Personal data - Docaposte

Docaposte Charter - Protection of personal data - Privacy

Why a Charter on the Protection of Personal Data and Privacy?

In the context of its internal and external activities, the Docaposte Group is subject to compliance with the regulations applicable to the Processing of Personal Data and in particular:

Law No. 78-017 of 6 January 1978 relating to information technology, files and civil liberties (known as the Data Protection Act)
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such Data (GDPR).

The Docaposte Group places the protection of Personal Data at the heart of its missions and the services it offers. In this sense, the Docaposte Group wishes to guarantee its Employees, customers, suppliers, prospects as well as Third-Party Beneficiaries – hereinafter the "Data Subjects" – the respect of their Data Personnel.La this Charter on the Protection of Personal Data and Privacy (hereinafter the "Charter"), sets out the principles and guidelines for the protection of the Personal Data of Data Subjects and aims to Information on:

The Personal Data that the Docaposte Group collects and the reasons for this collection,
How this Personal Data is used,
The Rights of Data Subjects over their Personal Data.

This Charter applies to all Docaposte Group Entities and is annexed to the internal regulations.

How does the Docaposte Group take into account the protection of Personal Data?

The Docaposte Group undertakes to take into account the protection of Personal Data and the privacy of Data Subjects from the design of new products or services that are offered or that are intended to allow the Processing of Personal Data.
To ensure security and to guarantee the respect and proper exercise of the rights of Data Subjects, measures to ensure the protection of their Personal Data are implemented.

How is Personal Data used by the Docaposte Group?

The Docaposte Group undertakes to collect only the data that is strictly necessary to carry out its Processing or the Processing carried out on behalf of its customers. In the event that optional Personal Data is requested:

when the Docaposte Group acts as Data Controller, clearly informs the Data Subjects about the Personal Data necessary to carry out the Processing in question and those that may be voluntarily provided;
when the Docaposte Group acts as a Data Processor and provides a service on behalf of one of its customers, the Docaposte Group informs its customer that the Data Subjects must be informed by it of the categories of Personal Data necessary to carry out the Processing in question and those that are optional and may be voluntarily provided.

Personal Data is collected directly or indirectly from the Data Subjects depending on the Processing envisaged and is only used for the uses that have been brought to their attention or for the Processing purposes entrusted to us by our customers.

How does the collection of Personal Data from minors work?

Some Processing may involve minors. In this case, the consent of their parents or legal guardians is required.

To which departments or companies is Personal Data disclosed?

Personal Data may be transmitted:

When the Docaposte Group acts as Data Controller:
- To the internal departments of the Docaposte Group: the departments that are in charge of the execution of the Processing carried out, in particular the Human Resources Department, the Administrative and Financial Department, etc.
- To Subcontractors of the Docaposte Group: technical service providers, including subcontractors;
To the Docaposte Group's business partners, after having previously informed the Data Subjects and allowed them to object to it.
When the Docaposte Group acts as a Data Processor: only to the teams in charge of carrying out the Personal Data Processing that has been entrusted to us by our customers.

Can Personal Data be transferred outside the European Union?

The Docaposte Group is likely to carry out Personal Data Processing on the territory of the European Union (EU) and outside the territory of the European Union. When the Docaposte Group acts as Data Controller, the Docaposte Group informs the Data Subjects of the place of Processing of their Personal Data. When the Docaposte Group acts as a Data Processor, it is the responsibility of its customers who have entrusted it with the performance of the Processing to inform the Data Subjects of the place of Processing of their Personal Data.

For certain specific services, the Docaposte Group may use Subcontractors external to the Docaposte Group established outside the EU. Certain Personal Data may then be communicated to them for the strict needs of their missions. In this case, in accordance with the regulations in force, the Docaposte Group requires its Subcontractors to provide the necessary guarantees to supervise and secure these transfers, in particular by signing standard contractual clauses.

How long does the Docaposte Group keep Personal Data?

The duration of the retention of Personal Data depends on the Processing carried out. The Docaposte Group undertakes not to retain Personal Data beyond the period necessary to carry out the Processing, increased by the retention period imposed by the regulations and Legislation applicable to the Processing carried out.

Is Personal Data protected?

The Docaposte Group undertakes to take all measures to ensure the security and confidentiality of Personal Data and in particular to prevent it from being damaged, erased or accessed by unauthorised third parties.
In accordance with its contractual commitments, the processing carried out by Docaposte may be subject to audit. In addition, in the event of a security incident affecting Personal Data (destruction, loss, alteration or disclosure), the Docaposte Group undertakes to comply with the obligation to notify Personal Data Breaches:

to the CNIL or the competent Supervisory Authority, and, where applicable, to the Data Subjects, when the Docaposte Group acts as Data Controller,
to the Data Controller when the Docaposte Group acts as a Data Processor.

What are the rights of Data Subjects?

➔ When the Docaposte Group acts as Data Controller

Any Data Subject, whether they are employees, customers, suppliers, or prospects of the Docaposte Group, has the right to exercise the rights provided for by the regulations in force applicable to the Processing of Personal Data with the Docaposte Group at any time, provided that they meet the following conditions:

Right of access: communication of their Personal Data subject to Processing by the Docaposte Group.
Right to rectification: updating of their Personal Data or rectification of their Personal Data processed by the Docaposte Group.
Right to object, in particular to receive commercial communications: request to no longer receive commercial communications from the Docaposte Group or request that their Personal Data no longer be subject to Processing.
Right to erasure: request the deletion of their Personal Data.
Right to restriction: request the suspension of the Processing of their Personal Data.
Right to portability: ask the Docaposte Group to retrieve their Personal Data in order to dispose of it, in a digital format.

Data Subjects may exercise their rights at the following address: mesdroits.rgpd@Docaposte.fr. All requests must be accompanied by proof of identity.

The Docaposte Group undertakes to respond to requests to exercise rights as soon as possible and in any event in compliance with the legal deadlines.

➔ When the Docaposte Group acts as a Data Processor

Any Data Subject whose Personal Data is processed by a Customer Data Controller of the Docaposte Group, has the option at any time to exercise directly with his or her Data Controller the rights provided for by the regulations in force applicable to the Processing of Personal Data. collaborates with its client Data Controller:

Either by providing all the information in its possession allowing the Data Controller to respond to the Data Subject;
Or by carrying out operations to modify or delete Personal Data at the request of the Data Controller, under the conditions defined in the contract entered into between the Docaposte Group and the Data Controller.

When the Docaposte Group receives requests from Data Subjects to whom it is a Data Processor, it undertakes to transmit them without delay to the Data Controller and to act in accordance with the instructions of the Data Controller, under the conditions defined in the contract entered into between the Docaposte Group and the Data Controller.

Has the Docaposte Group appointed a Data Protection Officer?

The Docaposte Group is an integral part of the La Poste Group. The appointment of a Data Protection Officer demonstrates the La Poste Group's commitment to the protection, security and confidentiality of the Personal Data of the Data Subjects of its Processing.

The Docaposte Group, in view of the Processing activities carried out, and the La Poste Group, have agreed to appoint a DPO Delegate within the Docaposte Group. The Deputy DPO of the Docaposte Group has a delegation of power entrusted by the President of the Docaposte Group. The Docaposte Group's DPO is functionally linked to the La Poste Group's Data Protection Officer and works in close collaboration with him.

Contact details of the DPO Delegate within the Docaposte Group:

Email address: privacy@Docaposte.fr

Postal address:
Docaposte
PRIVACY-RGPD Unit
45/47 boulevard Paul Vaillant Couturier
94200 Ivry-sur-Seine

Glossary

Each capitalized term has the meaning given to it below.

Data Controller : means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law ;
Data Processor : means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
"Data Subject": means any identified or identifiable person whose Personal Data is being Processed. For example: employees, customers, prospects, suppliers, service providers, third-party beneficiaries, etc.
"Delegated DPO" or "Delegated Data Protection Officer": Refers to the natural person who, pursuant to Article 37 of the GDPR, has been appointed by the President of the Docaposte Group and the Data Protection Officer of the La Poste Group in order to take up the functions specified in Article 38 of the GDPR and to carry out the missions referred to in Article 39 of the GDPR for all Processing activities carried out by the Docaposte Group, whether it acts as a Data Controller or a Data Processor.
"Docaposte Entity": refers to a subsidiary belonging to the Docaposte Group.
"Docaposte Group": refers to the subsidiaries belonging to the Docaposte Group and Docaposte SAS
Personal data breach : means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed ;
"La Poste Data Protection Officer": refers to the natural person who, pursuant to Article 37 of the GDPR, has been appointed by Groupe La Poste to take up the functions specified in Article 38 of the GDPR and to carry out the tasks referred to in Article 39 of the GDPR for all Processing activities carried out by Groupe La Poste, whether it acts as a Data Controller or a Data Processor.
"Personal Data Protection Charter" and "Charter": refers to this Charter describing the measures taken for the Processing, use and management of Personal Data and the rights of the Data Subjects by the Processing(s).
Personal Data or Data : refers any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person ;
"Processing": means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, the reconciliation or interconnection, limitation, erasure or destruction.
"Third-Party Beneficiary": Refers to a Data Subject who is not directly linked to Docaposte but whose Personal Data Docaposte processes within the framework of the Processing purposes for which it is responsible.

Privacy Policy Docaposte - Business customers

Docaposte informs its customers about the processing of personal data carried out on their behalf in the context of the activities they entrust to it.

As part of its approach to implementing the legal and regulatory provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, the LA POSTE Group has appointed a Data Protection Officer (DPO) and each of its its subsidiaries, including Docaposte, has identified a DPO referent. Docaposte has also set up the Privacy-GDPR Department, under the responsibility of the Legal and Compliance Department of the Docaposte Group.

Docaposte is committed to ensuring the protection, confidentiality and security of the personal data entrusted to it.

Docaposte processes personal data in accordance with the provisions specified in the contract signed with its customers.
Docaposte ensures that the persons authorised to process personal data undertake to respect confidentiality or are subject to an obligation of confidentiality.
Docaposte trains its employees to comply with the regulations applicable to the processing of personal data and each year compiles a training plan that considers the latest regulatory developments in this area.
When Docaposte uses a subcontractor to carry out personal data processing activities on behalf of the Client, the same personal data protection obligations as those set out in the contract between the Client and Docaposte are required.
Docaposte assists the Client, as far as possible, in fulfilling its obligation to respond to requests submitted by the persons concerned in order to exercise their rights.
Docaposte helps the Client to ensure compliance with security obligations, given the nature of the processing and the information at its disposal. This implies in particular that Docaposte notifies the Client of any personal data breaches as soon as possible, after their discovery.

Docaposte keeps a register of all categories of processing activities carried out on behalf of the Client. Docaposte provides the Client with all the information necessary to provide proof of compliance with its obligations.

At the end of the service and in accordance with the terms of the contract, Docaposte deletes or returns to the Client the personal data that it has processed on its behalf, subject to ongoing claims and legal and regulatory obligations.

Prospect mentions

Identity of the Data Controller and subject matter of the information

Docaposte is a simplified joint-stock company, whose registered office is 45/47 boulevard Paul Vaillant Couturier, 94200 Ivry-sur-Seine, and whose Unique identification number of 493 376 008 (RCS of Créteil). Docaposte is represented by Mr. Olivier VALLET, its president. Docaposte is committed to ensuring the protection, confidentiality and security of your personal data, as well as to respecting your privacy.

Contact and data protection officer - Docaposte

In accordance with the General Data Protection Regulation, Docaposte has appointed a DPO (Data Protection Officer) as a Delegate, reporting to the DPO of the La Poste Group, whom you can contact at the following address: mesdroits.rgpd@docaposte.fr.

Purposes and legal bases of the processing

In the context of commercial prospecting, for individuals (B2C), the legal basis for the processing of your personal data is consent.

In the context of commercial prospecting, for professionals (B2B), the legal basis for the processing of your personal data is the legitimate interest pursued by DOCAPOSTE and its subsidiaries (hereinafter "the Docaposte group").

Your personal data has been collected directly from you or indirectly in the context of events or professional exchanges. Your personal data is processed by the Docaposte group in order to follow up on actions relating to commercial prospecting, such as:

send you personalized advertising messages, including news about our products, special offers, invitations to events;
to send you advertising messages relating to the products, special offers and services of the Docaposte group's partners, in connection with similar services or likely to be of interest to you in relation to your profession;
respond to your requests to exercise rights in relation to your personal data;
to monitor our activities;
to ensure the management of the push list in the context of opposition to the prospecting campaigns of Docaposte and/or its subsidiaries and partners, for the persons concerned.

Categories of Personal Data that are subject to processing

The categories of personal data processed by the Docaposte Group are, where applicable:

Your identification data: surname, first name, contact details (email address, telephone number, postal address)
Your data relating to your professional activities: data relating to membership of a company, employee status, history of our communications (Docaposte User/Group).
Your connection data: IP address, session identifier.
Your data on the device: data relating to the use of the tools and services made available by the Docaposte group.

The persons concerned by the processing of personal data are prospects and customers whose personal data is processed.

Retention periods for your personal data

In order to carry out the Purposes of the processing, Docaposte group is required to process sets of Personal data that can be linked directly or indirectly to its users. The sets of Personal data processed by Docaposte group are as follows:

Processing purposes	Personal Data Processed	Personal data retention period
Management of the commercial relationship with the Docaposte Group's Prospects	Data relating to the identity of the Prospect (First name, last name, email address, telephone number)	3 years from the last contact with the Prospect or until the person concerned requests an objection.
Management of the commercial relationship with the Docaposte Group's Customers and Partners	Data relating to the identity of the Client (First name, last name, Email address, telephone number) Data relating to the professional life of the person concerned (data relating to membership of a company, employee status, history of our communications (User/Docaposte Group).	Duration of the contractual relationship with the Client
Organization and management of registrations for Docaposte Group webinars	Data relating to the identity of the Client (First name, last name, Email address, telephone number) Data relating to the professional life of the person concerned (data relating to membership of a company, employee status, history of our communications (User/Docaposte Group). Data relating to the participation of the data subject in webinars.	Prospect data kept for 3 years from the last contact or until the person concerned requests an objection.
Management of surveys, reviews, prospects and customers	Data relating to the identity of the Client (First name, last name, Email address, telephone number)	6 months after the survey was carried out
Management of the pusher list	Fingerprint of the email address used for prospecting	3 years from the expression of the objection of the person concerned.

The recipient of your personal data

Your personal data is processed by Docaposte and its subsidiaries.

Transfers of Personal Data outside the European Economic Area (EEA)

The Personal Data processed by the Docaposte group is hosted within the European Union (EU) or the European Economic Area (EEA).

However, in some cases, your Personal Data may be subject to a Transfer outside the European Economic Area, through certain Subcontractors of the Docaposte group.

As such, the Docaposte group undertakes to take all necessary measures to ensure the compliance of the Transfer of Personal Data, by carrying out an impact assessment of the Transfer, by signing the Standard Contractual Clauses of the European Commission in their version of June 4, 2021 (Implementing Decision 2021/914) and by putting in place all the additional guarantees necessary for this purpose.

The Docaposte Group undertakes to ensure that these obligations are respected by their Subcontractors with regard to their own Subcontractors.

The list of recipients of Personal Data located outside the European Economic Area giving rise to Transfers of Personal Data between the Docaposte group and its Subcontractors is available in the "Recipients or categories of recipients of the personal data " section below.

Recipients or categories of recipients of the personal data

Regarding the processing purposes, the data processed on Docaposte group is intended for the following Recipient.

These Subcontractors operate within a scope that complies with the General Data Protection Regulation (GDPR):

Third Party – Data Recipient	Type of Processing performed	Transfer of Personal Data
SALESFORCE	CRM database of our customers and prospects	Not Concerned
HUBSPOT	Database and CRM generation for marketing prospecting campaigns and pushlist management	Not Concerned (GERMANY) – *Where applicable, subject to the application of Binding Corporate Rules (BCRs).
WEBIKEO	Platform for managing the organization and management of webinar registrations.	Not Concerned
BREVO	Communication prospecting campaign management tool.	Not Concerned (OVH FRANCE/GERMANY)
MAILJET	Database and CRM Management	Concerned (USA) (GOOGLE CLOUD – GERMANY/BELGIUM)
BOOND MANAGER	Tool for steering and managing prospects and customers.	Not Concerned

Security of Personal Data

Your Personal Data is stored in appropriate conditions of security and confidentiality, the DOCAPOSTE Group having deployed a security policy providing for organizational and technical measures that comply the state of the art and the applicable standards.

Rights of the data subject

In accordance with the European legislation on the protection of personal data, you have rights regarding your data:

Right of access: you have the right, without prior justification, to ask directly to Docaposte to access the personal data concerning you. Thus, any user will have the right to access the Data recovered by contacting the service in charge of data protection.
Right to rectification of your personal data: in case of Processing of your Personal data, Docaposte implements appropriate measures to guarantee the accuracy of your Data and their update for the Purposes for which they were collected. If your Personal data are inaccurate or incomplete, you have the right to obtain their rectification.
Right to erasure of your personal data: you have the right to request, in certain specific situations, that Personal data concerning you be erased.
Right to data portability: you have the possibility of recovering part of your Personal data in an open and readable format for re-use for personal purposes.
Right to object or right to withdraw consent: You have the right, at any time, to object to your Data being processed.

Depending on the situation, one or more of these rights may not be exercised, for example:

If there are compelling legitimate grounds for continuing to process your Personal data;
If your Personal Data are necessary for the establishment, exercise or defense of legal claims;
If a legal obligation requires us to retain your Data.

For all requests relating to the exercise of your rights, you may contact Docaposte at the following address: mesdroits.rgpd@docaposte.fr

You can also object to the sending of emails by clicking on the unsubscribe link systematically offered at the end of the content of the emails.

Right to file complaint with the CNIL

We remind you that you have the right to lodge a complaint with the supervisory authority, la Commission Nationale de l'Informatique et des Libertés (CNIL), via their website: www.cnil.fr or by post by writing to: CNIL - Service des Plaintes - 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07.

Automated decision-making about your personal data

Docaposte informs you that your data is not subject to any automated decision-making or profiling.

Specific notices on the processing of data on the website

In accordance with the General Data Protection Regulation (GDPR), Docaposte informs you that it places the protection of personal data at the heart of its missions and the services offered to you. This Policy sets out the principles and guidelines for the protection of Personal Data for users of the Docaposte.com website.

Definitions

Cookie: file stored by a server in a User's terminal (computer, phone, etc.) and associated with a web domain. This file is automatically returned on subsequent contacts with the same domain.
Data controller: natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of such processing.
Data processor: natural or legal person, public authority, agency or other body that processes Personal Data on behalf of the controller.
Data Subject: means any identified or identifiable natural person to whom the Personal Data processed relates. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier (e.g. name, identification number, online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity). In the context of Docaposte's website, the visitor to the website who is a natural person is the Data Subject.
Data recipients: means the natural or legal person, public authority, agency or other body which receives communication of personal data, whether or not it is a third party.
Personal Data, Personal Data or Data: corresponds to any information relating to an identified or identifiable Data Subject that allows him or her to be directly or indirectly identified.
Personal Data Breach: any breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Processing of Personal Data or Processing relates to all operations or sets of operations (whether automated or not) performed on Personal Data or sets of Personal Data.
Purpose of Processing or Purpose: purpose/object of the Processing of Personal Data.
Retention period: the period imposed by law and/or chosen by the data controller, at the end of which the documents may be destroyed.
Transfer of Personal Data or Transfer: any action of sending, communicating, copying, transmitting, disseminating or remotely accessing Personal Data, regardless of the medium or means of communication used.
Users: refers to visitors to Docaposte's website, whether they are customers, prospects or simple visitors to the website.

Data controller

Your data is processed by Docaposte, a simplified joint-stock company with a capital of €89,446,010, whose registered office is 45/47 boulevard Paul Vaillant Couturier, 94200 Ivry-sur-Seine, chaired by Mr. Olivier VALLET, with a Unique Identification Number of 493 376 008 (RCS of Créteil).

Purpose of the processing

Docaposte provides all its Users with a website promoting the offers and services of Docaposte and its subsidiaries and providing visitors to the website with information on the news of the Docaposte group.
The processing of personal data carried out from the website concerns in particular:

The instruction of the contact forms made available to you. There are four forms:
- Two forms in the "Contact us" tab. The first allows you to contact customer service and the second allows you to contact the sales department.
- Forms for the teams in charge of offers.
Carrying out marketing and sales campaigns (sending B2B type communications and managing push lists.
The management of unsolicited applications and responses to job offers sent to users of the website, if applicable.
The production of statistics, targeted advertising campaigns, analyses and audience research through cookies placed on the terminals of Users of the Docaposte website.
The Docaposte website also allows you to be redirected to the websites of our partners or subsidiaries to allow the promotion of the various Docaposte brands and offers, commercial prospecting and to process applications sent for the various job offers published by Docaposte. The conditions for processing your data are specified on each of these partner sites.

Legal basis for data processing

The legal basis for processing your personal data varies depending on the nature of the data processing. Indeed, for certain purposes, the legitimate interest pursued by Docaposte prevails. However, certain subsequent processing sub-purposes may be based on the consent of the Website Users.

Processed personal data and associated retention periods

In the context of the achievement of the processing purposes, Docaposte is required to process the sets of personal data that can be directly and indirectly linked to its users. The personal data sets processed within the framework of Docaposte's institutional website are as follows:

Processing purposes	Personal data processed	Personal data retention periods
The sending and processing of forms by the various departments of Docaposte.	Data relating to the civil status and identity of Users (Title, Surname, First Name, Email Address, telephone number, residence). Data relating to professional life (company name, company to which they belong, etc.). Any data that may be indicated in the free fields.	Customer data: kept for the duration of the contractual and pre-contractual relationship. Lead data: Retained for 3 years from the last contact from the prospect.
Realization of marketing and sales communication campaigns and management of the push list	Data relating to the civil status and identity of Users (Surname, First Name, Email Address, etc.) Data relating to professional life (company name, company to which they belong, etc.). Push list: imprint of an email address used for prospecting; temporal data related to the expression of the objection by the Data Subject.	>Customer data: kept for the duration of the contractual and pre-contractual relationship. Data relating to prospects: kept for 3 years from the last contact from the prospect. Push list: information allowing the opposition to be considered kept for 3 years.
Management of applications and responses to Docaposte job offers	Data relating to the candidate's civil status and identity (surname, first name, professional or personal email address. Data relating to professional life: any data likely to be indicated on the candidate's CV and cover letter.	See privacy policy "Docaposte Recrute"
Cookies and trackers used on the website to optimise the User experience and to carry out statistics and audience measurement.	Data relating to the User's browsing on the website (title of the pages viewed, URL of the pages, date of consultation, browsing behaviour, etc.). Connection data (IP address of the website visitor, session ID).	The lifespan of cookies and the retention periods of the processed data are specified in the cookie management policy.

Categories of data subjects

The persons concerned by the processing of personal data carried out on the Docaposte.com website are prospects, customers, and more generally all natural visitors to the website whose personal data is processed.

Transfer of personal data outside the European Economic Area (EEA)

The Personal Data processed by the Docaposte group is hosted within the European Union (EU) or the European Economic Area (EEA). However, in some cases, your Personal Data may be subject to a Transfer outside the European Economic Area, through certain Docaposte Subcontractors.

As such, Docaposte undertakes to take all necessary measures to ensure the compliance of the Transfer of Personal Data, by carrying out an impact assessment of the Transfer, by signing the Standard Contractual Clauses of the European Commission in their version of June 4, 2021 (Implementing Decision 2021/914) and by putting in place all the additional guarantees necessary for this purpose.

Docaposte undertakes to ensure that their Data Processors comply with these obligations with respect to their own Data Processors. A list of recipients of Personal Data located outside the European Economic Area giving rise to Personal Data Transfers between Docaposte and its Data Processors is available in the "Recipients or categories of recipients of Data" section below.

Recipients or categories of data recipients

In view of the various purposes specified above, the data collected through the forms is intended for the sales, marketing, communication and human resources departments of Docaposte using the data processing support applications below. Docaposte, as the Data Controller of personal data processed on its website, is a direct recipient of the data that passes through the website when the forms are completed by the users of the website.

The recipients of indirect data are the following Data processors and partners of Docaposte:

Third-Party Recipient	Type of processing performed	Transfer of personal data outside the EU
SALEFORCE	Publisher of the CRM used for customer relationship monitoring by Docaposte.	Concerned via Sub-processor (EU Hosting – Ireland)
TALENTSOFT	Publisher of the tool used for the management of candidates for job offers published by Docaposte and unsolicited applications.	Not concerned
HUBSPOT	Publisher of the Hubspot Marketing hub tool used for the management of B2B marketing and sales campaigns with Docaposte's prospects and customers.	Not concerned

Security of personal data

Your Personal Data is stored in appropriate conditions of security and confidentiality, the Docaposte Group having deployed a security policy providing for organizational and technical measures that comply the state of the art and the applicable standards.

Rights of the data subject

The legal basis for the processing carried out by Docaposte is based on consent or legitimate interest depending on the processing sub-purpose concerned. These legal bases are likely to affect the rights and freedoms of the data subjects. Regarding these legal bases for processing, we remind you that you can exercise the following rights, under European data protection law:

Right of access: you have the right, without prior justification, to request directly from Docaposte to access the Personal Data concerning you. Thus, any user will have the right to access his or her Data by contacting the department in charge of data protection.
Right to rectification of your Personal Data: in the event of processing your Personal Data, Docaposte implements appropriate measures to ensure that your Data is accurate and up to date for the Purposes for which it was collected. If your Personal Data is inaccurate or incomplete, you have the right to have it corrected.
Right to erasure of your Personal Data: you have the right to request, in certain special situations, that Personal Data concerning you be erased. This right to erasure may be exercised by the Data Subjects.
Right to restriction: If you can contest the accuracy of the Data used by Docaposte or object to your Data being processed, the Data Controller is authorised to examine your request. During this period of investigation of the data, you can ask Docaposte BPO to freeze the use of your Data while keeping it.
Right to portability: you have the possibility to recover part of your Personal Data in an open and readable format for reuse for personal purposes.
Right to object or to withdraw consent: You have the right, at any time, to object to your Data being subject to Processing.

Depending on the situation, one or more of these rights cannot be satisfied, for example:

If there are compelling legitimate grounds(es) that require us to continue processing your Personal Data.
If your Personal Data is necessary for the establishment, exercise or defence of legal claims.
If there is a legal obligation to keep your Data.

For any requests relating to the exercise of your rights, you can contact Docaposte at the following address: mesdroits.rgpd@docaposte.fr.

Right to file complaint with the CNIL

Contact and Data Protection Officer

The appointment of a Data Protection Officer appointed by the DPO of La Poste Groupe demonstrates the Docaposte Group's commitment to the protection, security and confidentiality of its customers' Personal Data.
If you have any questions regarding this Privacy Policy and the data processing activities implemented by Docaposte, or if you wish to exercise any of your rights under the GDPR, please contact:

Postal Address:
DPO Délégué Groupe Docaposte
Pôle Privacy-RGPD - ACI 6A1-602
45/47 boulevard Paul Vaillant Couturier
94766 Ivry-sur-Seine Cedex

By email:
privacy@docaposte.fr

Standard Cookie Management Policy

You can find out more about our privacy policy, which sets out how we handle the personal data we collect and that you provide to us: Privacy Policy.

Please read this policy carefully and the information below to understand our practices regarding the processing of your personal data through our use of cookies.

Our commitments to protecting the privacy of your personal data

Docaposte offers a wide range of tailor-made or turnkey B to B products and services for companies and administrations, and we also attach great importance to the respect of the privacy of visitors to its institutional site and of all natural persons using its services (hereinafter referred to as the Persons). With this privacy statement, Docaposte would like to explain how it manages your personal data that may be collected on its website.

You will read important information about how Docaposte may use your personal data.

Why and how we use personal data

a. What is Personal Data?

Personal Data is any information that can be used to identify (directly or indirectly) a natural person, such as name, telephone number, date of birth or IP address.

b. What Personal Data does Docaposte collect?

The Personal Data collected varies according to the context of the Person's interaction with Docaposte, the choices you make on our site. The data we collect may include the following:
Identification data: first and last name, email address, postal address, telephone number, company name, function, sector of activity, size of the company;
Connection data: IP address, location, browsing history ;
Data on the device: type of device used (computer, mobile, tablet).

c. If collected, for what purposes will your personal data be used and for how long will it be stored?

The purpose of the processing

Docaposte uses the Personal Data collected, where applicable, on its website, for statistical purposes to improve its services, to communicate with you in a personalised way through promotional and/or informational emailing, invitations to events, surveys, campaigns on social networks and to offer you thematic content.

Retention period

Customer Personal Data used for commercial prospecting purposes may be kept by Docaposte for a period of three to 3 years from the end of the commercial relationship.
The Personal Data of non-customer prospects may be kept for a period of 3 years from their collection by Docaposte or from the last contact from the prospect.

At the end of this three-3-year period, Docaposte undertakes to contact the person concerned again to find out if he or she wishes to continue to receive commercial solicitations.

In the absence of a positive and explicit response from the person concerned, Docaposte undertakes to delete or archive the said Personal Data in accordance with the provisions in force.

Tool name	Description	Retention period
Tarteaucitron	Saving user's consent choices (CMP)	12 months (CMP technical cookies not subject to consent)
Piwik	Used to analyse and improve the service. Privacy on this site: We collect and process your data on this site to better understand how it is used. You can opt in or out at any time:	13 months (cookies not subject to consent)
Youtube	Integration of youtube videos in the content of the pages	6 months with the use of www.youtube-nocookie.com
Clarity	Used to analyse and improve the service	12 months
Google Ads	Used to analyze marketing campaigns	13 months
Google Tag Manager	Used to put tags linked to marketing	Does not deposit cookies directly
Bing Ads	Used to analyze marketing campaigns	13 months
Linkedin Insight	Optimisation of marketing campaigns: personalised tracking of the site's audience	13 months
Facebook Pixel	Optimisation of marketing campaigns	12 months
Hubspot	User tracking on the website and form hosting	12 months
Matomo Analytics	Used to analyse and improve the service	12 months
ZBO	Used to track marketing campaigns	12 months
Weborama	Used to analyze marketing campaigns	10 months
Criteo	Used to analyze marketing campaigns	13 months
Hcaptcha	Used to stop boots in forms	Session (cookie deposited in case of click to fill out a form)
Chat SalesForce	Online chat	Session (cookie deposited in case of click for use)

d. Right of access, opposition, limitation, rectification, erasure, not to be subject to automated decision-making:

You have the possibility to access your Personal Data, object to its processing or limit its processing, request its deletion or rectification, in particular in the event of any errors.
You can exercise your rights by email, accompanied by a copy of any identity document: mesdroits.rgpd@Docaposte.fr.

e. Where is your data stored?

Your data is stored in compliance with French legislation and European regulations.

The site is hosted by Docaposte.
45/47 boulevard Paul Vaillant Couturier
94200 Ivry-sur-Seine
Tel: 01 56 29 70 01

The data of our service provider Salesforce is stored in Germany and France. (Germany (SFDC Germany Data Center GmbH) / France (SFDC France Data Centre Sarl))

Cookies

a. What is a cookie?

A cookie is a text file that is stored on your device (computer, phone, tablet) when you visit a website. It enables its issuer to identify your equipment in a unique way during its period of validity and to store information relating to your visit, in particular, in order to simplify your browsing on our websites or to offer you content tailored to your interests.

b. What does Docaposte use cookies for?

Storage of information you provide to a website: When you provide information on Docaposte's websites, we store the personal data in a cookie in order to remember the information you have added. Docaposte prevents you from re-entering the same information each time you visit our websites.
Optimization: Cookies are also used to optimize the performance of our websites and mobile sites. For example, they make it easier for you to navigate and help you find specific content faster.
Interests: Docaposte uses cookies to collect data about your online activity and identify your interests, so that we can provide you with content and/or advertisements tailored to your preferences.
Analytics: Docaposte uses cookies, for example, to count the number of unique visitors to a page or web service and to develop other statistics on the functioning of its services via third-party analytics.

c. What types of cookies are used on our sites?

Technical and browsing cookies

These cookies are placed on all of our websites, mobile sites and mobile applications. They make it easier for you to navigate between pages on our sites and apps and automatically expire when you close your browser. You can choose to disable these cookies through your internet browser, without altering access to our services.

Audience measurement and browsing tracking cookies

This cookie is placed on all our websites, mobile sites It allows us to collect anonymous statistical data on the use of our sites and applications to improve their ergonomics and user experience.

Social media share button cookies

Some of our websites include social media cookies that enable content sharing.

We cannot control these cookies and the data collected by social media. For more information about these cookies, we invite you to consult the privacy policies specific to each of these social media sites. The data collected through these cookies is used by Docaposte in accordance with their purposes.

Web beacons and analytics services

Docaposte's web pages may contain electronic links and/or images known as web beacons (also known as web beacons) that we use to place cookies on our websites, count users who visit those websites, and provide quality services.

In addition to placing web beacons on our own websites, we sometimes work with other companies to place our web beacons on their websites or in their advertisements. This helps us to compile statistics to know how often a click on an advertisement on a Docaposte website leads to an action on the advertiser's website.

Finally, Docaposte's services may contain web beacons or similar technologies from third-party analytics providers, which help us compile aggregate statistics on the effectiveness of promotional campaigns or other operations. These technologies allow analytics providers to place and read their own cookies or other identifiers on your device, through which they can collect information about your online activities in apps, websites, or other services. However, we do not allow these analytics providers to use web beacons on our sites to collect or access information that directly identifies you (such as your name or email address).

Here are some details about the cookies used on the www.Docaposte.com site:

TarteAuCitron :

We use the TarteAuCitron tag manager in order to better manage the consent of our users and all the cookies associated with the DOCAPOSTE website, in accordance with the recommendations of the GDPR.

Expiration of the cookie : 12 months

Name	Description	Retention period
_pk_id	Cookie for Id	13 months
stg_returning_visitor	Local cookie	12 months
stg_last_interaction	Local cookie	12 months
csrftoken	Local cookie	11 months

Name	Description	Retention period
ADS_VISITOR_ID	Cookie for Id	3 months
NID	Local cookie	6 months
OGPC	Local cookie	10 days
NID	Local cookie	6 months
SEARCH_SAMESITE	Local cookie	9 days
SOCS	Local cookie	6 months

Clarity :

We use Clarity to analyze user behavior and improve the service.

Name	Description	Retention period
_clck	Cookie for Id	12 months
_clsk	Cookie for multiple session	12 months

Name	Description	Retention period
_gcl	Local cookie	3 months
ADS_VISITOR_ID	Local cookie	2 months
IDE	Local cookie	12 months
AEC	Local cookie	2 months
APISIS	Local cookie	13 months
OPGC	Local cookie	12 months
SAPISID	Local cookie	12 months
SEARCH_SAMESITE	Local cookie	12 months
SID	Local cookie	12 months
SIDCC	Local cookie	12 months
SOCS	Local cookie	6 months
SSID	Local cookie	13 months
UULE	Local cookie	Session

Name	Description	Retention period
MUID	Local cookie	13 months
XANDR_PANID	Local cookie	3 months
anj	Local cookie	3 months
_uetsid	Local cookie	1 day
_uetvids	Local cookie	1 day
uuid2	Local cookie	3 months

Name	Description	Retention period
bcookie	Cookie for Id	13 months
lidc	Cookie for routing	1 day
li_gc	Local cookie	6 months

Name	Description	Retention period
_fbp	Local cookie	3 months

Name	Description	Retention period
__cf_bm	Local cookie	12 months
__hs_cookie_cat_pref	Local cookie	6 months
_cfuvid	Local cookie	Session
hubspotutk	Local cookie	6 months

Name	Description	Retention period
_pk_id	Cookie for Id	13 months
_pk_ses	Cookie for session	30 mn

Name	Description	Retention period
zebestof.com	Local cookie	12 months

Name	Description	Retention period
AFFICHE_W	Local cookie	10 months

Name	Description	Retention period
cto_bundle	Local cookie	13 months
uid	Local cookie	10 months

Name	Description	Retention period
ph_phc	Local cookie	11 months

Name	Description	Retention period
BrowserId	Cookie for Id	9 months
CookieConsentPolicy	Local cookie	3 months
LSKey-c$CookieConsentPolicy	Local cookie	3 months
X-Salesforce-CHAT	Local cookie	Session

d. How long is cookies retention?

The data collected by the audience measurement cookies deposited directly or indirectly by DOCAPOSTE have a maximum retention period of 13 months (excluding Google). Consents and refusals given via Tarteaucitron for the activation of cookies are kept for a period of 12 months. The Facil'ity cookie is permanent but remains local without third-party data sharing.

e. How to set cookies in your browser?

Docaposte allows you to set the parameters of cookies placed on your device using the interface accessible directly from the cookie banner or from the consent management platform provided for this purpose.

We inform you that you can also configure your browser to handle cookies. The configuration of each browser is different. You can find out how to change your cookie settings by consulting our online help:

Video Surveillance, Video Protection, and Data Protection

Purpose and data controller

The images captured by the video surveillance and video protection cameras placed in Docaposte's establishments are subject to processing, within the meaning of the regulations relating to data protection, for which the person responsible is: DOCAPOSTE SAS, whose registered office is located at 45/47 boulevard Paul Vaillant Couturier, 94200 Ivry-sur-Seine.

Legal basis for processing

These cameras allow Docaposte and its entities to ensure the safety and security of people and property, in its legitimate interest and, for video protection cameras, in application of the Internal Security Code (art L.251-2).

Retention period and exercise of rights

Images are kept for a maximum of thirty (30) days. They can be viewed by Docaposte's staff in charge of safety and security as well as by external service providers involved for the same purpose.

In the event of an incident related to the safety of people and property, the images can be extracted. They are then kept on another medium, while the procedures related to this incident are settled, and accessible only to the persons authorised in this context. They may also be consulted by the authorized public authorities upon judicial requisition.

You have a right of access to images concerning you, which you can exercise by the following means:

Contact details of the DPO Delegate within the DOCAPOSTE Group

Email address:
mesdroits.rgpd@docaposte.fr

Mailing address:
DPO Délégué Groupe DOCAPOSTE
Pôle Privacy-RGPD - ACI 6A1-602
45/47 boulevard Paul Vaillant Couturier
94766 Ivry-sur-Seine Cedex

In the event of a difficulty in connection with the management of your personal data, you have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL).

Appointment of a Data Protection Officer

As part of its personal data protection policy, Docaposte has appointed a shared Data Protection Officer:

Data Protection Officer of the La Poste Group
CP C703 – 9 rue du Colonel Pierre Avia 75015 PARIS

Privacy Policy amendments

This Privacy Policy may be modified in whole or in part at any times by Docaposte.

Last updated 2025/06/06