Skip to main content

DPA eComm Hub Terms

Between

Parcel Customer; and An Post, a company registered in Ireland with company number 98788 having its registered office at General Post Office, O`Connell Street Lower, Dublin 1, D01 F5P2, Ireland (“An Post”) each a “Party” and together the “Parties” have agreed on the following contractual clauses (the “Agreement”).

Background

  • An Post has agreed to provide the delivery and delivery related services to the Parcel Customer, as specified in the Service and Price Agreement (“the Service”).
  • The Parties hereby agree that the provisions of this Agreement govern the processing of Personal Data.  
  • The Parcel Customer is acting as a Controller and An Post is acting as the Processor.
  • The Parcel Customer has appointed An Post to Process data on its behalf.  The data to be Processed by An Post includes some Personal Data. Data Protection Legislation places certain obligations upon the Parcel Customer as a Controller, to ensure that any party it engages, such as An Post, to Process data on its behalf, has sufficient processes in place to ensure that the Processing of Personal Data carried out on its behalf is secure and takes place in compliance with Data Protection Legislation. 
  • An Post has agreed to provide the Services and to receive the Personal Data for Processing in accordance with the terms of this Agreement. 
  • The Parties have entered into this Agreement to ensure the fair Processing, compliant sharing and maintenance of security of the Personal Data, whether: (i) submitted to An Post by the Parcel Customer; and/or (b) accessed by An Post under the authority of the Parcel Customer; and/or (iii) all Personal Data otherwise received by An Post for Processing on behalf of the Parcel Customer and that all consequent Processing of the Personal Data pursuant to this Agreement takes place in compliance with Data Protection Legislation.

Now It Is Hereby Agreed As Follows; 

  • This Agreement governs the processing of personal data by An Post on behalf of users (“Parcel Customers”) who use the Service.
  • By tendering any postal item for transmission by An Post, the Parcel Customer agrees to the terms of this Agreement.
  • “Competent Authority” shall mean the Irish Data Protection Commissioner and any replacement or successor authority or other data privacy supervisory authority with jurisdiction over a party;
  • “Parcel Customer" shall mean the individual or company who has contracted with An Post to deliver their shipments (whether or not a Service and Price Agreement has been executed);
  •  “Data Protection Legislation” means any applicable legislation in force from time to time in relation to the use of Personal Data including without limitation any legislation or regulations which implement European Community Directive 95/46/EC and Directive 2002/58/EC, (as amended by Directive 2006/24/EC and 2009/136/EC),) including the Data Protection Acts 1988, 2003 and 2018, the General Data Protection Regulation EU No 2016/679 and any amendments, revisions or replacement in respect of the foregoing and all Irish and European Union (with direct effect) laws and regulations relating to processing of personal data and privacy and all other industry guidelines (whether statutory or non-statutory) or applicable codes of practice and guidance notes issued from time to time by a Competent Authority relating to the processing of Personal Data or privacy;
  • The terms “Data Controller”, “Data Subject”, “Personal Data” and “Processing” shall have the same meanings as in the Data Protection Legislation and “Processed” and “Process” shall be construed in accordance with the definition of “Processing”;
  • “Service and Price Agreement” means the service and price agreement to be completed and executed by the Customer and to which this Agreement is appended; 

  1. An Post acts as a Data Processor in respect of the Personal Data it Processes on behalf of Parcel Customer as set out in Annex 1.  
  2. An Post agrees that to the extent that it Processes Personal Data for or on behalf of the Parcel Customer, it is subject to, and agrees to comply with the Data Protection Legislation.
  3. An Post shall cooperate with the Parcel Customer and shall take such reasonable steps as are requested by the Parcel Customer where such is required for the Parcel Customer to comply with any notification or other obligations applicable to the Parcel Customer under the Data Protection Legislation.
  4. In respect of the Processing of Personal Data by An Post or its sub-processors under or in connection with this Agreement, An Post shall, and shall procure that its sub-processors shall:
    1. only Process the Personal Data to the extent required to provide the Services in accordance with the terms of this Agreement or otherwise in accordance with documented instructions of the Parcel Customer from time to time;
    2. not otherwise modify, amend or alter the contents of the Personal Data or disclose or permit the disclosure of any of the Personal Data to any third party unless specifically authorised to do so in writing by the Parcel Customer;
    3. promptly comply with any written request from the Parcel Customer requiring An Post to amend, transfer or delete any Personal Data;
    4. implement appropriate technical and organisational security measures to:
      1. protect the security and confidentiality of all Personal Data against unauthorised or unlawful Processing and against accidental or unlawful loss, destruction, damage, alteration, or disclosure which measures shall be in accordance with the requirements of Data Protection Legislation including, without prejudice to the generality of the foregoing, Article 32 of the GDPR; and
      2. comply with Data Protection Legislation; 
    5. each of its employees, agents and sub-processors are made aware of and are trained in, the obligations under this Agreement with regard to the security, handling and protection of the Personal Data and shall require that they have committed themselves to confidentiality obligations with An Post in order to maintain the levels of security and protection provided for in this Clause 4;
    6. not do or permit anything to be done which might cause the Parcel Customer to be in breach of the Data Protection Legislation;
    7. provide such written evidence of the An Post’s compliance with Data Protection Legislation as may be reasonably requested by the Parcel Customer from time to time;
    8. cooperate and assist, as reasonably requested by the Parcel Customer, and put appropriate technical and organisational measures in place to enable the Parcel Customer to comply with any exercise of rights by a Data Subject under the Data Protection Legislation in respect of Personal Data processed by the An Post under this Agreement (including, without limitation, in relation to the retrieval and/or deletion of a Data Subject’s Personal Data);
    9. not process the Personal Data anywhere outside of the European Economic Area (EEA) without the prior written consent of the Parcel Customer (and subject then, in the event of any transfer outside the EEA, to the execution of any document or agreement which, in the reasonable opinion of the Parcel Customer, is required in order to lawfully effect any such transfer of Personal Data) ;
    10. inform the Parcel Customer, prior to processing the Personal Data, of any legal requirement required by EU or Irish law which obliges the An Post to transfer the Personal Data outside the EEA; 
    11. at the reasonable request of the Parcel Customer or any competent regulatory or supervisory authority, submit for audit the Processing activities (and related facilities) carried out pursuant to this Agreement which audit shall be carried out by the Parcel Customer, its authorised sub-contractor (bound by a duty of confidentiality) and/or the relevant regulatory or supervisory authority; and
    12. cease Processing the Personal Data immediately upon the termination or expiry of this Agreement or, if sooner, the termination of the Services to which it relates and as soon as possible thereafter, at the Parcel Customer’s option and request, either return, or delete from An Post systems, the Personal Data and any copies of it or of the information it contains and An Post shall confirm in writing that this sub-clause has been complied with in full. The provisions of this sub-clause shall not apply to the extent An Post is obliged or permitted by applicable law in force in Ireland or in the EU to keep copies of the Personal Data.
  5. An Post shall notify the Parcel Customer as soon as reasonably practicable:
    1. and in any event within forty eight (48) hours of receiving any legally binding request for disclosure of Personal Data by a law enforcement or other Competent Authority unless prohibited by law from doing so; 
    2. of receiving any request directly from a Data Subject without responding to that request, unless required by law or unless it has been otherwise authorised by the Parcel Customer to do so;
    3. of receiving any correspondence, notice or other communication whether orally or in writing from a Competent Authority relating to the Personal Data; and
  6. Without prejudice to any other provision of this Agreement, the Parcel Customer may, on reasonable notice, request a detailed written description of (i) the technical and organisational methods employed by the An Post and its sub-processors (if any) for the Processing of Personal Data; and/or (ii) the Processing activities carried out by the An Post on behalf of the Parcel Customer containing at least the amount of detail as required by Article 30(2) of the GDPR.  Within thirty (30) days of receipt by the An Post of the Parcel Customer’s written request (which shall include a detailed description of the Parcel Customer’s requirements), An Post shall deliver a written report to the Parcel Customer in sufficient detail that the Parcel Customer can reasonably determine whether or not any applicable Personal Data is being or has been Processed in compliance with the Data Protection Legislation and in accordance with this Agreement.
  7. If An Post or any of its sub-processors becomes aware of any Data Protection Incident, then An Post shall promptly and without undue delay (but in any event within twenty-four (24) hours of discovery) notify the Parcel Customer of the said Data Protection Incident. An Post shall provide the Parcel Customer with all assistance and cooperation as are reasonably required by the Parcel Customer for the Parcel Customer to notify the Competent Authority of a Data Protection Incident and for the Parcel Customer to provide such reports or information as may be requested by it in relation to such Data Protection Incident and/or for Parcel Customer to notify the relevant Data Subjects of such Data Protection Incident, as applicable. For the purposes of this sub-clause, “Data Protection Incident” means a breach of security on the part of An Post leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
  8. An Post shall provide the Parcel Customer with such assistance as is reasonably required by the Parcel Customer for Parcel Customer to discharge its duties pursuant to Articles 35 and 36 of the GDPR insofar as they relate to Processing by An Post hereunder including, but not limited to, providing information at the request of the Parcel Customer in respect of any data protection impact assessment which the Parcel Customer conducts.
  9. The Parcel Customer consents to the sub-processors, who are on terms which are substantially the same as those set out in this Agreement, listed in Annex 2 and to such other sub-processors as are notified in writing to the Parcel Customer from time to time which are not promptly objected to by the Parcel Customer.
  10. Where An Post appoints or otherwise uses the services of a sub-processor, An Post shall be liable to the Parcel Customer for the performance, acts and omissions of such sub-processor. 
  11. An Post agrees not to use any Personal Data which it processes on behalf of the Parcel Customer for direct marketing purposes without the prior written authorisation of the Parcel Customer.
  12. An Post shall promptly notify the Parcel Customer of any breach of its obligations under this Agreement.

Annex 1 - Personal Data that is processed by An Post on behalf of Parcel Customer

Subject matter of processing:An Post populates a text file with Track and Trace data relating to the Parcel Customer’s items and returns the file to the Parcel Customer.
Duration of Processing:For as long as the delivery process is in train.  An Post also retains this data for up to 12 months in case of queries, returns and for billing purposes.
Nature of Processing:An Post processes personal data of any client of the Parcel Customer which is contained in the pre-address file.
Business Purposes:The Parcel Customer is a Company that engages in some mail order work.  They provide a pre-advice file to An Post, and An Post then provides Track and Trace information to the Parcel Customer.
Personal Data Categories:Names, Addresses, Email Addresses and Mobile Phone Numbers of parcel recipients.

Annex 2 - Approved Sub-Processor 

Sub-Processor Name TypePurposeLocation of ProcessingSafeguards
Full legal nameIs the organisation an affiliate organisation or a separate entity etc.For what purpose is the sub-processor engaged with specific regard to data controller personal data.Where does the sub-processor’s processing take place?What safeguards are in place to ensure the sub-processor adheres to their data protection obligations?
Where an international transfer takes place, please also include information about the transfer mechanism used.
Twilio (SendGrid)Separate entityEmail Messaging for customer delivery informationUSContractual obligations, Third Party Risk Management Policy (inc ongoing management) and vendor Due Diligence processes in place
Vodafone Ireland Limited through their sub-processor - PhonovationSeparate entitySMS messaging for customer delivery informationEEAContractual obligations, Third Party Risk Management Policy (inc ongoing management) and vendor Due Diligence processes in place
Air Business Ltd.Wholly owned subsidiaryeCommerce software provider which Customer will connect toEEA and UKContractual obligations, Third Party Risk Management Policy (inc. ongoing management) and vendor Due Diligence processes in place.
Scurri Web Services LimitedSeparate entityeCommerce software provider which Customer will connect toEEAContractual obligations, Third Party Risk Management Policy (inc. ongoing management) and vendor Due Diligence processes in place.

You've exceeded the maximum login attempts
Your account has been locked for 30 minutes to prevent fraudulent activity
Your session has timed out
Would you like to log in again to continue?
Marketing Preferences

We have updated our Marketing preferences to give a customised experience of when and how we can contact you.

Let's stay in touch

Get the latest offers and news from the An Post group of companies by:

We have updated our terms of service