Data Protection Policy

Information on the processing of personal data

Article 1: Preface

Protection of personal data is one of our major concerns. Our privacy policy falls within a legal context defined by the European Data Protection Regulation (EU Regulation 2016/679 of 27 April 2016), applicable since 25 May 2018 and the French Data Protection Act No 78-17 of 6 January 1978, as amended, relating to data processing, files and freedoms.

The purpose of this data protection policy is therefore to present you with:

  • The personal data controller
  • How your data is collected and processed. Personal data is data allowing a natural person to be identified
  • Your rights regarding the use of your personal data
  • The recipients to whom your data is transmitted
  • The website’s cookie management policy

This privacy policy is complementary to the legal notices on the website

Article 2: Glossary

Personal Data is any information relating to an identified or identifiable person, that is to say allowing them to be identified directly (e.g. surname and first name) or indirectly (e.g. cookies).
Data Processing is any operation or set of operations (automated or not) applied to personal data or sets of data, such as for example: collection, recording, organisation, storage, transmission of data, etc.
The Data Controller determines the purposes (the objectives of the processing) and the means of processing.
The Data Processor processes personal data on behalf of the Data Controller and under its instructions.

Article 3: General principles

In accordance with the provisions of Article 5 of the General Data Protection Regulation (GDPR), the collection and processing of your personal data complies with the following principles:

  • Legality, loyalty and transparency: the collection and processing of personal data can only take place on a legal basis defined beforehand (performance of a contract, legal obligation, consent, legitimate interest, preservation of vital interests)
  • Limited purposes: the collection and processing of personal data can only be carried out to meet one or more defined objectives
  • Minimisation of data collection and processing: only the data strictly necessary for the proper execution of the objectives pursued will be collected
  • Data retention limited in time: the data controller is obliged to define retention periods concerning the personal data processed
  • Integrity and confidentiality of the data collected and processed: the data controller undertakes to guarantee the integrity and confidentiality of the data collected.

Article 4: Data controller and processor

As data controller, the VECTORYS GROUP undertakes to comply with the obligations arising from the Regulation and the amended Data Protection Act concerning the collection and processing of personal data. In accordance with Article 32 of the GDPR, we implement all technical and organisational measures to ensure the protection of your personal data.

As data processor, the VECTORYS Group undertakes to process the customer’s personal data only insofar as this proves necessary for the performance of the contract entered into. VECTORYS FRANCE undertakes to follow the written instructions of the customer, in accordance with Article 28 of the GDPR.

Article 5: Personal data collected and processed: what data?

In accordance with the principle of minimisation, we only collect the data necessary to carry out our missions. To this end, and in the context of our international freight transport and logistics activity, the VECTORYS GROUP is likely to collect and process the following information:

As part of the management of disputes and claims, we may be required to know sensitive data such as medical data (work stoppages, work accidents), disability, judicial data (criminal record) and the social security number, in particular concerning our staff.

Being aware of the level of sensitivity of this information, we are committed to guaranteeing you a maximum level of confidentiality, and we also commit to complying with our legal and regulatory obligations. All the data collected is therefore strictly necessary for the accomplishment of the mission you have entrusted to us.

Article 6: Personal data collected and processed: for what reason?

In all of these situations, VECTORYS FRANCE acts as “Data Controller” within the meaning of the GDPR.

As part of our mission of international freight transport and logistics, we can manage the customs obligations of our customers, and transport your customers’ freight on your behalf. In such cases, the VECTORYS GROUP acts as a “processor” on behalf of its customers:

As a data processor, the VECTORYS GROUP complies with its processing obligations in accordance with the recommendations of the French data protection authority CNIL.

Article 7: Personal data: who has access to your personal?

The VECTORYS GROUP undertakes to transmit your personal data only to internally authorised persons and authorised third parties, such as the tax, customs or economic administrative authorities, the judicial, police or gendarmerie authorities, or the social action and health administrative authorities.

The VECTORYS GROUP may possibly transmit your personal data to subcontractors for the hosting and management of its database, for the hosting of its website, or to carry out accounting assignments (accounting firm for example), consulting assignments (law firms), or customs services. The use of these service providers is necessary for the proper performance of our services. We are committed to verifying and guaranteeing compliance with the GDPR and the amended Data Protection Act. The use of these service providers is necessary for the proper performance of our services. We are committed to verifying and guaranteeing compliance with the GDPR and the amended Data Protection Act.

Apart from the recipients mentioned above, our subsidiaries, carriers, shipping companies, drivers or freight forwarders of our customers, the VECTORYS GROUP undertakes not to transmit your personal data to third parties or external bodies without your express consent.

The VECTORYS GROUP does not and will not make any sale, transfer or communication of your personal data to unauthorised third parties.

The VECTORYS GROUP does not use any automated decision based on your personal data. No profiling is carried out during processing, and the data we collect will never be used without human intervention.

Article 8: Your rights

8.1 Your rights

In accordance with the regulations in force, you have the following rights concerning your personal data:

8.2 The DPO
The VECTORYS GROUP has appointed a Data Protection Officer (DPO). In order to exercise your rights, you can therefore contact our Data Protection Officer (DPO) at the following address:

ZA La Palun
Or by email at the following address:

8.3 Complaint to the CNIL
You can lodge a complaint at any time with the competent authority, namely the French data protection authority (Commission National de l’Informatique et des Libertés – CNIL), via the following link:

Article 9: Security measures

The VECTORYS GROUP is responsible for the security of personal data, which it undertakes to process in a secure manner, and only for the time necessary to achieve the purpose pursued.
The VECTORYS GROUP has put in place technical and organisational measures to ensure an adequate level of data protection in relation to the nature and purpose of the processing.
To this end, in accordance with Article 32 of the GDPR relating to the security of processing, the VECTORYS GROUP has put in place:

  • The means to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The means to restore the availability of data and access to it within an appropriate time frame in the event of a physical or technical incident;
  • A procedure for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.

Nevertheless, the obligation of security remains an obligation of means, that is to say that we make every effort to guarantee the confidentiality and integrity of your personal data.

All persons with access to your personal data have been made aware of best data protection practices. They are bound by an obligation of confidentiality, and are liable to disciplinary action in the event of non-compliance with this provision.

Article 10: Data transfers outside of the European Union

As part of our activity, and to manage your requests, we may be required to transfer data outside of the European Union, in particular to host your data in our service provider’s Data Centre in SWITZERLAND, or to exchange information about you with our subsidiaries in Tunisia and Morocco. However, before any transmission of your personal data, we carry out checks of the applicable rules on data transfers outside of the European Union. As such, SWITZERLAND has been the subject of an adequacy decision by the European Union, and is therefore declared to provide a level of protection equivalent to the GDPR.

Article 11: Cookies

As for most websites, our website uses cookies which can be classified into four categories

If you do not wish to be tracked, we recommended that you refuse them by default via the cookie management banner that we have set up on our website.

In our cookie policy, you can also find the procedure to follow to accept, customise or refuse cookies by expressing your choice using the banner that appears at the bottom of your screen.

Article 12: Updates to the Data Protection Policy

This personal data protection policy is subject to change.

The last update was made on 08/06/2022