NewJoin our newsletter for post-purchase and CX insights Subscribe →

GDPR Compliance

Last updated: January 15, 2026

1. Our Commitment to GDPR

parcelLab GmbH is fully committed to complying with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). As a company headquartered in Munich, Germany, and serving customers across the European Union and worldwide, we recognize the importance of protecting personal data and upholding the rights of data subjects.

This page provides an overview of how we ensure GDPR compliance across our operations, products, and services.

2. Roles and Responsibilities

2.1 parcelLab as Data Processor

When providing our post-purchase experience platform to customers, parcelLab acts as a data processor on behalf of our customers (the data controllers). We process personal data only in accordance with our customers' documented instructions and applicable data processing agreements.

2.2 parcelLab as Data Controller

For our own business activities — such as operating our website, managing customer relationships, and conducting marketing — parcelLab acts as a data controller. In this capacity, we determine the purposes and means of processing personal data and are directly responsible for GDPR compliance.

3. Data Processing Agreement

We offer a comprehensive Data Processing Agreement (DPA) to all customers, in accordance with Article 28 of the GDPR. Our DPA covers:

  • Subject matter, duration, nature, and purpose of processing
  • Types of personal data processed and categories of data subjects
  • Obligations and rights of the data controller
  • Subprocessor engagement and management
  • Data breach notification procedures
  • Data deletion and return upon contract termination

To request a copy of our DPA or to execute an agreement, please contact your account manager or reach out to privacy@parcellab.com.

4. Technical and Organizational Measures

parcelLab implements robust technical and organizational measures (TOMs) to ensure the security of personal data, as required by Article 32 of the GDPR. Key measures include:

4.1 Encryption

All data is encrypted in transit using TLS 1.2 or higher, and at rest using AES-256 encryption. Database backups and stored credentials are also encrypted.

4.2 Access Controls

Access to personal data is restricted to authorized personnel on a need-to-know basis. We enforce multi-factor authentication, role-based access control, and regular access reviews.

4.3 Infrastructure Security

Our platform is hosted on enterprise-grade cloud infrastructure within the European Union. We conduct regular vulnerability assessments, penetration testing, and maintain intrusion detection systems.

4.4 Monitoring and Logging

We maintain comprehensive audit logs and monitoring systems to detect and respond to potential security incidents in real time.

5. Subprocessors

parcelLab engages a limited number of subprocessors to deliver our services. We carefully vet all subprocessors for GDPR compliance and maintain binding data processing agreements with each. Our current list of subprocessors is available upon request and is regularly updated.

We provide our customers with prior notice of any intended changes to subprocessors, giving them the opportunity to object in accordance with their DPA.

6. Data Subject Rights

parcelLab supports the exercise of data subject rights as set out in Articles 15–22 of the GDPR. When we act as a data processor, we assist our customers in fulfilling data subject requests. When we act as a data controller, we handle requests directly. These rights include:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure / right to be forgotten (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Rights related to automated decision-making and profiling (Article 22)

7. Data Breach Notification

In the event of a personal data breach, parcelLab will notify affected customers without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with Articles 33 and 34 of the GDPR. Our notification includes the nature of the breach, data categories affected, likely consequences, and measures taken to address and mitigate the breach.

8. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to the rights and freedoms of data subjects, as required by Article 35 of the GDPR. DPIAs are reviewed and updated periodically and whenever significant changes to processing activities occur.

9. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), we ensure compliance with Chapter V of the GDPR through appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission
  • Transfer impact assessments where required

10. Data Protection Officer

parcelLab has appointed a Data Protection Officer (DPO) who oversees our GDPR compliance program and serves as a point of contact for data protection matters. You can reach our DPO at:

Data Protection Officer
parcelLab GmbH
Landwehrstraße 39
80336 Munich, Germany
Email: dpo@parcellab.com

11. Certifications and Audits

parcelLab undergoes regular third-party audits and maintains relevant certifications to demonstrate our commitment to data protection and information security. Details of current certifications are available upon request.

12. Contact

For questions about our GDPR compliance practices, to request our DPA, or to raise a data protection concern, please contact:

parcelLab GmbH
Landwehrstraße 39
80336 Munich, Germany
Email: privacy@parcellab.com