Personal data

Docaposte is subject to compliance with the regulations applicable to the Processing of Personal Data

Join us

                   

Docaposte Charter - Protection of personal data - Privacy

Why a Charter on the Protection of Personal Data and Privacy?

In the context of its internal and external activities, the Docaposte Group is subject to compliance with the regulations applicable to the Processing of Personal Data and in particular:

  • Law No. 78-017 of 6 January 1978 relating to information technology, files and civil liberties (known as the Data Protection Act)
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such Data (GDPR).

The Docaposte Group places the protection of Personal Data at the heart of its missions and the services it offers. In this sense, the Docaposte Group wishes to guarantee its Employees, customers, suppliers, prospects as well as Third-Party Beneficiaries – hereinafter the "Data Subjects" – the respect of their Data Personnel.La this Charter on the Protection of Personal Data and Privacy (hereinafter the "Charter"), sets out the principles and guidelines for the protection of the Personal Data of Data Subjects and aims to Information on:

  • The Personal Data that the Docaposte Group collects and the reasons for this collection,
  • How this Personal Data is used,
  • The Rights of Data Subjects over their Personal Data.

This Charter applies to all Docaposte Group Entities and is annexed to the internal regulations.

How does the Docaposte Group take into account the protection of Personal Data?

The Docaposte Group undertakes to take into account the protection of Personal Data and the privacy of Data Subjects from the design of new products or services that are offered or that are intended to allow the Processing of Personal Data.
To ensure security and to guarantee the respect and proper exercise of the rights of Data Subjects, measures to ensure the protection of their Personal Data are implemented.

How is Personal Data used by the Docaposte Group?

The Docaposte Group undertakes to collect only the data that is strictly necessary to carry out its Processing or the Processing carried out on behalf of its customers. In the event that optional Personal Data is requested:

  • when the Docaposte Group acts as Data Controller, clearly informs the Data Subjects about the Personal Data necessary to carry out the Processing in question and those that may be voluntarily provided;
  • when the Docaposte Group acts as a Data Processor and provides a service on behalf of one of its customers, the Docaposte Group informs its customer that the Data Subjects must be informed by it of the categories of Personal Data necessary to carry out the Processing in question and those that are optional and may be voluntarily provided.

Personal Data is collected directly or indirectly from the Data Subjects depending on the Processing envisaged and is only used for the uses that have been brought to their attention or for the Processing purposes entrusted to us by our customers.

How does the collection of Personal Data from minors work?

Some Processing may involve minors. In this case, the consent of their parents or legal guardians is required.

To which departments or companies is Personal Data disclosed?

Personal Data may be transmitted:

  • When the Docaposte Group acts as Data Controller:
    • To the internal departments of the Docaposte Group: the departments that are in charge of the execution of the Processing carried out, in particular the Human Resources Department, the Administrative and Financial Department, etc.
    • To Subcontractors of the Docaposte Group: technical service providers, including subcontractors;
  • To the Docaposte Group's business partners, after having previously informed the Data Subjects and allowed them to object to it.
  • When the Docaposte Group acts as a Data Processor: only to the teams in charge of carrying out the Personal Data Processing that has been entrusted to us by our customers.

Can Personal Data be transferred outside the European Union?

The Docaposte Group is likely to carry out Personal Data Processing on the territory of the European Union (EU) and outside the territory of the European Union. When the Docaposte Group acts as Data Controller, the Docaposte Group informs the Data Subjects of the place of Processing of their Personal Data. When the Docaposte Group acts as a Data Processor, it is the responsibility of its customers who have entrusted it with the performance of the Processing to inform the Data Subjects of the place of Processing of their Personal Data.

For certain specific services, the Docaposte Group may use Subcontractors external to the Docaposte Group established outside the EU. Certain Personal Data may then be communicated to them for the strict needs of their missions. In this case, in accordance with the regulations in force, the Docaposte Group requires its Subcontractors to provide the necessary guarantees to supervise and secure these transfers, in particular by signing standard contractual clauses.

How long does the Docaposte Group keep Personal Data?

The duration of the retention of Personal Data depends on the Processing carried out. The Docaposte Group undertakes not to retain Personal Data beyond the period necessary to carry out the Processing, increased by the retention period imposed by the regulations and Legislation applicable to the Processing carried out.

Is Personal Data protected?

The Docaposte Group undertakes to take all measures to ensure the security and confidentiality of Personal Data and in particular to prevent it from being damaged, erased or accessed by unauthorised third parties.
In accordance with its contractual commitments, the processing carried out by Docaposte may be subject to audit. In addition, in the event of a security incident affecting Personal Data (destruction, loss, alteration or disclosure), the Docaposte Group undertakes to comply with the obligation to notify Personal Data Breaches:

  • to the CNIL or the competent Supervisory Authority, and, where applicable, to the Data Subjects, when the Docaposte Group acts as Data Controller,
  • to the Data Controller when the Docaposte Group acts as a Data Processor.

What are the rights of Data Subjects?

When the Docaposte Group acts as Data Controller

Any Data Subject, whether they are employees, customers, suppliers, or prospects of the Docaposte Group, has the right to exercise the rights provided for by the regulations in force applicable to the Processing of Personal Data with the Docaposte Group at any time, provided that they meet the following conditions:

  • Right of access: communication of their Personal Data subject to Processing by the Docaposte Group.
  • Right to rectification: updating of their Personal Data or rectification of their Personal Data processed by the Docaposte Group.
  • Right to object, in particular to receive commercial communications: request to no longer receive commercial communications from the Docaposte Group or request that their Personal Data no longer be subject to Processing.
  • Right to erasure: request the deletion of their Personal Data.
  • Right to restriction: request the suspension of the Processing of their Personal Data.
  • Right to portability: ask the Docaposte Group to retrieve their Personal Data in order to dispose of it, in a digital format.

Data Subjects may exercise their rights at the following address: mesdroits.rgpd@Docaposte.fr. All requests must be accompanied by proof of identity.

The Docaposte Group undertakes to respond to requests to exercise rights as soon as possible and in any event in compliance with the legal deadlines.

When the Docaposte Group acts as a Data Processor

Any Data Subject whose Personal Data is processed by a Customer Data Controller of the Docaposte Group, has the option at any time to exercise directly with his or her Data Controller the rights provided for by the regulations in force applicable to the Processing of Personal Data.  collaborates with its client Data Controller:

  • Either by providing all the information in its possession allowing the Data Controller to respond to the Data Subject;
  • Or by carrying out operations to modify or delete Personal Data at the request of the Data Controller, under the conditions defined in the contract entered into between the Docaposte Group and the Data Controller.

When the Docaposte Group receives requests from Data Subjects to whom it is a Data Processor, it undertakes to transmit them without delay to the Data Controller and to act in accordance with the instructions of the Data Controller, under the conditions defined in the contract entered into between the Docaposte Group and the Data Controller.

Has the Docaposte Group appointed a Data Protection Officer?

The Docaposte Group is an integral part of the La Poste Group. The appointment of a Data Protection Officer demonstrates the La Poste Group's commitment to the protection, security and confidentiality of the Personal Data of the Data Subjects of its Processing.

The Docaposte Group, in view of the Processing activities carried out, and the La Poste Group, have agreed to appoint a DPO Delegate within the Docaposte Group. The Deputy DPO of the Docaposte Group has a delegation of power entrusted by the President of the Docaposte Group. The Docaposte Group's DPO is functionally linked to the La Poste Group's Data Protection Officer and works in close collaboration with him.

Contact details of the DPO Delegate within the Docaposte Group:

Email address: privacy@Docaposte.fr

Postal address:
Docaposte
PRIVACY-RGPD Unit
45/47 boulevard Paul Vaillant Couturier
94200 Ivry-sur-Seine

Glossary

Each capitalized term has the meaning given to it below.

  • Data Controller : means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law ;
  • Data Processor : means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • "Data Subject": means any identified or identifiable person whose Personal Data is being Processed. For example: employees, customers, prospects, suppliers, service providers, third-party beneficiaries, etc.
  • "Delegated DPO" or "Delegated Data Protection Officer": Refers to the natural person who, pursuant to Article 37 of the GDPR, has been appointed by the President of the Docaposte Group and the Data Protection Officer of the La Poste Group in order to take up the functions specified in Article 38 of the GDPR and to carry out the missions referred to in Article 39 of the GDPR for all Processing activities carried out by the Docaposte Group,  whether it acts as a Data Controller or a Data Processor.
  • "Docaposte Entity": refers to a subsidiary belonging to the Docaposte Group.
  • "Docaposte Group": refers to the subsidiaries belonging to the Docaposte Group and Docaposte SAS
  • Personal data breach : means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed ;
  • "La Poste Data Protection Officer": refers to the natural person who, pursuant to Article 37 of the GDPR, has been appointed by Groupe La Poste to take up the functions specified in Article 38 of the GDPR and to carry out the tasks referred to in Article 39 of the GDPR for all Processing activities carried out by Groupe La Poste,  whether it acts as a Data Controller or a Data Processor.
  • "Personal Data Protection Charter" and "Charter": refers to this Charter describing the measures taken for the Processing, use and management of Personal Data and the rights of the Data Subjects by the Processing(s).
  • Personal Data or Data : refers any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person ;
  • "Processing": means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available,  the reconciliation or interconnection, limitation, erasure or destruction.
  • "Third-Party Beneficiary": Refers to a Data Subject who is not directly linked to Docaposte but whose Personal Data Docaposte processes within the framework of the Processing purposes for which it is responsible.

Privacy Policy amendments

This Privacy Policy may be modified in whole or in part at any times by Docaposte.

Last updated 2025/06/06