Docaposte's Code of Charter
Personal data protection and privacy protection
Why does Docaposte have a charter about the protection of personal data and privacy?
Under the framework of our internal and external activities, Docaposte is subject to regulations when applicable on the processing of personal data, in particular:
- Law No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties,
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Docaposte places the protection of your personal data at the core of (all of) its activities and services. Docaposte endeavours to guarantee the confidentiality of its employees, clients, suppliers, prospects as well as third party beneficiaries' personal data - hereafter referred to as relevant parties.
This charter on personal data and privacy protection (hereafter "The Charter" ) lays out our principles and guidelines on the protection of the personal data of relative parties and aims to inform them about:
- The personal data that Docaposte collects and why,
- The way in which your personal data is used,
- The rights of relevant parties regarding their personal data.
This charter applies to all entities of Docaposte and is an annex to the company rules and regulations.
What action is Docaposte taking to protect personal data?
Docaposte is committed to protecting the personal data and privacy of the relevant parties from the design stage of new products or services which require processing of personal data.
Measures have been put in place for security and to ensure the proper exercise of the rights of relevant parties regarding their personal data.
How does Docaposte use your personal data?
Docaposte undertakes to collect only information which is strictly relevant to its own data processing or that carried out on behalf of its clients.
In the event of non-compulsory personal data being requested :
- When the Docaposte Group acts as Data Controller, it will clearly inform relevant parties on the personal data required for said processing and that which can be voluntarily provided;
- When the Docaposte Group acts as a subcontracter delivering services on behalf of one of its clients, Docaposte will inform its client that relevant parties must be informed of the personal data that is required for the data processing in question and that which is non-compulsory.
Personal data is collected directly or indirectly from relative parties according to planned processing operations and is used only for purposes which they have been made aware of or for processing purposes entrusted to us by our clients.
Personal data collection of underaged persons / minors
Some of our data processing involves underaged persons / minors. In this case, consent is required from parents or legal guardians.
Which departments or companies receive my personal data?
Your personal data may be transferred / transmitted to:
- When the Docaposte Group acts as Data controller:
- Docaposte's internal teams: departments that are responsible for data processing operations, including Human Resources, Administration and Finance departments;
- Docaposte's subcontrators; technical service providers and sub-contractors;
- Docaposte's commercial partners, only after informing relevant parties and providing them with the opportunity to oppose.
- When the Docaposte Group acts a a subcontracter: only to teams responsible for personal data processing which has been entrusted to us by our clients.
Can my personal data be transfered outside the EU?
Your data at Docaposte is liable to data processing inside the European Union (EU) and territories outside of the EU.
When the Docaposte Group acts as Data controller, it will inform relevant parties of the location of the processing of their personal data.
When the Docaposte group acts as a subcontracter it is the responsibility of the client having entrusted Docaposte with the processing to inform relevant parties of the location of said personal data processing.
For certain specific services, Docaposte may use external subcontracters outside of the EU. Personal data used here is communicated strictly for use within the scope of the project. In this instance, and in compliance with current regulations, Docaposte demands that its subcontractors provide the necessary guarantees for the secure transfer and storage of personal data, for example by including standard contractual clauses to this effect.
How long does Docaposte store your personal data?
The length of time Docaposte stores your personal data is dependant on the level of data processing required. Docaposte is committed to storing personal data for the minimum duration necessary for processing, underpinned by laws and regulations imposed and applicable for the duration of data storage for processing.
Is my personal data protected?
Docaposte is committed to taking all required measures to ensure the security and confidentiality of your personal data and to prevent them from being damaged, deleted or accessed by non-authorised third parties.
In compliance with its contractual obligations, data processing carried out by Docaposte is subject to auditing.
In instances of personal data security incidents (destruction, loss, modification or disclosures), the Docaposte Group undertakes to report any such Violations of Personal Data:
- to the CNiL or the relevant supervisory authority, depending on the nature of the relevant parties, when the Docaposte Group acts as Data Controller;
- to the Data Controller when the Docaposte Group acts as a subcontractor.
What are the rights of relevant parties? / What are your rights?
➔ When the Docaposte Group acts as Data Controller
All relevant parties, including employees, clients, suppliers or prospective clients of the Docaposte group may, at any moment, exercise their rights as provided for in the applicable regulations concerning personal data processing and handling, subject to the following conditions:
- Your right of access to personal data ; You have the right to access your personal data processed by Docaposte;
- Your right to rectification: You have the right to amend or rectify your personal data provided to Docaposte;
- Your right to object to processing and to receive marketing communications: you reserve the right to object to direct marketing from the Docaposte Group or to object to your personal data being processed;
- Your right to erasure: you have the right to obtain deletion / erasure of your personal data
- Your right to restrict processing: you have the right to restrict the processing of your personal data
- Your right to data portability: You have the right to receive your personal data held by Docaposte in a digital format.
You can exercise your rights by writing to the following email: email@example.com. All demands must be accompanied by a personal identification document. Docaposte is committed to respond to all wanting to exercise their rights at the earliest convenience and in respecting legal deadlines.
➔ When the Docaposte Group acts as subcontractor :
Any relevant party whose personal data is processed by a client of the Docaposte Group which is the data controller may exercise their rights directly with the data controller of said client as provided for in the applicable regulations concerning personal data processing.
The Docaposte Group when acting as a subcontractor, will work with its client data controller:
- Either by providing all information in our possession to the data controller to respond to the request of the relevant person,
- or to modify or delete your personal data at the request of the data controller, according to the conditions of the contract between the Docaposte group and the data controller.
When Docaposte receives a request from a relevant party for whom it is acting as a subcontractor, Docaposte will immediately transfer said request to the data processor and act according to the instructions of the data controller, in accordance with the conditions of the contract between the Docaposte Group and the data controller.
Does Docaposte have a data protection officer?
Docaposte is an integral part of the La Poste Group. The appointment of a Data protection officer demonstrates the importance the La Poste Group places on the protection, security and confientiality of relevant persons' personal data that it processes.
The Docaposte Group, given the nature of its processing activities, and the La Poste Group, have appointed a data protection officer (DPO) to oversee all data processing activity. Docaposte's DPO has full delegation of authority from the President of the Docaposte Group. Docaposte's DPO works and collaborates closely with the La Poste Group's DPO.
Docaposte's Data Protection Officer (DPO) information:
Email : firstname.lastname@example.org
Postal Address: Madame la DPO Groupe DOCAPOSTE
Privacy-GDPR centre - ACI 6A1-602
45/47 boulevard Paul Vaillant Couturier
94766 Ivry-sur-Seine Cedex
Each term beginning with a capital letter has the meaning which is given thereafter.
« Charter for the protection of personal data » and « Charter »: refer to the current Charter describing all the measures taken for the processing, operating and management of personal data and the rights of relevant parties concerned by said data processing.
« La Poste's Data Protection Officer (DPO) »: refers to the natural person, who according to GDPR article 37, has been designated by the La Poste Group to carry out the functions specified in GDPR article 38 and to undertake the tasks referred to in GDPR article 39 for all processing activity of the La Poste Group whether it is acting as data controller or subcontractor.
« Personal data »: all information relating to an identified or identifiable natural person. A "physically identifiably person" is a natural person who can be identified, directly or indirectly, by a username, such as a name or identity number, location data, online username, or to one or more specific elements of their physical, psychological, genetic, psychological, economic, cultural or social identity.
« Data Protection Officer (DPO) » refers to the physical person, who according to article 37 of GDPR laws, has been designated by La Poste to carry out the functions specified in article 38 of GDPR laws and to ensure the tasks referred to in article 39 of GDPR laws are carried out under La Poste and to ensure the quality of its data processors and subcontracters.
« Docaposte Entity »: refers to a subsidary of the Docaposte Group.
« Docaposte Group »: refers to the subsidaries of Docaposte and Docaposte SAS.
« Relevant parties »: refers to any identified or identifiable person whose personal data is subject to data processing. For example, employees, clients, prospective clients, suppliers, service providers, third party beneficiaries etc…
« Data controller »: refers to the natural or legal person, the public authority, the department or other organisation who, alone or with others, determines the purposes and means of data processing.
« Subcontracter »: refers to the natural or legal person, the public authority, the department or other organisation who, alone or with others, determines the purposes and means of data processing on behalf of the data controller
« Third party beneficiary »: refers to a relevant party indirectly linked to Docaposte butwhose personal data is processed by Docaposte within the scope of its contractual data processing activities.
« Processing »: refers to the operation or series of operations, carried out or not with the aid of automated processes and applied to any form of personal data, such as the collection, saving, organising, structuring, conservation, adaptation or modification, extraction consultation, use, commucation and circulation or other forms of provision, reconciliation, interconnection, limiting, deleting or destruction.
« Personal data breach »: refers to a security breach of your personal data, accidental or illicit, leading to the destruction, loss, modification, disclosure or non-authorised access to the personal data of a relevant party.
Modification of the Personal Data page
This document is subject to modification.
Last updated 20/04/2022