Dolead & the GDPR

Abstract

In short, the GDPR has forced organisations to be more thoughtful in their approach to collecting and processing personal data, which we fully welcome and adopt. From the start, our Dolead Campaign Manager offers and more recently, our Dolead Performance offer, are based on a free contract with users.

Furthermore, we have appointed a Data Protection Officer (DPO) to guide our compliance programme and ensure that Dolead complies with its obligations under the GDPR.

Our DPO will assist the Dolead teams through the data privacy impact assessment process (as required by Article 35 of the GDPR) to recognise and minimise data protection risks.

The Privacy by Design principle is an integral part of our product engineering process.

Finally, as part of our privacy programme, all our employees have received privacy training and will continue to receive this training annually, in addition to specific security training for certain employees.

We have also developed a process to verify our personal data protection policy in order to continuously improve.

Introduction

On 25 May 2018, the General Data Protection Regulation (RGPD) will come into force. This is the most important regulation on the protection of personal data for more than twenty years. The GDPR replaces the 1995 European Data Protection Directive and aims to strengthen individual rights of European citizens. The GDPR has a very broad scope. It is likely to apply to all processing of personal data of a resident of the European Union, regardless of the place of processing. Failure to comply with the GDPR may result in heavy fines that can reach up to €20 million or 4% of global turnover.

Dolead is very committed to protecting the data of its clients and users and makes every effort to comply with the new requirements. We have put in place a GDPR compliance plan to comply with the new obligations and enable our customers to use Dolead tools and services in accordance with the GDPR. Below is a summary of Dolead’s personal data protection policy.

What is our status?

When you use our services, we are, with you, the data controllers for the data of users and the prospects we collect. The GDPR defines the controller as the person “who, alone or jointly with others, determines the purposes and means of processing”. As our client, you determine the purpose of the collection. On the other hand, we freely determine the means of this collection as we make our digital marketing service and know-how available to you. We are, therefore, jointly responsible for processing and are therefore equally responsible to users and prospects. This responsibility is, moreover, a guarantee of quality for users and prospects.

Dolead scrupulously complies with the client’s instructions regarding the purpose of processing the collected data.

We are also responsible for processing the personal data on our clients that we collect.

The foundations of our processing 

Firstly, as a co-processor, we ensure that we have a legal basis for the processing of the personal data that we implement. As regards our users and prospects, this foundation is almost always the contract. When a user completes an interface for connecting with a professional, we provide a service, even though this service is free of charge. Sometimes we may collect additional data which then needs to be voluntarily entered by the user or the prospect. In the latter case, the foundation of the processing will be consent. We always ensure that there is express consent by submitting a tickbox to the user or prospect to validate their request. We remind you that as our client you are responsible for processing and it is your responsibility to determine the purpose of the collection and the data to be collected. The principle of minimalisation that you must also respect requires you to collect only the data strictly necessary for your purpose. It is your responsibility to carefully determine the data to be collected by us and to use this data exclusively for the specified purpose.

Assistance to clients and rights of persons concerned

The GDPR grants broad rights to individuals with respect to their personal information. Today, as yesterday, the individuals concerned by the collection (hereinafter referred to as “data subjects”) have a right to access their personal data as well as a right to correct inaccurate or incomplete data. In some cases, data subjects have the right to erase (right to be forgotten) and the right to object to processing. A new right is the restriction of processing, applicable in certain hypotheses, and the right to data portability.

These rights involve a more efficient internal organisation and more detailed personal data management for data controllers so that they can respond to these requests in a short time frame.

Dolead has, in its capacity as co-processor, developed tools that meet these requirements and that will be useful to our clients for them to be compliant with the GDPR. As co-data controllers, data subjects can exercise their rights towards each of us and we must be able to coordinate and respond quickly to requests.

We have developed tools to delete and export end-user data. When we started thinking about the GDPR, it was important for us to create sufficiently sophisticated data export and deletion tools to provide a precise response to our clients, to users and to prospects, rather than providing a single generic tool. Our engineering team has built a tool that can export or delete event data for a specific form_id or delete specific properties. This tool can handle any type of request. Dolead will be able to retrieve or delete a specific property for a single user or all data for a specific form.

Requests to delete and export events will be processed by our support team via an email form sent to your account manager. You will soon receive additional information on how to submit a request for access to rights. We will also open an external deletion API ready to be used by clients by the end of May.

With regard to data deletion, several situations may arise:

  • A deletion request is sent to you directly; in this case, either you have the technical capacity to delete the data stored by Dolead in the interface we make available to you, or you transfer the request to us and we delete it;
  • We receive a request for deletion; we will transfer this request to you without delay and, when the request is justified, immediately delete the data.

Retention period

We have done particular work on the retention period for the user and prospect data that we collect. The GDPR requires us to retain data only for a period of time necessary for collection purposes. Since being put in contact with a professional is an instant execution contract, we have settled on the limitation period and will delete the data at the end of 5 years after collection. This will allow any disputes to be avoided. At the end of 3 years after collection, we archive the data.

If you have any questions, you can always contact help@dolead.com.

Organisational and technical security at Dolead

We have updated our internal organisation to ensure that our employees’ access to the personal data of our clients, our users and our prospects is limited to the strictly necessary. To do this, we have checked our systems and updated access permissions.

Within Dolead, access rights are based on job function and role. We use the concepts of “least privilege” and “need to know” to match access privileges to defined responsibilities. In addition, Dolead employees must comply with our policies on secure data management.

Only those we have designated as “Need to Know” can access data processed by Dolead.

We have also improved our events system. We are able to know who accesses what data and who has manipulated or changed the data.  Our employees are informed of this traceability.

Our employees must sign a confidentiality agreement and will be trained on the protection of personal data.

We analyse software vulnerabilities and have an information and security event management platform that provides monitoring and alerts us 24/7 in case of breaches or technical problems.

Dolead will inform clients, users and prospects without delay in the event of destruction, loss, modification, disclosure or accidental, unauthorised or illegal access to personal data. We will assist our clients in their obligations under Articles 32-36 of the GDPR.

Updating our documentation

To bring us into line with the GDPR, we have modified our conditions of use, developed a charter for the protection of personal data and updated our cookie charter.  

Subcontractors and Dolead

As co-data controller, Dolead uses subcontractors.

For example, Dolead uses Amazon Web Service (“AWS”) as a cloud storage subcontractor and does not host client data on its premises. AWS is a leading cloud supplier with industry-leading security certifications, such as SOC2 and ISO27001.

All our subcontractors are carefully selected in collaboration with our technical and legal support.

We have put in place a process to assess the risks of subcontractors and ensure that they comply with the GDPR.

Some subcontractors may be located outside the European Union. In this case, we ensure that they comply with a valid basis for the transfer of personal data outside the EU. As a general rule, we mainly work with non-European companies that have joined the Privacy Shield.

It should be noted that Dolead's own servers are located in Europe.

You will find a list of our subcontractors here.  

Contact us

If you would like more information or to ask additional questions, please contact us at legal@dolead.com.