DPD’s activities, while doing so they may come across some Data. This usually concerns subcontractors who are responsible for loading and sorting of the parcels.

Scope of the data processed: Data specified on the shipping labels of the parcels.

v. Contractors providing services in favor of our Employees

The data of our employees are provided to certain contractual persons within a controlled process to provide services in favor of our employees, including calculating and payment of salaries and employees’ benefits, to carry out any activities related to the employment relation and compliance with any employment requirements.

Scope of the data processed: Identification Data of the employees.

DPD has concluded Data Processing Contracts with all Data Processors whereunder the Data Processors agreed to comply with all requirements laid down in the Legislation on Data Protection and the requirements for Data security that DPD requires.

d. Other Data recipients

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. Such disclosure may only be considered if it is necessary for defending the rights and claims of DPD CZ or Data Subjects. E.g. it may be necessary to proof the value of the consignment to the insurance company or to the entity responsible for damage to the consignment in the context of claiming damages.

The Data related to provision of DPD services are transferred abroad for the following purposes:

a. Due delivery /transit of parcels sent to another country. In this case, the Data are provided to GeoPost SA, with its registered office at 26 rue Guynemer, 92130, Issy Les Moulineaux, France, its subsidiaries and branch offices (DPD Group) and to partners engaged in the transportation in the transit country and the destination country. In some jurisdictions of some transit/destination countries the Data may not be protected in the same extent as it is in the EU. In such cases, we strictly apply Legislation on Data Protection.

b. Archiving and statistical purposes. In this case, the Data are transferred for processing to Geopost International Services GmbH & Co. KG, Wailandtstrasse 1, 63741 Aschaffenburg, Germany, which is responsible for controlling and protecting the data related to the transportation for the period for which DPD is obliged to store the data on the transportation, i.e. maximum 10 years from the date of sending of the parcel.

c. Operation of the DPD website using Google Analytics provided by Google. Google Analytics use Cookies that help analyse our website and its use. Any information generated by Cookies based on your visit to the website is transferred and stored as a rule by Google on servers located in the United States of America.

We guarantee transparent approach in case anyone whose Data we process wishes to exercise their rights. We take requests of Data Subjects to exercise their rights seriously, and thus we also pay maximum attention to ascertain that these requests are raised by persons who are really authorised to do so. That means that before we address your request, we must verify the identity of the interested person (this does not apply to general queries regarding processing).

In line with the Legislation on Data Protection, we will respond to the requests of the Data Subject to exercise their right without undue delay, within 30 days from the date of filing the request and from ascertaining that the request was raised by an authorised person at the latest. In some exceptionally difficult cases, this period may be extended, however it will not exceed 3 months.