Personal data and security
Verified 13 July 2022 - Directorate for Legal and Administrative Information (Prime Minister)
The technical platform of service-public.fr was the subject of extensive preparatory work with the CNIL (Commission nationale de l'Informatique et des Libertés) in order to offer users all the guarantees regarding the security and confidentiality of their data.
The service-public.fr platform is hosted on a site whose premises and access to operating machines are controlled. Data flows and personal data are encrypted to prevent attempts to misuse information. Access to the platform is maintained in order to ensure its traceability.
The Directorate of Legal and Administrative Information (DILA), represented by its director Anne Duclos-Grisier, is responsible for the processing of personal data for the website service-public.fr.
The DILA coordinates are as follows:
26 rue Desaix, 75727 Paris cedex 15
Tel. Standard: 01 40 58 75 00
The DILA undertakes to ensure that the processing of personal data carried out on service-public.fr complies with the General Data Protection Regulation (GDPR) and the Data Protection Act.
As part of the provision of online service, the DILA transmits the information collected to the partner administrations competent to instruct the steps carried out via service-public.fr.
The data can to some extent be made accessible to the providers (subcontractors within the meaning of the regulations) of the DILA under its control, for the strict needs and within the limits of their missions. These subcontractors are subject to an obligation of confidentiality and may only use the personal data in accordance with the applicable law and the contractual provisions specifically concluded.
As the controller, DILA undertakes to take all necessary measures to guarantee the security and confidentiality of the information provided by the user. It undertakes not to market any information and documents transmitted by the user through the service-public.fr website, and not to communicate them to third parties, except in cases provided by law, in particular, in case of judicial requisition.
The DILA implements the processing of personal data, on the basis of the public interest tasks entrusted to it, for the following purposes:
- The creation and management of a personal account;
- Provide online storage for the public;
- Simplify the administrative procedures and formalities carried out by the public by making online services available to them, and ensure their traceability and follow-up;
- Respond to the public on any administrative questions or procedures via a contact form;
- Make the Administration's directory available to the public;
- Ensure the proper functioning of the site and improve your browsing experience.
DILA issues a public information letter based on the consent of its subscribers.
The data collected in the context of the implementation of each of the purposes described above are limited to what is strictly necessary.
The categories of data that may be processed according to the purpose pursued are:
- Data relating to the identification of the person;
- Data necessary to complete an administrative formality;
- Data relating to navigation on websites (timestamp, IP address of users, etc.)
- Data relating to the audience measurement of the site.
The DILA undertakes that your data will be kept for a period that does not exceed that necessary for the purposes for which they are processed.
- The data necessary for the creation of the account and its management and the data recorded in the personal storage space are kept for as long as the account is active.
- The data needed to carry out an administrative procedure shall be kept until the request has been forwarded to the partner administration responsible for examining the request.
- The data collected via the contact form is kept for five years.
- The data disseminated in the directory shall be kept for as long as the public official concerned is in post.
- Log data is kept for 1 year.
- The data necessary for the production of statistics on the audience and use of online services are kept for 25 months in a format that does not allow the identification of individuals by their IP address, and include an identifier (relating to the cookie) kept for a maximum period of 6 months unless the data subject objects.
You can access and obtain copies of your data, object to the processing of this data, have it rectified if it is inaccurate or have it erased in specific cases. You also have the right to limit the processing of your data and the right to withdraw your consent for the future at any time, if it was used as a legal basis for the processing of your data.
You can exercise your rights or obtain information concerning the processing of your personal data directly from the controller by email at the following address: email@example.com.
If the user is not satisfied with the answer, he or she can then contact the data protection officer of the Prime Minister's Office by e-mail at the following address: firstname.lastname@example.org and by mail to:
Prime Minister's Office
To the Data Protection Officer (DPO)
56 rue de Varenne
We invite you to include with your application any document justifying your identity and the validity of your application.
In any case, the user also has the right to lodge a complaint or complaint with the National Commission of Informatics and Freedoms via the following address: https://www.cnil.fr/fr/plaintes
Technical cookies strictly necessary for the operation of the website
Audience measurement cookies
Our site uses audience measurement cookies. Some of these cookies are strictly necessary for the operation and day-to-day administration of the site.
Our site also uses audience measurement cookies that go beyond these purposes, and allow us to improve the user experience of browsing our site. As these cookies are not strictly necessary, they are subject to your consent during your first visit on service-public.fr. You can change your choice at any time by going to the “Cookie Management” page.
Third-party cookies to improve site interactivity
The service-public.fr website relies on certain services provided by third parties that allow:
- viewing multimedia content;
- display information flows from social networks;
*A “cookie” is a collection of information, usually small and identified by name, that can be transmitted to your browser by a website on which the user connects. The web browser of the user will keep it for a certain period of time, and will send it back to the web server each time the user reconnects to it.
To access the cookie management page, you must activate java script in your browser, then click on "cookie management" at the bottom of the page.
The service-public.fr website is protected by an electronic certificate, materialized for the vast majority of browsers by a lock.
This protection contributes to the confidentiality of exchanges, but also allows users to ensure the authenticity of the site with regard to possible attempts at phishing:
Under no circumstances will the services associated with service-public.fr initiate e-mails to request the entry of personal information. In particular, the password which remains under the exclusive control of the users. Only and in certain circumstances identifiable by the user, legitimate emails could be sent to him for information purposes or to invite him to continue an electronic process.
When connecting to the service-public.fr website, it is recommended to copy or manually enter the reticular address (URL) in the browser, and to avoid clicking on links that would have been received by email or that would be accessible from non-reputable sites.
The certificate that serves the site complies with the requirements of the General Safety Repository (GSR) and is issued by a qualified Electronic Certification Provider (ECSP). The list of qualified providers is available at:
Choose your password
To protect your access and data, it is necessary to choose and use strong passwords, which are difficult to find using automated tools and to guess by a third party. The strength of a password depends on its length and the characters that make it up. The website service-public.fr requires at least 8 characters, including at least one upper case letter, at least one lower case letter and at least one digit
For your information, you can refer to the recommendations of the National Commission on Informatics and Freedoms (CNIL)
Protect your authentication methods
In order not to compromise the security of your authentication means and your environment of use, it is recommended to:
- Never ask a third party to create a password for you;
- Change your password regularly;
- Avoid configuring software, including your web browser, to retain passwords;
- Do not send passwords in plain text over the Internet, such as personal e-mail;
- Do not write down or store passwords in an open source file or document, or on a computer device connected to the Internet;
- Navigate with an up-to-date browser. Before using any browser, it should be ensured that it is up to date as soon as possible. The latest browsers all offer automatic updating and anti-malware features, such as phishing. What is true in terms of updating for a browser is also true for the operating system and the software that is settled to it.
A practical solution to meet these requirements with a minimum of comfort is to use a software vault of the Keepass type to store passwords: http://www.ssi.gouv.fr/entreprise/certification_cspn/keepass-version-2-10-portable/
Consult the infographic of the National Agency for Information System Security "Good Reflexes on the Internet": http://www.ssi.gouv.fr/uploads/2016/06/surfezzen_mini.jpg
Detecting a malicious email on the advice of the CNIL:
Threats on the Internet
In addition to the security focus, here are some key Internet threats to watch out for:
- Malicious code: PCs used to access the personal space must be protected (anti-virus and updated security patches) against malicious code to ensure legitimacy of account access. The main risk on service-public.fr would be the hacking of its password.
- Threading: the site could be copied with the simple objective of attracting users to log in and retrieve their passwords. For service- public.fr, an electronic certificate issued by a recognized authority in browsers and qualified within the meaning of the General Safety Repository, allows users and their browser to verify the legitimacy of the site to which they access.
- Spam: Sending unsolicited emails (SPAM) would be the main vehicle to encourage users to authenticate on illegitimate sites (phishing) or infect their computers via malicious links or attachments.
- Order No. 2005-1516 of 8 December 2005 on electronic exchanges between users and administrative authorities and between administrative authorities.
- Decree No. 2016-186 of 24 February 2016 amending Decree No. 2009-730 of 18 June 2009 on online accessible storage space pursuant to Article 7 of Ordinance No. 2005-1516 of 8 December 2005 on electronic exchanges between users and administrative authorities and between administrative authorities.
- Order of 6 November 2000 on the creation of a website entitled ‘service-public.fr’.
- Order of 24 February 2016 integrating into the ‘service-public.fr’ website an online service enabling the user to complete all or part of the paperless administrative procedures and to have access to personalized information services.
- Deliberation No. 2015-411 of 12 November 2015 delivering an opinion on a draft decree on the implementation of processing of personal data incorporated in the service-public.fr system to enable, at a unified access point for the user, all or part of the paperless administrative procedures to be carried out and personalized information services to be provided (request for an opinion No 1878256).