This Policy illustrates the Group’s commitment to respect for fundamental rights and freedoms, privacy and the protection of . The Group ensures that the Personal Data entrusted to it is processed fairly, lawfully and with complete transparency.
This Policy thus sets out the principles and guidelines followed to protect your Personal Data and is intended to inform you about:
the Personal Data that the Group collects and the reasons for this collection,
how this Personal Data is used,
your rights concerning your Personal Data.
This Policy applies to all Personal Data processed as part of the provision of the Group’s services and products, excluding those offered by the Group’s partners. All operations on this Personal Data are carried out in accordance with the regulations in force and in particular the European General Data Protection Regulation (hereinafter the ‘GDPR’), the French Data Protection Act no. 78-17 of 6 January 1978, as amended, as well as its implementing decrees (hereinafter the ‘Regulations’ or ‘Applicable Regulations’).
This Policy may change over time in order, in particular, to take into account changes in the Regulations or to indicate the adaptation of the Group's practices to technological developments. We recommend that you consult it regularly on the website.
This Policy applies to any person whose data is processed by the Group or a Group entity located in France or the European Union. Some subsidiaries may have their own policy, which may supplement these provisions.
La Poste Groupe complies with the data minimisation principle, in that it undertakes to collect only the data strictly necessary for the direct or indirect performance of the services subscribed to, when they require the of customers' personal data. If optional data is requested, the Group will provide clear information about the Personal Data essential for the performance of the service. The Group mainly collects Personal Data directly from you, and it is only used for the purposes that have been brought to your attention.
Where necessary, certain data processed by the Group may be collected indirectly from the following sources:
Customers, providing information on subscribers, beneficiaries, assignees, contacts, ;
Third parties, such as business partners, fraud prevention bodies, data providers, organisations (World Customs Organization, etc.) and members of the Universal Postal Union
Sources accessible to the public (data from publications/databases made accessible by official authorities, data from websites/social networks containing information made public by the person themselves, etc.);
Public administrations and authorities.
In the event of indirect collection, the Group will inform the data subjects in accordance with the conditions laid down in Article 14 of the GDPR. The main categories of Personal Data that may be collected include:
Identification data and contact details;
Data on personal life;
Login data related to the use of our online services or mobile applications;
Data on the habits and preferences of data subjects;
Data collected as part of your interaction with Group entities
In addition, some services may be used by minors. In this case, in the event of direct collection, the Group will ensure that the consent of minors is obtained from their legal representatives.
The purpose of processing corresponds to the objective pursued by the . The Group shall process the Personal Data that it collects or holds for specific, explicit and legitimate purposes, and not process it thereafter in a manner incompatible with those purposes.
The various legal bases on which the Group relies to process data, as well as the main purposes associated with them, are as follows:
Obtaining the consent of the data subject;
The performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
Compliance with legal and regulatory obligations;
The legitimate interests pursued by the Group;
The performance of a task carried out in the public interest or in the exercise of official authority vested in the Group.
You can view the complete list of the purposes of the processing as well as their legal basis and the retention periods for personal data resulting from the processing carried out by the Group by clicking on the following links:
- For processing concerning individual customers, click here.
- For processing concerning business customers, click here.
In general, the purposes, retention period and legal basis differ depending on the services and products concerned.
The Group may also act as a within the meaning of the GDPR. In this case, it shall comply with the obligations laid down in that respect by the applicable regulations as well as its contractual obligations towards the instructing party, in particular with regard to the purposes and legal bases determined by the Data Controller. The Group therefore only processes personal data upon documented instructions from the Data Controller.
o The Group’s partners, after your prior agreement;
o Other contracting parties, beneficiaries of the services, authorised assignees or any third party designated by customers or users of our services and/or products, by virtue of contractual relations;
o Public bodies, judicial officers, ministerial officers, lawyers, administrative or judicial authorities, in order to comply with any law or regulation in force, or to respond to any judicial or administrative request, as part of the Group’s compliance with its legal obligations or to enable it to defend its rights and interests;
o Mediators, and regulatory and supervisory authorities authorised to receive such data;
o Control departments such as the statutory auditors, auditors, customs and post offices of the countries to which you ship your goods.
The departments, divisions and business units making up the Group authorised to access this information;
The Group's subsidiaries
The Group's technical service providers, including its subcontractors, within the strict framework of the tasks entrusted to them;
The Group’s partners, after your prior agreement;
Other contracting parties, beneficiaries of the services, authorised assignees or any third party designated by customers or users of our services and/or products, by virtue of contractual relations;
Public bodies, judicial officers, ministerial officers, lawyers, administrative or judicial authorities, in order to comply with any law or regulation in force, or to respond to any judicial or administrative request, as part of the Group’s compliance with its legal obligations or to enable it to defend its rights and interests
Mediators, and regulatory and supervisory authorities authorised to receive such data;
Control departments such as the statutory auditors, auditors, customs and post offices of the countries to which you ship your goods
The retention period for Personal Data varies depending on its nature and the purpose of the processing concerned. When Personal Data is collected for several purposes, it is retained until the expiry of the longest retention period. The Group shall not retain Personal Data for longer than is necessary to provide these products or services.
The Group’s main retention periods for personal data are:
For the management of the customer and the products and services offered by the Group:
o Subscription and opening of a ‘Mon Compte La Poste’ account, management, compliance with legal and regulatory obligations related to account management: 3 years from the last login or from the date of account deletion, provided that no service associated with ‘Mon Compte La Poste’ is still active.
o Online purchasing management: 3 years from the last transaction.
o Management of delivery preferences: 5 years.
o Term of the contractual relationship.
For marketing: 3 years from the last contact with the potential customer or until consent is withdrawn
For recordings of telephone conversations as part of customer service: 6 months from the recording date.
For detecting, preventing and combatting fraud and cybercrime: 12 months from the date of the fraud alert.
For processing requests to exercise rights: 5 years for data relating to the processing of your requests and 1 year for proof of identity documents.
For accounting purposes: 10 years from the end of the current financial year.
At the end of these periods, the Group shall destroy it in accordance with its internal policy or anonymise it for statistical, archiving or historical purposes.
When the Group entity acts as a data processor, at the end of the service and as decided by the Data Controller provided for in the contract, it deletes or returns to the Data Controller the personal data it has processed on its behalf, subject to ongoing claims and legal and regulatory obligations.
The Personal Data processed by La Poste Groupe is hosted within the European Union (EU) or the European Economic Area (EEA). However, for certain specific services, certain Group entities may use data processors established outside the EU or EEA, some of which are located in countries not subject to an adequacy decision issued by the European Commission (e.g.: Morocco, India, Senegal, Tunisia, Mauritius, United States). These data processors perform operational tasks on behalf of the Group entity within the framework of the processing purposes determined by the entity concerned. These data processors may have access to the Personal Data strictly necessary for the performance of their tasks. In this case, in accordance with the regulations in force, the Group requires its data processors to provide the appropriate safeguards, in particular signing the standard contractual clauses of the European Commission and, where applicable, implementing additional measures or adopting Binding Corporate Rules.
La Poste Groupe shall take into account the protection of Personal Data and the privacy of data subjects from the design of the new products or services offered to them, and shall thus take all measures to ensure the security and confidentiality of Personal Data. In particular, the Group implements all technical and organisational measures to safeguard the security and confidentiality of the Personal Data collected and processed and, in particular, to prevent it from being distorted, damaged, destroyed or disclosed to unauthorised third parties, by ensuring a level of security appropriate to the risks related to the processing and the nature of the personal data to be protected. Under European regulations, these measures may include, among others, encryption, anonymisation, pseudonymisation, partitioning, or restrictions on data access.
In addition, the Group requires each recipient of Personal Data to comply with the appropriate security and confidentiality safeguards. In the event of a within the meaning of Article 4 of the GDPR affecting the Personal Data processed (destruction, loss, alteration or disclosure), the Group shall comply with the obligation to notify Personal Data breaches, in particular to the CNIL [the French Data Protection Authority], without undue delay and, where feasible, seventy-two (72) hours after becoming aware of any breach likely to result in a risk to rights and freedoms
When La Poste Groupe collects your Personal Data, you will receive, through information notices, clear and transparent information on the processing carried out as well as on your rights and how you can exercise them.
Under the regulations:
You have the right to access the personal data we hold about you. This includes the right to ask us for further information on:
- the categories of data we process
- the purposes of the data processing
- the recipients and categories of recipients to whom your data has been transmitted
- where possible, the retention period for the data or where this is not possible, the criteria for determining that period.
You have the right to ask us to rectify inaccurate or incomplete personal data about you.
You may object at any time, for reasons relating to your particular situation, to the processing of your personal data where it is based on our legitimate interest, unless those legitimate interests override your own interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defence of legal claims. We will also continue to use your personal data where we are required to do so by law or where we need to do so to perform a contractual obligation.
You may also, at any time, object to the processing of your personal data when that processing is carried out for marketing purposes electronically or by post, including when the processing concerned constitutes profiling.
You have the right to be ‘forgotten’ by us by exercising your right to erasure of your data, unless its retention is necessary for the Group’s compliance with a legal obligation, or to ensure the performance of an ongoing contract with you, enable the Group to exercise or defend its rights in court or for archiving, historical or scientific purposes.
You have the right to request that the processing of your Personal Data be suspended, in particular to dispute the accuracy of your Data or if you object to your data being processed.
You may request that your Personal Data be collected in a structured, commonly used and readable format in order to use it and transmit it to another data controller, provided that the exercise of this right does not infringe the rights of third parties whose data is transmitted following a request for portability.
You may give instructions on what should be done with your Personal Data after your death.
You may also withdraw your consent at any time, in cases where consent has been requested. In particular, this will allow you to change and/or withdraw your consent regarding marketing.
You may exercise your rights by providing proof of your identity, specifying at least your surname, first name and the product or service concerned.
For processing carried out by La Poste SA (parent company), fill in our form provided for this purpose by clicking here.
You may also exercise your rights by contacting: La Poste, BP 10245, 33506 Libourne Cedex
If you have a ‘Compte La Poste’ account, you can also amend your personal data by logging into ‘Mon Compte La Poste’, accessible on the laposte.fr website. For processing carried out by a Group subsidiary, contact the department indicated by each subsidiary. Its contact details are given in the information notices of the service that you have subscribed to or on the website of the subsidiary concerned in its .
When the Group acts as a data processor, it shall assist the Customer, as far as possible, in fulfilling its obligation to action the requests made by data subjects with a view to exercising their rights.
You can contact the Data Protection Officer at the following address: Le Délégué à la Protection des Données CP Y412 9 Rue du Colonel Pierre Avia 75015 PARIS If you consider, after contacting us, that your rights to your data have not been respected, you may send a complaint to the Commission Nationale de l’Informatique et des Libertés [French Data Protection Authority] (3 Place de Fontenoy, TSA 80715, 75334 Paris cedex 07; tel.: +33 (0)1 53 73 22 22).
Due to the constant diversification of its activities, La Poste Groupe is increasingly required to make use of artificial intelligence (AI). Therefore, as part of the implementation of certain tools or services, the processing of your personal data may involve the intervention of an artificial intelligence system (AIS).
However, we believe that it is essential:
firstly, that these practices comply with all the data protection principles detailed in this policy;
secondly, to always strive to assess, limit and above all control the impact that the use of AI can have on the processing of your data.
In this sense, La Poste Groupe makes the ethical use of artificial intelligence a priority, so that it always remains consistent with the value of trust that the Group holds.
In this respect, La Poste Groupe has adopted a specific ethical approach for any data processing involving an artificial intelligence system.