RGPD regulations

Introduction

We follow the 6 steps of the CNIL (Commission Nationale Informatique & Libertés) special file.

Worth knowing: 

  1. Designate a pilot
  2. Mapping personal data processing
  3. Prioritize actions
  4. Managing risks
  5. Organizing internal processes
  6. Documenting compliance

 

Would you like to contact the person in charge of RGPD?

A data protection compliance management program was drawn up a few weeks ago. To this end, a Data Protection Officer has been appointed. 

To contact him: rgpd@weadvocacy.com

 

What personal data does we advocacy use (mapping)?

In order to operate, we advocacy requires the following personal data:

 

  • Directory data:
    • Email (required)
    • First name (optional)
    • Name (optional)
    • The employee's title or function in the company (optional)
    • Employee's work telephone number (optional)
    • Employee's work cell phone number (optional)
    • Company site address(es) (optional)
    • Company groups to which the user belongs (optional)

 

Directory data is:

  • either taken from the G Suite profile if the company is on G Suite, and updated daily in we advocacy
  • or taken from the Office 365 profile if the company is on Office 365, and updated daily in we advocacy
  • or imported from a CSV file in other cases, and updated manually by the we advocacy application administrator.

  • Usage data for external communication (signatures and banners)
    • Current signature model(s) assigned to the user
    • Banner campaign(s) assigned to the user
    • Reporting data for each campaign: number of views, number of clicks and click-through rate
    • In certain cases (messaging systems using Gmail), the company also has the option of tracking clicks on banners relayed by its employees. In this case, additional data are stored: e-mails from recipients who clicked on the banner and the e-mail from the sender who sent the e-mail containing the banner.

 

  • Usage data for internal communication
    • The notification campaign(s) assigned to the user
    • Reporting data for each campaign:
      • Has the user seen the campaign? (optional)
      • Did the user click on the campaign? (optional)
      • Did the user like the video? (optional)

 

  • Survey data
    • We Advocacy also enables its customers to distribute internal surveys to gather employee feedback (e.g. barometers, satisfaction surveys, post-event feedback, etc.).
    • The data collected in this context are as follows:
      • Individual responses to survey questions
      • Responding user ID (if the survey is not anonymous)
      • Associated reporting data: participation rate, completion rate, statistics by question

⚠️ Depending on the parameters defined by the customer, responses can be anonymous or linked to an identified user.

Surveys are fully configurable by the customer, who remains responsible for the content of the questions and the management of the data collected.

 

Where is the data stored?

The infrastructure on which we advocacy is based is hosted in Google data centers.

Data center location depends on customer location. 

  • European customers are hosted in data centers in the European region. Data is therefore stored in Europe.
  • American customers are hosted in data centers in the American region. The data is therefore stored in the USA.

What are the data retention periods?

The data collected is kept only for the time the service is used. 

  1. All user data is deleted when the user is removed from the we advocacy solution.
  2. All data is automatically deleted when the application is uninstalled from the domain (account closure).

 

How did we advocacy comply with the RGPD?

In accordance with RGPD regulations, each user has the option to:

  • Modify their personal and professional data via the we advocacy application
  • Request the export of their personal data by contacting us by e-mail at the following address: contact@weadvocacy.com

We've also included various purge modules to enable you to delete all data linked to one or more users.

Finally, we have set up a "safety" framework:

  • Raising our teams' awareness of data protection and security issues.
  • Commitment to confidentiality by our employees and service providers
  • Compliance of our Google Cloud infrastructures with RGPD requirements (Infrastructure safety and Google Cloud Platform security)
    1. Encryption of our databases: we use Google encryption.
    2. Anonymization of data not required for processing
    3. Enhanced access management (systematic and periodic reviews)
    4. Monitoring and detection of potential faults
    5. Deletion of personal data in compliance with European regulations
    6. Secure development taking into account best security practices and personal data protection (anonymized or fictitious test data)
    7. Setting up alert and incident escalation processes with our customers

 

What commitments has we advocacy made?

  • We only process the data entrusted to us for specific purposes and in order to provide the service for which our customers have subscribed.
  • We act on our customers' instructions
  • We guarantee data confidentiality and integrity
  • Our service providers and subcontractors are required to comply with our customers' obligations and instructions.
  • We work with our customers to help them meet these obligations, particularly in terms of exercising the rights of data subjects and carrying out impact assessments.
  • We ensure the security of your data
  • We are committed to the reversibility of the data entrusted to us.
  • We formalize and make available to our customers all the documentation necessary to demonstrate compliance with our obligations.
  • We ensure that the levels and rights of access granted to our employees depend on their position and role. Our employees have access to only the information they need to carry out their duties.

What are your commitments as a we advocacy customer?

  • As a customer, you are responsible for controlling the personal data of your employees that you provide to we advocacy when using our services. Your data controllers must, of course, define the purposes for which the personal data is to be used and how it is to be processed.
  • You are also responsible for implementing adequate technical and organizational measures to ensure and prove that data is processed in accordance with the GDPR. These obligations touch on the principles of lawfulness, fairness, transparency, purpose limitation, data minimization and accuracy, as well as respect for data subjects' rights with regard to their data.
  • As a customer, you are responsible for the processing of your employees' personal data provided to we advocacy in connection with the use of our services. We advocacy is only a processor of this personal data. It is your responsibility to comply with all your obligations regarding the protection of your employees' personal data, and in particular to inform them of the processing of personal data by the application.