Data protection policy

La Poste S.A. (hereinafter “La Poste”) places the protection of personal data at the heart of its missions and the services it offers you.

This Policy illustrates La Poste's commitment to respecting fundamental rights and freedoms, privacy and the protection of personal data. La Poste ensures that your Personal Data is processed fairly, lawfully and transparently.

This Policy sets out the principles and guidelines for the protection of your Personal Data and aims to inform you about the Personal Data collected and the reasons for this collection, the way in which this Personal Data is used and your rights with regard to your Personal Data when you use the merchant site www.francestampphilatelystore.laposte.fr (hereinafter “the Site”).

All operations on your Personal Data are carried out in compliance with the regulations in force and in particular with the General Data Protection (hereinafter “GDPR”), Law no. 78-17 “Informatique, Fichiers et Libertés” of January 6, 1978, as amended, and its implementing decrees (hereinafter “the Regulations” or “the Applicable Regulations”).

This Policy may change over time, in particular to take account of changes in the Regulations or La Poste’s adaptation to technological developments.

We recommend that you regularly consult it on the site.

1. WHO IS CONCERNED BY THIS DATA PROTECTION POLICY?

This Policy applies to all natural persons using the Site, whether private customers or prospective customers.

2. WHAT PERSONAL DATA DO WE COLLECT AND HOW DO WE OBTAIN IT?

La Poste respects the principle of data minimization, in that it undertakes to collect only the data strictly necessary for the direct or indirect provision of the services subscribed to, where these require the processing of customers' personal data.

In the event that optional data is requested, La Poste will clearly inform you of the Personal Data that is essential for the provision of the service.

Personal Data is mainly collected directly from you by La Poste and is only used for the purposes for which you have been informed.

Certain data processed by La Poste may, where necessary, be collected indirectly from the following sources:

- Either from customers, specifying information on subscribers, beneficiaries, contacts, recipients ;

- Third parties, such as business partners, other La Poste entities, fraud prevention organizations, data suppliers, organizations (World Customs Organization, etc.) and members of the Universal Postal Union;

- Publicly accessible sources (data from publications/databases made accessible by official authorities, data from websites/social networks containing information made public by the individual him/herself, etc.);

- Or from public administrations and authorities.

In the event of indirect collection, La Poste undertakes to inform the persons concerned in compliance with the conditions laid down in Article 14 of the GDPR.

The main categories of Personal Data likely to be collected are :

- Identification and contact data: surname, first name(s), postal address, e-mail address, telephone numbers;

- Connection data linked to the use of our online services: IP address, identification and authentication data for your connected areas, logs, cookies, website navigation data.

You can consult our cookie policy for more information on how we use cookies: francestampphilatelystore.laposte.fr/fr/politique-cookies

- Data relating to the habits and preferences of the persons concerned: as a result of the use of products and services subscribed to or interactions with La Poste ;

- Data collected as part of your interactions with La Poste.

3. WHY AND ON WHAT LEGAL BASIS DO WE COLLECT YOUR PERSONAL DATA?

The purpose of processing is the objective pursued by the Data Controller. La Poste undertakes to process the Personal Data it collects or holds about you for specific, explicit and legitimate purposes, and not to process it further in a way that is incompatible with these purposes.

La Poste uses Personal Data to enable you to place orders on the Site.

This information also enables us to get to know you better and to send you personalized offers on our products and those of our partners, subject to your consent when required.

The use of Cookies enables us to improve the Site's performance.

The various legal bases on which La Poste processes your data, as well as the main purposes associated with them, are as follows:

- The consent of the person concerned: for example, in the case of newsletter subscriptions, or in the case of canvassing of private individuals by electronic means (e-mail, SMS) for products that are not similar to those already subscribed to.

- The performance of a contract to which the data subject is a party, or the performance of pre-contractual measures taken at the data subject's request: for example, to manage your online product purchases, or your complaints about order tracking.

- Compliance with legal and regulatory obligations: for example, to handle disputes before the judicial authorities, to monitor and keep accounts, and to process your requests to exercise your rights.

- The legitimate interests pursued by La Poste: for example, to improve overall product quality, to carry out commercial prospecting operations that do not require your consent, or to combat fraud and cybercrime.

The legal bases and retention periods associated with each purpose for processing your personal data are described below:

4. TO WHICH DEPARTMENTS OR COMPANIES IS YOUR PERSONAL DATA COMMUNICATED?

Where La Poste is the data controller, the Personal Data you provide to La Poste may be passed on to the following recipients:

- Recipients internal to La Poste Groupe :

- La Poste departments, divisions and business units authorized to access this information;

- La Poste subsidiaries;

- External recipients outside La Poste :

- La Poste's technical service providers including their subcontractors, within the strict framework of the missions entrusted to them (where applicable, data is transmitted to our subcontractors under the conditions prescribed by Article 28 of the GDPR);

- La Poste's partners;

- Public bodies, court officers; ministerial officers, lawyers, administrative or judicial authorities, in order to comply with any law or regulation in force, or to respond to any judicial or administrative request, as part of compliance with the legal obligations incumbent on La Poste or to enable La Poste to ensure the defense of its rights and interests ;

- mediators, supervisory and control authorities authorized to receive such data.

-Control services such as statutory auditors and auditors, customs and postal authorities of the countries to which you send your goods.

5. HOW LONG IS YOUR PERSONAL DATA KEPT?

The length of time Personal Data is kept varies according to its nature and the purpose for which it is processed. When Personal Data is collected for several purposes, it is retained until the longest retention period has expired. La Poste undertakes not to retain your Personal Data beyond the time required to order products.

La Poste's main data retention periods are as follows:

For customer and product management purposes

- Management of online purchases: 3 years from the last transaction;

- Duration of the contractual relationship

For commercial prospecting: 3 years from the last contact with the prospect or until withdrawal of consent.

For detecting, preventing and combating fraud and cybercrime: 12 months from the date of the fraud alert.

For processing requests to exercise rights: 5 years for data relating to the processing of your requests, and 1 year for supporting identity documents.

For accounting purposes: 10 years from the end of the current financial year.

At the end of these periods, La Poste either destroys the data in accordance with its internal policy, or anonymizes it for statistical, archival or historical purposes.

6. CAN YOUR PERSONAL DATA BE TRANSFERRED OUTSIDE THE EU?

Personal Data processed by La Poste is hosted within the European Union (EU) or the European Economic Area (EEA). However, for certain specific services, La Poste may use subcontractors established outside the EU or the EEA, some of whom are located in countries that are not subject to an adequacy decision issued by the European Commission (e.g. Morocco, India, Senegal, Tunisia, Mauritius). These subcontractors perform operational tasks on behalf of La Poste or its subsidiaries in connection with the processing purposes described above. These subcontractors may have access to Personal Data strictly necessary for the performance of their tasks. In this case, in accordance with the regulations in force, La Poste requires its subcontractors to provide appropriate guarantees, in particular by signing the European Commission's standard contractual clauses and, where applicable, implementing additional measures or adopting Binding Corporate Rules.

7. HOW DOES LA POSTE PROTECT YOUR PERSONAL DATA?

La Poste undertakes to take into account the protection of your Personal Data and your privacy right from the design stage of new products offered to you, and to take all measures to ensure the security and confidentiality of Personal Data. In particular, La Poste implements all technical and organizational measures to guarantee the security and confidentiality of the Personal Data collected and processed, and in particular to prevent it from being distorted, damaged, destroyed or communicated to unauthorized third parties, by ensuring a level of security appropriate to the risks associated with the processing and the nature of the personal data to be protected. In accordance with European regulations, these measures may include encryption, anonymization, pseudonymization, compartmentalization or restricting access to data.

In addition, in the event of a personal data breach within the meaning of Article 4 of the GDPR affecting your Personal Data (destruction, loss, alteration or disclosure), La Poste undertakes to comply with the obligation to notify Personal Data breaches, in particular to the CNIL, as soon as possible and, as far as possible seventy-two (72) hours after becoming aware of any breach likely to give rise to a risk to your rights and freedoms.

8. WHAT RIGHTS DO YOU HAVE TO YOUR PERSONAL DATA AND HOW CAN YOU EXERCISE THEM?

You have the right to access the personal data we hold about you;

This includes the right to ask us for further information about:

- the categories of data we process

- the purposes of data processing

- the recipients and categories of recipient to whom your data has been transmitted

- where possible, the length of time your data will be kept, or where this is not possible, the criteria for determining this length of time.

You have the right to ask us to correct inaccurate or incomplete personal data concerning you;

You may object at any time to our use of your Personal Data;

You have the right to be “forgotten” by us by exercising your right to erasure of your data;

You have the right to request the suspension of the processing of your Personal Data;

You can ask for your Personal Data to be recovered in a structured, commonly used and readable format so that you can dispose of it and pass it on to another data controller;

You have the right to give instructions concerning the fate of your Personal Data after your death;

You may also withdraw your consent at any time, in cases where it has been requested. This will allow you to modify and/or withdraw your consent to commercial prospecting.

You can exercise your rights by proving your identity and specifying your surname, first name and the product concerned.

You can send your requests either :

- by e-mail to: contact-fsps.philaposte@laposte.fr

- or via the contact section of the Site.

9. HOW TO CONTACT THE DATA PROTECTION OFFICER APPOINTED BY LA POSTE GROUP?

You can contact the Data Protection Officer at the following address:

Le Délégué à la Protection des Données

CP Y412

9 rue du Colonel Pierre Avia

75015 PARIS

FRANCE

If, after contacting us, you feel that your rights with regard to your data have not been respected, you may submit a complaint to the Commission Nationale de l'Informatique et des Libertés (3 place de Fontenoy - TSA 80715 - 75334 Paris cedex 07; tel.: +33 1 53 73 22 22 - charges invoiced by the local operator may apply).

You may also submit a complaint to your supervisory authority, under Article 56(2) of the GDPR, “each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of [the GDPR], if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State”.

10. LA POSTE'S COMMITMENT TO ARTIFICIAL INTELLIGENCE

As a result of the constant diversification of its activities, La Poste is increasingly required to make use of artificial intelligence (AI). As a result, in the context of the implementation of certain tools or services, the processing of your personal data is likely to involve the intervention of an artificial intelligence system (AIS).

However, we believe it is essential that:

- on the one hand, that these practices respect all the data protection principles detailed in this policy ;

- on the other hand, to always strive to measure, limit and above all control the impact that the use of AI may have on the processing of your data.

In this sense, La Poste makes the ethical use of artificial intelligence a priority, so that it always remains consistent with the values of trust that it upholds.

With this in mind, La Poste has adopted a specific ethical approach to any data processing involving an artificial intelligence system.

GLOSSARY

“Personal Data” means any information relating to an identified or identifiable natural person.

“Recipient": Refers to the department, company or organization that receives communication and may access your Personal Data.

“La Poste": Refers to La Poste SA.

“Groupe La Poste": Refers to La Poste SA and its subsidiaries.

“CNIL” : Refers to the French ‘lead’ authority is the French supervisory authority called the “Commission Nationale de l’Informatique et des Libertés” (CNIL).

“Privacy and Personal Data Protection Policy” and ‘Policy’: Refers to this Policy describing the measures taken for the processing, use and management of your Personal Data and your rights as a data subject.

“Data Controller": Refers to the entity of La Poste group that carries out the processing of your Personal Data.

“Processing": Refers to any operation or set of operations applied to your Personal Data.

“Personal Data Breach": Refers to a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to your Personal Data.

“Sub-processor": Refers to any natural or legal person, public authority, department or other organization that processes Personal Data on behalf of the data controller.