Avviso sulla privacy

1.1 Area of Application

(1) The Policy applies to the processing of Personal Data of natural persons, in particular the data of customers, employees, shareholders and business partners and shall create an adequate level of protection for the Data Transfer of Personal Data from DHL Group Companies established in the European Union (EU) / European Economic Area (EEA) to DHL Group Companies in a Third Country not having an adequate level of protection. The categories of Personal Data processed, as well as the purposes of the Data Processing, depend on the relationship that Data Subjects may have with one or more DHL Group Companies. The Data Processing governed by this Policy mainly relates to the handling of employment relationships covering a wide range of possible aspects from the start of employment to possible career and development opportunities, as well as customer relationship management, which may include a variety of customer services.

(2) The list of purposes covered by the Policy is provided in Appendix 2, with details on relevant categories of Data Subjects and Personal Data processed for each purpose. Appendix 2 may be updated from time to time according to section 5 of the Policy.

(3) The Policy does not apply to Data Transfers subject to legal derogations.

(4) The Policy does also not apply to Personal Data collected and processed outside the EEA and outside of the scope of application of the General Data Protection Regulation 2016/679 ( GDPR) unless the Personal Data is collected and processed as part of an Onward Data Transfers specified under section 1.4.

(5) Moreover, in addition to safeguarding Data Transfers to DHL Group Companies in Third Countries, the Policy forms part of a comprehensive Data Protection Management System that defines DHL Group overall accountability approach to the processing of Personal Data. In this sense, the Policy not only defines the principles to be followed by DHL Group Companies when processing Personal Data but also links to the relevant procedures designed to ensure DHL Group compliance with applicable Data Protection Laws and, in particular, the GDPR.

1.2 Legally Binding Effect

(1) The Policy is based on authorisation by the DHL Group Corporate Board and enters into force with its publication.

(2) The Policy becomes binding for each DHL Group Company and its employees as soon as the management of the respective DHL Group Company declares its accession to the Policy and confirms its implementation within the respective DHL Group Company. A list of DHL Group Companies that are bound by the Policy is attached in Appendix 3.

(3) All DHL Group employees are bound by the Policy through their employment contracts and/or through the obligation to comply with the DHL Group policies, including the DHL Group Code of Conduct that refers to the Policy. DHL Group Companies shall make their employees aware of the Policy and related obligations through internal communication and mandatory training. The obligation to make the employees aware of the Policy including their obligations under the Policy is with the DHL Group Company employing the relevant employees, and such DHL Group Company shall ensure that it will impose sanctions on the employees breaching the obligations under the Policy according to local Laws and Regulations.

(4) The binding effect shall end with the withdrawal of the Policy or if the respective DHL Group Company withdraws from DHL Group. Any DHL Group company that is no longer bound by the Policy shall return, or delete the Personal Data received under the Policy as DHL Data Importer. Ceasing DHL Data Importer may only keep Personal Data if they agree to be bound by other appropriate safeguards (such as but not limited to Standard Contractual Clauses). The same shall apply with respect to Onward Data Transfers by the ceasing DHL Data Importer.

1.3 Applicable Local Laws and Effects on Compliance With the Policy

(1) The principles of the Policy shall not replace Laws and Regulations governing the processing of Personal Data. Where local Laws and Regulations require a higher level of protection for Personal Data, they shall take precedence over the Policy. In any case, DHL Group Companies shall process Personal Data in compliance with Laws and Regulations.

(2) The lawfulness of Data Processing in relation to Data Transfers to Third Countries and Onward Data Transfers shall be determined by the Laws and Regulations of the EEA country in which the DHL Data Exporter has its registered office.

(3) Each DHL Group Company shall be responsible for verifying the lawfulness of its Data Processing, including any existing requirements to notify national Supervisory Authorities or other regulators, according to relevant local Laws and Regulations. If a DHL Group Company has any doubt that Laws and Regulations may prevent it from fulfilling its obligations under the Policy, it shall inform the competent Data Protection Official or Data Protection Legal Advisor, unless prohibited from doing so by a law enforcement authority.

(4) If a DHL Group Company is subject to local legal requirements that compromise the guarantees provided by the Policy (including binding requests for disclosure of Personal Data), it shall make every effort to notify the Corporate Data Protection Officer who shall assist in informing the competent Supervisory Authority, unless prohibited to do so by Laws and Regulations.

1.4 Onward Data Transfer

(1) If the DHL Data Importer transfers Personal Data to another DHL Data Importer, the DHL Data Importer shall ensure that the Onward Data Transfer complies with this Policy.

(2) In case of Onward Data Transfers to Third Parties, DHL Data Importers shall conclude the EU Standard Contractual Clauses (EU SCCs) or apply other appropriate safeguards in compliance with the applicable Data Protection Laws. In the absence of such safeguards, Onward Data Transfers may take place if a derogation under the GDPR applies. Notwithstanding the foregoing, Personal Data may only be transferred based on the requirements of applicable Data Protections Laws and in accordance with the provisions for Transfer Impact Assessments as set out in section 1.5.

(3) The foregoing provisions shall not apply to the extent that local Laws and Regulations, in particular for reasons of national security, defense, public safety, or for the prevention, ascertainment, and prosecution of criminal acts, expressly provide for the Data Transfer of Personal Data for these purposes.

1.5 Transfer Impact Assessment

(1) DHL Data Exporters shall only transfer Personal Data to DHL Data Importers established in a Third Country based on the Policy where it has been assessed that the Laws and Regulations of such Third Country do not prevent the DHL Data Importer from fulfilling its obligations under the Policy.

(2) DHL Group Companies shall base their assessment of the Laws and Regulations of the Third Country on the understanding that these Laws and Regulations respect the essence of the fundamental rights and freedoms of natural persons and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives of public interest.

(3) When conducting a Transfer Impact Assessment (TIA) as part of the Privacy Impact Assessment (PIA), DHL Group Companies shall consider the following:

a) The specific circumstances of the Data Transfer(s) or set of Data Transfers and of any envisaged Onward Data Transfer within the same Third Country or to another Third Country, including:

• the purposes for which the data are transferred and processed (e.g., HR, IT support, etc.);
• the types of entities involved in the Data Processing;
• the economic sector in which the Data Transfer or set of Data Transfers occur;
• the categories and format of the Personal Data transferred;
• the location of the Data Processing including storage; and
• the transmission channels used.

b) The Laws and Regulations of the Third Country of destination relevant to the circumstances of the Data Transfer, including those requiring disclosing Personal Data to, or permit access by public authorities and those that provide access to such Personal Data during the Data Transfer, as well as the applicable restrictions and safeguards.

c) Any relevant contractual, technical, or organizational safeguards put in place to supplement the safeguards under the Policy including measures applied during the transmission and to the processing of Personal Data in the Third Country of destination. If the TIA concludes that supplementary measures must be implemented in addition to those provided under the Policy, the DHL Data Importer and the responsible Data Protection Official shall be notified and involved in the implementation of such safeguards. The documentation of the TIA shall be made available to the competent Supervisory Authority upon request.

(4) DHL Data Importers shall continuously monitor the Laws and Regulations of their countries when using the Policy as a tool for Data Transfers to identify any changes that would require an update of the TIAs and the implementation of supplementary measures. Where a DHL Data Importer has reasons to believe that it has become subject to Laws and Regulations that would prevent it from complying with its obligations under the Policy, it shall notify the relevant Data Protection Official and the Corporate Data Protection Officer and the relevant DHL Group Company to ensure that each Data Transfer of Personal Data to the respective Third Country is subject to appropriate supplementary measures. The same applies if a DHL Data Exporter has reasons to believe that the DHL Data Importer can no longer fulfil its obligations under the Policy. The relevant Data Protection Official shall advise the DHL Group Companies acting as Data Exporter and Data Importer to identify and implement appropriate supplementary measures. In addition, the Data Protection Official shall also inform the Corporate Data Protection Officer.

(5) If a DHL Group Company concludes that the Policy can no longer be complied with – even where supplementary measures have been implemented – for a specific Data Transfer or set of Data Transfers, or if instructed by the competent Supervisory Authority, it shall suspend such Data Transfer or set of Data Transfers until compliance is ensured or the Data Transfer is terminated. In addition, the competent Data Protection Official, as well as the Corporate Data Protection Officer shall be informed.

(6) If compliance with the Policy is not restored within one month of suspension, the Data Transfer or set of Data Transfers must be terminated. The DHL Data Exporter may decide whether Personal Data transferred prior to the suspension and copies thereof shall be returned or destroyed.

(7) In practice, the assessments of Laws and Regulations of Third Countries, as well as the specific TIAs conducted for a Data Transfer or set of Data Transfers and the supplementary measures identified and implemented, as well as all relevant documentation, shall be made available to all DHL Group Companies and Data Protection Officials to ensure compliance with the Policy and consistency of its implementation across the DHL Group. This also includes the information that where effective supplementary measures could not be put in place, the Data Transfers at stake shall be suspended or ended. Upon request, the documentation of the assessments as well as the selected and implemented supplementary measures shall be made available to the competent Supervisory Authority.

1.6 Access Requests Issued by Third Country Public Authorities

(1) In accordance with Laws and Regulations, the DHL Data Importer shall promptly notify the DHL Data Exporter (and its Data Protection Official) and, if possible, the Data Subject if it:

a) receives a legally binding request from a public authority for the disclosure of Personal Data transferred under the Policy.

b) becomes aware of any direct access by public authorities to Personal Data transferred under the Policy.

(2) The notification shall include all information available to the DHL Data Importer, including, in particular, the Personal Data requested, the requesting public authority, the legal basis for the request and the response provided.

(3) DHL Data Importer shall use its best efforts to obtain a waiver if it is prohibited from notifying DHL Data Exporter and/or the Data Subject, with the aim of providing as much information as possible and shall document its efforts made in order to be able to demonstrate them upon request of the DHL Data Exporter.

(4) DHL Data Importer shall regularly provide DHL Data Exporter as well as the Corporate Data Protection Officer with relevant information on the requests received (in particular, number of requests, type of data requested, requesting public authority, whether requests have been challenged and the outcome of such challenges, etc.) or shall inform the DHL Data Exporter without undue delay if it is prohibited from providing such information.

(5) DHL Data Importer shall preserve the aforementioned information for as long as the Personal Data is subject to the Policy safeguards and shall make it available to any competent public authority upon request.

(6) DHL Data Importer shall review the lawfulness of a request for access or disclosure of Personal Data, challenge it if it is deemed unlawful, and pursue possibilities of appeal. When challenging a request, the Data Importer shall seek interim measures with a view to suspending the effects of the request pending a decision on the merits by a competent judicial authority. It will not disclose the Personal Data requested until it is required to do so under the applicable procedural rules.

(7) When DHL Data Importer is obliged to respond to a request, it shall provide the minimum amount of information permissible. Furthermore, any Data Transfer performed by a DHL Group Company to fulfil a request from a public authority should not be massive, disproportionate, or indiscriminate in a manner that would go beyond what is necessary in a democratic society.

2.1 Transparency of Data Processing

(1) DHL Data Controller shall inform the Data Subjects about how their Personal Data is processed. This also includes the publication of the Policy.

(2) DHL Data Controller shall provide the following information to the Data Subjects:

a) the identity and the contact details of the DHL Data Controller ;

b) the contact details of the Data Protection Officer, where applicable;

c) the purpose and scope of Data Processing;

d) the legal basis for the Data Processing:

e) where Data Processing is based on legitimate interests, the legitimate interests pursued by the DHL Data Controller or by a Third Party;

f) the recipients or categories of recipients of the Personal Data;

g) where applicable, the fact that the DHL Data Controller intends to transfer Personal Data to a Third Country or international organization and the existence or absence of an adequacy decision by the EU Commission, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;

h) the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period;

i) the existence of the right to request from the DHL Data Controller access to and rectification or erasure of Personal Data or restriction of Data Processing concerning the Data Subject or to object to Data Processing as well as the right to data portability;

j) where the Data Processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of Data Processing based on consent before its withdrawal;

k) the right to lodge a complaint with a Supervisory Authority;

l) whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Data and of the possible consequences of failure to provide such data;

m) the existence of automated decision-making, including Profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Data Processing for the Data Subject;

n) where Personal Data have not been obtained from the Data Subject, the categories of Personal Data concerned and from which source the Personal Data originate, and if applicable, whether it came from publicly accessible sources;

o) where it is intended to further process the Personal Data for a purpose other than that for which the Personal Data was collected, the Data Subject shall be provided prior to that further Data Processing with information on that other purpose.

(3) The information may be omitted if the Data Subject already has the information.

In case where Personal Data have not been obtained from the Data Subject the information may be additionally omitted, if

a) the provision of such information proves impossible, or it would entail a disproportionate expense,

b) obtaining or disclosure is expressly laid down by local laws and regulations to which the Controller is subject and which provides appropriate measures to protect the Data Subject's legitimate interests, or

c) Personal Data must remain confidential subject to an obligation of professional secrecy regulated local laws and regulations, including a statutory obligation of secrecy.

(4) DHL Data Controller shall provide the information to the Data Subject at the time when Personal Data is collected. Where Personal Data has not been obtained from the Data Subject, information shall be provided at the latest within one month after obtaining the Personal Data, having regard to the specific circumstances in which Personal Data is processed. In case Personal Data is to be used for communication with the Data Subject, DHL Data Controller shall provide information at the latest at the time of the first communication to that Data Subject. If a disclosure to another recipient is envisaged, DHL Data Controller shall provide information at the latest when the Personal Data is first disclosed.

2.2 Fairness and Lawfulness of Processing

(1) DHL Group Companies shall process Personal Data lawfully, fairly and in a transparent manner in relation to the Data Subject, requiring that one or more of the following conditions are met:

a) The Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes.

b) The processing of Personal Data is necessary for the performance of a contract to which the Data Subject is party, including the contractual information and/or ancillary obligations, or for the implementation of pre- and/or post-contractual measures which are carried out at the request of the Data Subject for the initiation or execution of the contractual relationship.

c) The processing of Personal Data is necessary for compliance with a legal obligation to which the DHL Data Controller is subject.

d) The processing of Personal Data is necessary to protect the vital interests of the Data Subject or of another natural person.

e) The processing of Personal Data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the DHL Data Controller or the Third Party to whom the Personal Data is disclosed.

f) The processing is necessary for the purposes of the legitimate interests pursued by the DHL Data Controller or by a Third Party, except where such interests are overridden by the interests of the Data Subject which require protection.

(2) The processing of Personal Data collected in EEA regarding criminal convictions and offenses, or related security measures, based on section 2.2.1 of this Policy, may only be carried out under the control of official EEA authority or when permitted by EU law or the law of a EU Member State, which provides appropriate safeguards for the rights and freedoms of the affected Data Subjects.

2.3 General Admissibility Requirements for the Processing of Personal Data

DHL Group Companies shall comply with the data protection principles as set out below.

2.3.1 Data Minimization

DHL Group Companies shall take into account the intended purpose of the processing of Personal Data and shall process Personal Data only if it is adequate and relevant and does not go beyond what is necessary in relation to the processing. The principles of Data Processing, including the principle of data minimization, shall also apply to archived Personal Data.

2.3.2 Anonymization and Pseudonymization

Where possible and economically reasonable, DHL Group Companies shall use procedures to remove identification features that can be used to identify individual Data Subjects (Anonymization) or to replace identification features with identifiers (Pseudonymization). 

2.3.3 Purpose Limitation

DHL Group Companies shall only collect and process Personal Data for specified, explicit and legitimate purposes. It may only be used for the purpose for which it was originally collected. Changes to the purpose are only admissible with the consent of the Data Subject, if permitted by local Laws and Regulations or where Data Processing for another purpose is compatible with the purpose for which the Personal Data is initially collected.

2.3.4 Consent

(1) DHL Group Companies shall obtain the consent of the Data Subject no later than the date on which the processing of Personal Data begins.

(2) The consent must be freely given, specific, unambiguous and provided on an informed basis, clearly indicating to the Data Subject the scope of Data Processing covered by the consent and the possible consequences of not giving consent. The consent language shall be sufficiently clear and inform the Data Subject of their right to withdraw their consent at any time.

(3) Consent shall be obtained in a form appropriate to the circumstances (in writing or by electronic means). Exceptionally, it may also be provided verbally if the fact that consent has been provided by the Data Subject and the specific circumstances which require that consent is obtained through an oral statement are documented. If the consent is given together with other declarations, it must be clearly highlighted.

2.3.5 Storage Limitation

DHL Group Companies shall keep Personal Data in a form which permits identification of Data Subjects for no longer than necessary for the processing purposes.

2.3.6 Processor

(1) If a DHL Group Company or an external provider process Personal Data on behalf of a DHL Group Company, the obligations of both contractual parties shall be governed by a contract meeting the requirements of applicable Data Protection Laws (Controller-Processor Agreement). The Controller-Processor Agreement shall be concluded in addition to a service agreement which may be concluded in writing or in another equivalent form.  It shall stipulate, in particular, that the Processor:

a) processes Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a Third Country, unless required to do so by applicable Laws and Regulations to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless applicable Laws and Regulations prohibit such information on important grounds of public interest;

b) ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality ;

c) takes all technical and organizational measures required pursuant to applicable Laws and Regulations ;

d) respects the conditions for engaging another Processor ;

e) taking into account the nature of the processing, assists the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in section 2.6. ;

f) assists the Controller in ensuring compliance with the obligations pursuant to the applicable Laws and Regulations taking into account the nature of processing and the information available to the Processor ;

g) at the choice of the Controller, deletes or returns all the Personal Data to the Controller after the end of the provision of services relating to processing, and deletes existing copies unless applicable Laws and Regulations require storage of Personal Data ;

h) makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this section and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

(2) Without prior authorization of the DHL Data Controller, the Processor may not process Personal Data, which was passed on to it, for its own or a Third Party’s purposes. The obligations set out in the Controller-Processor Agreement for the Processor shall be imposed on any Sub-Processor commissioned by the Processor. The Processor and any Sub-Processor shall be selected on the basis of their ability to comply with the obligations set out in the Controller-Processor Agreement.

(3) If DHL Group Companies enter into contracts with external Processors and/or Sub-Processors in Third Countries, adequate safeguards as stipulated under GDPR, and applicable Data Protection Laws shall be implemented with respect to the rights and freedoms of Data Subjects and the exercise of their rights.

2.3.7 Accountability

(1) Each DHL Group Company shall ensure and be able to demonstrate compliance with applicable requirements under the Policy.

(2) All DHL Group Companies must maintain a record of all categories of Data Processing activities (Data Protection Record, “DPR”) carried out under the Policy. The DPR includes, as a minimum:

a) the name and contact details of the DHL Data Controller / Processor (where applicable, the joint controller, the DHL Data Controller’s representative and the Data Protection Officer);

b) the purposes of the Data Processing;

c) a description of the categories of Data Subjects and of the categories of Personal Data;

d) the categories of recipients to whom Personal Data have been or will be disclosed;

e) where applicable, transfers of Personal Data to a Third Country or an international organization;

f) where possible, the envisaged time limits for erasure of the different categories of Personal Data;

g) where possible, a general description of the technical and organizational security measures.

DHL Group Companies shall ensure that all DPRs are maintained in writing, including in electronic form. For this purpose, DHL Group Companies are provided with a central documentation tool and platform known as the DHL Group Privacy Portal. DPRs shall be made available to the competent Supervisory Authority upon request.

(3) In order to demonstrate compliance, DHL Group Companies shall ensure that PIAs are conducted for all Data Processing activities involving Personal Data transferred under the Policy. In particular, a PIA shall be carried out for Data Processing operations that are likely to result in a high risk to the rights and freedoms of natural persons. For this purpose, the DHL Group Privacy Portal shall assist DHL Group Companies in fulfilling their documentation and accountability obligations and facilitate the performance of PIAs.

(4) DHL Group Company shall consult the Supervisory Authority prior to Data Processing if a PIA indicates that the Data Processing would result in a high risk in the absence of measures taken by DHL Group Company to mitigate the risk.

(5) DHL Group Companies shall adopt and implement appropriate technical and organizational measures, which are designed to incorporate data protection principles and to support compliance with the requirements outlined in the Policy. These measures should be implemented in practice, to ensure privacy by design and by default.

2.4 Special Data Processing Cases

2.4.1 Special Categories of Personal Data

DHL Group Companies shall only process Special Categories of Personal Data if it is strictly necessary and legally required or if the Data Subject has given explicit consent. DHL Group Companies must implement technical and organizational measures to ensure the security of the Data Processing.

2.4.2 Automated Decisions in Individual Cases

(1) Data Subjects have the right not to be subject to a decision based solely on automated Data Processing, including Profiling, which produces legal effects concerning them or significantly affects them. This right does not apply if the decision is:

a) necessary for entering into, or performance of, a contract between the Data Subject and a DHL Data Controller,

b) authorized by local Laws and Regulations to which DHL Data Controller is subject and which also lays down suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests, or

c) based on the Data Subject’s explicit consent.

(2) The DHL Group Company shall inform the Data Subject about the existence of automated decision-making, including Profiling, about the underlying logic involved, as well as the significance and the envisaged consequences of such Data Processing for the Data Subject.

(3) In the cases referred to in paragraph (1)(a) and (c) above, the DHL Data Controller shall implement suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the DHL Data Controller, to express their point of view and to contest the decision.

(4) In the case of automated decisions based on Special Categories of Personal Data, these are only permissible if based on consent of the Data Subject or if necessary for reasons of substantial public interest, based on applicable Data Protection Laws.

2.5 Data Quality/ Security of Data Processing

2.5.1 Data Quality

DHL Group Companies shall comply with the data quality principles, such as accuracy, completeness, and relevance. The Personal Data must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed. The DHL Group Companies shall take reasonable steps to ensure that inaccurate or incomplete Personal Data is erased, rectified, supplemented, or updated without delay, considering the intended Data Processing and the interests of the Data Subject.

2.5.2 Confidentiality

Only those employees who are authorized and who have committed themselves to the principles of data protection and confidentiality are permitted to process Personal Data. Any processing of Personal Data for personal benefit, unauthorized disclosure, or making it accessible in any other way which is not in line with Laws and Regulations is strictly prohibited. This includes the transfer of Personal Data to unauthorized parties or making it accessible to them in any other way. In this context, “unauthorized” parties may also include employees of the same or another DHL Group Company if the data is not required and necessary for their field of work or specialist tasks or where the Data Processing is not legitimized by Laws and Regulations.

2.5.3 Technical and Organizational Measures

When processing Personal Data DHL Group Companies shall implement appropriate technical and organizational measures to ensure the security of Personal Data, and to protect Personal Data against unlawful access, loss, destruction, or alteration. To this end and in accordance with the respective internal standards, DHL Group Companies shall implement all necessary measures.

These measures include:

• Denying access to unauthorized persons to data processing facilities where Personal Data is processed or used (entry control).
• Preventing unauthorized persons from using data processing systems (usage control).
• Ensuring that authorized users of a data processing system can access Personal Data only within the scope of their access rights, and that Personal Data stored within the data processing system cannot be read, copied, modified or removed without authorization, either during processing or use or when stored (access control).
• Ensuring that Personal Data cannot be read, copied, modified or removed without authorization during electronic data transfer or in the process of transmission or storage on data media, and that it is possible to verify and establish where the transfer of Personal Data is supported by data transfer facilities (transfer control).
• Ensuring that it can be reviewed and established retrospectively whether, and by whom, Personal Data has been provided, modified or removed from data processing systems (input control).
• Ensuring that Personal Data processed on behalf of the DHL Data Controller can only be processed in accordance with the DHL Data Controller’s instructions (process control).
• Ensuring that Personal Data is protected against accidental destruction or loss (availability control).
• Ensuring that items of data collected for different purposes are processed separately (separation requirement).
• Providing possibility of pseudonymization and encryption of Personal Data.
• Providing the ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services, including the ability to restore the availability and access to Personal Data.
• Provide a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures ensuring the security of the Data Processing.

2.5.4 Personal Data Breach

As stated above, confidentiality and data security are key aspects of DHL Group Data Protection Management System. However, in the event of a Personal Data Breach, the respective DHL Group Company shall document the Personal Data Breach in a dedicated register and notify it to the competent management and Data Protection Official, in accordance with the DHL Group Personal Data Breach process. Where the Personal Data Breach is likely to result in a risk to the rights and freedoms of natural persons, the respective DHL Group Company shall notify the competent Supervisory Authority (for EEA within 72 hours after becoming aware, however, might differ for other jurisdictions). When the Personal Data Breach is likely to result in a high risk to the rights and freedoms of natural persons, the respective DHL Group Company shall additionally notify the Data Subject, in accordance with applicable Data Protection Laws. In case the respective DHL Group Company is acting as a Processor it shall notify the DHL Group Company acting as a Controller when it becomes aware of the Personal Data Breach.

2.6 Rights of the Data Subject

2.6.1 General Obligations

(1) DHL Data Controller shall take appropriate measures to provide to the Data Subject information and communication relating to Data Processing in a concise, transparent, intelligible, and easily accessible form. The information shall be provided in writing, or by other means as appropriate.

(2) DHL Data Controller shall provide information or take action upon request pursuant to section 2.6.2 to 2.6.4 without undue delay and in any event within one month of receipt of the request. Where necessary, taking into account the complexity and number of requests, this period may be extended by two further months. The Data Subject shall be informed of any such extension within one month of receipt of the request, together with the reasons for the delay.

2.6.2 Right of Access

(1) Each Data Subject shall have the right to obtain from the DHL Data Controller confirmation as to whether their Personal Data is being processed and, where that is the case, to access their Personal Data and to receive additional information, including its origin, the purpose of the processing, the recipients to which it has been disclosed and where possible, the envisaged period for which the data will be stored, or the criteria to determine that period. In addition, the Data Subject shall receive access to information whether automate decision-making, including Profiling, is performed. Where this is the case, they shall receive further information about the logic involved and the significance and envisaged consequences of such Data Processing. The Data Subject shall also be informed about appropriate safeguards relating to the Data Transfer of Personal Data to a Third Country, where applicable.

(2) Upon request of the Data Subject, DHL Data Controller shall provide a copy of the Personal Data undergoing Data Processing. For any further copies requested by the Data Subject, the Controller may impose a reasonable fee for issuing such information based on administrative costs.

2.6.3 Right of Rectification, Restriction, Erasure (right to Be Forgotten), and Data Portability

(1) The Data Subject has the right to demand rectification if the data stored about the Data Subject is incomplete and/or incorrect.

(2) The Data Subject shall have the right to request from DHL Data Controller the restriction of Data Processing when:

a) the accuracy of Personal Data is contested,

b) the Personal Data is no longer needed by the DHL Data Controller,

c) the Data Processing is unlawful, or

d) where the Data Subject has objected to Data Processing according to section 2.6.4.

(3) Furthermore, the Data Subject shall have the right to request the deletion of their Personal Data if the Data Processing was inadmissible or where the Personal Data is no longer required for the Data Processing purpose, or if any other reason provided for under Laws and Regulations applies.

Where the DHL Data Controller has made the Personal Data public, it shall - taking into account available technology and costs of implementation - take reasonable steps to inform other controllers which are processing the Personal Data that the Data Subject has requested to delete any links to, or copies or replication of those Personal Data (right to be forgotten). The above obligations do not apply where Data Processing is necessary for compliance with legal obligations by Laws and Regulations which require processing.

(4) The Data Subject shall have the right to receive its Personal Data provided to the DHL Data Controller under the conditions mentioned in Laws and Regulations in a structured, commonly used and machine-readable format (data portability).

2.6.4 Right to Object

(1) The Data Subject shall have the right to object at any time to the processing of their Personal Data, which is based on public interest or the exercise of official authority vested in a DHL Data Controller or based on legitimate interests pursued by the DHL Data Controller or by a Third Party. Unless DHL Data Controller demonstrates compelling legitimate grounds for Data Processing which override the interests of the Data Subject or demonstrates necessity for the establishment, exercise, or defense of legal claims, the DHL Data Controller shall no longer process the Personal Data.

(2) Where DHL Group Companies process Personal Data for direct marketing purposes, the Data Subject shall have the right to object at any time to the Data Processing, which includes Profiling, to the extent that it is related to such direct marketing. In case of objection by the Data Subject, DHL Group Companies shall no longer process Personal Data for direct marketing purposes.

2.6.5 Discrimination Ban

DHL Group Companies shall treat Data Subjects fairly and equally when they assert their rights.

2.6.6 Assertion

(1) The Data Subject may at any time contact the Data Protection Official of the respective DHL Data Controller (via the request form under Privacy Notice on dhl.com) regarding the processing of Data Subject’s Personal Data or with questions regarding the Policy, including where they wish to complain about the Data Processing.

(2) For inquiries and complaints by mail, Data Subjects can use the following contact address:

Deutsche Post AG
Global Data Protection
53250 Bonn

The inquiries and complaints will be forwarded to the respective DHL Group Company.

(3) Data Subjects may lodge their inquiries and complaints directly against the DHL Data Controller. In such cases, the DHL Data Controller, commits to handle such inquiries and complaints without undue delay within one month of receipt of the request. Taking into account the complexity and the number of requests, DHL Group Companies may extend the one-month period at maximum by two further months, in which case the Data Subject shall be informed accordingly within one month of receipt of the request, together with the reasons for the delay.

(4) Data Subjects are duly informed of the complaint handling procedure and how to file a complaint through the Policy and the privacy notices published by DHL Group Companies on the respective websites.

(5) Notwithstanding the foregoing, the Data Subject also has the right to lodge a complaint with the competent Supervisory Authority and/or to take legal action.

3.1 Corporate Data Protection Officer

(1) The Corporate Data Protection Officer coordinates cooperation and agreement on all matters concerning the Policy. In particular, the Corporate Data Protection Officer is a representative vis-à-vis external parties and national/international Supervisory Authorities in all matters concerning the Policy. Regardless of this, the Data Protection Officials who are appointed according to the Laws and Regulations shall keep their independence and freedom from instructions.

(2) The Corporate Data Protection Officer monitors the implementation of the Policy based on audits according to section 3.5 below, as well as other appropriate instruments and reports to the DHL Group Board of Management. DHL Group Companies shall support the Corporate Data Protection Officer in performing these tasks.

(3) DHL Group Companies shall inform the Corporate Data Protection Officer if and when they accede to or withdraw from the Policy. Yearly, and upon request, the Corporate Data Protection Officer shall provide the Supervisory Authority with the list of acceded DHL Group Companies.

(4) The Corporate Data Protection Officer is also responsible for updating the Policy as described under chapter 5 below as well as for providing mandatory trainings in this regard.

3.2 Data Protection Steering Committee

In order to implement the Policy and to achieve continuous integration of data protection requirements into business processes, a Data Protection Steering Committee consisting of divisional representatives, has been established. In particular, the Data Protection Steering Committee shall support and exchange with the Corporate Data Protection Officer to establish and maintain the DHL Group Data Protection Management System.

3.3 Data Protection Officials and Data Protection Legal Advisors

(1) Each DHL Group Company shall appoint an independent Data Protection Official. The Data Protection Official is responsible for the implementation of standards and regulations and must have opportunity to report to the managing director of the respective DHL Group Company.

(2) In order to ensure compliance with the Policy, DHL Group Companies shall involve Data Protection Officials at an early stage in the development and design of new and altered operational processes, products, services and marketing measures. To ensure the performance of these tasks, DHL Group Companies shall inform relevant Data Protection Official of any relevant developments.

(3) DHL Group Companies shall inform the Data Protection Official of the DHL Group Company in question of (suspected) breaches of data protection provisions and of the Policy without undue delay.

(4) With regard to incidents violating the Policy that are relevant to more than one DHL Group Company, the Data Protection Official shall also inform the Corporate Data Protection Officer and the competent Data Protection Legal Advisor. In particular, Data Protection Officials shall inform the Corporate Data Protection Officer if the laws applicable to a DHL Group Company change substantially in a disadvantageous manner and where this has effect on data protection or adherence to the Policy.

(5) Data Protection Officials shall support each other with the implementation and the management of the DHL Group Data Protection Management System. Together with Legal Advisors, they form part of the DHL Group Data Privacy Network.

(6) Data Protection Legal Advisors providing legal experience shall support Data Protection Officials in fulfilling their tasks. In particular, as far as regulatory issues are concerned, Data Protection Officials shall seek the advice of Data Protection Legal Advisors.

3.4 Trainings

(1) The Corporate Data Protection Officer shall provide mandatory, appropriate and up-to-date data protection trainings, as well as further trainings and awareness measures. The training cycle for mandatory trainings is two years for employees in an active work status.

(2) Data Protection Officials shall, on a regular basis and in line with the respective training concept, adequately train the respective employees of DHL Group Companies which have permanent or regular access to Personal Data or who are involved in the collection of Personal Data or in the development of tools used to process Personal Data on the application of the Policy.. The implementation of trainings shall be documented by the respective Data Protection Official and reported at least annually to the Corporate Data Protection Officer.

(3) The trainings shall include but are not limited to trainings on managing access requests by public authorities as well as on access management to Personal Data.

3.5 Audits

(1) DHL Group Companies shall audit the implementation of the Policy and all components of the DHL Group Data Protection Management System on a regular basis and according to the Data Protection Audit Program. It consists of the Data Protection Audit Concept, as developed by Corporate Data Protection Officer, and yearly Audit Plans, prepared by the Corporate Data Protection Officer and the DHL Group divisions, specifying the regular audit activities, the auditors and their frequency.

(2) The audit report, including the proposed corrective actions to address and mitigate the risks, must be communicated and – depending on the audit type and scope – to the respective Data Protection Official and to the managing director of the relevant DHL Group Company and, where appropriate, to the Corporate Board of DHL Group. It shall also be made available to the competent Supervisory Authority upon request.

(3) Audits shall be carried out either by internal or external qualified auditors without any conflict of interests. In addition, Corporate Data Protection Officer and Data Protection Officials shall endorse and support general compliance audits, in particular audits carried out by the Internal Audit department or audits performed by external auditors. In the event that an audit identifies any material non-compliance with the principles set out in the Policy, the relevant DHL Group Company that is found to be non-compliant shall promptly implement the necessary corrective actions to achieve compliance.

(4) In addition to the audits, as laid down in this section, ad hoc audits may be initiated by the Corporate Data Protection Officer occasionally.

(5) Upon request, Corporate Data Protection Officer shall provide the Supervisory Authority with the relevant audit report. A competent Supervisory Authority may ask the Corporate Data Protection Officer to carry out or have carried out - in line with Laws and Regulations - an audit in a DHL Group Company to verify compliance with the Policy. The relevant DHL Group Company shall accept such an audit and make adjustments to address any suggestions for improvement identified through the audit.

3.6 Compliance

DHL Group Companies shall commit to the following obligations:

(1) No Data Transfer under the Policy is made to a DHL Data Importer unless it is effectively bound by the Policy and can ensure compliance.

(2) The DHL Data Exporter shall promptly be informed by the DHL Data Importer if DHL Data Importer is unable to comply with the Policy. Where the DHL Data Importer is in breach of the Policy or unable to comply with it, DHL Data Exporter shall suspend the Data Transfer.

(3) DHL Data Exporter shall also suspend Data Transfer to DHL Data Importer when DHL Data Importer substantially or persistently breaches the Policy or DHL Data Importer fails to comply with a binding decision of a competent court or competent Supervisory Authority.

(4) Where DHL Data Exporter has suspended the transfer of Personal Data and compliance is not restored within a month of suspension, DHL Data Importer shall, at the discretion of DHL Data Exporter, immediately return or delete all Personal Data that has been transferred under the Policy. DHL Data Importer shall apply the same commitments to any data copies, certify data deletion to DHL Data Exporter, and ensure compliance with the Policy until Personal Data is deleted or returned.

(5) If local laws prohibit DHL Data Importer from returning or deleting transferred Personal Data, DHL Data Importer shall ensure continued compliance with the Policy and only process Personal Data as long and as required by the local law.

3.7 Cooperation With Competent Supervisory Authorities

(1) DHL Group Companies agree to cooperate in good faith and as far as admissible according to Laws and Regulations with the competent Supervisory Authority.

(2) DHL Group Companies accept to be audited and to be inspected, including where necessary and in line with Laws and Regulations, on-site, by the competent Supervisory Authorities. They take into account their advice and, where necessary and in line with Laws and Regulations, abide by decisions of these Supervisory Authorities on any issue related to the Policy. Upon request, DHL Group Companies will provide the competent Supervisory Authorities with any information about the processing operations covered by the Policy.

(3) In the event of a change in the Laws and Regulations applicable to a DHL Group Company that may have a material adverse effect on the assurances provided under the Policy, the DHL Group Company shall inform the Corporate Data Protection Officer, who shall contact the competent EU Supervisory Authority.

(4) All disputes in connection with the monitoring of compliance with this Policy by the competent Supervisory Authorities shall be decided by the courts of the EU Member State of the Supervisory Authority, in accordance with the procedural law of that member state. The DHL Group Companies agree to be subject to the authority of these courts.

(5) The responsible Data Protection Official and, as far as necessary, the Data Protection Legal Advisor shall be involved in all matters related to the handling of activities of Supervisory Authorities.

4.1 Liabilty of DHL Group Companies

(1) Each DHL Data Exporter shall be liable, towards Data Subjects, for any breaches of the Policy and / or material or non-material damages resulting from such breaches, irrespective of who caused it.

(2) Each DHL Group Company shall be required to prove that it has not violated the Policy. In the event the Data Subject’s claim relates to an act or omission of a DHL Data Importer, the DHL Data Exporter shall only be exempt from liability towards the Data Subject (in whole or in part) if it can prove that the DHL Data Importer has not breached the Policy. 

(3) If a Data Subject, based on a breach by the DHL Data Importer or its Sub-Processor, is not able to bring a claim for redress and compensation, where appropriate, against the DHL Data Exporter, because the DHL Data Exporter has factually disappeared or ceases to exist in law or has become insolvent, DHL Data Importer shall give the Data Subject the right to sue DHL Data Importer instead. If another entity has taken over the legal responsibilities of the DHL Data Exporter by contract or by law, the Data Subject may pursue its rights against that successor entity.

(4) The Data Importer may not rely on a breach by a Sub-Processor of its obligations, in order to avoid its own liability. The liability of the Sub-Processor shall be limited to its own Data Processing operations under the Policy.

(5) The payment of punitive damages, according to which a DHL Group Company would be obliged to make payments to a Data Subject that exceed the actual damage incurred, is expressly excluded.

(6) The Data Subject shall have the right to mandate a non-profit body, organization or association which has been properly constituted in accordance with Laws and Regulations, and which has statutory objectives which are in the public interest and is active in the field of the protection of Data Subjects’ rights and freedoms, with the enforcement of their rights. This may include lodging complaints, exercising their Data Subject rights, and bringing claims for redress and compensation, where appropriate, on their behalf, where provided for by Laws and Regulations.

4.2 Burden of Proof

In any case and where a Data Subject has demonstrated that it has suffered damage that is likely to have been caused by a breach of the Policy, the burden of proof for the processing the Data Subject’s Personal Data in compliance with the Policy lies with the relevant DHL Data Exporter.

4.3 Third Party Rights

(1) If the Data Subject has no direct rights, it shall be entitled to enforce, as a third-party beneficiary, its rights under the Policy against DHL Group Company which has violated its contractual duties towards the Data Subject.

(2) Data Subjects can enforce provisions of the Policy, as third-party beneficiaries, as detailed below:

a) the data protection principles detailed in section 2;

b) the fact that DHL Group grants easy access to the Policy, as detailed in section 1.6;

c) the rights of access, rectification, erasure, restriction, objection to Processing, and the right not to be subject to decisions solely based on automated Processing granted to Data Subjects, as detailed in section 2.6;

d) the obligation, for each DHL Group Company, to notify the competent Supervisory Authority in case of a conflict between the local legislation and the Policy, as detailed in section 1.3;

e) the right for Data Subjects to complain through the Group's internal complaint process, as detailed in section 2.6.6;

f) the duty for DHL Group Companies to cooperate with the Supervisory Authorities, as detailed in section 3.7;

g) the obligation for each EEA DHL Group Company transferring Personal Data to a Non-EEA DHL Group Company on the basis of the Policy, to accept liability for any breaches of the Policy by the Non-EEA DHL Group Company which received the Personal Data, as detailed in section 4;

h) the obligation to inform Data Subjects about any update of the Policy and its members as detailed in section 5;

i) the right to judicial remedies, redress and compensation, as detailed in section 4.1.

j) the obligation for any Onward Transfer of Personal Data by a Non-EEA DHL Group Company to a Third Party to ensure that such Third Party is required to provide the same level of data protection as set out in this Policy.

4.4 Place of Jurisdiction

At the individual's discretion, the Data Subject has the right to lodge a complaint:

• with a Supervisory Authority, in particular in the EU Member State of the Data Subject’s habitual residence, place of work or place of the alleged infringement, or the competent Supervisory Authority of the EU Member States where the DHL Data Exporter or DHL Data Importer has an establishment, and
• before the competent court of the EU Member States where the DHL Data Exporter or DHL Data Importer has an establishment, or where the Data Subject has its habitual residence.

4.5 Alternative Dispute Resolution

(1) Data Subjects who believe that their right to protection of their private life has been compromised by any actual or presumed processing of their Personal Data, may lodge a complaint with the competent Data Protection Official of the respective DHL Group Company. The Data Protection Official shall examine the legitimacy of the complaint and shall advise the Data Subject regarding its rights. In this context, the Data Protection Official shall uphold the confidentiality of further Personal Data of which the Data Protection Official has been informed by the complainant, insofar as the latter does not release the Data Protection Official from this obligation. Upon request of the Data Subject, the DHL Group Company may try to reach a settlement of the complaint with the Data Subject under the involvement of the Data Protection Official.

(2) The Data Subject’s right to make a complaint with the competent Data Protection Supervisory Authority and/or to take action remains unaffected by this provision.

(1) The Policy may be amended from time to time, when and to the extent necessary, in particular, to comply with applicable Data Protection Laws or to incorporate changes within DHL Group.

(2) In case of necessary updates, Corporate Data Protection Officer shall inform Data Protection Steering Committee and provide relevant proposals. Corporate Data Protection Officer shall also initiate further management alignment, as required, depending on the substance of necessary changes.

(3) Any significant changes to the Policy shall be reported in advance and with a brief explanation of the reasons to the Supervisory Authority. Any other change to this Policy (if applicable), such as those made in order to align the Policy with any updated EDPB recommendations regarding Binding Corporate Rules, shall be reported with a brief explanation of the reasons to the Supervisory Authority once a year.  This may apply where the relevant changes potentially affect compliance of the DHL Group Company with applicable data protection laws, or where the changes are potentially detrimental to Data Subject rights.

(4) Clear and easily available information regarding any such significant changes shall be made available to all DHL Group Companies and their employees.

(5) A current version of the Policy and the list of the Policy members will be published on DHL Group websites.

(1) The Policy shall be subject to the procedural law of the Federal Republic of Germany in the case of any disputes.

(2) If individual provisions of the Policy are or become void, they shall be deemed to have been replaced by the provisions that most closely approximate the original intentions of the Policy and the void provisions. In case of doubt, the applicable Data Protection Laws of the European Union shall apply in these cases or in the absence of relevant provisions.