Everything you need to know about signing up, logging in and taking the survey
Start from the price list page on our site; in a few clicks you can create your file. You have to choose between the different options, with or without a subscription.
The secure payment is made online by credit card with our partner Stripe.
Once the payment is validated, you can start your file.
Open the email you received after signing up and click on the link that will take you to your GDPR file.
You must first fill in your company profile: manager, address, legal form... Unless otherwise instructed, leave your business sector as "generic".
You can then start by following the arrow at the bottom right. Do this without delay, because the login link expires after 24 hours.
To access your file the next time, remember to add the address to your favorites / bookmarks.
Otherwise, just go to GDPRFOLDER.com and click on Login at the top right.
Our site does not store a password; instead it keeps your session active for a while. When you return to your file, you will be logged in directly.
After a while, a window will ask you to enter your email again in order to receive a new "magic link".
Be aware that this link is only valid for 24 hours, so do not delay.
The email containing the login link may end up in your spam folder, so remember to check there.
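The login flow described above, as an added example that is not GDPR FOLDER's own code: a single-use "magic link" token that expires after 24 hours and, once redeemed, opens a session with its own lifetime. The in-memory stores, the 14-day session lifetime, the example URL and the function names are assumptions made for this illustration, not details from the page.

```python
"""Added example, not GDPR FOLDER's own code: a minimal passwordless
"magic link" login of the kind the page describes.

Assumptions (not from the page): tokens are 256-bit random values; only a
SHA-256 hash of each token is stored, together with the email and an
expiry; a token is single-use and valid for 24 hours; a redeemed token
opens a session with its own, separate lifetime.  The stores are
in-memory dicts constructed here for illustration.
"""
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 24 * 60 * 60          # the page states the link is valid for 24 hours
SESSION_TTL_SECONDS = 14 * 24 * 60 * 60   # assumed "a while" before re-login is required

# Constructed in-memory stores keyed by the SHA-256 hex digest of the secret.
# Storing only the hash means a leaked database does not yield usable links.
_tokens: Dict[str, dict] = {}
_sessions: Dict[str, dict] = {}


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def issue_magic_link(email: str, now: Optional[float] = None,
                     base_url: str = "https://example.invalid/login") -> Tuple[str, str]:
    """Create a single-use login token for `email`; return (token, link).

    The token is only ever sent by email; the link carries it as a query
    parameter.  `now` is injectable so expiry can be tested deterministically.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
    _tokens[_digest(token)] = {
        "email": email.strip().lower(),
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token, f"{base_url}?token={token}"


def redeem_magic_link(token: str, now: Optional[float] = None) -> Tuple[Optional[str], str]:
    """Validate a token from a clicked link.

    Returns (email, "ok") on success, or (None, reason) where reason is one of
    "unknown", "expired" or "already used".  Lookup is by hash of the token,
    so comparison timing leaks nothing useful: matching a stored digest would
    require a SHA-256 preimage.
    """
    now = time.time() if now is None else now
    rec = _tokens.get(_digest(token))
    if rec is None:
        return None, "unknown"
    if rec["used"]:
        return None, "already used"
    if now > rec["expires"]:
        return None, "expired"
    rec["used"] = True                 # single use: a forwarded or replayed link fails
    return rec["email"], "ok"


def open_session(email: str, now: Optional[float] = None) -> str:
    """Start a session after a successful redemption; return the session id."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    _sessions[_digest(sid)] = {"email": email, "expires": now + SESSION_TTL_SECONDS}
    return sid


def session_email(sid: str, now: Optional[float] = None) -> Optional[str]:
    """Return the email bound to a live session, or None if unknown or expired."""
    now = time.time() if now is None else now
    rec = _sessions.get(_digest(sid))
    if rec is None or now > rec["expires"]:
        return None
    return rec["email"]


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    token, link = issue_magic_link("Owner@Example.com", now=t0)
    print("send by email:", link)
    email, status = redeem_magic_link(token, now=t0 + 3600)
    print(status, email)                                   # ok owner@example.com
    print(redeem_magic_link(token, now=t0 + 3601))         # (None, 'already used')
    sid = open_session(email, now=t0 + 3600)
    print(session_email(sid, now=t0 + 3600 + 86400))       # owner@example.com
```

Because the token travels in a URL, it can end up in mail-client logs, browser history and proxy logs; that is the reason for the single-use check and the short expiry in addition to the randomness of the token. A "link already used" or "link expired" response should simply offer to send a fresh link, which is the behaviour the page describes.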
Once you have logged into your file, your invoice is available by clicking on the billing tab at the top. You will be able to download your paid invoice.
Once connected, you can invite other people to work on the file by clicking the "contributors" button and adding their email address.
They will receive an email with their own login link.
Prefer this to sharing your own login email with them.
Each legal entity must have its own file, even within the same group.
You can therefore subscribe to several files.
Once you have logged in with the correct email, you can switch between files using the drop-down menu at the top right.
We advise you to quickly go through the questionnaire. For example, take 1 hour to answer as many questions as possible in each section.
Each time, remember to save your answers by clicking on "Next".
Being compliant is good, making it known is even better. On this principle, we offer you a GDPR FOLDER compliance badge that you can display on your website or in your email signatures.
It evolves according to your level of compliance, from 3 to 5 stars. For your customers, prospects and partners, it shows your investment in personal data protection.
To integrate it on your site, you just have to copy and add a line of code to display it in the right place, for example in the footer near the data policy.
Your level of compliance evolves with your answers and according to the documents added.
As you go through the questionnaire, you will have to answer up to 100 questions organized in 13 sections (from Profile to Processing Register).
You can navigate from one section to another with the "Previous" or "Next" arrows or simply "Save" to save all your answers to date.
You can therefore answer the questionnaire in several parts and take your time.
If you click on "Questionnaire" at the top, you will see an overview of all the sections of the GDPR questionnaire.
A ? on a blue background means that you have not finished answering the questions in that section.
A green mark means that the section is complete and that there are no non-compliance points.
Finally, a ! on a red background means that there are problematic points in the section in question.
Ideally, everything should be green!
In general, you answer YES or NO. If you don't know, or think the question does not apply to you, leave it unanswered and a ? on an orange background will be displayed.
If your answer is compliant, you will see a green mark.
Conversely, if the answer is not compliant, a ! on a red background will appear.
Depending on your answers, your compliance score displayed on the bar at the top of your file changes in real time.
This score gives an indication of your level of compliance based on your answers. It is not an absolute score, because the GDPR is based on a set of principles that must be interpreted, not on a list of immutable criteria.
If you are largely "in the green", it means that you are fairly compliant. On the contrary, if you have a lot of red, it means that there are important issues that need to be addressed to bring you into compliance.
All questions have been written to address the most common cases encountered in small and medium-sized companies. They are not specific to any particular field of activity.
Some questions may not seem relevant or appropriate for you. For example, in the Operational Security section, there is a question about an alarm system to secure your premises.
In general, it is preferable to have this type of system to secure your premises and therefore your data. On the other hand, it is possible that your premises do not need to be protected because you are already in a secured complex (secured building, business center, shopping center...).
We advise you in this type of case to leave the question unanswered (in which case it will appear in orange) to avoid having a non-conforming answer that would not necessarily be justified.
The GDPR establishes principles to protect personal data; the regulation does not give precise, detailed rules covering every aspect.
These principles must be interpreted when filling out your file: you must take into account, among other things, the size and nature of your business.
For example, the HR provisions aim to ensure that staff are regularly made aware of the issue and trained in it. The means used will necessarily be more modest for very small companies versus companies with dozens of employees. In the event of an audit for a small company, it will be easier to justify a red or orange response.
The questionnaire gives you a snapshot of your GDPR compliance at a given moment. It lets you document your provisions on the subject and will help you justify your steps in the event of an inspection.
The goal is for you to take ownership of the process and push it further by updating your file regularly.
The fact that you have taken the time to fill out your file seriously already shows your willingness to respect and secure personal data.
No. GDPR FOLDER is a declarative tool, and it is up to you to answer and complete the file sincerely.
Our tool does not audit your procedures or verify your statements.
We do not audit your activity, but our tool has been adopted by organizations to equip their members, which attests to the seriousness and quality of the approach.
It is important to periodically check back to see if your file is still up to date. There are two reasons why it may need to be updated:
General instructions for updating your file. Questions related to each topic of the GDPR are discussed below
Once the questionnaire is completed, you can see the non-compliant answers immediately by clicking on the red area of the compliance bar, and begin to address these items.
You can then review the answers in orange (the ones you did not answer).
For some questions, we ask you to substantiate certain steps by attaching a document to your file. You just need to retrieve the corresponding document from your computer, in PDF format for example. This can be the case for your Privacy Policy.
If you do not have such a document, click NO and we will propose a template to bring you into compliance. All you have to do is copy the content, customize it for your company and put it in an internal document that you can then attach to your file.
It is entirely possible, and even desirable, to complete your compliance in several stages. You can therefore return to your file several times to clarify and complete the information.
Each time, be sure to save your answers by clicking on the button in the bottom middle. This will automatically update your file.
Successive versions of your file are kept.
Do not forget, even once you have finished completing the file, to come back periodically to check that it still matches the reality of your organization and current legislation.
You can download your file as often as you like to keep it as a PDF on your computer or network. Simply select the FILE tab at the top of the page and generate an updated version.
You just have to download the latest version.
Successive versions are kept and remain available to you in the tool.
We suggest you start with the Data Protection Officer section and end with the Processing Register. Once you have completed the Processing Register, you may need to go back and review your Privacy Policy, but that is of little consequence.
You may choose a different order that would be more convenient for you, it does not impact your file.
A DPO must be designated by organizations that meet the conditions set out in the GDPR.
It is mandatory to appoint a DPO when you are a public authority or body, when your core activities involve large-scale processing of personal data (as a rule of thumb, more than 10,000 data subjects) or large-scale processing of special categories of data (health, political opinions, philosophical beliefs, etc.).
Nevertheless, it can be useful to have an external DPO to help you with his experience and to answer your questions.
The DPO has an advisory and monitoring role.
When the appointment of a DPO is not mandatory, it is nevertheless advisable to appoint an internal person in charge of the GDPR compliance.
This person can be any employee of the organization.
The DPO must be independent of the organization's management.
He/she cannot be the leader of the organization, nor a member of its management.
Additional details to help you answer the questions in this section
This is a general information document communicated to staff about the GDPR. Its form is free and it can be one or two pages long. It must explain the overall context of the GDPR, the implications for the company and a few points of vigilance, without going into detail.
This provision concerns mainly companies of a certain size and structure that need to formalize their approach to the subject. The intention is to ensure that the subject is reviewed on a regular basis by the management and the executive teams.
This also applies to very small structures or self-employed people who need to regularly review the subject. On the other hand, less is expected in terms of formalization.
This question concerns companies that process personal data for statistical and marketing purposes: data mining, algorithms, scoring, risk assessment, marketing targeting, etc.
For this type of study, personal data should be anonymized to avoid potential risks. Note that pseudonymized data (for example, names replaced by identifiers that can still be linked back to the person) remains personal data under the GDPR; only genuinely anonymized data falls outside it.
Typically, not everyone should have access to all the data. It is important to "compartmentalize" areas so that, for example, not just anyone can access HR or accounting data.
It is therefore necessary to give each user a role with specific access rights, granting only the access that role needs.
Additional details to help you answer the questions in this section
If your company has servers on its premises, it is important to secure the physical access to these machines.
Hosted (cloud) solutions generally provide a good level of security, but it is recommended to prefer providers established in the EU, which are more likely to comply with the GDPR and avoid the question of data transfers outside the EU.
Whether your servers are in-house or hosted (cloud), you must have a policy for regularly backing up your data, with the ability to restore it in the event of an incident. Discuss this with your hosting provider, and test a restore from backup from time to time: a backup that has never been restored is not proven to work.
This can concern for example the hosting of the website or certain business applications.
In small structures it happens that one person "centralizes" everyone's passwords so as to be able to answer customer requests when a colleague is absent.
While this may be temporarily "tolerated" in very small structures, the practice is dangerous from a data security point of view: a shared password cannot be attributed to a single person and cannot be revoked for one user without changing it for everyone.
It is recommended instead to use a tool (for example a password manager with sharing or delegation features), a third party or a service provider that grants access to the accounts on a temporary basis and notifies the absent person.
It is desirable, but not mandatory, to encrypt personal data to prevent easy access by a malicious person.
This is particularly the case for sensitive, very "voluminous" data or data that is regularly exchanged from one system to another.
This usually involves the use of an encryption tool.
It is desirable to have an off-boarding process for employees who leave the organization. This includes archiving and/or deleting their data, closing their access to the network and internal tools, revoking their credentials, etc.
It is common for IT teams to ask you for access in order to set up / fix certain problems on your computer. This is acceptable as long as there is a clear agreement each time a tool is used for remote access.
However, it is not recommended to use the free versions of such tools or to use them systematically (without verification).
Additional details to help you answer this question
Whether it is a simple showcase site or a transactional site, your website must be secured to protect your data and that of your customers.
Your host or the agency that designed your site will be able to do the necessary.
There are several aspects to consider:
Most websites set cookies or trackers to ensure the smooth operation of the site, sometimes to personalize the experience based on visitor profiles or retarget them for marketing purposes.
In any case, you must inform your visitors and allow them to accept or refuse these cookies; non-essential cookies must not be set before consent is given. We provide a text you can use to inform your visitors.
To manage cookies, contact your host or agency who can advise you and implement the right solution.
Your site may collect personal data such as last name, first name, company, email or phone number, for example through a contact form or a newsletter sign-up.
You must always inform the person that his or her data is being collected and may be processed, and state the broad outlines of that processing.
The data subject must be able to give consent to this processing, for example by ticking an opt-in box that is unchecked by default.
Also called the Personal Data Protection Policy, it is a mandatory element under the GDPR. It is required whenever data is collected, which is the case for all websites (at least the IP address). A policy is also necessary when data is collected at physical locations, for example when a customer visits your office, agency or point of sale.
This document must be written to inform the visitors of your site (your prospects, customers, partners) of your policy on the collection and protection of personal data. It is usually located in the footer of the page next to the Legal Notice.
It must be easily understandable by all. It must notably address the type of data collected, the legal basis for this collection, the retention periods, specify the rights of the persons concerned, etc.
It is not enough to have a generic document that states in a few lines that data is collected and kept for as long as necessary. It must be specific on the durations and modalities and include all the data imposed by Article 13 of the GDPR.
An appropriate privacy policy must be offered to data subjects at the time of any data collection.
We offer a template that you can customize for your business that follows this framework.
This document is mandatory for any professional site and is the "identity card" of your site. Generally one page long, these mentions are displayed in the footer of the site. The Service-public.fr site specifies what is required.
Additional details to help you answer the questions in this section
The company has two general obligations: to inform and train employees about personal data.
Whether it concerns personal data on paper or on digital media (email, intranet, etc.), the company must inform its employees about the GDPR, specifying its basic principles, the implications for the company and the procedure to follow.
Among the HR procedures, it is important that the subject of personal data is explicitly integrated / discussed at the time of the entry into service of new employees. Reference can be made to the internal documents already mentioned.
It is recommended to have the receipt of such documents signed.
If you work regularly with people who are not employees but who use your tools, your premises and your processes, and even more so if the relationship is exclusive, they must be treated as employees from a GDPR point of view.
Indeed, these people are required to manage, process and use your customer data just as employees do, so the HR provisions of the GDPR apply to them.
If they provide only occasional services, treat them as processors instead.
Additional details to help you answer the questions in this section
Any person, whether or not you think you hold data about them, has the right to ask whether you process their personal data and to access it. They also have the right to have inaccurate data corrected, and even to ask you to delete it. Please note that you have one month to respond (extendable by two further months for complex or numerous requests, provided you inform the person of the extension within the first month).
Additional details to help you answer the questions in this section
Like any organization, you probably have files or databases containing personal data for which you do not know whether you obtained authorization to process it. It is therefore necessary to take an inventory of these files and verify whether you can process the data in compliance with the GDPR.
The provisions in this section are meant to cover all your databases (CRM, billing...) even if the rules may differ slightly from one tool to another.
The goal is for the company to look at all of its databases to verify compliance with the GDPR in each case.
Most tools and business software have taken the necessary steps to comply with the RGPD. In addition to securing data, they allow you to manage differentiated rights, access and even delete data in accordance with the regulation.
As part of your business, you probably have access to several compliant tools and software.
This does not exempt you from compliance, as it is the procedures put in place around these tools that are important. For example, you are the one that customers and prospects contact if they want to delete their data. And you are probably required to copy, export, transpose data from one tool to another.
In other words, simply using potentially compliant tools does not exempt you from compliance.
Additional details to help you answer the questions in this section
A data breach is any security incident that results in unauthorized access to, loss, theft or destruction of personal data.
It is essential to note that you have 72 hours from becoming aware of the breach to assess it and notify the CNIL, unless the breach is unlikely to result in a risk to the persons concerned. Within that time you must decide how to respond. Your decision may be to
Once you have made your decision and, where required, informed the CNIL and/or the persons concerned, put in place the measures needed to ensure that the incident does not happen again, and record the breach in your internal breach log even if notification was not required.
Additional details to help you answer questions about this topic
A processor (sometimes translated as "subcontractor") is a supplier who processes personal data on your behalf and according to your instructions. A marketing agency that runs an email campaign for you is a processor, for example.
To identify your processors in the GDPR sense, the easiest way is to start from your list of suppliers, because every processor is a supplier. Look for those who process data for you and according to your instructions. You will then need to send them the data processing agreement proposed by GDPRFolder.
Obviously, if your processor is a large company such as OVH, Google or others, it is pointless to send them your own agreement. Instead, look for the data processing agreement they publish on their website, download it and insert it in your file.
Additional details to help you answer the questions in the section.
If you process data on behalf of another organization (for example as a web agency or delivery company), the data controllers will offer you a data processing agreement. If you accept it, sign it and put it in your file.
Of course, if you wish, you can have the contract checked by a lawyer before signing. Once signed, include it in your file.
Additional details to help you deal with a DPIA
For large-scale or sensitive data processing, it is necessary, as specified by the CNIL, to carry out a Data Protection Impact Assessment (DPIA, "AIPD" in French).
This is fairly rare, as VSEs and SMEs are seldom in situations where a DPIA is required. Nevertheless, if in doubt, check the CNIL's list of processing operations for which a DPIA is mandatory.
Additional details to help you answer the questions in this section
One of the first objectives of the GDPR is to encourage companies to take an inventory of the data processing within their organization, in order to secure that processing and to minimize data collection (by abandoning unnecessary collection and removing redundant or unneeded data). This is known as data processing mapping.
The processing register summarizes this work by presenting each processing operation and its characteristics. Each processing operation is documented in a processing sheet that covers the data concerned, the purpose pursued, the retention periods, etc.
To simplify your approach, we have already defined numerous "standard" processing sheets for companies like yours.
Some are automatically included in your file, while others can be added on request.
You may need to add processing operations that are not covered by the standard sheets offered.
You can create a new ad hoc processing sheet by clicking the blue button at the bottom right. Simply fill in the fields indicated to add a processing sheet specific to your activity.