Privacy policy

DPO Consulting attaches the utmost importance and care to the protection of privacy and personal data and to compliance with the relevant legal provisions in force.

This privacy policy (hereinafter the “Policy”) aims to provide simple, clear and complete information to individuals (“you”, “your”) about the processing of personal data concerning you and implemented by DPO Consulting in its capacity as data controller.

This policy covers data processing activities performed within the framework of:

• The management of the website https://mydposolution.com and the requests sent from the online forms on this website
• The management of clients, prospects, service providers and partners of DPO Consulting
• The management of our myDPO Solution at https://app.mydposolution.com and its demo version at https://mydpo-demo.com/

For all these data processing activities, DPO Consulting is the entity that determines the means and purposes and thus acts as data controller within the meaning of the applicable regulations on personal data and in particular EU Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereafter “GDPR”).

In this Policy, “DPO Consulting”, “we”, “us” and “our” refer to :

DPO Consulting, a simplified joint stock company with registered office at 1-3 rue de Caumartin, 75009 Paris, France, registered in the Paris Trade and Companies Register under number 817 754 138 and represented by Marine BROGLI in its capacity as President of DPO Consulting.

You can find all information about DPO Consulting on our legal notice page.

Within the framework of its audit, outsourced DPO and intra-companies training activities, DPO Consulting acts as a data processor within the meaning of the GDPR and only upon instructions from its clients, who act as data controllers. The implementation of the processing carried out within the framework of these activities are described in the Terms and Conditions and Sale of DPO Consulting or in the contract signed with the client and are not covered by this Policy.

The processing operations related to the websites www.dpo-consulting.com and www.dpo-consulting.fr are also subject to separate policies and are not covered by this Policy.

2. General rules applicable to all data processing operations carried out by DPO Consulting

DPO Consulting ensures that the fundamental data protection principles are observed for each data processing operation. This section informs you about the general rules applicable to all data processing operations covered by this Policy. Section II details, for each data processing operation, the specific conditions and procedures for carrying out the operation.

a. Data minimisation

Each form on the website limits the collection of personal data to what is strictly necessary and indicates the purpose(s) for which the data is collected as well as the recipient(s) of the data.

The information required to manage your request is indicated by an asterisk on each form. If you do not fill in these mandatory fields, DPO Consulting will not be able to answer your requests and/or provide you with the requested services. Other information is optional and allows us to better manage your request and improve our communications and services to you.

b. Sharing your data with third parties and transferring your data outside the European Union

We never share your personal information with other companies for direct marketing purposes.

Each section dedicated to a data processing operation details the internal recipients responsible for accessing and processing the data concerned. The data may be transmitted to technical service providers chosen for their expertise and reliability who act on our behalf and according to our instructions (IT subcontractor, host of our servers, etc.).

We allow these providers to use your personal data only to the extent necessary to perform services on our behalf or to comply with legal requirements and we strive to ensure that your personal data is always protected.

DPO Consulting may also disclose your data to third parties when such disclosure is required by law, regulation or court order, or if such disclosure is necessary to protect and defend our rights.

All such third parties may come from countries inside or outside the European Union (“EU”), including countries that do not offer the same level of data protection as your country of residence. In such a case and to the extent required by applicable law, we will ensure that:

• either to obtain your express and unambiguous consent to share your personal data with these third parties;
• or to conclude data transfer contracts complying at least with the standard contractual clauses adopted by the European Commission;
• or to ensure that these third parties located in the United States are companies that have joined the EU-U.S. Privacy Shield and registered as such with the US administration.

c. Security of your data

DPO Consulting is committed to protecting your personal data from loss, destruction, alteration, unauthorised access or disclosure. To this end, DPO Consulting implements appropriate technical and organisational measures, with regard to the nature of the data and the risks involved in its processing, to preserve the security and confidentiality of your personal data and, in particular, to prevent it from being distorted, damaged or accessed by unauthorised third parties.

These measures may include, but are not limited to, practices such as limited access to data by staff of the services authorised to access it because of their functions, contractual guarantees in the event of recourse to an external provider, privacy impact assessments, regular reviews of our privacy practices and policies and/or physical and/or logical security measures (secure access, authentication process, backups, antivirus software, firewall, etc.).

d. Data concerning minors

DPO Consulting services are not intended for minors. Therefore, we do not knowingly collect or process personal data relating to minors. In the event that we become aware of the collection of personal data from minors without the prior consent of the holder of parental responsibility, we will take appropriate measures to delete such personal data from our servers and/or those of our providers.

2. Data processing implemented by DPO Consulting

a. Management of the mydposolution.com website and requests sent from online forms

When you browse the mydposolution.com website, you may need to make a contact request via the “Contact us” or “Contact” form. This same form is also used when you click on “Support” at the bottom of the myDPO application.

Within the framework of these activities, and on the basis of your consent that you express by accepting and submitting the contact request, DPO Consulting processes and stores the following personal data concerning you to respond to your contact request: the information provided on the form, namely your identity, your contact details and, where applicable, the content of the message, as well as any information communicated subsequently during our exchanges. These data are processed by the department concerned by your request for the time necessary to answer you.

Depending on your request and the content of our exchanges, the data thus collected may be used for other purposes such as managing a request for a quote or a registration for a training course; these data processing operations are then subject to the terms and conditions relating thereto.

We also inform you that we make anonymous statistics about the number of visitors to the mydposolution.com website, which do not allow us to identify you.

b. Processing for prospect, customer, service provider and partner management purposes

DPO Consulting may also process personal data concerning you when:

• You request a quote for the myDPO solution via the online form on the website or directly by telephone with the commercial department;
• Your company concludes a contract with DPO Consulting as a client, service provider or partner.
• Your company concludes an online contract on the basis of one of the offers on the website to access the myDPO solution

In this context, DPO Consulting will collect information on:

• the contact(s) indicated to DPO Consulting such as the contact indicated on the form, the main contact for the contract, the contact for invoices and any other contact (name, first name, business e-mail address, business telephone number, function), all information contained in the exchanges (nature of the request, etc.);
• the signatory(ies) of the contract: surname, first name, function, signature.

This data is intended, where necessary, for employees responsible for monitoring the business relationship and/or partnership, accounting/invoicing and for employees of the departments involved in the request/contract.

They are collected and stored:

• For quotation requests that do not result in the conclusion of a contract: the time required to study and follow up the request + one (1) year after the request is closed (or the last contact has taken place if applicable)
• For contracts and in order to execute the contract: the duration of the contractual relationship
• In order to meet our legitimate interest in ensuring the protection and defence of our rights in the event of litigation, for five (5) years following the end of the contractual relationship.

As part of the payment of the order, the customer is redirected to the payment intermediary of DPO Consulting, namely the Société Générale, which collects and processes the data collected necessary for payment in its capacity as data controller, in compliance with its own policy relating to the protection of personal data.  In order to organise payment, DPO Consulting only transmits the following data to the Société Générale: transaction reference, order number, merchant identifier and only receives acknowledgement of payment from the Société Générale.

c. Processing performed for the purposes of managing the myDPO Solution and client and/or associated user accounts

As the publisher of myDPO solution, DPO Consulting processes the personal data entered into myDPO. In this context, DPO Consulting acts as a processor of the clients using the solution and processes personal data for the following purposes:

• The creation and technical management of the user account(s);
• The management of the solution and the security of its information system;
• Information request management;
• The management of requests for access to personal data, requests for deletion, rectification, portability of personal data, as well as requests for limitation and opposition to the processing of personal data;
• The management of the data provided by the client in the context of the execution of the Services by DPO Consulting.

The provision of personal data by the user is necessary for the execution of the contract concluded with the cient, under whose authority the user is placed. The user is therefore obliged to provide his/her personal data. Otherwise, the user will not be able to use and access the myDPO solution, in particular because a user account cannot be created for his/her benefit.

Personal data collected and used by DPO Consulting are only kept for a period of five (5) years after the termination of the Contract between DPO Consulting and the Client, for proof purposes.

DPO Consulting is committed to protecting Users’ personal data from loss, destruction, alteration, unauthorised access or disclosure.

3. Exercise of your rights and contact details of our Data Protection Officer

In accordance with the regulations in force, you have a right of access and of correction of your personal data and the right to request the deletion (right to be forgotten), the right to oppose the processing of your personal data and the right to obtain the limitation or portability of your personal data to the extent that this is applicable, subject to urgent, legitimate grounds DPO Consulting may show to retain your Data.

When you exercise your rights, our Data Protection Officer processes your personal data for the purposes of managing your request (title, surname, first name, copy of identity document, nature of the request, response provided). This data is kept for a period of three (3) years, with the exception of a copy of your identity document, which is kept for one (1) year.

For any information or exercise of your rights on the processing of personal data managed by DPO Consulting, you can contact our Data Protection Officer (DPO) by accompanying your request with a copy of an identity document bearing your signature (identity card, passport):

• By email at: dpo@dpo-consulting.com
• By postal mail at:

DPO Consulting

A l’attention du délégué à la protection des données (DPO)

1-3 rue de Caumartin

75009 PARIS

You also have the right to complain to the Commission Nationale de l’Informatique et des Libertés (CNIL), 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07, about any complaint relating to the way in which DPO Consulting collects and processes your data.

4. List of subcontractors (data processors)

DPO Consulting is particularly attentive to the choice of the subcontractors to whom your personal data are entrusted in order to ensure a high level of security of the information systems as well as their respect of the legal provisions in force, in particular as regards the protection of personal data.