Privacy Policy

I- Purpose and scope of the privacy policy

Capitalized terms used in this General Privacy Policy (hereinafter the “Policy”) are defined in the Appendix “Definitions”.

A. Policy’s purpose

DPO Consulting attaches the utmost importance and care to the protection of privacy and personal data and to compliance with the relevant legal provisions in force.

This privacy policy (hereinafter the “Policy”) aims to provide simple, clear and complete information to individuals (“you”, “your”) about the processing of personal data concerning you and implemented by DPO Consulting in its capacity as data controller.

B. Scope of application

This policy covers data processing activities performed within the framework of:

  • The management of the website and the requests sent from the online forms on this website;
  • Sending the DPO Consulting newsletter
  • Recruitment of DPO Consulting staff
  • Management of clients, prospects, service providers and partners of DPO Consulting
  • Management of inter-company training courses organised by DPO Consulting

For all these data processing activities, DPO Consulting is the entity that determines the means and purposes and thus acts as data controller within the meaning of the applicable regulations on personal data and in particular EU Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereafter “GDPR”).

In this Policy, “DPO Consulting”, “we”, “us” and “our” refer to:

DPO Consulting, a simplified joint stock company with headquarters at 18 rue Pasquier, 75008 Paris, France, registered with the Paris Trade and Companies Register under number 817 754 138 and represented by Marine BROGLI in her capacity as President of DPO Consulting.

You can find all the information about DPO Consulting on our legal notice page.

Within the framework of its audit, outsourced DPO and intra-company training activities, DPO Consulting acts as a data processor within the meaning of the GDPR and only upon instructions from its clients, who act as data controllers. The implementation of the processing carried out within the framework of these activities is described in the Terms and Conditions and Sale of DPO Consulting or in the contract signed with the client and is not covered by this Policy.

II- General rules applicable to all data processing operations carried out by DPO Consulting

DPO Consulting ensures that the fundamental data protection principles are observed for each data processing operation. This section informs you about the general rules applicable to all data processing operations covered by this Policy. Section II details, for each data processing operation, the specific conditions and procedures for carrying out the operation.

A. Data minimization

Each form on the website limits the collection of Personal Data to that which is strictly necessary and indicates the purpose(s) of the collection of such Data as well as the Recipient(s) of the Data. The information required to manage your request is indicated by an asterisk on each form. If you do not fill in these mandatory fields, DPO Consulting will not be able to answer your requests and/or provide you with the requested services. Other information is optional and allows us to better manage your request and improve our communications and services to you.

For minimisation purposes and insofar as DPO Consulting’s activities are offered to professionals, the forms on the DPO Consulting website have been set to accept professional email addresses only (with the exception of the job application form). In other words, email addresses whose extension is that of a public email provider such as gmail, yahoo, hotmail, etc. will block the sending of the form; in this case, you are invited to send us an email at

B. Sharing Your Data with Third Parties and Transferring Your Data Outside the European Union

We never share your Personal Information with other companies for marketing purposes. Each section dedicated to a Processing operation details the internal Recipients who may access and process the Data concerned. The Data may be transmitted to technical service providers chosen for their expertise and reliability who act on our behalf and according to our instructions (IT subcontractor, host of our servers, etc.). We only allow these service providers to use your Personal Information to the extent necessary to perform services on our behalf or to comply with legal requirements and we endeavour to ensure that your Personal Information is protected at all times. DPO Consulting may also disclose your Data to Third Parties when such disclosure is required by law, regulation or court order, or if such disclosure is necessary to protect and defend our rights.

All such third parties may come from countries inside or outside the European Union (“EU”), including countries that do not offer the same level of data protection as your residence country. In such a case, the Data we collect when you use our platform or services may be transferred to other countries. This is for example the case if some of our service providers are located outside the European Economic Area. In the event of such a Transfer, we guarantee that it will be carried out:

  • To a country that provides an adequate level of protection, i.e. a level of protection equivalent to that required by European Regulations;
  • Within the framework of standard contractual clauses;
  • Within the framework of internal company rules.

C. Security of your data

DPO Consulting is committed to protecting your Personal Data from loss, destruction, alteration, unauthorised access or disclosure. To this end, DPO Consulting implements appropriate technical and organisational measures, with regard to the nature of the data and the risks involved in its processing, to preserve the security and confidentiality of your personal data and, in particular, to prevent it from being distorted, damaged or accessed by unauthorised third parties.

These measures may include, but are not limited to, practices such as limited access to data by staff of the services authorised to access it because of their functions, contractual guarantees in the event of recourse to an external provider, privacy impact assessments, regular reviews of our privacy practices and policies and/or physical and/or logical security measures (secure access, authentication process, backups, antivirus software, firewall, etc.).

D. Data concerning minors

DPO Consulting services are not intended for minors. Therefore, we do not knowingly collect or process personal data relating to minors. In the event that we become aware of the collection of personal data from minors without the prior consent of the holder of parental responsibility, we will take appropriate measures to delete such personal data from our servers and/or those of our providers.

III- Processings implemented by DPO Consulting

A. Management of DPO Consulting website and requests sent from online forms

When you browse the DPO Consulting website, you may need to:

  • Complete a response form to an actual recruitment
  • Request a quote
  • Download documents
  • Make a request for a brochure and/or information about a service

Within the framework of these activities, and on the basis of your consent that you express by accepting and submitting the contact request, DPO Consulting processes and stores the following personal data concerning you to respond to your contact request: the information provided on the form, namely your identity, your contact details and, where applicable, the content of the message, as well as any information communicated subsequently during our exchanges. These data are processed by the department concerned by your request for the time necessary to answer you.

Depending on your request and the content of our exchanges, the data thus collected may be used for other purposes such as managing a request for a quote or a registration for a training course; these data processing operations are then subject to the terms and conditions relating thereto.

We also inform you that we make anonymous statistics about the number of visitors to the DPO Consulting website, which do not allow us to identify you.

B. Processing(s) for promotion of DPO Consulting’s services and events

DPO Consulting collects and uses the Identification Data and business contact information of prospects and clients, including the Public Data available on the Internet, for the purpose of promoting the services and events of DPO Consulting. This Processing is based on the legitimate interest of DPO Consulting to promote its activities to professional profiles likely to be interested in the services and products of DPO Consulting. You may object to receiving our newsletter at any time and without justification, by clicking here or on the unsubscribe link integrated in the email or by notifying DPO Consulting directly via the contact means identified in section III.

The Data are processed and kept for this purpose by the sales department of DPO Consulting, subject to an unsubscribe request:

  • For prospects: for 3 years from the last contact
  • For clients: for the duration of the commercial relationship, then for 3 years from the end of the commercial relationship.

In the event of indirect collection of your data for marketing communication purposes, in particular of Public Data on the Internet, DPO Consulting will take care to inform you as of the first communication, and in any event in the month following the collection of the Data, of the envisaged use and of your possibility of objecting to the processing of your Data for commercial purposes.

C. Processing for prospect, customer, service provider and partner management purposes

DPO Consulting may also process personal data concerning you when:

  • You request a quote for audit, advice, outsourced DPO or training, via the form filled online or directly by phone;
  • Your company concludes a contract with DPO Consulting as a client, provider or partner.

In this context, DPO Consulting is going to collect information on:

  • The contact(s) indicated to DPO Consulting such as the contact indicated on the form, the main contact for the contract, the contact for invoices and any other contact (name, first name, business e-mail address, business telephone number, function), all information contained in the exchanges (nature of the request, etc.);
  • The signatory(ies) of the contract: surname, first name, function, signature.

This data is intended, where necessary, for employees responsible for monitoring the business relationship and/or partnership, accounting/invoicing and for employees of the departments involved in the request/contract.

They are collected and stored:

  • For quotation requests that do not result in the conclusion of a contract: the time required to study and follow up the request + one (1) year after the request is closed (or the last contact has taken place if applicable);
  • For contracts and in order to execute the contract: the duration of the contractual relationship;
  • In order to meet our legitimate interest in ensuring the protection and defence of our rights in the event of litigation, for five (5) years following the end of the contractual relationship.

Your contact details may also be used to send you the DPO Consulting Newsletter on DPO Consulting services and events. For more information, please see section B. “Processing for the purpose of promoting DPO Consulting services and events”.

D. Processing(s) carried out for recruitment purposes

DPO Consulting processes Personal Data concerning you when you submit an unsolicited application or when you apply to an advertisement posted by DPO Consulting (via the “Careers” area of the DPO Consulting website).

In this context, Personal Data about you is collected:

  • Directly from you during the recruitment process;
  • Indirectly from Third Parties for the verification of your diplomas and references, with your consent.

The Data collected are the following: surname, first name, email address, telephone number, professional experience as well as all the information that you communicate to us via the transmission of your application and/or your curriculum vitae and/or interviews: photo, skills, level of education, languages spoken, salary expectations, personal address, hobbies, family situation, etc.

If you give us the contact details of a reference, it is your responsibility to ensure that this person has been informed and has given you their agreement.

These Data are collected and kept only for the management of your application, on the basis of the legitimate interest of DPO Consulting and/or of your Consent, and are not used for any other purpose, in particular commercial purposes.

They are kept:

  • In the event of a positive outcome to an application: the Data relating to an employee are kept for the duration of their employment within DPO Consulting and, after their departure, for the applicable legal retention period;
  • In the event of negative outcome of an application: one (1) year, unless you object.

Your Personal Data will in any case be destroyed upon your request (see section on DPO contact details), within a maximum period of 1 month from your request.

These data are processed only by the staff in charge of recruitment within DPO Consulting and, incidentally, for technical and logistical reasons, by the data controllers of DPO Consulting.

E. Processing carried out for the purpose of managing inter-company training courses

DPO Consulting processes Personal Data concerning you when you register for a training course organised by DPO Consulting, via the online registration form or by telephone with the Training Department.

In this context, DPO Consulting will collect information relating to:

  • The trainees: surname, first name, e-mail and postal addresses, telephone number, level of knowledge in the field of personal data;
  • Company representatives (training and finance departments): surname, first name, title, e-mail and postal addresses, telephone number.

These Data are collected and processed by DPO Consulting’s training department in order to register the trainees for the training courses corresponding to their level of knowledge, to send them the training materials and to invoice the services.

They are kept for the duration of the training contract and, in order to meet our legitimate interest in ensuring the protection and defence of our rights in the event of litigation, for five (5) years following the end of the contractual relationship.

They are also used by the sales department in order to communicate on the services and events of DPO Consulting, under the conditions of section B.

IV- Exercise of your rights and contact details of our Data Protection Officer

In accordance with the regulations in force, you have a right of access and of correction of your personal data and the right to request the deletion (right to be forgotten), the right to oppose the processing of your personal data and the right to obtain the limitation or portability of your personal data to the extent that this is applicable, subject to urgent, legitimate grounds DPO Consulting may show to retain your Data.

With regard to personal data relating to your application, we invite you to keep your information up to date by notifying DPO Consulting.

In addition, you may at any time and without justification, request to no longer receive our newsletter and, more generally, our communications relating to our services, news and events by using the hyperlink provided for this purpose in each email we send you.

When you exercise your rights, our Data Protection Officer processes your personal data for the purposes of managing your request (title, surname, first name, copy of identity document, nature of the request, response provided). This data is kept for a period of three (3) years, with the exception of a copy of your identity document, which is kept for one (1) year.

For any information or exercise of your rights on the processing of personal data managed by DPO Consulting you can contact our Data Protection Officer (DPO):

  • By email at the following address:
  • By postal mail at the following address:

DPO Consulting
To the Data Protection Officer (DPO)
18 rue Pasquier
75008 PARIS

If there is reasonable doubt about the identity of the applicant, proof of identity may be requested.

You also have the right to complain to the Commission Nationale de l’Informatique et des Libertés (CNIL), 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07, about any complaint relating to the way in which DPO Consulting collects and processes your data.

V - Cookies management policy

Our website uses cookies.

A “cookie” is a small text file which can be registered on the user’s hard drive (computer, digital tablet, smartphone, etc.) while you are navigating on the website. A cookie allows its sender (us or any audience measurement supplier) to identify and recognise the terminal on which it is registered, during the whole validity or registration period of the cookie (13 months maximum).

Our website uses 3 types of cookies:

  • Internal cookies necessary for the functioning of the website: these cookies allow the website to function optimally. They allow you to navigate from one page to another. Their deposit is functional and essential for the total optimisation of the website. You cannot object to them.
  • Cookies to measure the audience: in order to adapt the website to the visitors’ requests, we measure the traffic on our website, in an anonymous way, via an analytical solution. This solution measures the number of unique visitors, the number of pages viewed, the country of origin of the connection to the website, the access service (live, via a search engine or a social network), the type of device used (computer, mobile or tablet), the most consulted and shared articles, as well as the time and date of visit. You can opt out of these cookies via our cookies banner on your first visit or by clicking on “revoke previously accepted cookies” at the bottom of your browser.
  • Advertising cookies: our social networks may place cookies in your browser to enable you to navigate from these networks to our website. You can object to these cookies by clicking on our cookies banner on your first visit or by clicking on “revoke previously accepted cookies” at the bottom of your browser.

We do not use cookies for commercial purposes such as retargeting. You can follow our offers and news by subscribing to our newsletter by clicking here.

Cookies can be set directly via your Internet browser and, depending on the type of browser used, can be systematically refused during navigation or authorised on a case-by-case basis.

A. Links to third-party websites

DPO Consulting’s website may contain links to social media platforms managed from third-party servers, by people or entities over which DPO Consulting has no control.

On this basis, DPO Consulting cannot be held responsible for the way your personal data are stored or used on the third party’s servers. We advise you to read the personal data protection policy applicable to each third-party website you visit in order to understand how your personal data will be used by such websites.

VI - Modifications of the present Policy

DPO Consulting may modify the data protection policy if needed. We will ensure that you are aware of any modification of this policy by special mention on the website, or by a personalised warning, for example by a special mention in the newsletter.


Consent: Any free, specific, informed and unambiguous expression of will by which the Data Subject accepts, by a declaration or by a clear positive act, that Personal Data concerning him or her may be processed.

Data Protection Officer (or “DPO”): The person appointed by DPO Consulting in charge of the protection of Personal Data within DPO Consulting and the compliance of DPO Consulting with the applicable Legislation.

Recipient: Natural or legal person, public authority, service or any other body that receives communication of Personal Data, whether or not it is a Third Party.

Personal Data/Data: Any information relating to a Data Subject including by reference to an identifier such as a name, identification number, ID card number, salary, health records, bank account information, driving or consumption habits, location Data, online identifier, etc. The term “Personal Data” includes sensitive Personal Data.

Sensitive Personal Data: Means Personal Data revealing or based on:

  • Racial or ethnic origin, political, religious or philosophical opinions
  • Membership of a trade union
  • Physical or mental health
  • Sexual orientation or sex life
  • Genetic and biometric Data
  • Data relating to criminal convictions, offences or related security measures.

Applicable legislation: The set of regulations relating to the protection of Personal Data and applicable to the processing of Personal Data carried out by DPO Consulting, namely European Regulation n°2016/679 on the protection of personal data (GDPR), the amended Data Processing and Freedoms law, and any other related regulation applicable to DPO Consulting.

Data Subject: A natural person who is the subject of Personal Data and who can be identified or identifiable, directly or indirectly, through that Personal Data. This includes former and current customers, prospects, and employees.

Controller: The natural or legal person who, individually or jointly, decides what Personal Data is collected, why and how it is collected and processed.

GDPR: Abbreviation of the European Regulation n°2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Processor: Any natural or legal person, Public Authority, agency or other body that processes Personal Data on behalf of the Controller and according to its instructions (e.g. contractors or suppliers).

Third party: Any natural or legal person, public authority, agency or other body other than the Data Subject, the Controller, the Processor and those persons who, under the direct authority of the Controller or the Processor, are entitled or authorised to process the Data.

Processing: Any operation or set of operations carried out or not by means of automated processes and applied to Personal Data, such as collecting, accessing, recording, copying, transferring, keeping, storing, cross-referencing, modifying, structuring, making available, communicating, recording, destroying, whether automatically, semi-automatically or otherwise. This list is not exhaustive.

Transfer of Data: Any communication, copying or movement of Data over a network, or any communication, copying or movement of such Data from one medium to another, irrespective of that medium, of Personal Data to a country outside the European Union or to an international organisation which is or is intended to be Processed after such Transfer.