Privacy policy

DPO Consulting attaches the utmost importance and care to the protection of privacy and personal data and to compliance with the relevant legal provisions in force.

This privacy policy (hereinafter the “Policy”) aims to provide simple, clear and complete information to individuals (“you”, “your”) about the processing of personal data concerning you and implemented by DPO Consulting in its capacity as data controller.

This policy covers data processing activities performed within the framework of:

For all these data processing activities, DPO Consulting is the entity that determines the means and purposes and thus acts as data controller within the meaning of the applicable regulations on personal data and in particular EU Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereafter “GDPR”).

In this Policy, “DPO Consulting”, “we”, “us” and “our” refer to:

DPO Consulting, a simplified joint stock company with registered office at 18 rue Pasquier, 75008 Paris, France, registered in the Paris Trade and Companies Register under number 817 754 138 and represented by Marine BROGLI in its capacity as President of DPO Consulting.

You can find all information about DPO Consulting on our legal notice page.

Within the framework of its audit, outsourced DPO and intra-company training activities, DPO Consulting acts as a data processor within the meaning of the GDPR and only upon instructions from its clients, who act as data controllers. The implementation of the processing carried out within the framework of these activities is described in the Terms and Conditions of Sale of DPO Consulting or in the contract signed with the client and is not covered by this Policy.

The processing operations related to the websites and are also subject to separate policies and are not covered by this Policy.

1. General rules applicable to all data processing operations carried out by DPO Consulting

DPO Consulting ensures that the fundamental data protection principles are observed for each data processing operation. This section informs you about the general rules applicable to all data processing operations covered by this Policy. Section II details, for each data processing operation, the specific conditions and procedures for carrying out the operation.

a. Data minimisation

Each form on the website limits the collection of personal data to what is strictly necessary and indicates the purpose(s) for which the data is collected as well as the recipient(s) of the data.

The information required to manage your request is indicated by an asterisk on each form. If you do not fill in these mandatory fields, DPO Consulting will not be able to answer your requests and/or provide you with the requested services. Other information is optional and allows us to better manage your request and improve our communications and services to you.

b. Sharing your data with third parties and transferring your data outside the European Union

We never share your personal information with other companies for direct marketing purposes.

Each section dedicated to a data processing operation details the internal recipients responsible for accessing and processing the data concerned. The data may be transmitted to technical service providers chosen for their expertise and reliability who act on our behalf and according to our instructions (IT subcontractor, host of our servers, etc.).

We allow these providers to use your personal data only to the extent necessary to perform services on our behalf or to comply with legal requirements and we strive to ensure that your personal data is always protected.

DPO Consulting may also disclose your data to third parties when such disclosure is required by law, regulation or court order, or if such disclosure is necessary to protect and defend our rights.

All such third parties may come from countries inside or outside the European Union (“EU”), including countries that do not offer the same level of data protection as your country of residence. In such a case and to the extent required by applicable law, we will:

  • either obtain your express and unambiguous consent to share your personal data with these third parties;
  • or conclude data transfer contracts complying at least with the standard contractual clauses adopted by the European Commission;
  • or ensure that these third parties located in the United States are companies that have joined the EU-U.S. Privacy Shield and registered as such with the US administration.

c. Security of your data

DPO Consulting is committed to protecting your personal data from loss, destruction, alteration, unauthorised access or disclosure. To this end, DPO Consulting implements appropriate technical and organisational measures, with regard to the nature of the data and the risks involved in its processing, to preserve the security and confidentiality of your personal data and, in particular, to prevent it from being distorted, damaged or accessed by unauthorised third parties.

These measures may include, but are not limited to, practices such as limited access to data by staff of the services authorised to access it because of their functions, contractual guarantees in the event of recourse to an external provider, privacy impact assessments, regular reviews of our privacy practices and policies and/or physical and/or logical security measures (secure access, authentication process, backups, antivirus software, firewall, etc.).

d. Data concerning minors

DPO Consulting services are not intended for minors. Therefore, we do not knowingly collect or process personal data relating to minors. In the event that we become aware of the collection of personal data from minors without the prior consent of the holder of parental responsibility, we will take appropriate measures to delete such personal data from our servers and/or those of our providers.

2. Data processing implemented by DPO Consulting

a. Management of the website and requests sent from online forms

When you browse the website, you may need to make a contact request via the “Contact us” or “Contact” form. This same form is also used when you click on “Support” at the bottom of the myDPO application.

Within the framework of these activities, and on the basis of your consent that you express by accepting and submitting the contact request, DPO Consulting processes and stores the following personal data concerning you to respond to your contact request: the information provided on the form, namely your identity, your contact details and, where applicable, the content of the message, as well as any information communicated subsequently during our exchanges. These data are processed by the department concerned by your request for the time necessary to answer you.

Depending on your request and the content of our exchanges, the data thus collected may be used for other purposes such as managing a request for a quote or a registration for a training course; these data processing operations are then subject to the terms and conditions relating thereto.

We also inform you that we make anonymous statistics about the number of visitors to the website, which do not allow us to identify you.

b. Processing for prospect, customer, service provider and partner management purposes

DPO Consulting may also process personal data concerning you when:

  • You request a quote for the myDPO solution via the online form on the website or directly by telephone with the commercial department;
  • Your company concludes a contract with DPO Consulting as a client, service provider or partner;
  • Your company concludes an online contract on the basis of one of the offers on the website to access the myDPO solution.

In this context, DPO Consulting will collect information on:

  • the contact(s) indicated to DPO Consulting such as the contact indicated on the form, the main contact for the contract, the contact for invoices and any other contact (name, first name, business e-mail address, business telephone number, function), all information contained in the exchanges (nature of the request, etc.);
  • the signatory(ies) of the contract: surname, first name, function, signature.

This data is intended, where necessary, for employees responsible for monitoring the business relationship and/or partnership, accounting/invoicing and for employees of the departments involved in the request/contract.

They are collected and stored:

  • For quotation requests that do not result in the conclusion of a contract: the time required to study and follow up the request + one (1) year after the request is closed (or the last contact has taken place if applicable)
  • For contracts and in order to execute the contract: the duration of the contractual relationship
  • In order to meet our legitimate interest in ensuring the protection and defence of our rights in the event of litigation, for five (5) years following the end of the contractual relationship.

As part of the payment of the order, the customer is redirected to the payment intermediary of DPO Consulting, namely the Société Générale, which collects and processes the data necessary for payment in its capacity as data controller, in compliance with its own policy relating to the protection of personal data. In order to organise payment, DPO Consulting only transmits the following data to the Société Générale: transaction reference, order number, merchant identifier, and only receives acknowledgement of payment from the Société Générale.

c. Processing performed for the purposes of managing the myDPO Solution and client and/or associated user accounts

As the publisher of myDPO solution, DPO Consulting processes the personal data entered into myDPO. In this context, DPO Consulting acts as a processor of the clients using the solution and processes personal data for the following purposes:

  • The creation and technical management of the user account(s);
  • The management of the solution and the security of its information system;
  • Information request management;
  • The management of requests for access to personal data, requests for deletion, rectification, portability of personal data, as well as requests for limitation and opposition to the processing of personal data;
  • The management of the data provided by the client in the context of the execution of the Services by DPO Consulting.

The provision of personal data by the user is necessary for the execution of the contract concluded with the client, under whose authority the user is placed. The user is therefore obliged to provide his/her personal data. Otherwise, the user will not be able to use and access the myDPO solution, in particular because a user account cannot be created for his/her benefit.

Personal data collected and used by DPO Consulting are only kept for a period of five (5) years after the termination of the Contract between DPO Consulting and the Client, for proof purposes.

DPO Consulting is committed to protecting Users’ personal data from loss, destruction, alteration, unauthorised access or disclosure.

3. Exercise of your rights and contact details of our Data Protection Officer

In accordance with the regulations in force, you have a right of access and of correction of your personal data and the right to request the deletion (right to be forgotten), the right to oppose the processing of your personal data and the right to obtain the limitation or portability of your personal data to the extent that this is applicable, subject to urgent, legitimate grounds DPO Consulting may show to retain your Data.

When you exercise your rights, our Data Protection Officer processes your personal data for the purposes of managing your request (title, surname, first name, copy of identity document, nature of the request, response provided). This data is kept for a period of three (3) years, with the exception of a copy of your identity document, which is kept for one (1) year.

For any information or exercise of your rights on the processing of personal data managed by DPO Consulting, you can contact our Data Protection Officer (DPO) by accompanying your request with a copy of an identity document bearing your signature (identity card, passport):

DPO Consulting

For the attention of the Data Protection Officer (DPO)

18 rue Pasquier
75008 PARIS

You also have the right to lodge a complaint with the Commission Nationale de l’Informatique et des Libertés (CNIL), 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07, regarding the way in which DPO Consulting collects and processes your data.

4. List of subcontractors (data processors)

DPO Consulting is particularly attentive to the choice of the subcontractors to whom your personal data are entrusted in order to ensure a high level of security of the information systems as well as their respect of the legal provisions in force, in particular as regards the protection of personal data.

Subcontractor | Activity | Data hosting
OVH – 2 rue Kellerman – 59100 ROUBAIX

Website hosting

Privacy policy available at the following address:

Google Cloud Platform – 1600 Amphitheatre Pkwy, Mountain View, CA 94043, United States

myDPO Solution application hosting

Privacy policy available at the following address:

MongoDB – 229 W 43rd Street – 5th Floor – New York, NY 10036 – United States

myDPO Solution application database hosting

Privacy policy available at the following address:

Belgium – #6 – 8 Tirgoņu iela Rīga, Latvia, LV-1050 – Latvia

Instant messaging with the myDPO customer support from the myDPO Solution application

Privacy policy available at the following address:

European Union
Société Générale – 29 Boulevard Haussmann – 75009 Paris

For the e-commerce part of the website, processing of the basket data for the purpose of making payments to DPO Consulting

Privacy policy available at the following address:

Zoho Corporation – 4141 Hacienda Drive – Pleasanton, California 94588, USA

Customer support ticket management for the myDPO Solution application

Privacy policy available at the following address:

European Union
MailJet – 13-13 bis, rue de l’Aubrac – 75012 Paris

Sending of the administration emails for the myDPO Solution application

Privacy policy available at the following address:

Cecurity – 75 rue Saint-Lazare – 75009 Paris

Electronic safe management of the Accountability module of myDPO Solution

Privacy policy available at the following address:


5. Information on cookies management

Our website uses cookies.

A “cookie” is a small text file that may be recorded in a dedicated space of the disk drive of your terminal (computer, tablet, smartphone, etc.) when you consult the Website. A cookie allows its issuer (us or our audience measurement providers) to identify and recognize the terminal on which it is recorded, for the entire period of the cookie’s validity or recording (max 13 months).

When browsing the DPO Consulting website, you can decide on the cookie management banner whether or not to allow cookies to be stored on your computer. If you choose not to use cookies, you may be deprived of certain features on the site.

The website uses the following cookies:

Name of the cookie | Purpose | Data retention period
SERVERID31394 | Cookie for processing the MySQL requests by the shared OVH servers | 1 hour
cookie_notice_accepted | Allows us to check that the information notice concerning cookies has been read and accepted | expires at the end of the session
festi_cart_for_woocommerce_storage | For the e-commerce part, contains information on the basket and its modifications | expires at the end of the session
pll_language | Defines the language in which the pages are translated | 1 day
woocommerce_cart_hash | For the e-commerce part, contains information on the basket and its modifications | expires at the end of the session
woocommerce_items_in_cart | For the e-commerce part, contains information on the basket and its modifications | expires at the end of the session
wp_woocommerce_session_ | For the e-commerce part, allows WooCommerce to link the user to his/her cart | expires at the end of the session

The myDPO solution at and its demo version at use the following cookies:

Name of the cookie | Purpose | Data retention period
TawkConnectionTime | Support via instant messaging | expires at the end of the session
__cfduid | Support via instant messaging | expires at the end of the session
__tawkuuid | Support via instant messaging | 180 days

We collect and store only information related to traffic on the website, anonymously, via an analytical solution: the number of unique visitors, the number of pages viewed, the country of origin of the connection to the website, the service that provided access (live, through a search engine or a social network), the type of device used (computer, mobile or tablet), the most viewed and shared articles and the time and date of attendance.

The setting of cookies can be made directly via your Internet browser and, depending on the type of browser used, allows the choice of systematically refusing cookies during browsing or their authorisation on a case-by-case basis. To learn more about the configuration to follow, consult the dedicated page on the CNIL website (

6. Links to third-party websites

The DPO Consulting website may contain links to social media platforms managed on third-party servers by persons or organisations over which the company has no control.

As such, DPO Consulting can in no way be held responsible for the way your data will be stored or used on third-party servers. We advise you to read the applicable privacy policy of each third party website to which you will access via our website in order to assess how your personal data will be used.

7. Changes to this Policy

DPO Consulting may modify this privacy policy from time to time. We will make sure that you are informed of these changes either by a special mention on our website or by a personalised warning in particular within the framework of our sending of newsletters.

Last update: October 26th, 2018