Privacy Notice

Deutsche Post AG (hereinafter called 'DHL Group') is pleased that you have visited our website and are interested in our company, products and services. It is important to us to protect your personal data during handling throughout the entire business process.

In the following, we explain what information DHL Group when you visit our website and how this information is used.

Frequently Asked Questions

Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This includes information such as your real name, address, telephone number and date of birth. Information which cannot be linked to your real identity - such as favorite websites or number of users of a site - is not considered personal data.

This Privacy Notice applies for the data processing carried out by: Deutsche Post AG

If you have queries with regard to the processing of your personal data, please contact the Data Protection team. The Data Protection team is also available to help with information requests, take suggestions or handle complaints.

Contact data protection team

Visiting our Website

DHL Group is committed to preserving the privacy of users of our websites. When you visit our web pages, our web servers always temporarily save for connection and set up and security purposes the connection data of the computer connecting to our site, a list of the web pages that you visit within our site, the date and duration of your visit, the IP address of your device, the identification data of the type of browser and operation system used as well as the website through which you linked to our site. Additional personal information such as your name, address, telephone number or e-mail address is not collected unless you provide this data voluntarily, e.g. while completing an online contact form, as part of a registration, survey, competition, fulfillment of contract or an information request.

The legal basis for the processing of the aforementioned data categories is Art. 6 (1) (a) of the European General Data Protection Regulation (GDPR). Due to the said purposes, in particular to guarantee security and a smooth connection setup, we have a legitimate interest to process this data.

The web tracking data will be stored for a period of 25 months and then automatically deleted. Furthermore we are using cookies, tracking-tools and targeting measures. You will find more details hereto below "Use of Web Tracking" and "Use of Cookies".

As far as you have enabled geo localization functions in your browser, respectively in your operating system we will use this data to offer you location-based services (e. g. location of the nearest branch, packing station etc.). We will not use this data for any other purpose. If you disable this function your data will be deleted in due time.

Performance of a Contract

For contractual reasons, we also need personal data to provide our services and comply with the obligations arising from contractual agreements concluded with you. This data is used e. g. for performing a (shipment) contract, managing customer data, handling payments and, as the case may be, assessing creditworthiness. Certain shipment data will also be provided to the authorities of the country of transit or destination for customs and tax clearance or for security screening, as required by the laws of such country. The information provided would usually include: shipper name and address, receiver name and address, description of the goods, number of pieces, weight and value of shipment.

The legal basis is usually Art. 6 (1) b) GDPR since the processing is for the performance of a contract to which you are a party.

Further information on data protection in specific services and products is available at the relevant Customer Portal.

Processing for Advertising Purposes

If you are an existing customer of a DHL Group entity, your postal data (e.g. name, address) will be processed to contact you in order to provide you with the latest information about our offers, news, products and services. Apart from an existing consent, we will process your e-mail address exclusively in order to provide you with information regarding DHL Group own and similar products.

Legal basis for the aforementioned processing is Art. 6 (1) f) GDPR. The processing of customer data for own direct marketing purposes is regarded as carried out for a legitimate interest.

You have right to object at any time to the said processing. To exercise your right, simply get in touch with us by using the contact details mentioned under "Who is Responsible".

If you register for one of our newsletters, we are entitled to use your e-mail address for this purpose. You may unsubscribe from the newsletter at any time by clicking the relevant link at the bottom of the newsletter.

In case you file an objection or unsubscribe from our newsletter services the respective data will be blocked, respectively deleted and no longer be processed for such purposes.

We use tracking software to determine how many users visit our website and how often. We do not use this software to collect individual personal data or individual IP addresses. The data are used solely in anonymous and summarized form for statistical purposes and for developing the website.

"Cookies" are small files that enable us to store information related to your device and you, the user, specifically, while you visit one of our websites. Cookies help us to determine how frequently our internet pages are accessed as well as the number of users. And they help us configure our offers so that they are as convenient and efficient as possible for you.

On the basis of Art. 6 (1) f) GDPR, we are using "session cookies" in order to optimize our website and to guarantee and convenient and undisturbed user experience. These cookies are stored exclusively for the duration of your visit to our internet pages. They are automatically deleted when you close your browser.

In addition, we use "persistent cookies" for retaining information about visitors who repeatedly access one of our internet pages. The purpose of using cookies is to be able to offer you optimal user guidance as well as to "recognize" you and thus be able to present (as much as possible) diversified internet pages and new contents during repeated use.

Generally, we do not create an individual profile of your online activities. The content of a persistent cookie is limited to an identification number. Name, email address, IP address, etc., are not saved on the majority of our sites.

CATEGORIES

We have provided details of all cookies used on this websites in the table below.

All cookies in this table have been categorized according to four numbered groups. Please note that cookies can belong to more than one category.

The categories are as follows:

[1] Strictly Necessary: These cookies are essential in order to enable you to move around the website and use its features. Without these cookies, services you have asked for cannot be provided. As already stated above, this is based on Art. 6 (1) f) GDPR.

[2] Performance: These cookies collect information about how visitors use a website, for instance which pages visitors go to most often. These cookies don't collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works.

[3] Functionality: These cookies allow the website to remember choices you make and provide enhanced, more personal features. For example, these cookies can be used to enable visitors to share content with a range of networking and sharing platforms. Information these cookies collect may be anonymized and they cannot track your browsing activity on other websites.

[4] Targeting or Advertising: These cookies are used to deliver adverts more relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as helping measure the effectiveness of an advertising campaign. They are usually placed by advertising networks with the website operator's permission.

LIST OF COOKIES

Adobe Marketing Cloud & Audience Manager Cookies

These cookies are used to collect information in an anonymous form about how visitors use the website. The information is used to improve the site and provide users with content that is more appropriate to them.

AMCV_###@AdobeOrg⁴
This is a pattern type cookie name associated with Adobe Marketing Cloud. It stores a unique visitor identifier, and uses an organisation identifier to allow a company to track users across their domains and services.
AMCVS_###@AdobeOrg⁴
This is a pattern type cookie name associated with Adobe Marketing Cloud. It stores a unique visitor identifier, and uses an organisation identifier.
demdex⁴
This cookie helps Adobe Audience Manager perform basic functions such as visitor identification, ID synchronization, segmentation, modeling, reporting, etc.
dextp⁴
This cookie is set by Adobe Audience manager to record the last time it made a data synchronization call.
dpm⁴
This domain is owned by Adobe Audience Manager. The main business activity is online profiling for targeted marketing.
ev_sync_dd⁴
This domain is owned by Adobe. The main business activity is: Advertising. Used to link anonymous analytics data into a visitor profile and help provide a personalised experience through the website, marketing and advertising.
everest_g_v2⁴
This domain is owned by Adobe. The main business activity is: Advertising.
everest_session_v2⁴
This domain is owned by Adobe. The main business activity is: Advertising.
s_cc²
Adobe Site Catalyst cookie, determines whether cookies are enabled in the browser. This cookie is a session cookie and will expire when the browser is closed.
s_vi²
This cookie is used to identify unique visitor time/date stamp. This is a permanent cookie which expires after 2 years.
s_fid²
This cookie is a 'fallback' visitor identifier where the s_vi cookie normally used for this purpose is blocked. It contains a randomly generated, unique id.
s_sq²
This cookie records what links the user has clicked. This cookie is a session cookie and will expire when the browser is closed.
s_getNewRepeat²
Analytics: Measures whether a visitor is a new visitor or a repeat visitor.

More information about Privacy at Adobe.

Akamai Cookies¹

Akamai provides a defensive shield built to protect websites, mobile infrastructure, and API-driven requests. The Akamai Data Protection and Privacy Program protects the personal information that is processed by respecting global privacy principles.

ak_bmsc
Used by Akamai to optimize site performance and security.
bm_mi
Akamai Bot Manager: Security cookie
bm_sv
Akamai Bot Manager: Fraud prevention
TS0129cac⁴
Akamai Load Balancing cookie
TS0189fea³
Akamai Load Balancing cookie

More information about Privacy at Akamai Privacy Trust Center.

1st party Cookies¹

cookieDisclaimer
This cookie is set when site visitors have agreed to the general setting of cookies. To do this, site visitors must accept or confirm the general "Cookie Disclaimer". The cookie is set when clicking on "Accept", it is valid globally for the respective language variant of the site (i.e. EN/DE).
dpdhl-pageDisclaimer
This cookie is set when site visitors have accepted the disclaimer text on a disclaimer-protected page. If you do not accept the disclaimer text, you will be forwarded to the respective homepage and the cookie will not be set. The actual text of the disclaimer-protected page is only displayed if the site visitors accept the disclaimer text. The cookie is only valid for a single page/URL, the page protected by the disclaimer.
lang
Website's language selection DE/EN

Investor Relations Chat Bot Cookies⁴

The IR Chat Bot is a service that allows to interact with our IR section and the information it contains.

_pk_id.269.xxxx
This cookie contains the visitor ID value used to identify repeat visitors. Its default lifetime is 13 months.
_pk_ref.269.xxxx
This cookie determines whether chatbot visitors came to our site from a referring website or whether they accessed the chatbot directly. Its default lifetime is six months.
_pk_ses.269.xxx
This cookie is responsible for ensuring that the session with the chatbot is trackable for 30 minutes after the last tracked interaction. Once this timeframe elapses, the visit is considered over, meaning that the next chatbot interaction will start a new tracking session.

The IR Chat Bot is based upon IBM Watson and is administered by a subcontractor. The data protection policy of IBM Deutschland GmbH, Ehningen (Germany), and other relevant documents can be found here:

Data protection policy of IBM
Data Processing Addendum of IBM

OneTrust Cookie Consent Management Cookies¹

OneTrust offers a cookie consent solution that scans websites for first and third party tracking technologies including cookies, tags, pixcels, web beacons, and more. This software automatically categorizes the trackers and blocks them until consent is given.

OptanonAlertBoxClosed
This cookie is set by websites using certain versions of the cookie law compliance solution from OneTrust. It is set after visitors have seen a cookie information notice and in some cases only when they actively close the notice down. It enables the website not to show the message more than once to a user. The cookie has a one year lifespan and contains no personal information.
OptanonConsent
This cookie is set by the cookie compliance solution from OneTrust. It stores information about the categories of cookies the site uses and whether visitors have given or withdrawn consent for the use of each category. This enables site owners to prevent cookies in each category from being set in the users browser, when consent is not given. The cookie has a normal lifespan of one year, so that returning visitors to the site will have their preferences remembered. It contains no information that can identify the site visitor.

More information about cookies and privacy at OneTrust Privacy Notice.

Online Survey Cookies⁴

These cookies are set to support the technical control of our online customer survey. The recording and readout of this information serves the sole purpose of not inviting you too frequently and not to survey you repeatedly.

We do not store information you have provided for the survey in any cookie and no personal data is collected or transferred,

dpost_survey_svcsc
This domain is owned by .companion Strategieberatung. Is used to determine if cookies are enabled in the browser.
dpost_survey28_1_1
This domain is owned by .companion Strategieberatung. Is used to control recruitment for a web survey (i.e. avoid multiple invites, do not invite again if a user does not want to participate). Relevant for German Site/Survey.
dpost_survey28_2_1
This domain is owned by .companion Strategieberatung. Is used to control recruitment for a web survey (i.e. avoid multiple invites, do not invite again if a user does not want to participate). Relevant for English Site/Survey.

More information at WebXF Web Excellence Forum

Streaming Cookies³

Performance cookies collect analytical data for DHL Group to understand how visitors use and view webcasts. For example, we can see which webcasts are most popular, identify which webcasts have been watched the most etc.

bhCookieSess, bhResults
This combination of session and persistent first-party cookies deliver webcast and live streaming functionality to the DHL Group website.
STST_BCNAME_<BCID>
Certain detection cookies are set as soon as a visitor arrives at a webcast page. These functional cookies detect the user’s device including the browser, OS (Operating System) and plug-in being used. Based on the results given, StreamStudio will provide streaming media that will work for the specific visitor.
STST_AUTH_<BCID>, STST_REG_CO_<COID>, STST_REG_CSO_<CSOID>, STST_REG_<BCID>, STST_STATS_SESSION_<BCID>, STST_STATS_STATUS_<BCID>
Functional cookies also store user preferences including registration. STST_REG_CO_<COID>, STST_REG_CSO_<CSOID>, STST_REG_<BCID> do not have an expiry date, STST_AUTH_<BCID> expires after 24 hours and any other functional cookies expire at the end of the current session.

These cookies allow web analytics services to recognize your browser or device and, for example, identify whether you have visited our streaming services before. The information is anonymous and only used for statistical purposes.

Analytics are used confidentially only by DHL Group internally to improve its websites and the user experience and the cookies expire at the end of the current session.

Please note that StreamStudio webcasts will not work properly if cookies are turned off.

More information about StreamStudio privacy

Cookies used in the online annual reports from 2013 and 2014

dhlBasket³ | Shopping basket function
This cookie is used to collect and download the online annual reports from 2013 and 2014 in the Documents section of the Download Center. The cookie expires after one day.
dhlFontsize³ | Font size
This cookie sets the font size.
_pk_id* / _pk_ses* ² | Web mining
Piwik cookies collect anonymized information to determine how visitors use the website.
session_id_* ³ | Mark page and login
This application cookie is used for the "Mark page" function and for logging into the backend. The cookie is deleted when the browser is closed.
PHPSESSID² | Video
Implemented in the 2014 annual report. A cookie is set when a video is integrated using iFrame. It is then deleted when the browser is closed.

Additional Information

Third Party Cookies in embedded content

Please note that on some pages of our websites you may notice that cookies have been set that are not related to Deutsche Post DHL Group. When you visit a page with content embedded from, for example, YouTube or Vimeo, these service providers may set their own cookies on your web browser. Deutsche Post DHL Group does not control the use of these cookies and cannot access them due to the way that cookies work, as cookies can only be accessed by the party who originally set them. You should check the third party websites for more information about these cookies.

Using our products and services without cookies is also possible. In your browser, you can deactivate the saving of cookies, limit them to particular websites, or set the browser to notify you when a cookie is sent. You can also delete cookies from your PC hard drive at any time (file: "cookies"). Please note that in this case you will have to expect a limited page presentation and limited user guidance.

Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit: All about cookies

For further EU-specific advice on cookies and the various opt out options available to you, you can also visit the following website: Your online choices

To opt out of being tracked by Adobe Analytics, visit Adobe Experience Cloud Opt-Out.

Please remember that if you delete your cookies, or use a different browser or computer you will need to set your opt-out status again.

Please note that it is not technically possible to detect the Opt-Out if you delete the cookies from your browser.

On our website and in accordance with Art. 6 (1) f) GDPR we are using social-media-plug-ins (like facebook, google+, X etc.) in order to promote our brand, products and services and to get in touch with our customers. Therefore these advertising purposes are regarded as carried out for a legitimate interest. It is the responsibility of the respective social-media provider to be in line with all applicable laws and regulations.

1. Introduction

Deutsche Post AG (hereinafter called 'DHL Group') is pleased that you have visited our social media presences and are interested in our company and our products and services. In the following, we would like to inform you about certain issues related to data protection that apply when you visit our social media presences.

Our social media presences are made available by the respective operators of the social media platform pursuant to the applicable terms and conditions of use. The respective platform operator is solely responsible for the technical operation of this profile.
DHL Group is solely responsible for the content that DHL Group posts on this page (such as information about our company, products, services, sweepstakes, campaigns) and for our interaction with visitors to our profile.
The operators of the social media platform operate the entire IT infrastructure of the platforms. It makes its privacy policy available to users and has its own separate relationship with registered users of the platform. The operators of the social media platforms are solely responsible for all data protection topics involving your user profile, to which we have no access.
We have no influence over the data processing by the operators of social media platforms who collect them. Furthermore, we have no information regarding the extent to which, the purposes for which or the length of time that the operators of the social media platforms store personal data and possibly analyze, link or transfer them to third parties.
Please note that your personal data can, under certain circumstances, also be processed outside of the European Union/European Economic Area. This could result in data protection risks for users because an adequate level of data protection cannot be guaranteed in such cases and the ability to assert data subject rights is limited.
Please see the respective privacy policies and cookie policies for the social media platforms to learn more about their data processing activities and how you can exercise your rights vis-á-vis the operators of the social media platforms.
- Facebook: https://www.facebook.com/policy.php
- Instagram: https://privacycenter.instagram.com/policy
- X: https://twitter.com/de/privacy
- LinkedIn: https://de.linkedin.com/legal/privacy-policy
- YouTube: https://policies.google.com/privacy?hl=de
- TikTok: https://www.tiktok.com/legal/privacy-policy-eea?lang=en
If you would like to contact DHL Group directly - in other words, without the involvement of the social media platforms - please use the contact service on our website.

2. Contacting the data controller and data protection officer

DHL Group is the data controller for the information it posts and also for the data processing that falls in its area of responsibility for the following social media presences:

Facebook: https://www.facebook.com/DHL
Instagram: https://www.instagram.com/dhl_global
TikTok: https://www.tiktok.com/@dhl, https://www.tiktok.com/@deutschepostdhl
X: https://twitter.com/deutschepostdhl, https://twitter.com/DHLglobal
YouTube: https://www.youtube.com/dhl, https://www.youtube.com/deutschepostdhl
LinkedIn: https://www.linkedin.com/company/dhl

To the extent that it concerns the processing of personal data as part of page insights, the following platform operators are jointly responsible, along with us, for data processing. Joint data processing is based on an agreement between the joint controllers pursuant to Article 26 of the General Data Protection Regulation (GDPR).

Facebook/Instagram: Facebook
LinkedIn: LinkedIn Pages Joint Controller Addendum

3. Purpose and legal basis of processing

3.1 Data processing in connection with our social media presences

We make use of our social media presences to inform you about, for example, our company, products, services, campaigns and sweepstakes and to interact with you regarding various topics and respond to your inquiries. The data processing performed in this connection is undertaken to safeguard our legitimate interests in accordance with Article 6(1)(f) of the GDPR. Our legitimate interest lies in public relations work and communication.

The social media platform operator publishes the information you provide on our profile, such as comments, likes, images and videos, and we process this information solely for the abovementioned purposes. We reserve only the right to erase illegal content should this be necessary. This applies, for example, to posts that constitute infringements of the law or are unlawful, hate comments, suggestive comments (explicitly sexual content) or attachments (such as images or videos), which under circumstances violate copyrights, privacy rights, criminal law or Deutsche Post AG's ethics rules.

Data are also collected for the purpose of holding and processing sweepstakes. The details, such as which data are processed and the purpose of the processing, can be found in the privacy notices and terms and conditions of the respective contest.

If you would like to exchange personal data with us, we recommend that you contact our customer service.

3.2 Data processing of page insights for statistical purposes

The social media platform operators from Facebook, Instagram and LinkedIn provide us with page insights, for which we are jointly responsible together with the platform operators. Page insights are anonymous statistics that are generated as a result of certain events and are tracked by social media platforms via cookies and similar technologies when a user such as you interacts with our social media profile. We can use the page insights, which contain no personal data, to see which content is particularly accessed by which group of individuals. This allows us to optimize our social media presence. This represents a legitimate interest on our part for the processing that takes place. The legal basis for data processing related to page insights is Article 6(1)(f) of the GDPR. We would like to point out that data processing can also take place independent of whether you are logged in or registered on the social media platform. We are unable to influence the use of cookies and similar technologies on the social media platform and, in this respect, refer you to your ability as a user to change your settings regarding the related data processing via the respective cookie banner on the social media platform (granting or not granting your consent).

3.3 Social media monitoring

We use social media monitoring in order to obtain a picture of how our business, our products and our services are viewed and, based on this, identify potential for improvement. This entails analyzing posts on the social media platform based on the channel links used and relevant hashtag links. Only those posts to which you allow full public access will be used for this. The legal basis for processing personal data as part of social media monitoring is Article 6(1)(f) of the GDPR because we have a legitimate interest in identifying in freely accessible statements possible deficits in our products or services and responding appropriately.

4. Rights of the data subject

You may exercise your rights as set forth in this Privacy Notice by using our contact form.

If you would like to exercise your rights as a data subject vis-à-vis the social media platform operators, please use the contact options provided by the platform operators on the social media platforms. Should we receive an inquiry that falls within the area of responsibility of the social media platforms, we will forward it to them for further processing.

5. Storage periods

The length of time during which your data are stored will depend on the particular context of the processing and will be based on the parameters imposed by data protection law. All public posts you make on our profiles will remain on our profiles for an unlimited time, unless we erase them on the basis of an update of the original post, a breach of law or an infringement of our guidelines. You may of course erase your posts, comments and the like at any time yourself or exercise your right to have us erase them.

In the case of the social media platform operators' erasure of your data, we have no influence over this and therefore refer you to the privacy policy of the respective platform operator.

Career opportunities within DHL Group are as diverse as our teams all over the world. With about 600,000 employees in over 220 countries, we connect people, improving their lives. If you would like to apply for one of our open jobs you will find more information, also on data protection, here.

DHL Group does not share, sell, transfer or otherwise disseminate your personal data to third parties and will not do so in future, unless required by law, unless required for the purpose of the contract or unless you have given explicit consent to do so. For instance, it may be necessary to pass on your address and order data to our contractors when you order products. Further information on data protection in specific services and products is available at the relevant Customer Portal.

External service providers that process data on our behalf are contractually obliged to maintain strict confidentiality as per Art. 28 GDPR. DHL Group retains responsibility for safeguarding your information in such circumstances. The service providers follow the instructions of DHL Group, and this is guaranteed by technical and organizational measures, as well as by means of checks and controls.

Apart from the right to obtain you have the following rights:

You can request information as to what personal data is stored
You can request that we correct, delete or block your personal data provided these actions are permitted by law and in compliance with existing contractual conditions.
You can request to receive personal data you have provided in a structured, commonly used and machine-readable format.
You may lodge a complaint with the supervisory authority. To find your competent data protection authority, please click here.

Right to object

The right to object applies for all processing of personal data which is based on Art. 6 (1) f) GDPR.

To exercise your right, simply get in touch with us by using the contact details mentioned under "Contact".

DHL Group takes all of the necessary technical and organizational security measures to protect your personal data from being lost or misused. For instance, your data is saved in a secure operating environment which is not accessible to the public. In certain cases, your personal data is encrypted by Secure Socket Layer technology (SSL) during transmission. This means that an approved encryption procedure is used for communication between your computer and the DHL Group servers if your browser supports SSL. Should you wish to contact DHL Group by e-mail, we would like to point out that the confidentiality of the information sent cannot be guaranteed. The contents of e-mail messages can be read by third parties. We therefore recommend you send us confidential information only by post.

Further information on data protection in specific services and products is available at the relevant Customer Portal.

DHL Group reserves the right to change its Privacy Notice at any time with or without prior notice. Please check back frequently to be informed of any changes. By using DHL Group's websites you agree to this Privacy Notice.

This statement was last updated on January 27th, 2026.

DHL Group Data Privacy Policy

Binding Corporate Rules

Global Data Protection
Version 3
Public

Preamble

The use of modern information and communication technologies and a global network of information flows are fundamental to the business processes of DHL Group. Particularly, complex organizational structures and the challenge of running the necessary processing systems on a 24-hour basis require an international IT infrastructure in which Personal Data is processed on a group wide level. Against this background, the protection of the Personal Data of customers, employees, shareholders and business partners is a key global concern for all DHL Group Companies.

The aim of this DHL Group Data Privacy Policy (hereinafter referred to as “Policy”) is to establish a standardized, adequate, and global data protection and data security standard for the entire DHL Group. In particular, the objective is to ensure compliance with legal requirements for cross-border data flows as well as to ensure adequate protection for Data Subjects in the internal, cross-company processing of Personal Data. The Policy thus contributes to and is part of the data protection accountability measures of the DHL Group, as described in the DHL Data Protection Management System. It was first approved by the German Federal Commissioner for Data Protection and Freedom of Information in 2011.

DHL Group Companies are aware that they are perceived as a single unit in many areas and are therefore committed to sharing responsibility for implementing the Policy by handling Personal Data in a reliable and secure manner in order to contribute to the commercial success of the DHL Group and its reputation towards Data Subjects.

1.1 Area of Application

(1) The Policy applies to the processing of Personal Data of natural persons, in particular the data of customers, employees, shareholders and business partners and shall create an adequate level of protection for the Data Transfer of Personal Data from DHL Group Companies established in the European Union (EU) / European Economic Area (EEA) to DHL Group Companies in a Third Country not having an adequate level of protection. The categories of Personal Data processed, as well as the purposes of the Data Processing, depend on the relationship that Data Subjects may have with one or more DHL Group Companies. The Data Processing governed by this Policy mainly relates to the handling of employment relationships covering a wide range of possible aspects from the start of employment to possible career and development opportunities, as well as customer relationship management, which may include a variety of customer services.

(2) The list of purposes covered by the Policy is provided in Appendix 2, with details on relevant categories of Data Subjects and Personal Data processed for each purpose. Appendix 2 may be updated from time to time according to section 5 of the Policy.

(3) The Policy does not apply to Data Transfers subject to legal derogations.

(4) The Policy does also not apply to Personal Data collected and processed outside the EEA and outside of the scope of application of the General Data Protection Regulation 2016/679 ( GDPR) unless the Personal Data is collected and processed as part of an Onward Data Transfers specified under section 1.4.

(5) Moreover, in addition to safeguarding Data Transfers to DHL Group Companies in Third Countries, the Policy forms part of a comprehensive Data Protection Management System that defines DHL Group overall accountability approach to the processing of Personal Data. In this sense, the Policy not only defines the principles to be followed by DHL Group Companies when processing Personal Data but also links to the relevant procedures designed to ensure DHL Group compliance with applicable Data Protection Laws and, in particular, the GDPR.

1.2 Legally Binding Effect

(1) The Policy is based on authorization by the DHL Group Corporate Board and enters into force with its publication.

(2) The Policy becomes binding for each DHL Group Company and its employees as soon as the management of the respective DHL Group Company declares its accession to the Policy and confirms its implementation within the respective DHL Group Company. A list of DHL Group Companies that are bound by the Policy is attached in Appendix 3.

(3) All DHL Group employees are bound by the Policy through their employment contracts and/or through the obligation to comply with the DHL Group policies, including the DHL Group Code of Conduct that refers to the Policy. DHL Group Companies shall make their employees aware of the Policy and related obligations through internal communication and mandatory training. The obligation to make the employees aware of the Policy including their obligations under the Policy is with the DHL Group Company employing the relevant employees, and such DHL Group Company shall ensure that it will impose sanctions on the employees breaching the obligations under the Policy according to local Laws and Regulations.

(4) The binding effect shall end with the withdrawal of the Policy or if the respective DHL Group Company withdraws from DHL Group. Any DHL Group company that is no longer bound by the Policy shall return, or delete the Personal Data received under the Policy as DHL Data Importer. Ceasing DHL Data Importer may only keep Personal Data if they agree to be bound by other appropriate safeguards (such as but not limited to Standard Contractual Clauses). The same shall apply with respect to Onward Data Transfers by the ceasing DHL Data Importer.

1.3 Applicable Local Laws and Effects on Compliance With the Policy

(1) The principles of the Policy shall not replace Laws and Regulations governing the processing of Personal Data. Where local Laws and Regulations require a higher level of protection for Personal Data, they shall take precedence over the Policy. In any case, DHL Group Companies shall process Personal Data in compliance with Laws and Regulations.

(2) The lawfulness of Data Processing in relation to Data Transfers to Third Countries and Onward Data Transfers shall be determined by the Laws and Regulations of the EEA country in which the DHL Data Exporter has its registered office.

(3) Each DHL Group Company shall be responsible for verifying the lawfulness of its Data Processing, including any existing requirements to notify national Supervisory Authorities or other regulators, according to relevant local Laws and Regulations. If a DHL Group Company has any doubt that Laws and Regulations may prevent it from fulfilling its obligations under the Policy, it shall inform the competent Data Protection Official or Data Protection Legal Advisor, unless prohibited from doing so by a law enforcement authority.

(4) If a DHL Group Company is subject to local legal requirements that compromise the guarantees provided by the Policy (including binding requests for disclosure of Personal Data), it shall make every effort to notify the Corporate Data Protection Officer who shall assist in informing the competent Supervisory Authority, unless prohibited to do so by Laws and Regulations.

1.4 Onward Data Transfer

(1) If the DHL Data Importer transfers Personal Data to another DHL Data Importer, the DHL Data Importer shall ensure that the Onward Data Transfer complies with this Policy.

(2) In case of Onward Data Transfers to Third Parties, DHL Data Importers shall conclude the EU Standard Contractual Clauses (EU SCCs) or apply other appropriate safeguards in compliance with the applicable Data Protection Laws. In the absence of such safeguards, Onward Data Transfers may take place if a derogation under the GDPR applies. Notwithstanding the foregoing, Personal Data may only be transferred based on the requirements of applicable Data Protections Laws and in accordance with the provisions for Transfer Impact Assessments as set out in section 1.5.

(3) The foregoing provisions shall not apply to the extent that local Laws and Regulations, in particular for reasons of national security, defense, public safety, or for the prevention, ascertainment, and prosecution of criminal acts, expressly provide for the Data Transfer of Personal Data for these purposes.

1.5 Transfer Impact Assessment

(1) DHL Data Exporters shall only transfer Personal Data to DHL Data Importers established in a Third Country based on the Policy where it has been assessed that the Laws and Regulations of such Third Country do not prevent the DHL Data Importer from fulfilling its obligations under the Policy.

(2) DHL Group Companies shall base their assessment of the Laws and Regulations of the Third Country on the understanding that these Laws and Regulations respect the essence of the fundamental rights and freedoms of natural persons and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives of public interest.

(3) When conducting a Transfer Impact Assessment (TIA) as part of the Privacy Impact Assessment (PIA), DHL Group Companies shall consider the following:

a) The specific circumstances of the Data Transfer(s) or set of Data Transfers and of any envisaged Onward Data Transfer within the same Third Country or to another Third Country, including:

the purposes for which the data are transferred and processed (e.g., HR, IT support, etc.);
the types of entities involved in the Data Processing;
the economic sector in which the Data Transfer or set of Data Transfers occur;
the categories and format of the Personal Data transferred;
the location of the Data Processing including storage; and
the transmission channels used.

b) The Laws and Regulations of the Third Country of destination relevant to the circumstances of the Data Transfer, including those requiring disclosing Personal Data to, or permit access by public authorities and those that provide access to such Personal Data during the Data Transfer, as well as the applicable restrictions and safeguards.

c) Any relevant contractual, technical, or organizational safeguards put in place to supplement the safeguards under the Policy including measures applied during the transmission and to the processing of Personal Data in the Third Country of destination. If the TIA concludes that supplementary measures must be implemented in addition to those provided under the Policy, the DHL Data Importer and the responsible Data Protection Official shall be notified and involved in the implementation of such safeguards. The documentation of the TIA shall be made available to the competent Supervisory Authority upon request.

(4) DHL Data Importers shall continuously monitor the Laws and Regulations of their countries when using the Policy as a tool for Data Transfers to identify any changes that would require an update of the TIAs and the implementation of supplementary measures. Where a DHL Data Importer has reasons to believe that it has become subject to Laws and Regulations that would prevent it from complying with its obligations under the Policy, it shall notify the relevant Data Protection Official and the Corporate Data Protection Officer and the relevant DHL Group Company to ensure that each Data Transfer of Personal Data to the respective Third Country is subject to appropriate supplementary measures. The same applies if a DHL Data Exporter has reasons to believe that the DHL Data Importer can no longer fulfil its obligations under the Policy. The relevant Data Protection Official shall advise the DHL Group Companies acting as Data Exporter and Data Importer to identify and implement appropriate supplementary measures. In addition, the Data Protection Official shall also inform the Corporate Data Protection Officer.

(5) If a DHL Group Company concludes that the Policy can no longer be complied with – even where supplementary measures have been implemented – for a specific Data Transfer or set of Data Transfers, or if instructed by the competent Supervisory Authority, it shall suspend such Data Transfer or set of Data Transfers until compliance is ensured or the Data Transfer is terminated. In addition, the competent Data Protection Official, as well as the Corporate Data Protection Officer shall be informed.

(6) If compliance with the Policy is not restored within one month of suspension, the Data Transfer or set of Data Transfers must be terminated. The DHL Data Exporter may decide whether Personal Data transferred prior to the suspension and copies thereof shall be returned or destroyed.

(7) In practice, the assessments of Laws and Regulations of Third Countries, as well as the specific TIAs conducted for a Data Transfer or set of Data Transfers and the supplementary measures identified and implemented, as well as all relevant documentation, shall be made available to all DHL Group Companies and Data Protection Officials to ensure compliance with the Policy and consistency of its implementation across the DHL Group. This also includes the information that where effective supplementary measures could not be put in place, the Data Transfers at stake shall be suspended or ended. Upon request, the documentation of the assessments as well as the selected and implemented supplementary measures shall be made available to the competent Supervisory Authority.

1.6 Access Requests Issued by Third Country Public Authorities

(1) In accordance with Laws and Regulations, the DHL Data Importer shall promptly notify the DHL Data Exporter (and its Data Protection Official) and, if possible, the Data Subject if it:

a) receives a legally binding request from a public authority for the disclosure of Personal Data transferred under the Policy.

b) becomes aware of any direct access by public authorities to Personal Data transferred under the Policy.

(2) The notification shall include all information available to the DHL Data Importer, including, in particular, the Personal Data requested, the requesting public authority, the legal basis for the request and the response provided.

(3) DHL Data Importer shall use its best efforts to obtain a waiver if it is prohibited from notifying DHL Data Exporter and/or the Data Subject, with the aim of providing as much information as possible and shall document its efforts made in order to be able to demonstrate them upon request of the DHL Data Exporter.

(4) DHL Data Importer shall regularly provide DHL Data Exporter as well as the Corporate Data Protection Officer with relevant information on the requests received (in particular, number of requests, type of data requested, requesting public authority, whether requests have been challenged and the outcome of such challenges, etc.) or shall inform the DHL Data Exporter without undue delay if it is prohibited from providing such information.

(5) DHL Data Importer shall preserve the aforementioned information for as long as the Personal Data is subject to the Policy safeguards and shall make it available to any competent public authority upon request.

(6) DHL Data Importer shall review the lawfulness of a request for access or disclosure of Personal Data, challenge it if it is deemed unlawful, and pursue possibilities of appeal. When challenging a request, the Data Importer shall seek interim measures with a view to suspending the effects of the request pending a decision on the merits by a competent judicial authority. It will not disclose the Personal Data requested until it is required to do so under the applicable procedural rules.

(7) When DHL Data Importer is obliged to respond to a request, it shall provide the minimum amount of information permissible. Furthermore, any Data Transfer performed by a DHL Group Company to fulfil a request from a public authority should not be massive, disproportionate, or indiscriminate in a manner that would go beyond what is necessary in a democratic society.

2.1 Transparency of Data Processing

(1) DHL Data Controller shall inform the Data Subjects about how their Personal Data is processed. This also includes the publication of the Policy.

(2) DHL Data Controller shall provide the following information to the Data Subjects:

a) the identity and the contact details of the DHL Data Controller ;

b) the contact details of the Data Protection Officer, where applicable;

c) the purpose and scope of Data Processing;

d) the legal basis for the Data Processing:

e) where Data Processing is based on legitimate interests, the legitimate interests pursued by the DHL Data Controller or by a Third Party;

f) the recipients or categories of recipients of the Personal Data;

g) where applicable, the fact that the DHL Data Controller intends to transfer Personal Data to a Third Country or international organization and the existence or absence of an adequacy decision by the EU Commission, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;

h) the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period;

i) the existence of the right to request from the DHL Data Controller access to and rectification or erasure of Personal Data or restriction of Data Processing concerning the Data Subject or to object to Data Processing as well as the right to data portability;

j) where the Data Processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of Data Processing based on consent before its withdrawal;

k) the right to lodge a complaint with a Supervisory Authority;

l) whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Data and of the possible consequences of failure to provide such data;

m) the existence of automated decision-making, including Profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Data Processing for the Data Subject;

n) where Personal Data have not been obtained from the Data Subject, the categories of Personal Data concerned and from which source the Personal Data originate, and if applicable, whether it came from publicly accessible sources;

o) where it is intended to further process the Personal Data for a purpose other than that for which the Personal Data was collected, the Data Subject shall be provided prior to that further Data Processing with information on that other purpose.

(3) The information may be omitted if the Data Subject already has the information.

In case where Personal Data have not been obtained from the Data Subject the information may be additionally omitted, if

a) the provision of such information proves impossible, or it would entail a disproportionate expense,

b) obtaining or disclosure is expressly laid down by local laws and regulations to which the Controller is subject and which provides appropriate measures to protect the Data Subject's legitimate interests, or

c) Personal Data must remain confidential subject to an obligation of professional secrecy regulated local laws and regulations, including a statutory obligation of secrecy.

(4) DHL Data Controller shall provide the information to the Data Subject at the time when Personal Data is collected. Where Personal Data has not been obtained from the Data Subject, information shall be provided at the latest within one month after obtaining the Personal Data, having regard to the specific circumstances in which Personal Data is processed. In case Personal Data is to be used for communication with the Data Subject, DHL Data Controller shall provide information at the latest at the time of the first communication to that Data Subject. If a disclosure to another recipient is envisaged, DHL Data Controller shall provide information at the latest when the Personal Data is first disclosed.

2.2 Fairness and Lawfulness of Processing

(1) DHL Group Companies shall process Personal Data lawfully, fairly and in a transparent manner in relation to the Data Subject, requiring that one or more of the following conditions are met:

a) The Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes.

b) The processing of Personal Data is necessary for the performance of a contract to which the Data Subject is party, including the contractual information and/or ancillary obligations, or for the implementation of pre- and/or post-contractual measures which are carried out at the request of the Data Subject for the initiation or execution of the contractual relationship.

c) The processing of Personal Data is necessary for compliance with a legal obligation to which the DHL Data Controller is subject.

d) The processing of Personal Data is necessary to protect the vital interests of the Data Subject or of another natural person.

e) The processing of Personal Data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the DHL Data Controller or the Third Party to whom the Personal Data is disclosed.

f) The processing is necessary for the purposes of the legitimate interests pursued by the DHL Data Controller or by a Third Party, except where such interests are overridden by the interests of the Data Subject which require protection.

(2) The processing of Personal Data collected in EEA regarding criminal convictions and offenses, or related security measures, based on section 2.2.1 of this Policy, may only be carried out under the control of official EEA authority or when permitted by EU law or the law of a EU Member State, which provides appropriate safeguards for the rights and freedoms of the affected Data Subjects.

2.3 General Admissibility Requirements for the Processing of Personal Data

DHL Group Companies shall comply with the data protection principles as set out below.

2.3.1 Data Minimization

DHL Group Companies shall take into account the intended purpose of the processing of Personal Data and shall process Personal Data only if it is adequate and relevant and does not go beyond what is necessary in relation to the processing. The principles of Data Processing, including the principle of data minimization, shall also apply to archived Personal Data.

2.3.2 Anonymization and Pseudonymization

Where possible and economically reasonable, DHL Group Companies shall use procedures to remove identification features that can be used to identify individual Data Subjects (Anonymization) or to replace identification features with identifiers (Pseudonymization).

2.3.3 Purpose Limitation

DHL Group Companies shall only collect and process Personal Data for specified, explicit and legitimate purposes. It may only be used for the purpose for which it was originally collected. Changes to the purpose are only admissible with the consent of the Data Subject, if permitted by local Laws and Regulations or where Data Processing for another purpose is compatible with the purpose for which the Personal Data is initially collected.

2.3.4 Consent

(1) DHL Group Companies shall obtain the consent of the Data Subject no later than the date on which the processing of Personal Data begins.

(2) The consent must be freely given, specific, unambiguous and provided on an informed basis, clearly indicating to the Data Subject the scope of Data Processing covered by the consent and the possible consequences of not giving consent. The consent language shall be sufficiently clear and inform the Data Subject of their right to withdraw their consent at any time.

(3) Consent shall be obtained in a form appropriate to the circumstances (in writing or by electronic means). Exceptionally, it may also be provided verbally if the fact that consent has been provided by the Data Subject and the specific circumstances which require that consent is obtained through an oral statement are documented. If the consent is given together with other declarations, it must be clearly highlighted.

2.3.5 Storage Limitation

DHL Group Companies shall keep Personal Data in a form which permits identification of Data Subjects for no longer than necessary for the processing purposes.

2.3.6 Processor

(1) If a DHL Group Company or an external provider process Personal Data on behalf of a DHL Group Company, the obligations of both contractual parties shall be governed by a contract meeting the requirements of applicable Data Protection Laws (Controller-Processor Agreement). The Controller-Processor Agreement shall be concluded in addition to a service agreement which may be concluded in writing or in another equivalent form. It shall stipulate, in particular, that the Processor:

a) processes Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a Third Country, unless required to do so by applicable Laws and Regulations to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless applicable Laws and Regulations prohibit such information on important grounds of public interest;

b) ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality ;

c) takes all technical and organizational measures required pursuant to applicable Laws and Regulations ;

d) respects the conditions for engaging another Processor ;

e) taking into account the nature of the processing, assists the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in section 2.6. ;

f) assists the Controller in ensuring compliance with the obligations pursuant to the applicable Laws and Regulations taking into account the nature of processing and the information available to the Processor ;

g) at the choice of the Controller, deletes or returns all the Personal Data to the Controller after the end of the provision of services relating to processing, and deletes existing copies unless applicable Laws and Regulations require storage of Personal Data ;

h) makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this section and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

(2) Without prior authorization of the DHL Data Controller, the Processor may not process Personal Data, which was passed on to it, for its own or a Third Party’s purposes. The obligations set out in the Controller-Processor Agreement for the Processor shall be imposed on any Sub-Processor commissioned by the Processor. The Processor and any Sub-Processor shall be selected on the basis of their ability to comply with the obligations set out in the Controller-Processor Agreement.

(3) If DHL Group Companies enter into contracts with external Processors and/or Sub-Processors in Third Countries, adequate safeguards as stipulated under GDPR, and applicable Data Protection Laws shall be implemented with respect to the rights and freedoms of Data Subjects and the exercise of their rights.

2.3.7 Accountability

(1) Each DHL Group Company shall ensure and be able to demonstrate compliance with applicable requirements under the Policy.

(2) All DHL Group Companies must maintain a record of all categories of Data Processing activities (Data Protection Record, “DPR”) carried out under the Policy. The DPR includes, as a minimum:

a) the name and contact details of the DHL Data Controller / Processor (where applicable, the joint controller, the DHL Data Controller’s representative and the Data Protection Officer);

b) the purposes of the Data Processing;

c) a description of the categories of Data Subjects and of the categories of Personal Data;

d) the categories of recipients to whom Personal Data have been or will be disclosed;

e) where applicable, transfers of Personal Data to a Third Country or an international organization;

f) where possible, the envisaged time limits for erasure of the different categories of Personal Data;

g) where possible, a general description of the technical and organizational security measures.

DHL Group Companies shall ensure that all DPRs are maintained in writing, including in electronic form. For this purpose, DHL Group Companies are provided with a central documentation tool and platform known as the DHL Group Privacy Portal. DPRs shall be made available to the competent Supervisory Authority upon request.

(3) In order to demonstrate compliance, DHL Group Companies shall ensure that PIAs are conducted for all Data Processing activities involving Personal Data transferred under the Policy. In particular, a PIA shall be carried out for Data Processing operations that are likely to result in a high risk to the rights and freedoms of natural persons. For this purpose, the DHL Group Privacy Portal shall assist DHL Group Companies in fulfilling their documentation and accountability obligations and facilitate the performance of PIAs.

(4) DHL Group Company shall consult the Supervisory Authority prior to Data Processing if a PIA indicates that the Data Processing would result in a high risk in the absence of measures taken by DHL Group Company to mitigate the risk.

(5) DHL Group Companies shall adopt and implement appropriate technical and organizational measures, which are designed to incorporate data protection principles and to support compliance with the requirements outlined in the Policy. These measures should be implemented in practice, to ensure privacy by design and by default.

2.4 Special Data Processing Cases

2.4.1 Special Categories of Personal Data

DHL Group Companies shall only process Special Categories of Personal Data if it is strictly necessary and legally required or if the Data Subject has given explicit consent. DHL Group Companies must implement technical and organizational measures to ensure the security of the Data Processing.

2.4.2 Automated Decisions in Individual Cases

(1) Data Subjects have the right not to be subject to a decision based solely on automated Data Processing, including Profiling, which produces legal effects concerning them or significantly affects them. This right does not apply if the decision is:

a) necessary for entering into, or performance of, a contract between the Data Subject and a DHL Data Controller,

b) authorized by local Laws and Regulations to which DHL Data Controller is subject and which also lays down suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests, or

c) based on the Data Subject’s explicit consent.

(2) The DHL Group Company shall inform the Data Subject about the existence of automated decision-making, including Profiling, about the underlying logic involved, as well as the significance and the envisaged consequences of such Data Processing for the Data Subject.

(3) In the cases referred to in paragraph (1)(a) and (c) above, the DHL Data Controller shall implement suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the DHL Data Controller, to express their point of view and to contest the decision.

(4) In the case of automated decisions based on Special Categories of Personal Data, these are only permissible if based on consent of the Data Subject or if necessary for reasons of substantial public interest, based on applicable Data Protection Laws.

2.5 Data Quality/ Security of Data Processing

2.5.1 Data Quality

DHL Group Companies shall comply with the data quality principles, such as accuracy, completeness, and relevance. The Personal Data must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed. The DHL Group Companies shall take reasonable steps to ensure that inaccurate or incomplete Personal Data is erased, rectified, supplemented, or updated without delay, considering the intended Data Processing and the interests of the Data Subject.

2.5.2 Confidentiality

Only those employees who are authorized and who have committed themselves to the principles of data protection and confidentiality are permitted to process Personal Data. Any processing of Personal Data for personal benefit, unauthorized disclosure, or making it accessible in any other way which is not in line with Laws and Regulations is strictly prohibited. This includes the transfer of Personal Data to unauthorized parties or making it accessible to them in any other way. In this context, “unauthorized” parties may also include employees of the same or another DHL Group Company if the data is not required and necessary for their field of work or specialist tasks or where the Data Processing is not legitimized by Laws and Regulations.

2.5.3 Technical and Organizational Measures

When processing Personal Data DHL Group Companies shall implement appropriate technical and organizational measures to ensure the security of Personal Data, and to protect Personal Data against unlawful access, loss, destruction, or alteration. To this end and in accordance with the respective internal standards, DHL Group Companies shall implement all necessary measures.

These measures include:

Denying access to unauthorized persons to data processing facilities where Personal Data is processed or used (entry control).
Preventing unauthorized persons from using data processing systems (usage control).
Ensuring that authorized users of a data processing system can access Personal Data only within the scope of their access rights, and that Personal Data stored within the data processing system cannot be read, copied, modified or removed without authorization, either during processing or use or when stored (access control).
Ensuring that Personal Data cannot be read, copied, modified or removed without authorization during electronic data transfer or in the process of transmission or storage on data media, and that it is possible to verify and establish where the transfer of Personal Data is supported by data transfer facilities (transfer control).
Ensuring that it can be reviewed and established retrospectively whether, and by whom, Personal Data has been provided, modified or removed from data processing systems (input control).
Ensuring that Personal Data processed on behalf of the DHL Data Controller can only be processed in accordance with the DHL Data Controller’s instructions (process control).
Ensuring that Personal Data is protected against accidental destruction or loss (availability control).
Ensuring that items of data collected for different purposes are processed separately (separation requirement).
Providing possibility of pseudonymization and encryption of Personal Data.
Providing the ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services, including the ability to restore the availability and access to Personal Data.
Provide a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures ensuring the security of the Data Processing.

2.5.4 Personal Data Breach

As stated above, confidentiality and data security are key aspects of DHL Group Data Protection Management System. However, in the event of a Personal Data Breach, the respective DHL Group Company shall document the Personal Data Breach in a dedicated register and notify it to the competent management and Data Protection Official, in accordance with the DHL Group Personal Data Breach process. Where the Personal Data Breach is likely to result in a risk to the rights and freedoms of natural persons, the respective DHL Group Company shall notify the competent Supervisory Authority (for EEA within 72 hours after becoming aware, however, might differ for other jurisdictions). When the Personal Data Breach is likely to result in a high risk to the rights and freedoms of natural persons, the respective DHL Group Company shall additionally notify the Data Subject, in accordance with applicable Data Protection Laws. In case the respective DHL Group Company is acting as a Processor it shall notify the DHL Group Company acting as a Controller when it becomes aware of the Personal Data Breach.

2.6 Rights of the Data Subject

2.6.1 General Obligations

(1) DHL Data Controller shall take appropriate measures to provide to the Data Subject information and communication relating to Data Processing in a concise, transparent, intelligible, and easily accessible form. The information shall be provided in writing, or by other means as appropriate.

(2) DHL Data Controller shall provide information or take action upon request pursuant to section 2.6.2 to 2.6.4 without undue delay and in any event within one month of receipt of the request. Where necessary, taking into account the complexity and number of requests, this period may be extended by two further months. The Data Subject shall be informed of any such extension within one month of receipt of the request, together with the reasons for the delay.

2.6.2 Right of Access

(1) Each Data Subject shall have the right to obtain from the DHL Data Controller confirmation as to whether their Personal Data is being processed and, where that is the case, to access their Personal Data and to receive additional information, including its origin, the purpose of the processing, the recipients to which it has been disclosed and where possible, the envisaged period for which the data will be stored, or the criteria to determine that period. In addition, the Data Subject shall receive access to information whether automate decision-making, including Profiling, is performed. Where this is the case, they shall receive further information about the logic involved and the significance and envisaged consequences of such Data Processing. The Data Subject shall also be informed about appropriate safeguards relating to the Data Transfer of Personal Data to a Third Country, where applicable.

(2) Upon request of the Data Subject, DHL Data Controller shall provide a copy of the Personal Data undergoing Data Processing. For any further copies requested by the Data Subject, the Controller may impose a reasonable fee for issuing such information based on administrative costs.

2.6.3 Right of Rectification, Restriction, Erasure (right to Be Forgotten), and Data Portability

(1) The Data Subject has the right to demand rectification if the data stored about the Data Subject is incomplete and/or incorrect.

(2) The Data Subject shall have the right to request from DHL Data Controller the restriction of Data Processing when:

a) the accuracy of Personal Data is contested,

b) the Personal Data is no longer needed by the DHL Data Controller,

c) the Data Processing is unlawful, or

d) where the Data Subject has objected to Data Processing according to section 2.6.4.

(3) Furthermore, the Data Subject shall have the right to request the deletion of their Personal Data if the Data Processing was inadmissible or where the Personal Data is no longer required for the Data Processing purpose, or if any other reason provided for under Laws and Regulations applies.

Where the DHL Data Controller has made the Personal Data public, it shall - taking into account available technology and costs of implementation - take reasonable steps to inform other controllers which are processing the Personal Data that the Data Subject has requested to delete any links to, or copies or replication of those Personal Data (right to be forgotten). The above obligations do not apply where Data Processing is necessary for compliance with legal obligations by Laws and Regulations which require processing.

(4) The Data Subject shall have the right to receive its Personal Data provided to the DHL Data Controller under the conditions mentioned in Laws and Regulations in a structured, commonly used and machine-readable format (data portability).

2.6.4 Right to Object

(1) The Data Subject shall have the right to object at any time to the processing of their Personal Data, which is based on public interest or the exercise of official authority vested in a DHL Data Controller or based on legitimate interests pursued by the DHL Data Controller or by a Third Party. Unless DHL Data Controller demonstrates compelling legitimate grounds for Data Processing which override the interests of the Data Subject or demonstrates necessity for the establishment, exercise, or defense of legal claims, the DHL Data Controller shall no longer process the Personal Data.

(2) Where DHL Group Companies process Personal Data for direct marketing purposes, the Data Subject shall have the right to object at any time to the Data Processing, which includes Profiling, to the extent that it is related to such direct marketing. In case of objection by the Data Subject, DHL Group Companies shall no longer process Personal Data for direct marketing purposes.

2.6.5 Discrimination Ban

DHL Group Companies shall treat Data Subjects fairly and equally when they assert their rights.

2.6.6 Assertion

(1) The Data Subject may at any time contact the Data Protection Official of the respective DHL Data Controller (via the request form under Privacy Notice on dhl.com) regarding the processing of Data Subject’s Personal Data or with questions regarding the Policy, including where they wish to complain about the Data Processing.

(2) For inquiries and complaints by mail, Data Subjects can use the following contact address:

Deutsche Post AG
Global Data Protection
53250 Bonn

The inquiries and complaints will be forwarded to the respective DHL Group Company.

(3) Data Subjects may lodge their inquiries and complaints directly against the DHL Data Controller. In such cases, the DHL Data Controller, commits to handle such inquiries and complaints without undue delay within one month of receipt of the request. Taking into account the complexity and the number of requests, DHL Group Companies may extend the one-month period at maximum by two further months, in which case the Data Subject shall be informed accordingly within one month of receipt of the request, together with the reasons for the delay.

(4) Data Subjects are duly informed of the complaint handling procedure and how to file a complaint through the Policy and the privacy notices published by DHL Group Companies on the respective websites.

(5) Notwithstanding the foregoing, the Data Subject also has the right to lodge a complaint with the competent Supervisory Authority and/or to take legal action.

3.1 Corporate Data Protection Officer

(1) The Corporate Data Protection Officer coordinates cooperation and agreement on all matters concerning the Policy. In particular, the Corporate Data Protection Officer is a representative vis-à-vis external parties and national/international Supervisory Authorities in all matters concerning the Policy. Regardless of this, the Data Protection Officials who are appointed according to the Laws and Regulations shall keep their independence and freedom from instructions.

(2) The Corporate Data Protection Officer monitors the implementation of the Policy based on audits according to section 3.5 below, as well as other appropriate instruments and reports to the DHL Group Board of Management. DHL Group Companies shall support the Corporate Data Protection Officer in performing these tasks.

(3) DHL Group Companies shall inform the Corporate Data Protection Officer if and when they accede to or withdraw from the Policy. Yearly, and upon request, the Corporate Data Protection Officer shall provide the Supervisory Authority with the list of acceded DHL Group Companies.

(4) The Corporate Data Protection Officer is also responsible for updating the Policy as described under chapter 5 below as well as for providing mandatory trainings in this regard.

3.2 Data Protection Steering Committee

In order to implement the Policy and to achieve continuous integration of data protection requirements into business processes, a Data Protection Steering Committee consisting of divisional representatives, has been established. In particular, the Data Protection Steering Committee shall support and exchange with the Corporate Data Protection Officer to establish and maintain the DHL Group Data Protection Management System.

3.3 Data Protection Officials and Data Protection Legal Advisors

(1) Each DHL Group Company shall appoint an independent Data Protection Official. The Data Protection Official is responsible for the implementation of standards and regulations and must have opportunity to report to the managing director of the respective DHL Group Company.

(2) In order to ensure compliance with the Policy, DHL Group Companies shall involve Data Protection Officials at an early stage in the development and design of new and altered operational processes, products, services and marketing measures. To ensure the performance of these tasks, DHL Group Companies shall inform relevant Data Protection Official of any relevant developments.

(3) DHL Group Companies shall inform the Data Protection Official of the DHL Group Company in question of (suspected) breaches of data protection provisions and of the Policy without undue delay.

(4) With regard to incidents violating the Policy that are relevant to more than one DHL Group Company, the Data Protection Official shall also inform the Corporate Data Protection Officer and the competent Data Protection Legal Advisor. In particular, Data Protection Officials shall inform the Corporate Data Protection Officer if the laws applicable to a DHL Group Company change substantially in a disadvantageous manner and where this has effect on data protection or adherence to the Policy.

(5) Data Protection Officials shall support each other with the implementation and the management of the DHL Group Data Protection Management System. Together with Legal Advisors, they form part of the DHL Group Data Privacy Network.

(6) Data Protection Legal Advisors providing legal experience shall support Data Protection Officials in fulfilling their tasks. In particular, as far as regulatory issues are concerned, Data Protection Officials shall seek the advice of Data Protection Legal Advisors.

3.4 Trainings

(1) The Corporate Data Protection Officer shall provide mandatory, appropriate and up-to-date data protection trainings, as well as further trainings and awareness measures. The training cycle for mandatory trainings is two years for employees in an active work status.

(2) Data Protection Officials shall, on a regular basis and in line with the respective training concept, adequately train the respective employees of DHL Group Companies which have permanent or regular access to Personal Data or who are involved in the collection of Personal Data or in the development of tools used to process Personal Data on the application of the Policy.. The implementation of trainings shall be documented by the respective Data Protection Official and reported at least annually to the Corporate Data Protection Officer.

(3) The trainings shall include but are not limited to trainings on managing access requests by public authorities as well as on access management to Personal Data.

3.5 Audits

(1) DHL Group Companies shall audit the implementation of the Policy and all components of the DHL Group Data Protection Management System on a regular basis and according to the Data Protection Audit Program. It consists of the Data Protection Audit Concept, as developed by Corporate Data Protection Officer, and yearly Audit Plans, prepared by the Corporate Data Protection Officer and the DHL Group divisions, specifying the regular audit activities, the auditors and their frequency.

(2) The audit report, including the proposed corrective actions to address and mitigate the risks, must be communicated and – depending on the audit type and scope – to the respective Data Protection Official and to the managing director of the relevant DHL Group Company and, where appropriate, to the Corporate Board of DHL Group. It shall also be made available to the competent Supervisory Authority upon request.

(3) Audits shall be carried out either by internal or external qualified auditors without any conflict of interests. In addition, Corporate Data Protection Officer and Data Protection Officials shall endorse and support general compliance audits, in particular audits carried out by the Internal Audit department or audits performed by external auditors. In the event that an audit identifies any material non-compliance with the principles set out in the Policy, the relevant DHL Group Company that is found to be non-compliant shall promptly implement the necessary corrective actions to achieve compliance.

(4) In addition to the audits, as laid down in this section, ad hoc audits may be initiated by the Corporate Data Protection Officer occasionally.

(5) Upon request, Corporate Data Protection Officer shall provide the Supervisory Authority with the relevant audit report. A competent Supervisory Authority may ask the Corporate Data Protection Officer to carry out or have carried out - in line with Laws and Regulations - an audit in a DHL Group Company to verify compliance with the Policy. The relevant DHL Group Company shall accept such an audit and make adjustments to address any suggestions for improvement identified through the audit.

3.6 Compliance

DHL Group Companies shall commit to the following obligations:

(1) No Data Transfer under the Policy is made to a DHL Data Importer unless it is effectively bound by the Policy and can ensure compliance.

(2) The DHL Data Exporter shall promptly be informed by the DHL Data Importer if DHL Data Importer is unable to comply with the Policy. Where the DHL Data Importer is in breach of the Policy or unable to comply with it, DHL Data Exporter shall suspend the Data Transfer.

(3) DHL Data Exporter shall also suspend Data Transfer to DHL Data Importer when DHL Data Importer substantially or persistently breaches the Policy or DHL Data Importer fails to comply with a binding decision of a competent court or competent Supervisory Authority.

(4) Where DHL Data Exporter has suspended the transfer of Personal Data and compliance is not restored within a month of suspension, DHL Data Importer shall, at the discretion of DHL Data Exporter, immediately return or delete all Personal Data that has been transferred under the Policy. DHL Data Importer shall apply the same commitments to any data copies, certify data deletion to DHL Data Exporter, and ensure compliance with the Policy until Personal Data is deleted or returned.

(5) If local laws prohibit DHL Data Importer from returning or deleting transferred Personal Data, DHL Data Importer shall ensure continued compliance with the Policy and only process Personal Data as long and as required by the local law.

3.7 Cooperation With Competent Supervisory Authorities

(1) DHL Group Companies agree to cooperate in good faith and as far as admissible according to Laws and Regulations with the competent Supervisory Authority.

(2) DHL Group Companies accept to be audited and to be inspected, including where necessary and in line with Laws and Regulations, on-site, by the competent Supervisory Authorities. They take into account their advice and, where necessary and in line with Laws and Regulations, abide by decisions of these Supervisory Authorities on any issue related to the Policy. Upon request, DHL Group Companies will provide the competent Supervisory Authorities with any information about the processing operations covered by the Policy.

(3) In the event of a change in the Laws and Regulations applicable to a DHL Group Company that may have a material adverse effect on the assurances provided under the Policy, the DHL Group Company shall inform the Corporate Data Protection Officer, who shall contact the competent EU Supervisory Authority.

(4) All disputes in connection with the monitoring of compliance with this Policy by the competent Supervisory Authorities shall be decided by the courts of the EU Member State of the Supervisory Authority, in accordance with the procedural law of that member state. The DHL Group Companies agree to be subject to the authority of these courts.

(5) The responsible Data Protection Official and, as far as necessary, the Data Protection Legal Advisor shall be involved in all matters related to the handling of activities of Supervisory Authorities.

4.1 Liabilty of DHL Group Companies

(1) Each DHL Data Exporter shall be liable, towards Data Subjects, for any breaches of the Policy and / or material or non-material damages resulting from such breaches, irrespective of who caused it.

(2) Each DHL Group Company shall be required to prove that it has not violated the Policy. In the event the Data Subject’s claim relates to an act or omission of a DHL Data Importer, the DHL Data Exporter shall only be exempt from liability towards the Data Subject (in whole or in part) if it can prove that the DHL Data Importer has not breached the Policy.

(3) If a Data Subject, based on a breach by the DHL Data Importer or its Sub-Processor, is not able to bring a claim for redress and compensation, where appropriate, against the DHL Data Exporter, because the DHL Data Exporter has factually disappeared or ceases to exist in law or has become insolvent, DHL Data Importer shall give the Data Subject the right to sue DHL Data Importer instead. If another entity has taken over the legal responsibilities of the DHL Data Exporter by contract or by law, the Data Subject may pursue its rights against that successor entity.

(4) The Data Importer may not rely on a breach by a Sub-Processor of its obligations, in order to avoid its own liability. The liability of the Sub-Processor shall be limited to its own Data Processing operations under the Policy.

(5) The payment of punitive damages, according to which a DHL Group Company would be obliged to make payments to a Data Subject that exceed the actual damage incurred, is expressly excluded.

(6) The Data Subject shall have the right to mandate a non-profit body, organization or association which has been properly constituted in accordance with Laws and Regulations, and which has statutory objectives which are in the public interest and is active in the field of the protection of Data Subjects’ rights and freedoms, with the enforcement of their rights. This may include lodging complaints, exercising their Data Subject rights, and bringing claims for redress and compensation, where appropriate, on their behalf, where provided for by Laws and Regulations.

4.2 Burden of Proof

In any case and where a Data Subject has demonstrated that it has suffered damage that is likely to have been caused by a breach of the Policy, the burden of proof for the processing the Data Subject’s Personal Data in compliance with the Policy lies with the relevant DHL Data Exporter.

4.3 Third Party Rights

(1) If the Data Subject has no direct rights, it shall be entitled to enforce, as a third-party beneficiary, its rights under the Policy against DHL Group Company which has violated its contractual duties towards the Data Subject.

(2) Data Subjects can enforce provisions of the Policy, as third-party beneficiaries, as detailed below:

a) the data protection principles detailed in section 2;

b) the fact that DHL Group grants easy access to the Policy, as detailed in section 1.6;

c) the rights of access, rectification, erasure, restriction, objection to Processing, and the right not to be subject to decisions solely based on automated Processing granted to Data Subjects, as detailed in section 2.6;

d) the obligation, for each DHL Group Company, to notify the competent Supervisory Authority in case of a conflict between the local legislation and the Policy, as detailed in section 1.3;

e) the right for Data Subjects to complain through the Group's internal complaint process, as detailed in section 2.6.6;

f) the duty for DHL Group Companies to cooperate with the Supervisory Authorities, as detailed in section 3.7;

g) the obligation for each EEA DHL Group Company transferring Personal Data to a Non-EEA DHL Group Company on the basis of the Policy, to accept liability for any breaches of the Policy by the Non-EEA DHL Group Company which received the Personal Data, as detailed in section 4;

h) the obligation to inform Data Subjects about any update of the Policy and its members as detailed in section 5;

i) the right to judicial remedies, redress and compensation, as detailed in section 4.1.

j) the obligation for any Onward Transfer of Personal Data by a Non-EEA DHL Group Company to a Third Party to ensure that such Third Party is required to provide the same level of data protection as set out in this Policy.

4.4 Place of Jurisdiction

At the individual's discretion, the Data Subject has the right to lodge a complaint:

with a Supervisory Authority, in particular in the EU Member State of the Data Subject’s habitual residence, place of work or place of the alleged infringement, or the competent Supervisory Authority of the EU Member States where the DHL Data Exporter or DHL Data Importer has an establishment, and
before the competent court of the EU Member States where the DHL Data Exporter or DHL Data Importer has an establishment, or where the Data Subject has its habitual residence.

4.5 Alternative Dispute Resolution

(1) Data Subjects who believe that their right to protection of their private life has been compromised by any actual or presumed processing of their Personal Data, may lodge a complaint with the competent Data Protection Official of the respective DHL Group Company. The Data Protection Official shall examine the legitimacy of the complaint and shall advise the Data Subject regarding its rights. In this context, the Data Protection Official shall uphold the confidentiality of further Personal Data of which the Data Protection Official has been informed by the complainant, insofar as the latter does not release the Data Protection Official from this obligation. Upon request of the Data Subject, the DHL Group Company may try to reach a settlement of the complaint with the Data Subject under the involvement of the Data Protection Official.

(2) The Data Subject’s right to make a complaint with the competent Data Protection Supervisory Authority and/or to take action remains unaffected by this provision.

(1) The Policy may be amended from time to time, when and to the extent necessary, in particular, to comply with applicable Data Protection Laws or to incorporate changes within DHL Group.

(2) In case of necessary updates, Corporate Data Protection Officer shall inform Data Protection Steering Committee and provide relevant proposals. Corporate Data Protection Officer shall also initiate further management alignment, as required, depending on the substance of necessary changes.

(3) Any significant changes to the Policy shall be reported in advance and with a brief explanation of the reasons to the Supervisory Authority. Any other change to this Policy (if applicable), such as those made in order to align the Policy with any updated EDPB recommendations regarding Binding Corporate Rules, shall be reported with a brief explanation of the reasons to the Supervisory Authority once a year. This may apply where the relevant changes potentially affect compliance of the DHL Group Company with applicable data protection laws, or where the changes are potentially detrimental to Data Subject rights.

(4) Clear and easily available information regarding any such significant changes shall be made available to all DHL Group Companies and their employees.

(5) A current version of the Policy and the list of the Policy members will be published on DHL Group websites.

(1) The Policy shall be subject to the procedural law of the Federal Republic of Germany in the case of any disputes.

(2) If individual provisions of the Policy are or become void, they shall be deemed to have been replaced by the provisions that most closely approximate the original intentions of the Policy and the void provisions. In case of doubt, the applicable Data Protection Laws of the European Union shall apply in these cases or in the absence of relevant provisions.

Appendices

The Policy is supplemented by the following appendices, which provide further information and clarification on the terms, entities, and processes involved in the data protection practices of the DHL Group. The appendices are an integral part of the Policy and should be read in conjunction with it.

Anonymization

means a process by which Personal Data is altered in such a way that the data can no longer be assigned to a specific or specifiable natural person, without a disproportionate amount of time, money and effort being required.

Controller – Processor Agreement

An agreement concerning the processing of Personal Data on behalf of the DHL Data Controller by a Processor.

Corporate Data Protection Officer

is responsible for developing DHL Group global data protection strategy, as well as creating policies, standards, guidelines, and training materials. The tasks also include coordinating the DHL Group Data Privacy Network and the Data Protection Steering Committee and monitoring the implementation and compliance with the Policy.

Data Processing

means any operation or set of operations which is performed with Personal Data or with sets of Personal Data, whether or not by automatic means, such as the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Protection Laws

means the laws and regulations that govern the collection, use, disclosure, protection and other type of Data Processing of Personal Data, such as the General Data Protection Regulation (GDPR).

Data Protection Legal Advisor

Legal Advisors (incl. dedicated Country Data Privacy Counsels (CDPC)), responsible for providing advice related to local Data Protection laws.

Data Protection Official

may be – where provided by national laws – appointed as a statutory Data Protection Officer in accordance with such laws and is responsible for the implementation of standards and regulations on local level and reports to the management of the respective DHL Group Company.

Data Protection Record

means the record of processing activities that each DHL Group Company is required to maintain under the Data Protection Laws, documenting the purposes, categories, recipients, transfers, retention periods, and security measures of Personal Data processed by DHL Group Company.

Data Subject

is every identified or identifiable natural person whose Personal Data is processed.

Data Transfer

means disclosure by transmission, e.g. passing on stored Personal Data, to a Third Party by actively forwarding it or enabling third parties to access it.

DHL Data Controller

means the DHL Group Company which alone, or jointly with others, determines the purposes and means of the Data Processing of Personal Data.

DHL Data Exporter

is the DHL Group Company established in an EEA country which Data Transfers Personal Data to a Data Importer.

DHL Data Importer

is the DHL Group Company located in a Third Country (outside EEA) which receives Personal Data from the DHL Data Exporter.

DHL Group Company

means Deutsche Post AG, as well as all companies in which Deutsche Post AG has a direct or indirect stake of more than 50%, or over which it has financial control. Furthermore, in the context of the Policy, companies which have voluntarily acceded to the Policy are equalized with Group companies.

DHL Group Data Protection Management System

The DHL Group Data Protection Management System (DPMS) is a central component of DHL Group overall data privacy accountability. It provides support to the DHL Group legal entities in complying with legal and statutory requirements in the field of data protection.

DHL Group Privacy Portal

The Privacy Portal is a centralized platform encompassing the following items: data processing Inventory and DPR of processing activities; data protection risk classification; PIAs; data protection audits and Personal Data Breach handling.

EEA

consists of the Member States of the European Union (EU) and three countries of the European Free Trade Association (EFTA) (Iceland, Liechtenstein, and Norway; excluding Switzerland).

GDPR

General Data Protection Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of Personal Data and on the free flow of movement of such data.

Laws and Regulations

means the applicable laws and regulations in the respective country, including their local interpretation.

Onward Data Transfer

Onward Data Transfer exists if a Data Importer forwards data to other third parties that have their registered office in a Third Country or engages in the cross-border Data Transfer of data.

Personal Data

is any information relating to an identified or identifiable natural person (Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.

Personal Data Breach

means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

Privacy Impact Assessment

is a process designed to help companies identify, assess, and manage (mitigate or minimize) data protection risks resulting from certain Data Processing activities. It shall ensure that data protection is an integral part of the design and implementation of such initiatives, and that there is a balance between operational needs and data protection obligations.

Processor

means any natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the DHL Data controller.

Profiling

Profiling means any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

Pseudonymization

Means a process by which Personal Data is altered using an allocation system, so that individual details can no longer be attributed to a natural person without access to the allocation system.

Special Categories of Personal Data

are Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership and the processing of genetic or biometric data for the purpose of uniquely identifying a natural person, data concerning health or concerning a natural person’s sex life or sexual orientation.

Sub-Processor

means any Processor engaged by the Data Importer or by any other Sub-Processor of the Data Importer, who agrees to receive from the Data Importer, or from another Sub-Processor of the Data Importer, Personal Data exclusively intended for Data Processing activities to be carried out on behalf of the Data Exporter, in accordance with its instructions, the relevant terms of the Policy and the terms of the written subcontract.

Supervisory Authority

means an independent public authority responsible for overseeing the implementation of and compliance with Data Protection Laws within a specific jurisdiction.

Third Country

means any country outside European Union/European Economic Area, which does not benefit from an adequacy decision issued by the European Commission.

Third Party

is a natural or legal person, public authority, agency, or body other than the Data Subject, DHL Data Controller, Processor, and person who, under the direct authority of the DHL Data Controller or Processor, is authorized to process Personal Data.

The table, which is available as a separate document, describes the key Data Transfers carried out by DHL Group Companies and covered by the Policy where DHL Group Companies acts as a Data Controller. The list below is intended to be as complete as possible but shall not be construed as being exhaustive and will be updated where necessary.

DHL Group Processing Activities and Data Flows Report (PDF, 357 KB)

The list of DHL Group Companies that are bound by the Policy is available as a separate document. The list will be updated on a yearly basis to reflect any changes in the corporate structure of DHL Group.

DHL Group Companies Bound by the DHL Group Data Privacy Policy (PDF, 606KB)

Version History

Version	Date	Comments
V.1.0	04/2012	Initial Version
V.2.0	10/2019	Update to comply with new requirements under the General Data Protection Regulation GDPR
V.2.1	03/2023	Editorial adjustments
V.2.2	07/2023	Update due to renaming from DPDHL to DHL Group
V.3.0	11/2025	Update to comply with new EDSA requirements^[1]

^[1] Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR) adopted on 20 June 2023.

Reviewed and approved by

Corporate Data Protection Officer / Global Data Protection: Review and Update

The Federal Commissioner for Data Protection and Freedom of Information: Approved by official letter in 2012; Reviewed and confirmed new version as per official authority process in 2026.

The Group

Corporate Divisions

Corporate Governance

Supplier Portal

News

Media Library

Service

Subscriptions

Shares

Investment Highlights

Publications

Events

Contact

At a glance

Environment

Social Responsibility

Corporate Citizenship

Governance

Documents

START SHIPPING

The Group

Corporate Divisions

Corporate Governance

Supplier Portal

News

Media Library

Service

Subscriptions

Shares

Investment Highlights

Publications

Events

Contact

At a glance

Environment

Social Responsibility

Corporate Citizenship

Governance

Documents

START SHIPPING

Privacy Notice

Frequently Asked Questions

What is personal data?

Who is responsible?

What are the purposes of and the legal basis for the processing of Personal Data? / What are the Controller's or Third Party's legitimate interests?

Online presence and website optimization

Use of cookies

Table of cookies and categories

How to manage cookies / Right to object and to opt-out

Social Media Plug-ins

Social Media Presences

Jobs and careers at Deutsche Post and DHL

Will my data be passed on?

What are my data subject's rights?

How about data security?

Where do I find service specific information regarding the processing of personal data?

Changes to Privacy Notice

DHL Group Data Privacy Policy

Preamble

1. Scope and Relation to Local Laws

2. Principles

3. Data Protection Management

4. Liability

5. Update of the Policy

6. Procedural Law and Severability Clause

Appendices

Appendix 1 – Definitions

Appendix 2 – DHL Group Processing Activities and Data Flows

Appendix 3 – DHL Group Companies Bound by the DHL Group Data Privacy Policy

Change Log