We follow the 6 steps from the special file of the CNIL (Commission Nationale Informatique & Libertés). To know :
- Designate a driver
- Map the processing of personal data
- Prioritize actions
- Manage risks
- Organize internal processes
- Document compliance
A data protection compliance management program has been developed for several weeks. For this purpose, a data protection officer has been appointed.
To contact him:firstname.lastname@example.org
What personal data does we advocacy use (mapping)?
To function, we advocacy requires the following personal data:
- Directory data:
- First name (optional)
- Lastname (optional)
- Title or function of the employee in the company (optional)
- The employee’s work landline number (optional)
- The employee’s work cell phone number (optional)
- The address(es) of the company’s sites (optional)
- The company groups the user belongs to (optional)
The directory data is:
- Either taken from the G SUITE profile if the company is on G Suite and updated daily in we advocacy
- Either from the Office 365 profile if the company is on Office 365 and updated daily in we advocacy
- Either imported from a csv file in other cases and updated manually by the administrator of the we advocacy application.
Usage data for external communication (signatures and banners)
- The current signature template(s) assigned to the user
- The banner campaign(s) assigned to the user
- Reporting data on each campaign: number of views, number of clicks and click-through rate
- In certain cases (email messages under Gmail), the company also has the possibility of setting up tracking of clicks on the banners which will be relayed by its employees. In this case, additional data is stored: Emails of the recipients who clicked on the banner and the email of the sender who sent the email containing the banner.
Usage data for internal communication
- The notification campaign(s) assigned to the user
- Reporting data on each campaign:
- Has the user seen the campaign?(optional)
- Did the user click on the campaign?(optional)
- Did the user like the video(optional)
Where is the data stored?
The infrastructure on which we advocacy is based is hosted in Google data centers. The location of data centers depends on the location of customers.
- The European customersare on the data centers of theEuropean plate.The data is thereforestored in Europe.
- Customers Americans are on the plateAmerican. The data is thereforestored in the United States
What are the data retention periods?
The data collected is only kept for the time the service is used.
- All user data is deleted when the user is removed from the we advocacy solution
- All data is automatically deleted when the application is uninstalled from the domain (account closure)
How did we advocacy comply with the GDPR?
In accordance with GDPR regulations, each user has the possibility to:
- Modify your personal and professional data via the we advocacy application
- Request the export of your personal data by contacting us by email email@example.com
We also planned different purge modules to allow you todelete all data linked to one or more users.
Finally, we have put in place a “security” framework:
- Raising awareness among our teams about data protection and security issues.
- Commitment to confidentiality of our employees and service providers
- Compliance of our Google Cloud infrastructures with requirementsGDPR, (Infrastructure security AndGoogle Cloud Platform Security)
- a. Encryption of our databases: we use Google encryption.
- b. Anonymization of data not necessary for processing
- c. Increased access management (systematic and periodic reviews)
- d. Monitoring and detection of possible vulnerabilities
- e. Deletion of personal data in compliance with European regulations
- f. Secure development taking into account good security practices and the protection of personal data (anonymized or fictitious test data)
- g. Implementation of processes with our clients for reporting alerts or incidents
What were the commitments made bywe advocacy ?
- We only process the data entrusted to usfor specific purposes and with the aim to provide the service for which our customers have subscribed
- We act on instructions from our clients
- We guarantee confidentiality and data integrity
- Our service providers and subcontractors are required to respect the obligations and instructions of our customers
- We collaborate with our clients so that they can meet these obligations, particularly in terms of exercising the rights of the persons concerned or carrying out an impact analysis.
- We ensure the security of the data entrusted
- We are committed to implementing the reversibility of the data entrusted
- We formalize and provide our customers with all the documentation necessary to demonstrate compliance with our obligations.
- We ensure that the access levels and rights granted to our employees depend on their position and role. Our employees have access to information and only that which is essential to the exercise of their function.
What are your commitments as a customer of the we advocacy application?
- As a customer, you are responsible for controlling the personal data of your employees that you provide to we advocacy in the context of the use of our services. Your data controllers must of course define the purposes of personal data and their processing methods.
- You are also responsible for putting in place adequate technical and organizational measures to ensure and prove that the data is processed in accordance with the GDPR. These obligations relate to the principles of legality, fairness, transparency, restriction of purposes, minimization and accuracy of data as well as respect for the rights of data subjects with regard to their data.
- As a customer, you are responsible for processing the personal data of your employees, provided to we advocacy in the context of the use of our services. We advocacy is only a subcontractor of this personal data. It is your responsibility to respect all of your obligations regarding the protection of the personal data of your employees, and in particular to inform them of the processing of personal data by the application.