Direct Parcel Distribution CZ, s. r. o., company identification number 61329266, with its registered office in Říčany u Prahy, Modletice 135, Postal Code 251 01, registered in the Commercial Register kept by the Municipal Court in Prague, Section C 52346 (hereinafter only “DPD”), hereby provides information on the method and scope in which it processes personal data.
Personal data means any information related to an identified or directly or indirectly identifiable natural person (Data Subject). Personal data are hereinafter referred to as the „Data“.
If there are any other terms and definitions used herein, they will be interpreted within the meaning specified in the EU General Data Protection Regulation No. 2016/679 (“GDPR“), or any other applicable legislation (hereinafter only the „Legislation on Data Protection“).
In DPD we take protection of personal data seriously and we pay due care to the protection from the first moment when we receive the Data until the moment of their disposal and erasure. When processing data, we abide by the Legislation on Data Protection and by internal guidelines that reflect the legislation and formulate reasonable requirements applicable to safe control and handling of the data
DPD processes various categories of personal data of different persons, but only to the extent necessary to achieve the purpose of the processing. The “Scope of Data” indicated hereinbelow illustrates the maximum scope possible. Each processing operation concerns only those data that are relevant only to achieve the respective purpose.
a. Data of Customers, Consignors and Consignees of the parcels
We process Identification Data relevant for providing shipping services and any tasks associated therewith duly and manifestly, including processing of orders, pickup and delivery of parcels, invoicing for the services, collecting any debts and documenting DPD business activities.
Scope of the Data processed: Identification Data, Contact Details (phone numbers, e-mail addresses) and other Data necessary to achieve the purpose.
For some services it may be necessary to process also Birth Dates, or Personal Identification Card Numbers, nevertheless, this is only the case where it is indispensable for such service or task.
Note: For purpose of this Data processing, except of the case when Date of Birth is provided, DPD is not to be considered Data Processor for the Data provided to arrangement and execution of the parcel delivery (Art. 28 GDPR), but is responsible for the Data as Data Controller. For this reason, except Recipient\'s age verification services, it is not necessary for the Consignors to conclude Data processing contracts with DPD.
Why do we in specific cases require insight into the ID card and record some Data?
Besides basic services we offer to our clients specific products that enable the Consignor to receive more security via sure identification of the person to whom the parcel was handed over. These products called Verified Handover and Verified Handover 18+. In these cases, the parcel can only be handed over to a person designated by the Consignor, in case of Verified Handover 18+, DPD will also check the age of the accepting person (Consignor is fully responsible for the statutory reason of Consignee’s age control, as in this case DPD acts only in the role of the Data processor)
While parcel is handed over, we will record the last 5 numbers of the ID card and, in the case of verification of the Consignee\'s age, also a copy of the date of birth. With this we are able to assure the Consignor that his instructions were fully followed.
The other case is to check the identity of the Consignee when delivering the parcel via parcel shop (Pickup). In this case, we also carry out the identity verification and the recording of the part of the document presented in order to ensure the safe handover of the parcel to the authorized person
Verification of identity is not performed if the set-up of the service with the Consignor and the parcel shop allows us to use the security PIN that we will send the authorized Consignee before the parcel is ready for collection.
b. Data of Contractors and their Representatives
We process necessary identification Data of representatives of our contractors and partners in order to ensure due performance of any contracts, or protection/enforcement of legitimate interests within our business relations and business activities.
Scope of the Data processed: Identification Data, Contact Details (phone numbers, e-mail addresses) and other Data necessary to achieve the purpose.
c. Data of Employees of our Contractors
We process Identification Data of employees of other employers who carry out their work at DPD workplaces or who perform tasks arising out of any contracts on behalf of our contractors (where Data are necessary for the purposes of performance of such contracts) only to comply with our statutory duties (e.g. for the purposes of safety and health protection at work and fire prevention, protection of assets and legitimate interests of DPD, or, as the case may be, communication in business relations).
Scope of the Data processed: Name and Surname, Contact Details (phone numbers, e-mail addresses), Signatures and other Data necessary to achieve the purpose.
If work is performed at DPD workplaces, these include also CCTV recordings, Identification Photos, or other Data necessary for the performance of the relevant contract, such as GPS coordinates of places where parcel labels are scanned.
d. Data of Persons in employment relations (Employees) or similar relations with DPD
We process Identification Data and other necessary Data of our employees and temporary employees to fulfil our obligations and exercise our rights arising out of employment relations, social security, tax duties, protection of our assets and legitimate interests. Where legislation requires so, we may also process Data of other persons where it is essential for fulfilling any statutory duties, including Data of children and spouses of these persons.
Scope of the Data processed: Name and Surname, Addresses, Contact Details (phone numbers, e-mail addresses), Signatures, Photos, required Information on Health screening, Data on Marital Status and other Data of similar nature, as well as Data on the Employment History, Data on using work tools and working hours, etc.
e. Data of Visitors of DPD websites and of Users of online applications
We collect Data of visitors of our website, stored in Cookies (small files that allow DPD to save specific information about the PC of the visitors of our website during their visit to DPD website to ensure optimum functionality of the DPD website and online applications for the users, and also of monitoring of its functioning and protection). Cookies help us see the frequency of the visits, number of visitors and adjust our services so that they are comfortable and efficient for the users, and they also help us identify users when using online applications and store their preferred settings. Cookies may not enter users’ system. More information please find in section Use of DPD website cookies.
Scope of the Data processed: IP Addresses and User Settings in online applications.
f. The Data of Recipients of marketing communications
We process contact details of persons representing our contractual clients and also of any other persons who have expressed their consent to marketing communications for the relevant purposes in order to offer our services and for other marketing and business purposes, and to inform them about any relevant facts associated with DPD activities. In this regard, DPD is not only bound by the Legislation on Personal Data Protection, but it also has to abide by the Act on Some Services of Information Society.
Scope of the Data processed: Name and Surname, Contact Details (e-mail addresses).
g. The Data of Persons entering monitored DPD premises
DPD premises where parcels are handled are, mainly for security reasons, monitored by CCTV and the video recordings are stored. If a person enters the premises, he may be recorded by the CCTV. The use of the CCTV is subject to strict DPD rules and recordings are accessible only by a limited number of employees, and only for the purposes of addressing any security events. As a rule, recordings are stored for 60 days on secured servers. Places that are monitored are duly marked with informative signs.
Scope of the Data processed: Appearance and Behaviour of the persons in the monitored premises
h. The Data of Other Persons
In the diverse areas of DPD’s activities, sometimes it is necessary to process Data of persons that cannot be categorised in advance. In such cases, we always process the Data only to the extent necessary to achieve the relevant purpose of the processing and within a controlled process.
Scope of the Data processed: Specific Data according to the purpose, while respecting the principle of data minimisation.
DPD stores all data on specially protected servers. These servers are accessible only to authorised persons who are responsible for technical, business and editing tasks in relation to these servers. We have defined and implemented necessary technical and organisational measures to be able to guarantee security of your Data.
To ensure IT security and authorised access, the use of all technical devices (hardware) we employ for Data processing is regulated by clearly defined policies. Users of these devices are trained and motivated to comply with the security policies and with the system of internal control.
Moreover, Data transfers are secured by reasonable technical restraints that correspond to the relevance of the processed Data.
We also process Data that are saved on external media, be them electronic media (USB, DVD, etc.) or printed documents. Even for these cases, we have clearly defined rules how to handle the Data saved in this way, we train our staff who handle them to comply with these rules, or they are bound either by a contract or by their statutory duties.
Our priority is to protect the Data to prevent any losses, falsification, unlawful handling, abuse or unauthorised access.
We use and process your Data only for the declared purposes that are connected to our business activities. We do not provide Data we process to anyone and for any purposes that are not connected to our services, except in the following cases:
a. To comply with Statutory Requirements
There are cases specified in the legislation where we are obliged to disclose the Data we process to the competent bodies upon their request or in compliance with the legislation. These bodies include state administration bodies and authorities, social security and health insurance bodies, auditing companies etc.
b. Secondary Data Controllers
In some cases where it is necessary to act on a contract or an agreement with Data Subject, we must transfer the Data in the relevant scope to another entity that determines the purpose of and means for the Data processing on its own, in other words, to the secondary Data controller. Where we transfer the Data to another Data Controller, we will do so transparently, and we will appropriately inform you about it in advance. This usually concerns employees’ insurance policies or contracts with ICT operators that include also private numbers as requested by the employees.
c. Data processors
Data processor means any entity whom we provide with the Data to be processed within a controlled process, i.e. to carry out a certain operation necessary to achieve the purpose for which DPD has collected the Data.
These processors include without limitation:
i. Subcontracted Carriers
Entrepreneurs who pick up and deliver the parcels on behalf of the DPD based on a contract.
Scope of the data processed: Identification and Contact Details of the Consignors and Consignees of the parcels.
ii. Entities cooperating within DPD Group and partners involved in the transportation
In the case of international services, it is necessary to ensure that the parcels are delivered / transited in / to other countries, and this is done by the organisational units or partners of the DPD Group that are responsible for the services in the relevant country.
Scope of the data processed: Identification and Contact Details of the Consignors and Consignees of the parcels.
iii. ICT service providers
To a necessary extent, the Data may also be disclosed to providers of ICT services within a controlled process, including without limitation:
to ensure the efficiency of DPD services, especially the optimization of delivery processes, notification services, transfer of data about the parcels, payment of the COD service charge, etc.
Scope of the data processed: Identification and Contact Details of the Consignors and Consignees of the parcels, Identification Data of the Users of the online applications.
to support internal processes within DPD, such as internal communications, flow of information and processing of information, and to carry out any administrative activities.
Scope of the data processed: Data contained in the Company’s information systems.
to store the Data for the period as is prescribed, and for analytical and statistical purposes or other legal purposes as statutory duties.
Scope of the data processed: Identification Data and Contact Details of the Consignors and Consignees of the parcels or other relevant Data Subjects.
iv. Service Contractors
There are companies that, to a limited extent, take part in some of the DPD’s activities, while doing so they may come across some Data. This usually concerns subcontractors who are responsible for loading and sorting of the parcels.
Scope of the data processed: Data specified on the shipping labels of the parcels.
v. Contractors providing services in favor of our Employees
The data of our employees are provided to certain contractual persons within a controlled process to provide services in favor of our employees, including calculating and payment of salaries and employees’ benefits, to carry out any activities related to the employment relation and compliance with any employment requirements.
Scope of the data processed: Identification Data of the employees.
DPD has concluded Data Processing Contracts with all Data Processors whereunder the Data Processors agreed to comply with all requirements laid down in the Legislation on Data Protection and the requirements for Data security that DPD requires.
d. Other Data recipients
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. Such disclosure may only be considered if it is necessary for defending the rights and claims of DPD CZ or Data Subjects. E.g. it may be necessary to proof the value of the consignment to the insurance company or to the entity responsible for damage to the consignment in the context of claiming damages.
The Data related to provision of DPD services are transferred abroad for the following purposes:
a. Due delivery /transit of parcels sent to another country. In this case, the Data are provided to GeoPost SA, with its registered office at 26 rue Guynemer, 92130, Issy Les Moulineaux, France, its subsidiaries and branch offices (DPD Group) and to partners engaged in the transportation in the transit country and the destination country. In some jurisdictions of some transit/destination countries the Data may not be protected in the same extent as it is in the EU. In such cases, we strictly apply Legislation on Data Protection.
b. Archiving and statistical purposes. In this case, the Data are transferred for processing to Geopost International Services GmbH & Co. KG, Wailandtstrasse 1, 63741 Aschaffenburg, Germany, which is responsible for controlling and protecting the data related to the transportation for the period for which DPD is obliged to store the data on the transportation, i.e. maximum 10 years from the date of sending of the parcel.
c. Operation of the DPD website using Google Analytics provided by Google. Google Analytics use Cookies that help analyse our website and its use. Any information generated by Cookies based on your visit to the website is transferred and stored as a rule by Google on servers located in the United States of America.
This Statement on Personal Data Protection is the primary document specifying the processing of the personal data in DPD. This document may be subject to changes and you are recommended to check for any updated version hereof.
DPD contact details for matters related to Personal Data Protection
If you wish to raise any queries or requests in the matter of personal data protection in DPD, please contact us using one of the means specified at our website, or send us an e-mail to: [email protected]
Supervisory Authority
ÚŘAD PRO OCHRANU OSOBNÍCH ÚDAJŮ
Pplk. Sochora 27
170 00 Praha 7
Česká republika
Homepage / Ochrana osobních údajů