DPD UK Privacy Notice

DPDgroup Limited (DPD UK) is one of the UK's leading parcel delivery services. We deliver parcels whether destined for the UK or elsewhere in the world.

At DPD UK we take data protection seriously and regularly update all of our policies, procedures and documents to ensure we meet the requirements of the Data Protection Laws (Data Protection Act 2018, UK GDPR and EU GDPR).

This privacy notice will inform you about what personal information we collect from you, how we use it, how long we hold it for, who we share it with, and how we look after it.

General Information

The Data Protection Laws protect the rights and freedoms of living, identifiable, individuals known under the Data Protection Laws as Data Subjects.

Your personal information is any information that identifies and relates to you personally.

There are a number of rights in relation to your personal information, which you can read more about in this Privacy Notice.

Data Controller

DPD UK is a data controller. This means that upon balance we decide why we collect personal information and how we use it.

Where DPD UK processes your personal information in the circumstances set out in this privacy notice, DPD UK acts as a data controller. If you are a Consignee, we recommend that you also refer to the privacy notice of our Customer (the company or individual you ordered the goods from) to find out details of how they process your personal information.

DPD UK is registered with the Information Commissioner's Office (ICO) as a 'data controller’ at:

Postal address:

DPDgroup UK Limited
Roebuck Lane
Smethwick
West Midlands
B66 1BY

ICO Ref: Z6834529

If you would like to get in contact with us about a data protection matter or about anything contained within this privacy notice, please see the ‘Contact Us’ section below.

Who do we collect information about?

In order to operate our parcel delivery service we collect personal information about our ‘Customers’, ‘Consignees’ and general members of the public.

  • A 'Customer' is a person or organisation who has a contract with DPD UK to deliver parcels to or collect parcels from a Consignee or the Customer. The Customer shares Consignees personal information with DPD UK for the purpose of providing a delivery and or collection service. For more information about how we use the personal information of our Customers, please see the ‘Customers’ section of this privacy notice.
  • A 'Consignee' is someone who is intended to have a collection and or delivery from DPD UK or one of our Customers. For more information about how we use the personal information of Consignees, please see the ‘Consignees’ section of this notice.
  • A ‘Member of the General Public’ is an individual excluding Customers or Consignees who may interact with DPD UK for the purposes of - complaints and enquiries, accepting a parcel on behalf of a neighbour, providing information on any of DPD UK websites such as Green, ReLove, Innovation, DPD Eco Fund, community engagement initiatives, careers, graduate or apprenticeship schemes, etc.

DPD UK is 100% committed to protecting the privacy and security of the personal information we hold about our Customers, & Consignees and any other individuals whose personal information we collect through our interactions with them.

  • Children

We do not provide services directly to children. However, we sometimes collect information about children whilst handling a complaint or conducting an investigation.

We may also collect children’s personal information in the form of photograph images or video recordings as part of any DPD UK community or staff engagement activities. However, this will not be without the explicit consent of a parent or guardian for children aged 16 years and under.

Why do we need the personal information that we collect?

We collect and use your personal information in order to provide a dynamic parcel delivery service that exceeds the expectations of everyone that we provide a service to. We use personal information to:

  • Give Customers a choice about how & when they want parcels to be delivered and or collected;
  • Give Consignees a choice about how, when and where they want to receive parcels;
  • Enable the simple and easy return of parcels;
  • Continuously improve our parcel delivery and collection service and exceed our Customers and Consignees expectations;
  • To keep our Customers, Consignees and members of the public safe;
  • To comply with our legal and contractual obligations.
Are we allowed under the law to collect and use your personal information?

DPD UK must have a legal basis to process your personal information. This privacy notice explains what our lawful basis is in respect of each purpose for which we keep and use information about you.

Generally, we are allowed to process your personal information where:

  • you have provided consent for us to do so;
  • it is necessary in connection with a contract between us (such as a contract to supply our services to you as a Customer);
  • it is necessary in order for us to comply with our legal obligations, or
  • it is necessary for the purposes of a legitimate interest that we or a third party are pursuing, save where we determine that your rights override our interest.
Your personal information in detail - Customers
Data TypesWhat does this include?How do we use this information?Lawful Basis for processing
Your identity and contact detailsIndividual and business contact name and address

Authorised signatory

Telephone number

Email address
To enter into a contract for delivery

Deal with queries and complaints

To make contact
Contract
Your identity and contact detailsAuthorised signatory To prevent fraud Legitimate Interest
Your identity and contact detailsIndividual and business contact name and address (including country and Customer Ref number) Prevent the export transit of parcels to and from individuals and businesses on international sanction and embargo lists Legal Obligation
Your identity and contact detailsEmail address Customer communications Consent
Financial InformationBilling addressFor billing and invoicingContract
Financial InformationBank account detailsFor billing and invoicingContract
MyDPDMyDPD login dataTo allow you to use the platform, manage deliveries and assist with technical issuesContract
Your personal information in detail - Consignees

Where do we get your personal information from?

Our Customers

We receive your personal information from our Customers. This information is shared with us as they have entered into an agreement with DPD UK to send and collect parcels to and from Consignees.

Directly from you

You may provide us with your personal information directly whenever you:

  • contact us directly;
  • use our websites, chatbots or Apps;
  • fill in one of our forms;
  • apply online for a service from us; or
  • use or receive our services

Data TypesHow do we use this information?What is our legal basis for processing your information?How long do we store your information?
Your identity and contact detailsFull name

Address

Telephone number

Email address
To deliver or collect a parcel

To contact you in the event assistance is required to deliver the parcel

To assist with any queries or complaints

To provide delivery notifications to our Customers and Consignees as part of our ‘Predict’ & ‘Follow My Parcel’ tracking services

To send you requests to complete delivery experience surveys

To investigate the loss of parcels that you have not received
Legitimate Interest

Consent
Your identity and contact details Contact name and address (including country)s Prevent the export transit of parcels to and from individuals and businesses on international sanction and embargo lists Legal Obligation
Your delivery preferences and locationAddress, neighbour or safe place

A map pinpoint of your address including What3Words location

Proof of delivery notes and or a photo of your property

Details of whether you require more time to answer the door when a delivery driver calls at your address
Assist with parcel delivery and collectionsLegitimate Interest
Records of enquiries ref queries, complaints and claimsData held within or delivery systems, emails, letters, chatbot and and social media messages, call recordings and any other records of means used to contact us in relation to a parcel delivery complaint, query or claim

Specific details relevant to your complaint, query or claim which may include special category or ‘sensitive data’ that you have shared with us including information on your health, religion or ethnicity)
To assist you with your complaint

Records of your complaint or enquiry may be used to investigate any claims or complaints made against DPD UK
Legitimate Interest
CCTV and audio recordingsImages recorded on CCTV and other surveillance devices used to protect our Customers, employees and property

Call recordings
We use CCTV footage and surveillance images on our properties, vans and delivery robots for insurance purposes and to keep our Customers, Consignees, and staff safe

In some instances, we record calls for training and monitoring purposes
Legitimate Interest
YourDPD App YourDPD username and password To allow you to access the App and assist with technical issuesLegitimate Interest
YourDPD App Profile Photo We enable you to take a photo in order to personalise your app experience

This is only personal information if the photo taken can be used to identify you from the information you provide in your profile
Consent
YourDPD App Home, work or other address(s) To deliver to the address provided to us Legitimate Interest
YourDPD App Phone number

Email address
We use your mobile phone number and/or email address for app verification purposes

We will identify your deliveries using your mobile phone number and email address

We use your mobile phone number to contact you in the event assistance is required to deliver the parcel & to provide you with delivery notifications

Your mobile phone number is also used to track your parcel in the app by matching your phone number with your delivery address
Legitimate Interest
YourDPD App Your delivery preferences including:

Address,

A map pinpoint of your address including What3Words location

Photo of your property (delivery location)

Whether you require more time to answer the door
To assist with parcel delivery Consent
YourDPD App Ideas submitted via YourDPD Design Space MySpace which includes your user comments and feedback

We may collect information relating to you in a personal capacity that you choose to disclose in your feedback and ideas that have been submitted to us
To enhance DPD services Consent
YourDPD App Delivery history including:

Parcel number
name of sender and recipient
date and time of delivery
We use this information to:

Provide Consignees with confirmation of when their parcel was delivered and to who.

We also use parcel history if you need help with your delivery.
Legitimate Interest
Details provided to us in relation to alleged criminal offences / incidents against DPD UK Investigation notes which may include:

A description of identifying personal characteristics of alleged offenders

A description of any alleged criminal offences which you may relate to you
To investigate, prevent and detect unlawful acts Legitimate Interest
General Public

Where do we get your personal information from?

Directly from you

Unless you have specifically requested or used our services you may provide us with your personal information directly whenever you:

  • contact us directly;
  • use our websites, chatbots or Apps;
  • fill in one of our forms;
  • apply online for a service from us; or
  • use or receive our services

Data TypesWhat might this include?What is our legal basis for processing your information?How long do we store your information?
Your identity and contact detailsFull name

Address

Mobile telephone number or landline

Email address
To assist with any queries, complaints or claims Legitimate Interest
Records of enquiries ref queries, complaints and claims Data held within our systems, emails, letters, chatbot and social media messages, call recordings and any other records of means used to contact us in relation to a complaint, query or claim

Specific details relevant to your complaint, query or claim which may include special category or ‘sensitive data’ that you have shared with us including information on your health, religion or ethnicity)
To assist you with your complaint

Records of your complaint or enquiry may be used to investigate any claims or complaints made against DPD UK
Legitimate Interest
Details provided to us in relation to alleged criminal offences / incidents against DPD UKInvestigation notes which may include:

A description of identifying personal characteristics of alleged offenders

A description of any alleged criminal offences which may relate to you
We use this information to investigate, prevent and detect unlawful acts Legitimate Interest
CCTV and audio recordingsImages recorded on CCTV and other surveillance devices used to protect our Customers, employees and property

Call recordings
We use CCTV footage and surveillance images on our properties, vans and delivery robots for insurance purposes and to keep our Customers, Consignees, and staff safe

In some instances, we record calls for training and monitoring purposes
Legitimate Interest
How do we protect your personal information?

DPD UK is committed to protecting your personal information and ensuring that we have appropriate technical and organisational measures in place to do so.

DPD UK Ltd (DPD UK) is an ISO/IEC 27001:2013 and ISO/IEC 27701:2019 approved company. You can view our certificates of accreditation below:

ISO/IEC 27001:2013
ISO/IEC 27701:2019

ISO/IEC 27001 is the world’s best-known standard for information security management systems (ISMS) and their requirements. Additional best practice in data protection and cyber resilience is covered by the standards in the ISO 27701. Complying with the requirements of ISO 27001 and 27701 enables us to manage the security of our data assets such as financial information, intellectual property, and information entrusted to us by our Customers and Consignees.

ISO 27701 is a framework for data privacy that builds on ISO 27001. This standard guides us on best practices on policies and procedures that should be in place to comply with data protection laws and other data protection/privacy regulations.

ISO 27701 is a way of demonstrating to our Customers, Consignees, external organisations and internal stakeholders, that mechanisms are in place to keep data safe and to comply with the data protection laws.

The transmission of information over the internet is inherently insecure, and we cannot guarantee the security of personal information sent over the internet. Once we have received your information, we will use strict procedures and security features to prevent unauthorised or unlawful processing and accidental loss, destruction, or damage of your personal information in line with our global industry-standard ISO 27001 & 27701 certification and accredited policies and procedures.

Where we have given you (or where you have chosen) a password that enables you to access certain parts of our service, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

In the unfortunate event that a personal data breach incident should occur, we have industry standard processes to deal with such instances. If the personal data breach incident involves your personal information and if it is deemed as a high risk, we will let our Customers & Consignees know without undue delay and inform the UK’s data protection supervisory authority, the Information Commissioner's Office (ICO) within 72 hours.

Overseas transfer of personal information

We may transfer your personal information outside the UK and the European Economic Area (EEA) with other 3rd party organisations who provide various services in order for us to manage our delivery service business.

Before DPD UK allows any personal data to be shared, we will first seek to transfer data to countries which are considered to offer an adequate level of protection by the UK and European Commission. However, should DPD UK send personal information to a country which is not deemed to be adequate, DPD UK will ensure that your personal information receives an adequate level of protection, by entering into appropriate Standard Contractual Clauses (UK SCC’s) including international data transfer agreements (IDTAs) or UK Addendum. We also ensure that 3rd parties are certified under appropriate data protection and IT Security schemes.

You can read more about international transfers here

To find out more about transfers of personal information outside of the UK or EU, please see the ‘Contact Us’ section below.

Third party links

You may find links to third party websites on our websites. These third party websites should have their own privacy notices which you should check before sharing any personal information. We do not accept any responsibility or liability for any processing of your personal information by such third parties because it is out of our control. Always check their privacy notice first.

How you can help keep your personal information secure

We will take all appropriate and adequate measures to ensure that the personal information you provide to DPD UK is held and managed securely at all times.

The system used by DPD UK runs on a secure HTTPS platform, and incorporates sophisticated security devices to protect your personal information. However, you can help keep your personal information safe – not just on our website, but whenever you provide information online.

Here are some simple ways you can improve the security of your information:

  • Ensure that your devices always have the latest security updates;
  • Use strong passwords and do not reuse them across multiple websites;
  • Keep your passwords private;
  • Learn about how email scams operate and exercise caution when using email - learn more here
How long do we keep your personal information for?

The data protection laws state that we are only allowed to keep personal information for as long as is necessary.

Who do we share your personal information with?

Third party suppliers

In order for DPD UK to comply with our responsibilities as a parcel delivery services provider, we may share your personal information with third-party suppliers (data processors) and other entities in DPD Group who help us to run our business.

DPD UK only allows its third-party suppliers to handle your personal information when they have confirmed that they can apply appropriate data protection and security controls. We also impose strict contractual obligations on third-party suppliers relating to data protection and security as dictated by the data protection laws. Such third party suppliers can only use your personal information to provide services to DPD UK and for no other purposes.

Vehicle CCTV Recordings

DPD delivery vehicles are equipped with cameras that record video images. These images are used for insurance and security purposes. Vehicles may use equipment mounted on the outside of vehicles, or other devices inside of vehicles.

DPD is committed to protecting your privacy while recording images. If you have comments or questions about this process, your privacy rights, or would like to request that a face, license plate, or your own house be censored, please contact us via dpo@dpdgroup.co.uk.

See Annex A (below) for further information regarding the reasons the third-party suppliers (data processors) process your personal information.

Where required by law or for regulatory purposes

We may also share your personal information with other organisations and regulatory bodies to prevent and detect crime or to protect someone's rights, property or safety. These organisations may include the Police, law enforcement agencies and fraud prevention agencies to name a few.

We may also have to share your information with:

  • The courts, and people or organisations with which we are in dispute, as part of legal action; and
  • Regulators such as the Information Commissioner, to meet our legal or regulatory responsibilities

In some circumstances, such as under a court order, we are legally obliged to share information. We may also share information about you with third parties including government agencies and external auditors. For example, we may share information about you with HMRC for the purpose of collecting tax.

Your data protection rights

Right to be informed

DPD UK has a legal obligation to provide you with clear, informative, and easily accessible information about your personal information and our use of it. This is in the form of this privacy notice.

You can read more about this right here.

Right of access

You have the right to ask DPD UK for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.

You can read more about this right here.

If you would like a copy of your personal information, our dedicated data subject access request team can assist you. Please email the team with details of your request at: sars.request@dpdgroup.co.uk.

Right to rectification

If we hold information about you that you believe is incorrect or incomplete, you have the right to have inaccurate personal information rectified, or completed if it is incomplete. This right always applies.

You can read more about this right here.

If you would like to exercise this right, please contact: dpo@dpdgroup.co.uk.

Right to be forgotten/erasure

You have the right to ask us to erase your personal information in certain circumstances.

You can read more about this right here.

If you would like to exercise this right, please contact: dpo@dpdgroup.co.uk.

Right to portability

You have the right to obtain your personal information from an organisation in a way that is accessible and machine-readable, for example as a csv file.

You also have the right to ask an organisation to transfer your personal information to another organisation. They must do this if the transfer is “technically feasible”.

This right only applies to personal information you have provided to DPD UK.

You can read more about this right here.

If you would like to exercise this right, please contact: dpo@dpdgroup.co.uk.

Right to object

To direct marketing

You can tell us at any time that you would prefer that we do not use your information for direct marketing purposes. This is an absolute right.

To processing for our legitimate interests or those of a third party

Sometimes, we use your personal information to achieve goals that will help us as well as you. This includes:

  • When we tell you about products or services that are similar to ones that you have already bought;
  • When we use your information to help us make our business better;
  • When we contact you to interact, communicate or let you know about changes we are making

We aim to always ensure that your rights and information are properly protected.

You can tell us at any time that you would prefer that we do not process all or some of your information for our legitimate interests or those of a third party.

You must give specific reasons why you are objecting to the processing of your personal information data based upon your particular situation.

This is not an absolute right, and DPD UK can refuse to comply if:

  • We can demonstrate compelling legitimate grounds for the processing, which override your interests, rights, and freedoms; or
  • The processing is for the establishment, exercise, or defence of legal claims;
  • If an exemption or restriction applies, or if the request is manifestly unfounded or excessive

You can read more about this right here.

If you would like to exercise this right please contact: dpo@dpdgroup.co.uk.

Right to restrict processing

You have the right to ask us to stop processing your personal information in any way other than simply keeping a copy of it. This right is available where:

  • You have informed us that the information we hold about you is inaccurate, and we have not yet been able to verify this;
  • You have objected to us using your information for our legitimate interests and we are in the process of considering your objection;
  • We have used your information in an unlawful way, but you do not want us to delete your personal information;
  • We no longer need to use the information, but you need it in connection with a legal claim

You can read more about this right here.

Rights in relation to automated decision making including profiling

We will not use automated decision-making or profiling to make any decisions that will have a legal effect upon you or otherwise significantly affect you, and you have the right not to be subject to such decisions.

You can read more about this right here.

Right to withdraw your consent to our use of your personal information

If you have agreed that we may use your personal information, you can withdraw that agreement at any time.

To withdraw your consent, please contact dpo@dpdgroup.co.uk.

Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

How to exercise your rights
  • You can make a data subject rights request verbally or in writing, including via chatbot or social media;
  • To maintain the security of your information, for the right of access requests we will need to reasonably verify your identity before we provide you with a copy of any information we may hold;
  • We have one calendar month from the date of receipt of your request or receipt of the identification information requested in which to provide you with the information referred to above and copies of your information.
  • Your request may be extended by an additional two months if the request is complex or if you submit a number of requests;
  • We are obliged to inform you within the first month if we need to exercise our right to extend the disclosure period by up to an additional two months;
  • There is no charge or fee for the provision of this information in the first instance however, manifestly unfounded or excessive requests plus subsequent copies may attract a reasonable administration fee;
  • DPD UK can refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive

If you wish to exercise any of your data subject rights, please get in touch using the Contact Us section below.

Changes to our privacy notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates.

We may also notify you in other ways from time to time about the processing of your personal information.

If you have any questions about this privacy notice, please contact dpo@dpdgroup.co.uk.

Complaints

If you have a query in relation to a parcel or delivery, please note that the Data Protection Team is unable to assist you as we do not have access to parcel systems. Instead, you will need to contact our Customer Services Team in one of four ways via our website: https://www.dpd.co.uk/content/how-can-we-help/contact.jsp.

You have the right to lodge a complaint with the ICO, (the UK supervisory authority for data protection issues) if you are not satisfied with the way in which we have handled your personal information. The ICO can be contacted at the following address:

Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire
SK9 5AF

or:

Helpline number: 0303 123 1113

Email: www.ico.org.uk/global/contact-us/email

Website: http://www.ico.org.uk

Contact Us

Data Protection Officer

We have appointed a DPO to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information you can contact Donna McMullan at:

dpo@dpdgroup.co.uk
or via our postal address address:

Data Protection Officer,
Legal Office
DPD UK
Roebuck Lane
Smethwick
B66 1BY

If you have a query in relation to a parcel or delivery, please note that the Data Protection Team is unable to assist you as we do not have access to parcel systems. Instead, you will need to contact our Customer Services Team in one of four ways via our website:

DPD (UK) Contact Us

If you have any queries or requests relating to any Data Protection matters, please contact our Data Protection Team at dpo@dpdgroup.co.uk.