Personal data policy

Personal data protection policy of the "Colissimo Box" website

  1. Who processes your personal data?

  2. What personal data is processed by our services?

  3. Why do we process your personal data?

  4. How long is your personal data stored?

  5. How is your personal data protected?

  6. With whom is your personal data shared?

  7. Is your personal data transferred outside the European Union?

  8. What are your rights and how can you exercise them? 

  9. How can I contact our Data Protection Officer (DPO)? 

  10. Table of different processing operations

1.    Who processes your personal data?

La Poste-Colissimo places the protection of your personal data at the heart of its concerns.
This privacy policy sets out the principles and guidelines for the protection of your personal data and aims to inform you about: 

  • What personal data we collect and why we collect it,
  • How your personal data is processed,
  • Your rights with regard to your personal data.

We undertake to comply with the regulations in force regarding the processing of personal data and in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter "RGPD") as well as any applicable national regulations (hereinafter "the Regulations").

2.    What personal data is processed by the Colissimo Box services?

Poste-Colissimo undertakes to collect from its customers or visitors only the data strictly necessary for the direct or indirect provision of the services offered on the Colissimo Box website. 
La Poste-Colissimo mainly processes personal data that it collects directly from its customers or visitors, such as :

  • Identification data: surname, first name, postal address, e-mail address, telephone numbers, etc.
  • Connection data: IP address, logs, browsing data, etc.

The personal data used on this site is that which is collected or displayed via :

  • The various forms made available to customers or visitors. 
  • The secure colissimo customer area, which includes franking tools, tracking, consumables, invoicing data, etc.).
  • Colissimo company contracts.

3.    Why do we process your personal data?

We undertake to process your personal data for specified, explicit and legitimate purposes and not to process it further in a way incompatible with those purposes.

Legal basis:

Each processing operation carried out on the Colissimo Box website, in its capacity as Data Controller, is based on one of the legal grounds provided for by the regulations in force, namely:

  • The performance of a contract to which the data subject is a party, or the performance of pre-contractual measures taken at the data subject's request,
  • Compliance with legal and regulatory obligations to which the Company is subject,
  • Safeguarding the vital interests of the data subject or of another natural person,
  • the performance of a task in the public interest,
  • The legitimate interests pursued by the Company in the context of respect for the interests, freedoms and fundamental rights of the person concerned,
  • And/or to obtain the consent of the person concerned for one or more specific purposes.

Purposes:

We process your personal data in particular for the following purposes and on the legal basis set out in the table below.

  • Manage the commercial relationship between customers and La Poste-Colissimo.
  • Enable customers and visitors to contact the corporate customer service department.
  • Manage the address book of customer references.
  • Allow customers to file complaints about parcels (parcel tracking tool).
  • Allow users of the same customer account to connect to their secure company portal. 
  • Allow customers to track the dispatch of their parcels.
  • Produce statistics and satisfaction surveys.
  • Carry out commercial prospecting.
  • Enable customers and visitors to communicate via instant messaging (iadvize chat).

4.    How long is your personal data kept?

The length of time we keep your personal data depends on the products and services subscribed to and the processing of personal data carried out by the Colissimo Box website. We undertake not to retain your personal data beyond the period necessary for the provision of these products or services in accordance with your contract.

Some of your personal data may be kept for longer periods in application of specific legal or regulatory provisions, or to respond to requests from authorities or authorised third parties.

Personal data which, by virtue of its use for various processes, is subject to several retention periods, is subject to the longest retention period.

Except in the cases mentioned above, the retention of any personal data is limited by the sole purpose(s) for which it is processed, unless you are informed otherwise.

At the end of these periods, we destroy the data in accordance with our internal policy or render it anonymous, in order to use it for statistical purposes.

5.    How is your personal data protected? 

In accordance with the regulations in force, we undertake to implement all appropriate technical and organisational measures to guarantee your personal data a level of security that is appropriate and proportionate to the risk. These measures (e.g. partitioning, anonymisation, encryption, access restriction, etc.) aim to guarantee the confidentiality, integrity, availability and resilience of your personal data.

The Colissimo Box website undertakes to take into account the protection of your personal data and privacy from the design stage of new products or services offered to you. To ensure security and guarantee that your rights are respected and properly exercised, measures are taken to protect your personal data.

As the data controller, we notify the competent supervisory authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), of any personal data breach as soon as possible and, as far as possible, seventy-two (72) hours after becoming aware of any personal data breach likely to pose a risk to your rights and freedoms. You will be notified as soon as possible of any breach of your personal data likely to pose a high risk to your rights and freedoms, in accordance with the regulations in force.

6.    With whom is your personal data shared?

Your personal data is collected directly from you and is only used for the purposes of which you have been informed.

Your personal data may be communicated to the following recipients in particular, for the purposes set out above:

  • To any subsidiaries of the Company and the Group to which it belongs, to internal departments: the departments responsible for providing the services you have subscribed to, in particular Customer Services, the Sales Department, the Information Systems Department, etc.
  • Subcontractors, partners or service providers who carry out services on your behalf or on our behalf,
  • To commercial partners, after informing you in advance and allowing you to express your choices by ticking a box,
  • To authorised administrative or judicial authorities or, more generally, to any authorised third party (lawyers, auditors, etc.), in order to comply with our legal or regulatory obligations.

7.    Is your personal data transferred outside the European Union?

We process all your Personal Data within the European Union (EU).

However, for certain specific services, La Poste group may use subcontractors established outside the EU or the EEA. These subcontractors may have access to personal data that is strictly necessary for the performance of their tasks. 
In this case, in accordance with the regulations in force, La Poste group requires its subcontractors to provide the appropriate guarantees, in particular the signing of standard contractual clauses by the European Commission or the adoption by the latter of Binding Corporate Rules.

8.    What are your rights and how can you exercise them?

When we collect your personal data, you will receive clear and transparent information on the processing carried out and on how to exercise your rights. According to the regulations, you have the right to exercise your rights provided you meet the conditions.

These rights are:

  • the right to access the personal data we hold about you. 
    This includes the right to ask us for further information about : 
    • the categories of data we process
    • the purposes for which we process the data
    • the recipients and categories of recipients to whom your data has been transmitted,
  • the length of time we will keep your data where possible, or where this is not possible the criteria for determining this length of time;
  • the right to have us correct inaccurate or incomplete Personal Data concerning you;
  • the right to object at any time to our use of your Personal Data; 
  • the right to be "forgotten" by us by exercising your right to erasure of your Personal Data; 
  • the right to request the suspension of the processing of your Personal Data (right to limitation);
  • the right to request that your Personal Data be retrieved in a structured, commonly used and readable format so that you may have access to it and transmit it to another data controller (right to portability); 
  • the right to provide instructions on what should happen to your personal data after your death;
  • the right to withdraw your consent at any time, in cases where it has been requested. In particular, this will allow you to modify and/or withdraw your consent to commercial prospecting.

All requests must include your surname, first name and the address to which you wish to receive a reply. You must provide proof of your identity. If there is any doubt about your identity, you may be asked to provide proof of identity (a copy of both sides). It will be kept for as long as it takes to process your request, and will then be permanently deleted.

These rights may be exercised by contacting us :

The Company undertakes to respond to your requests to exercise your rights as quickly as possible and in any event within the legal time limits.

If, after contacting us, you feel that your rights with regard to your data have not been respected, you may submit a complaint to the Commission Nationale de l'Informatique et des Libertés (CNIL):

CNIL - 3 place de Fontenoy - TSA 80715 - 75334 Paris Cedex 07 - France
Or by telephone: 01 53 73 22 22.

9.    How can I contact our Data Protection Officer (DPO)?

La Poste Groupe, the group to which our Company belongs, has appointed a Data Protection Officer (DPO) with the CNIL.

You can contact the Data Protection Officer at the following address

Le Délégué à la Protection des Données
CP CY412
9 rue du Colonel Pierre Avia
75015 PARIS

10.    Table of different treatments

Processing

 Purpose

Storage life

Legal status
Availability of the Colissimo Box

-Access to the Colissimo Box service and the secure customer area.

-Keep you informed of developments in your account and changes to our offers.

-Respond to your requests via the contact form or other forms made available to you. 

-Manage the address book of customer references in the Coliship franking tool.

-Enable customers to track the dispatch of their parcels via the tracking tool.

Duration of the contractual relationship

Duration of the contractual relationship

1 year

Six months at the end of the commercial relationship

14 months

 Performance of the Entreprise Colissimo contract
Marketing research and satisfaction surveys Marketing studies carried out by Colissimo (satisfaction surveys, surveys on offers, etc.), with business customers and customers receiving parcels. Duration of the study Legitimate interest
Managing unpaid bills and disputes Handling of recoveries and litigation before the judicial authorities. 5 years from termination of the contract and in the event of proceedings, limitation period Performance of the contract
Sales prospecting

-Carrying out commercial canvassing and marketing operations by electronic means or by post (advertising messages, competitions, sponsorship, all promotional operations, surveys, loyalty campaigns, etc.).

-Analysing your data, in particular to personalise the products and services we offer according to your profile, to send you messages, personalised or otherwise, concerning our products or services.

 3 years from the end of the commercial relationship or until the right to object is exercised Legitimate interest of the body responsible (the Company, Group subsidiaries or partners).
General and subsidiary accounting

-Monitoring and keeping accounts in accordance with legal obligations.

-Keeping invoices and other compulsory documents relating to transactions in accordance with our obligations.

View invoices online for 1 year.

Requesting invoices from technical support for 3 years.

The current financial year, plus ten (10) years from the end of the financial year.

 Legal obligation
Cookie management Management of cookies, tags, tracers, etc.
Computer traces to detect security incidents and improve service quality.

Data will be kept for a maximum of 13 months

Until consent is changed

 Legitimate interest
Consent (for cookies requiring it)
Management of requests to exercise rights Processing your requests to exercise your rights.

Data relating to the processing of requests: 5 years from the date of the reply sent to the person concerned 

Identity documents kept as evidence: 1 year

 Legal obligation
iadvize chat management

Allow customers and visitors to use instant messaging 

Track your browsing in real time on our site (not saved) and preview your messages (not saved).

 The chat conversation and its processing data are kept for 3 years for the public part and 1 year for customers who already have an account in the customer area. Legitimate interest
We collect and keep a record of chat conversations in order to provide you with the best possible support and to improve our products and services.
Sending notifications Notification for a parcel subject to customs control to inform you that an important piece of information is missing from a document in order to ensure customs clearance of your parcel. 6 years from the date your parcel is picked up in the La Poste network Legal obligation