On May 15th, we opened a discussion area dedicated to the GDPR (General Data Protection Regulation) and committed to answering all your questions on the topic. This FAQ collects the answers to the questions you asked us.
Question 1: It appears to me that you are the subcontractor of the personal data, including the data created by your customers, since you are hosting it. Is this true?
Our customers use our platform to enter personal data about individuals in the European Union. In this sense we are indeed the processor (the "subcontractor", in the French terminology) of the personal data they enter into the Kizeo Forms application. With regard to the GDPR, however, the users of the application remain the controllers: they are solely responsible for the personal data they collect. Our role is to provide them with effective tools for honouring the data subject rights defined by the General Data Protection Regulation:
- identification of the personal data held (right of access)
- its erasure (right to erasure)
- its rectification (right to rectification)
You must define rules and procedures to identify what counts as personal data in your forms. For more information, see our article "How to adapt your forms to make them comply with the GDPR".
Question 2: Do you have subcontractors who handle the personal data of your customers?
Yes. OVH acts as our sub-processor and, in that capacity, is committed to the following:
- Process personal data solely for the proper performance of the services: OVH will never process our data for any other purpose (marketing, etc.).
- Not transfer our data outside the EU, nor to a country that the European Commission has not recognised as providing an adequate level of protection.
- Inform us of any recourse to further sub-processors that could process the personal data.
- Implement high security standards.
- Notify us as soon as possible in the event of a data breach.
- Assist us in meeting our regulatory obligations by providing adequate documentation.
Question 3: How do you ensure the security of the data entered?
All data travels between the Kizeo Forms application and our servers over HTTPS (TLS), so it is encrypted in transit from end to end. In addition, the platform meets the requirements of the ISO/IEC 27001 standard, which specifies how an organisation manages the confidentiality, integrity and availability of information such as customer data. Concretely, an Information Security Management System (ISMS) identifies, within a defined scope, the security measures that protect the information assets. The goal is to protect information from loss, theft or alteration, and the computer systems from intrusion and disaster.
Question 4: Do you have a registry of processing activities?
Article 30(1) of the GDPR requires a record of processing activities. However, Article 30(5) of the same article exempts enterprises and organisations employing fewer than 250 persons (unless the processing is likely to result in a risk to data subjects, is not occasional, or involves special categories of data). Kizeo, with fewer than 250 employees, is therefore not obliged to maintain a record of processing activities. Nevertheless, we have chosen to implement one, for ethical reasons.
Question 5: Knowing that electronic signatures are personal data, do you meet the requirements of the General Data Protection Regulation?
Since Law No. 2000-230 of 13 March 2000, an electronic signature has had the same probative value as a handwritten signature: Article 1316-4 of the Civil Code (now Article 1367) provides that an electronic signature constitutes written evidence in the same way as a handwritten one. Kizeo acts as a provider (processor), so it is your responsibility to identify the personal data of your customers. As a practical tip, you can record the person's consent to the collection of their personal data in the form itself, as follows:
- 1st part of the form: entry of the "classic" data (site follow-up, contact made at a trade show, etc.)
- 2nd part of the form: GDPR acceptance of the personal data collection:
  - a separator named "Personal data – GDPR"
  - a "fixed text" field or an "Attachment" field explaining that the customer collects personal data and wishes to obtain the prospect's consent
  - a "checkbox" field for acceptance
  - a "Signature" field to validate the acceptance
You can download this sample form from the Back Office, in the "My library" section: Forms -> Library -> Authorization of personal data collection form.
Question 6: Is it possible to attach to each scheduled email the Excel history of all the data of the form concerned?
You can create a custom Word/Excel template for the "GDPR" part of your form. Once scheduled, it is sent directly to the person of your choice. This configuration can be added to each of your forms. For more information, see our article "How to adapt your forms to make them comply with the GDPR".
Question 7: How do you identify personal data in the Kizeo Forms application?
On a simple email request, we can send you an Excel/CSV export listing all the fields of your form, so that you can easily identify those that may contain personal data. Since the beginning of July 2018, you can also tag the fields that contain personal data (last name, first name, address, etc.) directly while building your form, via a checkbox in the field's preferences. Thanks to this update, we can send you an export of the fields you have tagged as "personal data".
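As an added illustration of this answer (example code written for this FAQ, not Kizeo Forms' own code and not its real export format), the following Python script triages a field export: it separates the fields already tagged as personal data from the untagged fields whose label or type looks like personal data and should be reviewed before the form is declared GDPR-ready. The CSV columns (field_id, label, type, personal_data), the keyword list and the sample rows are constructed assumptions; adapt them to the columns of the export you receive.

```python
"""Triage a form-field export for personal data (GDPR Article 4(1)).

Example written for this FAQ: the CSV layout below is an assumption, not the
real Kizeo Forms export format. Adjust the column names to match your export.
"""
import csv
import io
import re

# Constructed sample export: one row per form field (not real customer data).
FIELD_EXPORT = """field_id,label,type,personal_data
f01,Site name,text,no
f02,Inspection date,date,no
f03,Customer last name,text,yes
f04,Customer first name,text,no
f05,Contact e-mail,text,no
f06,Phone,text,no
f07,Delivery address,address,no
f08,Photo of the meter,photo,no
f09,Signature of the customer,signature,no
f10,Remarks,text,no
"""

# Field types that identify a person by nature, whatever their label.
PD_TYPES = {"signature", "address", "geolocation"}

# Label keywords (English and French) typical of identifying data. This is a
# heuristic: it flags candidates for human review, it does not prove anything.
PD_KEYWORDS = re.compile(
    r"\b(last ?name|first ?name|surname|nom|pr[ée]nom|e-?mail|courriel|"
    r"phone|t[ée]l[ée]phone|address|adresse|birth|naissance|iban)\b",
    re.IGNORECASE,
)


def classify_fields(csv_text):
    """Split the export into three lists of field ids.

    tagged:    the form designer already ticked the "personal data" box
    suggested: not tagged, but the label or type looks like personal data
    clean:     nothing suggests personal data (free-text fields such as
               "Remarks" still deserve a look, since anything can be typed there)
    """
    tagged, suggested, clean = [], [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        is_tagged = row["personal_data"].strip().lower() in {"yes", "true", "1", "oui"}
        looks_pd = (row["type"].strip().lower() in PD_TYPES
                    or PD_KEYWORDS.search(row["label"]) is not None)
        if is_tagged:
            tagged.append(row["field_id"])
        elif looks_pd:
            suggested.append(row["field_id"])
        else:
            clean.append(row["field_id"])
    return tagged, suggested, clean


def review_report(csv_text):
    """Human-readable summary for whoever maintains the record of processing."""
    tagged, suggested, clean = classify_fields(csv_text)
    lines = [
        f"Tagged as personal data: {', '.join(tagged) or '-'}",
        f"Untagged but look personal (review): {', '.join(suggested) or '-'}",
        f"No indication: {', '.join(clean) or '-'}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(review_report(FIELD_EXPORT))
```

The "suggested" list is the useful output: on the sample export it catches the first name, e-mail, phone, address and signature fields that nobody tagged, while the tagged last-name field is reported separately so the two can be reconciled. Treat the result as a starting point for the review described in the answer, not as a substitute for it.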
Question 8: Who is the DPO (Data Protection Officer) within Kizeo?
The Data Protection Officer is our president, Philippe Gellet, who is assisted in this task by Vincent Demonchy, R&D manager.