Social Media

Data Privacy and Legal Guidelines

Before you open a social media account, it’s important to understand your country’s copyright and data protection regulations. This guide provides general password security, data protection, legal, and privacy guidelines.

The basics

In most cases, the use of social media involves the processing of personal data, sometimes on a large scale. Even if users accept the social network’s data processing conditions when they open an account, they are entitled to certain fundamental rights and freedoms – particularly their right to the protection of personal data.

Before opening a DHL social media account, please review and understand your country’s copyright and data protection laws and regulations. Also, be sure to familiarize yourself with the rules for each social media network you are using.

Password security

Make sure to create strong, unique passwords for all your social media accounts and management/monitoring tools. This is the best way to protect your accounts from unauthorized use. Please follow these guidelines when creating passwords:

  • Create strong, unique passwords
  • Use two-factor authentication where possible
  • Replace default passwords with strong ones where applicable
  • Create different passwords for each account
  • Don’t share your passwords with others. 
  • Avoid keeping paper records of passwords; use a password safe like KeePass instead.
  • Create long passwords (>12 characters)
  • Don’t use words from the dictionary or simple patterns (e.g., number or letter sequences)
  • Use a combination of uppercase and lowercase letters, numbers, and symbols.
  • Change passwords regularly.
  • Change your password immediately if there is any indication it may have been compromised.

IMPORTANT: Do not use a DPDHL password (i.e., a password you use to access DPDHL devices or services) for your social media accounts. This rule also applies to all non-DPDHL services, such as third-party websites, private computers, or private email accounts.

For further instructions, please review the password guidelines on myNet or contact your local IT security department.

Data Protection

In the age of social media, protecting data and maintaining data privacy is a complex challenge. Social media often involves the processing of personal data. Users are entitled to personal data protection rights (GDPR: data subject rights), even if they accept the terms and conditions of the social media channel and allow their data to be processed.

All DPDHL Group social media managers must adhere to data privacy and security standards. This ensures that our social media activities comply with data protection requirements (e.g., operating social media profiles, using social plugins, social media targeting, and social media monitoring).

PLEASE NOTE: In Germany, the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) is asking all public bodies operating a Facebook fan page to shut them down by the end of 2021 because they are deemed in violation of personal data protection. The BfDI indicates that from January 2022 it will make use of the powers available according to Article 58 of the GDPR. Although the BfDI only refers to public bodies to date, we assume that the same will apply to non-public bodies, such as DPDHL companies, and that they may take action to impose sanctions. Please also note that the BfDI is examining the legality of other social media platforms such as Instagram, TikTok, and Clubhouse. For more details, please see the BfDI’s letter here (German only).

Follow these steps to ensure data protection compliance:

  1. Contact your local data protection officer (DPO) to coordinate the DPR/PIA process (Data Protection Record/Privacy Impact Assessment) and demonstrate compliance with applicable data protection law.  

  2. Ensure that the data processing is based on the legal requirements in your country.

  3. Provide a privacy notice that is easily accessible (maximum of two clicks). The privacy notice should describe your data processing activities in a clear and comprehensible manner (see below for more details). 

  4. Ensure that data subjects (users) can effectively exercise their rights.

  5. Make any necessary joint controller arrangements or controller-processor agreements with the social media provider. Please note that with many social media providers you automatically enter into such agreements by accepting the terms of use (e.g., Facebook, Instagram, and LinkedIn). Be sure you understand the rights and obligations (especially liability) regulated there.

  6. Ensure that the technical and organizational measures are adhered to, particularly data security and data protection through privacy by design and privacy by default.

With these steps in mind, here are several aspects of data privacy to consider when using social media:

Privacy Notice

A privacy notice informs data subjects (users) about how their data will be collected and processed. According to the EU’s General Data Protection Regulation (GDPR), companies must make a privacy notice available on their social media channels. The information must be permanently accessible via a link entitled “Privacy Notice” (maximum two clicks from the homepage or placed as a separate item on the navigation menu).

The content of your privacy notice will depend on the social media network or service in use. Also, regulations vary from country to country. Therefore, please ensure that your social media channels comply with the rules in your country.

Social Plugins

Social plugins are tools developed by social media providers that let users quickly share content from other websites on their social channels. Examples of social plugins are the “Like” and “Share” buttons.

Social plugins often collect personal user data, transmit it back to the related service (e.g., Facebook or LinkedIn), and combine it with existing data. For example, the “Like” button on Facebook collects data for web analytics. 

In some countries, laws may require you to integrate social plugins in a way that ensures no data is transferred immediately when a user visits a website for the first time. In such cases, you may be able to comply with this requirement by using a two-click solution. A two-click process ensures that when a user visits a website, only the desired page is loaded at first. Placeholders (integrated as pictures) replace the actual buttons, and the user must click on the placeholder to activate the button. Users receive a data protection warning via mouse-over before they click for the first time. Once a user clicks on the button, the button is activated, establishing a server connection with a social network. A second click executes the button’s actual function. Another solution is to use cookie consent management. See the Social Media Guideline on myNet for more details.
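The two-click process described above can be modeled as a small state machine. The following sketch is an added example, not code from the Social Media Guideline or from any social network; the function name, the placeholder image path, and the `social.example` URL are assumptions made for illustration.

```javascript
// Two-click gate: nothing is requested from the social network until the
// visitor opts in. All names and URLs below are hypothetical.
const PLUGIN_SRC = "https://social.example/sdk.js"; // placeholder third-party URL

function createTwoClickButton(doc, container, { src = PLUGIN_SRC, onShare }) {
  let state = "inactive"; // inactive -> active

  // Placeholder picture served from our own origin: no third-party request.
  const img = doc.createElement("img");
  img.src = "/img/share-placeholder.png"; // hypothetical local asset
  img.alt = "Share (click to activate)";
  // The title attribute gives the mouse-over data protection warning.
  img.title = "Clicking activates the button and sends data to the social network.";
  container.appendChild(img);

  function click() {
    if (state === "inactive") {
      // First click: only now is the provider's script loaded,
      // which establishes the server connection.
      const script = doc.createElement("script");
      script.src = src;
      script.async = true;
      container.appendChild(script);
      state = "active";
      return "activated";
    }
    // Second click: run the button's actual function.
    onShare();
    return "shared";
  }

  // In a browser the placeholder handles the clicks itself.
  if (typeof img.addEventListener === "function") {
    img.addEventListener("click", click);
  }
  return { click, getState: () => state, placeholder: img };
}
```

In a browser, pass `document` and the element that should hold the button; `onShare` is whatever call the provider's plugin exposes once it has loaded.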

Social Media Monitoring

Social media monitoring (i.e., social listening) involves tracking and analyzing posts, comments, and other engagements on social networks. The insights gained by “listening” to what’s being said about our company help us understand our target markets. Because personal data is processed, social listening is subject to national data protection laws. Therefore, it’s important to understand the rules and consult your local data protection officer before engaging in social listening.

IMPORTANT: Your social media monitoring activities should be limited to publicly accessible social media profiles and data only.

Contact Your Data Protection Officer

Whether or not you have questions about data privacy, it’s best to get in touch with your local data protection officer, either because you have identified a particular issue or to ensure you are handling data privacy correctly.

Go to this page on myNet to find your local Data Protection Officer.

Legal guidelines

Copyright

Copying and using third-party content has become too easy in today’s digital world. However, checking whether you have the right to use that content is still an essential step in the content creation process. Literary works, pictures, videos, music, paintings, drawings, graphic designs, and computer software are usually copyright protected. Copying and using such content in a commercial setting would be a clear violation of the copyright owner’s exclusive rights.

Before you post content on social media, be sure to check if you have the right to use it – and if not, obtain the appropriate rights before you do.

Copyright checklist 

  • Find out if there is a copyright on the material you wish to use (e.g., imagery, videos, music, software).
  • Find out whether your intended use would violate the copyright. For example, uploading third-party content to a website or social media is almost always a copyright violation. 
  • If copyright exists and your intended use violates it, obtain explicit permission (e.g., license) to use the content before posting it. You can do this by contacting your purchasing department, a performance rights organization (e.g., GEMA in Germany), or the copyright owner directly.
  • If you are unsure about any of these steps, have a legal question, or require support, please contact Legal Services (benjamin.heinke@dpdhl.com).

Legal Notice

All websites must have a legal notice, including company social media pages. The legal notice text must specify the company that operates the page or posts the information on it. 

In Germany, for example, the law stipulates that legal notices must include a wide range of information about the company (e.g., commercial registry court, contact details, value-added tax [VAT] identification number). This information must appear in full in the legal notice. The required information varies by country and legal entity and must be reviewed on a case-by-case basis.

On the main page of your social media channel, the legal notice must be:

  • Accessible via a permanent link
  • Labeled “Legal Notice” or “Provider Identification”

Each DPDHL Group social media channel must include a legal notice. For Facebook, for example, the legal notice must be visible immediately when users arrive on the main page.

For support with legal notices, please contact Legal Services (Sabine.Knieper@dpdhl.com).

Promotional Contests

Legal Services must approve all promotional contests. When planning a promotional competition, we recommend preparing the following before seeking approval:

Pre-approval checklist

  • Determine the types of activities you expect participants to carry out
  • Determine how long your contest should run
  • Prepare a draft landing page
  • Prepare draft entry conditions (see list of the required information below)

Information required for approval

  • Organizer
  • Participant pool and any restrictions, if applicable (e.g., we advise limiting participation to persons over eighteen years of age)
  • Mode of participation (email, social media, registration on the landing page, etc.)
  • Term: opening and closing registration dates
  • Winner announcement process
  • Winner notification process
  • Exclusion of legal recourse (and, if applicable, payout)
  • Data protection clause: What happens to the participants’ data? (if appropriate, coordinate with your data protection officer)
  • On some social media networks (e.g., Facebook), you will need to consider the network’s advertising guidelines.

For support with promotional contests, please contact Legal Services (Sabine.Knieper@dpdhl.com).

Liability for Third-Party Content

Although the laws and regulations governing this area are very inconsistent, they do leave room for the possibility of holding a social media channel operator liable for blatantly illegal third-party content. External legal costs for related citations or preliminary applications for injunctions should therefore be taken into account when planning your budget.

IMPORTANT: Make sure you have direct access to all your social media accounts and can remove content at a moment’s notice.

Get Support

If you need help with any data privacy issues, please contact your data protection officer.

If you need help with any legal issues, please contact Legal Services.