DPD France places the protection of personal data at the heart of its missions and services offered to its customers.
This Policy sets out the principles and guidelines we apply to protect your Personal Data and aims to inform you about:
the Personal Data that DPD France collects and the reasons for its collection,
how your Personal Information is used,
your rights regarding your Personal Data.
This Policy applies to all of DPD France's services.
How does DPD France consider the protection of your Data?
DPD France is committed to considering the protection of Personal Data and the privacy of its customers from the design of new products or services offered to them. To ensure security and ensure the respect and proper exercise of your rights, measures to protect your personal data are implemented :
Implementation of a procedure for exercising rights and a procedure in the event of a personal data breach;
Carrying out IT security and RGPD compliance questionnaires prior to the implementation of a project or application;
Verification of the guarantees presented by our subcontractors and future subcontractors with regard to the requirements of the RGPD;
Carrying out internal audits, drawing up recommendations, monitoring and updating related actions;
Consultation with project managers in order to define relevant and reasonable retention periods, not exceeding the period necessary to achieve the purpose of the processing operation
Maintaining and updating a data processing register;
Regular training sessions for all our employees;
Participation in the Data Protection Officer network, which includes all Geopost's European subsidiaries.
Which personal data is used by DPD France?
DPD France undertakes to only collect the data that is strictly necessary for the provision of the requested services.
We use your Data in accordance with this Policy, the general terms and conditions of sale or use of our products and services and particularly:
when you have been given clear, apparent and precise information regarding the processing in place and agreed, for one or more specific purposes either by way of a written declaration, including by electronic means, or by the absence of opposition or written declaration;
when it is needed for the performance of contract, the general terms and conditions of sale or use or the performance of pre-contractual measures;
for the compliance of legal or regulatory obligations and the legitimate interests of DPD France.
If optional data is requested, DPD France will be given a clear explanation of the Data we need to provide the requested service and the data you may decide to provide voluntarily.
Where does the data we process come from?
If you ship a parcel, we receive your data when you contact us, visit one of our shipping sites or ship parcels with us.
If you are the recipient of a parcel, we receive your details from our shipping customers. They provide us with your details, together with package information or notification instructions, primarily in electronic form or via their own shipping systems or ours. They normally do this to the extent that they have entered into a contractual relationship with you in accordance with Article 6(1b) of the GDPR, and we need this data to deliver the goods you have ordered to the shipper. In addition, we naturally receive your data from other postal service providers who act on our behalf to deliver consignments, for example if the consignment originates from abroad and another postal service provider who cooperates with us has been commissioned with the delivery.
Finally, we receive data directly from you when you have filled in your personal information in your user area (delivery address, delivery preferences, etc.) and/or when you contact our customer service department and/or exercise your rights regarding your personal data.
If you are visiting our website, we receive your data through various functions of the site. To this end, we use cookies or request information directly from you. Our priority is to optimise the presentation of our website and to provide you with information about our services. You can limit the services or deactivate them completely at any time by using a link or making the appropriate selection. (Please consult the General Terms and Conditions of Use of the website). Personal Data is used to offer you other services, only if you have agreed to receive commercial communications. In any event, you may revoke your consent at any time.
How is the collection of Personal Data from minors?
Some of our services may be used by minors. They must obtain the consent of their parents or legal representatives.
Which departments or companies can have access to your Personal Data?
Your data may be transferred to:
departments within DPD France: departments in charge of performing subscribed services in particular Customer Service, Sales Force, etc…
service providers outside DPD France with whom we always sign a contract ensuring the respect of your Data and particularly transport sub-contractors that may be entrusted with carrying out your delivery.
within Le Groupe La Poste.
How is your Personal Data processed?
In order to carry out the services subscribed to, DPD France is responsible for processing the data collected and processed, for which it determines the purposes and means:
Subject matter |
Purpose |
Data Subjects |
Type of Personal Data |
Retention period |
Legal basis |
Role of DPD France |
Customer relationship management and analysis of business activity |
Contract management |
Customers and contacts (natural persons) |
Name, first name, position, address, telephone number, email address, fax number, signature, billing information |
Length of the business relationship + 5 years / 3 years from last contact (prospects) |
Performance of the contract / legitimate interest (prospect) |
Operations relating to the management and follow-up of the contract with the Customer, the customer file (concerning sales proposals, price lists) and invoicing. History of the customer relationship and correspondence exchanges; Elaboration of sales statistics. Optimizing the commercial approach. Emailing. |
Claim and dispute management |
3 years archived (see CNIL definition) |
Claims management / pre-litigation and litigation |
||||
Parcel delivery management |
Delivery tracking and proof |
Customer's customers (recipients) |
Name, first name, postal address, telephone number, email address, signature, data necessary for delivery (door code, ...) if necessary. |
13 months from the date of delivery (cf. Art. L. 133-6 French Commercial Code) |
Performance of the contract (cf. art. L-132-8 C. com) / legitimate interest |
Collection/pick-up of parcels prepared by the Customer. Transport to the delivery place indicated on the parcel and handover of the parcel to the recipient appearing on the parcel. |
Delivery preference instructions issued by recipients |
customers of the Customer and/or its agent (recipients) |
Retrieval of data and/or delivery instructions issued by the Customer's customers. |
||||
Customer service: management of complaints |
Customer's customers (recipients) |
Management of any complaints from the Customer's customers within the framework of the outsourcing of its customer service in Madagascar |
||||
Reporting KPI |
To measure the quality of performance and optimise tactical delivery schedules |
Customer's customers (recipients) |
Surname, first name, postal address, telephone number, e-mail address, parcel number |
13 months (then anonymised) |
Legitimate interest |
To analyse and use the data over a certain period to produce statistics enabling the quality of parcel delivery services to be assessed and performance to be improved. |
Listening to and one-off recording of telephone conversations |
Improvement of service quality |
Customers and, if applicable, their employees / customers of the Customer (recipients) |
Name, first name, postal and email address, telephone number, recording of the conversation, time and duration of the call |
- Reports of recordings: 1 year - Recordings: 6 months |
Legitimate interest |
Use of recordings to improve service quality and train and evaluate customer service operators (operated in France and/or Madagascar). |
Satisfaction surveys |
Name, first name, postal and email address, telephone number, reviews and comments |
6 months and archived for a maximum of 3 years unless consent is withdrawn |
Legitimate interest |
Use of opinions and comments to measure the level of satisfaction and improve service quality. |
||
Chatbot |
Responding to various requests |
Users of the chatbot via the website www.dpd.com/fr/fr |
Name, first name, postal address, telephone number, e-mail address, data required for delivery (digicode, etc.), opinions, comments if any |
6 months |
Legitimate interest |
Management of users' requests via the online conversation software application provided by DPD France on the website and processed by customer service (operated in France and/or Madagascar). |
Professional alerts / Safecall |
Provision, management and processing of professional alerts in accordance with regulations and/or in the event of situations contrary to DPD France's code of conduct and/or DPD France's and/or GeoPost's policies and procedures |
Customers and, where applicable, the Customer's employees/customers (recipients) |
Name, first name, postal address, telephone number, e-mail address, data relating to the alert, date and subject of the request or alert |
Inadmissible alert: anonymisation within 30 days of receipt; admissible but not giving rise to any action: anonymisation within 2 months of closure; failing this, the data is kept until the end of the actions or measures |
Legal obligation / Legitimate interest |
Receipt and recording of professional alerts - Investigation and follow-up of alerts - Closure of alerts - Compilation of activity data (statistics) on anonymous data. Data is processed via the Safecall platform (telephone and/or online) operating from the United Kingdom. |
To implement the personal data processing described below, DPD France determines, jointly with Geopost, its parent company, the purposes and means of the processing. In accordance with Article 26 of the GDPR, a joint responsibility agreement has been signed. In particular, it describes the responsibilities and obligations of each of the joint data controllers, the relationship with data subjects and the way in which they can exercise their rights under the RGPD, the security and confidentiality measures taken to protect their personal data, the defined retention periods, as well as the procedure in the event of the detection of a data breach.
Subject matter |
Purpose |
Data Subjects |
Type of Personal Data |
Retention period |
Legal Basis |
Role of co-controllers |
Reporting KPI |
Measure performance quality and optimize tactical delivery schedules
|
Customers of the Customer and/or its agent (recipients) |
Name, first name, postal address, telephone number, email address, parcel number |
6 months (then anonymization) Postal address: 3 years (optimization schedules) |
Legitimate interest |
Analyse and use data over a period of time to derive statistics that can be used to assess the quality of parcel delivery services and improve performance.
|
Parcel delivery and interaction with unauthenticated recipients |
Parcel delivery management within the Geopost Group network, of which DPD France is a member (interoperability of information systems) |
Customers and/or customer's customers and/or its agent (recipients) |
Data of the sender or recipient when it is a consumer: Name, first name, username, email address, postal address (including GPS coordinates), telephone number, parcel number, Proof of Delivery (POD), photo of the entrance door or safe place, information required for ID verification, free text areas (data necessary for delivery). |
6 months in active database, then archiving if there is a legal obligation to retain the data
Postal address: 3 years (optimization schedules) |
Performance of the contract / Legitimate interest / Legal obligation |
Shipping and labelling process - Tracking and location by DPD employees - Parcel status consultation by customers via dedicated applications - Delivery tool management - Order/collection request management - Temperature monitoring of parcels throughout their lifecycle and generation of alerts in case of threshold exceedance - Calculation of estimated delivery days based on origin and destination postal codes - Facilitation of delivery services with delivery instructions - Tracking and location of parcels by recipients through the recipient application - Improvement knowledge and interaction with recipients and prospects - Management of parcel returns - Collection of recipient satisfaction levels.
|
Interaction with authenticated recipients |
Personalization of the recipient customer experience for parcel delivery management within the Geopost Group network, of which DPD France is a member (interoperability of information systems) |
Customers and/or customer's customers and/or its agent (recipients) |
Data of the sender or recipient when it is a consumer: Name, first name, email address, postal address, telephone number, parcel number, Company, Free text areas - information required for ID verification, login, delivery preferences, communication preferences (email, SMS, push, etc.)
|
2 years from the last login.
Postal address: 3 years (optimization schedules) |
Performance of the contract / Legitimate interest / Consent |
Management of notifications sent to recipients via email, SMS, or social media (Predict, etc.) - Prospecting operations to improve offers and services of DPD France and/or the GeoPost network - Collection of recipient satisfaction levels - Profiling consumers based on their use of DPD services, delivery frequency, delivery experiences, interactions with customer service, etc. (no automated decision-making) - Display of advertisements, newsletters, and personalized campaigns - Implementation of a loyalty program. |
Investigation of customer service and management of complaints |
Management of complaints regarding cross-border parcel deliveries |
Customers of the Customer and/or its agent (recipients) |
Name, first name, postal and email address, parcel number, collection request number (collection request), telephone number, case number, POD (signature), free text area for description of parcel contents, for example |
6 months from the closure of the case (+ 6 months in archive) and anonymization of recipient data (reporting) |
Performance of the contract / Legitimate interest (subsidiary measure) |
Management of customer service and complaints (back-office communication tool between customer service departments of GeoPost Group entities for cross-border parcels) - Performance monitoring of GeoPost Group entities - Performance control of customer service employees of GeoPost Group entities by their respective managers. |
Customs clearance management |
Compliance with customs regulations |
Customers and, if applicable, their employees |
Name, first name, postal address, telephone number, email address, parcel number, POD (proof of delivery), parcel contents, billing and payment information, IP address |
6 months (+ 5 years in archive) |
Legal obligation |
Manage the notification and payment of duties and taxes. Generate proof of payment. |
Embargo and trade sanctions |
Compliance with international regulations and in particular embargo restrictions |
Customer and if necessary its employees / Customer's customers (recipients) |
Name, first name, postal address, country, parcel number resulting from the comparison |
10 years |
Legal obligation |
Comparing personal data with lists issued by national and supranational organizations through a tool developed by GeoPost. And, if necessary, assessing the result in accordance with the required procedures by DPD France operators and/or located in the Philippines.
|
Export controls |
Compliance with international regulations and in particular export controls |
Customers of the Customer and/or its agent (recipients) |
Name, first name, postal address, parcel contents, country of origin, country of destination |
6 years |
Legal obligation |
Verify the authorizations and export licenses for dual-use goods. |
Professional Alerts / Safecall |
Non-financial reporting |
Customer and if necessary its employees / Customer's customers (recipients) |
Name, first name, postal address, telephone number, email address, data related to the alert, date and purpose of the request or alert |
Non-eligible alert: anonymization within 30 days of receipt; eligible but not resulting in any action: anonymization within 2 months following its closure; otherwise, the data is kept until the end of actions or measures
|
Legal obligation / Legitimate Interest |
Compilation of activity data (statistics) based on anonymized data. |
For how long does DPD France keep your Personal Data?
Different retention periods apply for the various services we provide. DPD France undertakes not to retain your Data any longer than is necessary for the provision of the service or for compliance with the retention periods arising from the applicable limitation periods.
Can your Personal Data be transferred outside the European Union?
DPD France carries out all Data processing activities within the European Union (EU).
However, for some specific services and particularly for the services provided by customer services, DPD France may need to call on the services of sub-contractors located outside the EU. Some of your Data may therefore be transferred to them for the strict purposes of their services. In such cases and in accordance with the regulations in force, DPD France requires its data processors to provide the necessary safeguards to ensure regulated, secure transfers, mainly by requiring them to sign the European Commission’s standard contractual clauses.
Is your Data protected?
DPD France undertakes to adopt all necessary measures in order to protect the security and confidentiality of your Data and, in particular, to prevent any damage, erasure or unauthorised access by a third party.
To this end, DPD France has an Information System Security Policy based on the ISO 27002 standard, which defines the guidelines for good information security management practices. This policy covers human, physical, organizational and technical security controls.
If your Data is affected by a security breach (destruction, loss, alteration or disclosure), DPD France undertakes to fulfil our obligation to notify Data Breaches, in particular to the French Data Protection Authority (CNIL).
What are your rights concerning your Data?
You may contact DPD France to exercise your rights held under the personal data regulations in force at any time, provided that you satisfy the relevant conditions and particularly:
Right of access: you may be sent your Data that is processed by DPD France;
Right to rectification: you may update your Data or have your Data rectified by DPD France;
Right to object, in particular to prevent direct marketing: you may wish to no longer receive marketing communications from DPD France;
Right to erasure: you may ask us to delete your Data;
To exercise your rights, you can also contact DPD France :
By sending a registered letter with acknowledgement of receipt addressed to the Direction Juridique de DPD France SAS, 11-13 rue René Jacques, Immeuble Vivaldi, 92130 ISSY-LES-MOULINEAUX, or
By email at the following address: [email protected]
All requests must include your surname, first name, postal address and any other information that can be used to prove your identity.
DPD France will respond to your data subject requests without undue delay and in any event, within the times imposed by law.
Has DPD France appointed a Data Protection Officer?
The appointment of a Data Protection Officer reflects DPD France's commitment to ensuring the protection, security and confidentiality of Personal Data.
The Data Protection Officer may be contacted at the following address : Mr La Poste Group's Data Protection Officer, CP C703, 9 rue du Colonel Pierre Avia 75015 Paris.
In the event of any difficulty in connection with the management of your Personal Data, you have the right to file a complaint with the CNIL : Commission Nationale de l’Informatique et des Libertés (3 place de Fontenoy - TSA 80715 – 75334 Paris cedex 07 ; tél. : 01 53 73 22 22).
GLOSSARY
Each term beginning with a capital letter has the meaning given below.
"Privacy and Personal Data Protection Policy" and "Policy": means this Policy describing the measures adopted for the processing, exploitation and management of your Personal Data and your data subject rights
"Personal Data": means to any information relating to you that can be used to identify you, directly or indirectly.
“Processing”: means to any operation or set of operations performed on your Personal Data.
"Data controller": means DPD France which carries out the Processing of your Personal Data.
"Violation of personal data": refers to a breach of security leading, accidentally or unlawfully, to the destruction, loss, alteration, unauthorised disclosure of or access to your Personal Data.
Updated on September 1st, 2023
Parcel shipping for business and private customers / Personal Data Protection Policy