GDPR: Frequently Asked Questions (and Answers)

We continue the cycle started with the GDPR: 5 Things You Must Know Before May 2018. For today’s article, we have collected the questions that we hear the most often from our clients when it comes to GDPR. Below you can find a summary of mentioned questions followed by the answers.

What is GDPR and how the final version of the Regulation will look like?
How does SALESmanago prepare for changes that will be introduced next year? Do you already have any solutions/mechanisms that will allow us to maintain our cooperation in accordance with the law and maybe expand it with new tools?
Will the company using SALESmanago have to obtain additional customer consent to forward their data to SALESmanago?
Who is responsible, I as a company using the system, or SALESmanago?
How do we deal with new regulations? Will anything change in the way we use the platform? How will the changes affect the databases/contacts that clients have in the system?
Will the appearance of the pop-up window and other forms change? Will double opt-in practice still apply?
Is the use of SALESmanago 100% legal?
GDPR will require the consent to monitor contacts. What will happen to the existing behavioral profiles? Will it be possible to continue using this data, or will I have to delete it?
What happens when the contact hits the “unsubscribe” button in a mailing? Does this mean that you have to completely remove their data from the database?
Do I have to fill out some documents?
Do you have any model documents?
How will the inspection work and what will I have to demonstrate?

Question #1 – What is GDPR and how the final version of the Regulation will look like?

GDPR is REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

The final version of GDPR is available here: https://publications.europa.eu/en/publication-detail/-/publication/3e485e15-11bd-11e6-ba9a-01aa75ed71a1/language-en

Question #2 – How does SALESmanago prepare for changes that will be introduced next year? Do you already have any solutions/mechanisms that will allow us to maintain our cooperation in accordance with the law and maybe expand it with new tools?

SALESmanago as a data-processing company implements procedures in line with GDPR, including, for example the procedure of user management and access (record of authorized persons), register of personal data processing operations, monitoring and response policy to data protection breaches, incident register, backup management policy, applied security standards. The system will allow performing new responsibilities, such as the execution of the user’s right to be forgotten or encryption of personal data sent by customers.

Question #3 – Will the company using SALESmanago have to obtain additional customer consent to forward their data to SALESmanago?

No separate consent will be required for transferring data to SALESmanago.

Question #4 – Who is responsible, I as a company using the system, or SALESmanago?

SALESmanago as the entity that processes the data bears responsibility for the use of appropriate technical and organizational measures for the processing of your data in the SALESmanago system. However, the responsibility for personal data processed in your infrastructure in the company rests with you.

Question #5 – How do we deal with new regulations? Will anything change in the way we use the platform? How will the changes affect the databases/contacts that clients have in the system?

The platform will facilitate the execution of new obligations introduced by GDPR, including, in particular, the execution of the right to be forgotten.

Question #6 – Will the appearance of the pop-up window and other forms change? Will double opt-in practice still apply?

There won’t be any revolution in this area.

Question #7 – Is the use of SALESmanago 100% legal?

Yes, it is.

Question #8 – GDPR will require the consent to monitor contacts. What will happen to the existing behavioral profiles? Will it be possible to continue using this data, or will I have to delete it?

We would like to remind you that the law is not retroactive, i.e. the use of behavioral profiles acquired in a legal manner before the entry into force of GDPR will be possible. The deletion of data will be necessary when the interested party submits such a request.

Question #9 – What happens when the contact hits the “unsubscribe” button in a mailing? Does this mean that you have to completely remove their data from the database?

No. This is just a withdrawal of consent to send commercial information. Personal data may still be processed (stored).

Question #10 – Do I have to fill out some documents?

To use SALESmanago one has to sign a license agreement and the one for entrusting data for processing. After the entry into force of GDPR, the obligation to submit a set of personal data for registration will disappear.

Question #11 – Do you have any model documents?

Documentation confirming compliance with GDPR is an individual matter of every entrepreneur who adopts procedures to the specifics of his business. SALESmanago as the entity that processes personal data has a Security Policy and an Instruction of the IT System Management. They will be available for our clients. This documentation will allow you to demonstrate, in case of an audit, the application of appropriate technical and organizational safeguards for data security.

Question #12 – How will the inspection work and what will I have to demonstrate?

During the audit based on the GDPR regulations, it is necessary to demonstrate the compliance of the data processing with the Regulation, especially to demonstrate that:

data has been obtained on the basis of contacts’ consents or legal provisions,
people who process data are authorized to do so (written authorization – they are given by the data controller),
an incident register is kept (cases of loss or destruction or unlawful disclosure of data),
incidents are reported to the supervision authority within the 72-hour deadline.

Before the audit, the company should receive a written information about it out. The inspection itself involves the visit of controllers from the proper institution, who check the documentation and the way of handling the personal data (including the achieved level of security).