Frequently asked questions about our tool GDPR Folder

As you go through the questionnaire, you will have to answer potentially 100 questions organized in 13 sections in total (from Profile to Treatment Record).

You can navigate from one section to another with the "Previous" or "Next" arrows or simply "Save" to save all your answers to date.

You can therefore answer the questionnaire in several parts and take your time.

If you click on "Questionnaire" at the top, you will get an overview of all sections of the RGPD.

The ? on a blue blue background means that you have not finished answering the question.

The green green means that the item is complete and that there are no non-compliance points.

Finally, the ! on a red red means that there are some problematic points in the section in question.

Ideally, everything should be green!

In general, you choose YES or NO. If you don't know or think this question doesn't apply to you, don't answer and a ? on an orange orange background will be displayed.

If your answer is correct, you will see a green green mark.

On the contrary, if the answer is not conform, a ! on a red red background will appear.

Depending on your answers, your compliance score displayed on the bar at the top of your file changes in real time.

This score gives an indication of your level of compliance based on your responses. It is not not an absolute score because the RGPD is based on a set of principles that must be interpreted and not on a list of immutable criteria.

If you are largely "in the green", it means that you are fairly compliant. On the contrary, if you have a lot of red, it means that there are important issues that need to be addressed to bring you into compliance.

All questions have been written to address the most common cases encountered in small and medium-sized companies. They are not specific to any particular field of activity.

Some questions may not seem relevant or appropriate for you. For example, in the Operational Security section, there is a question about an alarm system to secure your premises.

In general, it is preferable to have this type of system to secure your premises and therefore your data. On the other hand, it is possible that your premises do not need to be protected because you are already in a secured complex (secured building, business center, shopping center...).

We advise you in this type of case to leave the question unanswered (in which case it will appear in orange) to avoid having a non-conforming answer that would not necessarily be justified.

The GDPR has established principles to protect personal data, the regulation does not give precise and detailed rules to cover all aspects.

These principles must be interpreted when filling out your file: you must take into account, among other things, the size and nature of your business.

For example, the HR provisions aim to ensure that staff are regularly made aware of the issue and trained in it. The means used will necessarily be more modest for very small companies versus companies with dozens of employees. In the event of an audit for a small company, it will be easier to justify a red or orange response.

The questionnaire gives you a "picture" at the moment to assess your GDPR compliance. It allows you to document your provisions in the matter and will be able to justify your steps in case of control.

The goal is to allow you to take ownership of the process and to push it further by updating your file regularly.

The fact that you have taken the time to fill out your application seriously already shows your willingness to respect and secure personal data.

NO, GDPR FOLDER is a declarative tool and it is up to you to answer and complete the file in a sincere manner.

Our tool does not audit your procedures or verify your statements.

We do not audit your activity but our tool has been adopted by organizations to equip their members which testifies to the seriousness and quality of the approach.

It is important to periodically check back to see if your file is still up to date. There are two reasons why it may need to be updated:

• your activity has evolved and you have to fill in a new processing form
• We have made the RGPD file evolve according to the evolution of the regulation. See in the blog the updated section

Once the questionnaire is completed, you will immediately see the non-compliant answers by clicking on the red area of the compliance bar. You can begin to address these items.

You can then review the answers in orange (the ones we did not answer).

For some questions, we ask you to justify certain steps by attaching a document to your file. You just have to go and get the corresponding document on your computer in PDF version for example. This can be the case of your Privacy Policy.

If you do not have such a document, you will click NO and we will propose you a model to put you in order. All you have to do is copy the content, customize it for your company and put it on an internal document that you can then attach to your file.

It is entirely possible, and even desirable, to complete your compliance in several stages. You can therefore return to your file several times to clarify and complete the information.

Each time, be sure to save your answers by clicking on the button in the bottom middle. This will automatically update your file.

successive versions of your file are kept. 

do not forget, even when you have finished completing the file, to come back periodically to check if it is still in accordance with the reality of your organization and the legislation.

You can download your file as often as you like to keep it as a PDF on your computer or network. Simply select the FILE tab at the top of the page and generate an updated version.

You just have to download the latest version.

Successive versions are kept and remain available to you in the tool.

We suggest you start with the Data Protection Officer section and end with the Processing Log. Once you have completed the Register of Processing, you may need to go back and review your Privacy Policy, but that is of little consequence.

You may choose a different order that would be more convenient for you, it does not impact your file.

It is mandatory to appoint a DPO when you belong to the public sector or when you process a large amount of personal data (more than 10,000 persons concerned) or if you process a lot of sensitive data (health, political, philosophical, etc.)

Nevertheless, it can be useful to have an external DPO to help you with his experience and to answer your questions.

The DPO has an advisory and monitoring role.

• It advises the organization to bring it into compliance
• It monitors compliance independently

When the appointment of a DPO is not mandatory, it is nevertheless advisable to appoint an internal person in charge of the GDPR compliance.

This person can be any employee of the organization

The DPO must be independent of the organization's management.

He/she cannot be the leader of the organization, nor a member of its management.

It is a global information communicated to the personnel concerning the RGPD. The form is free and can be one or two pages long. This document must explain the global context of the RGPD, the implications for the company and some points of vigilance without going into detail.

This provision concerns mainly companies of a certain size and structure that need to formalize their approach to the subject. The intention is to ensure that the subject is reviewed on a regular basis by the management and the executive teams.

This also applies to very small structures or self-employed people who need to regularly review the subject. On the other hand, less is expected in terms of formalization.

This question concerns companies that process personal data for statistical and marketing purposes: datamining, algorithms, scoring, risk assessment, marketing targeting...

For this type of study, personal data should be anonymized to avoid potential risks.

Typically, it is important that not everyone has access to all the data. It is important to "compartmentalize" the areas to avoid, for example, that anyone has access to HR or accounting data.

It is therefore necessary to give different roles to each contact person with specific access rights.

If your company has servers on its premises, it is important to secure the physical access to these machines.

These solutions in general provide a good level of security but it is recommended to use European companies that are more likely to comply with the RGPD.

Whether the servers are internalized or externalized (cloud), you must have a policy allowing you to regularly back up your data with the possibility of restoring them in case of incident. This is a point to discuss with the hosting company.

This can concern for example the hosting of the website or certain business applications.

It happens in small structures that a person "centralizes" the passwords to be able to answer customers' requests in case of absence of a collaborator.

While this may be temporarily "tolerated" in very small structures, this process is dangerous from a data security point of view.

It is recommended to use a tool, a third party or a service provider that will allow access to the accounts on a temporary basis and to inform the absent person.

It is desirable, but not mandatory, to encrypt personal data to prevent easy access by a malicious person.

This is particularly the case for sensitive, very "voluminous" data or data that is regularly exchanged from one system to another.

This usually involves the use of an encryption tool.

It is desirable to have a process for employees who leave the organization. This includes archiving and/or deleting data, closing access to the network and internal tools, deleting passwords, etc.

It is common for IT teams to ask you for access in order to set up / fix certain problems on your computer. This is acceptable as long as there is a clear agreement each time a tool is used for remote access.

However, it is not recommended to use the free versions of such tools or to use them systematically (without verification).

Whether it's a simple showcase site or a transactional site, your website must be secure to protect your data and those of your customers.

Your host or the agency that designed your site will be able to do the necessary.

There are several aspects to consider:

• Install an SSL certificate (to switch your site to HTTPS)
• Use secure passwords
• Update your site and its plugins regularly
• Set up daily backups

Most websites set cookies or trackers to ensure the smooth operation of the site, sometimes to personalize the experience based on visitor profiles or retarget them for marketing purposes.

In any case, you must inform your visitors and allow them to accept or refuse these cookies. We propose you a text which allows you to inform your visitors.

To manage cookies, contact your host or agency who can advise you and implement the right solution.

Your site can allow you to collect personal data such as name / first name / company / email / phone ... this can be done in a contact form or by offering a newsletter etc.

You must always inform the person that his or her data is being collected and may be processed, and specify the broad outlines.

The target person must be able to give consent to this processing, for example by checking an opt-in box.

Also called Personal Data Protection Policy, it is a mandatory part of the RGPD. It is necessary when data is collected, which is the case for all sites (at least IP address...). A policy is also necessary in cases where data is collected in physical locations, for example when the customer visits the office, agency, point of sale...

This document must be written to inform the visitors of your site (your prospects, customers, partners) of your policy on the collection and protection of personal data. It is usually located in the footer of the page next to the Legal Notice.

It must be easily understandable by all. It must notably address the type of data collected, the legal basis for this collection, the retention periods, specify the rights of the persons concerned, etc.

It is not enough to have a generic document that states in a few lines that data is collected and kept for as long as necessary. It must be specific on the durations and modalities and include all the data imposed by Article 13 of the GDPR.

An appropriate privacy policy must be offered to data subjects at the time of any data collection.

We offer a template that you can customize for your business that follows this framework.

This document is mandatory for any professional site and is the "identity card" of your site. Generally one page long, these mentions are displayed in the footer of the site. The Service-public.fr site specifies what is required.

Legal information on the Service Public website

The company has two general obligations: to inform and train employees about personal data.

Whether it concerns personal data on paper or on digital media (email, intranet...), the company must inform its employees about the RGPD by specifying the basic principles, the implication for the company and the procedure to follow.

Among the HR procedures, it is important that the subject of personal data is explicitly integrated / discussed at the time of the entry into service of new employees. Reference can be made to the internal documents already mentioned.

It is recommended to have the receipt of such documents signed.

If you work on a regular basis with people who are not employees but who use your tools, your premises, your processes and even more so if it is an exclusive relationship, they must be considered as employees from an RGPD point of view.

Indeed, these people are required to manage, process and use your customer data as employees. The HR provisions of the GDPR apply.

If they are occasional services, you should consider them as subcontractors.

Any person, whether or not you have collected his or her personal data, has the right to request access to the data collected. In case of data collection, these persons also have the right to have this data corrected if it is inaccurate, and even to ask you to delete it. Please note that you have a period of one month to respond.

As for any organization, you probably have files or databases containing personal data which you may not know if you have obtained the authorization to process the data of these persons. It is therefore necessary to make an inventory of these files and to verify if you can process these data in compliance with the RGPD.

The provisions in this section are meant to cover all your databases (CRM, billing...) even if the rules may differ slightly from one tool to another.

The goal is for the company to look at all of its databases to verify compliance with the GDPR in each case.

Most tools and business software have taken the necessary steps to comply with the RGPD. In addition to securing data, they allow you to manage differentiated rights, access and even delete data in accordance with the regulation.

As part of your business, you probably have access to several compliant tools and software.

This does not exempt you from compliance, as it is the procedures put in place around these tools that are important. For example, you are the one that customers and prospects contact if they want to delete their data. And you are probably required to copy, export, transpose data from one tool to another.

In other words, simply using potentially compliant tools does not exempt you from compliance.

A data breach is an unauthorized access, loss of data, theft of data, destruction of data - in short, a security problem.  

It is essential to note that you have 72 hours to make a decision to remedy this data breach if possible, Your decision may be to 

• consider that the problem has been solved and that there is no risk for a person concerned (for example if a lost PC was quickly found)
• consider that there is a problem for the persons concerned and so you notify the CNIL
• consider that there is a serious problem (e.g. disclosure of health data) for the persons concerned and you must then notify the CNIL and the persons concerned

Once you have made your decision and possibly informed the CNIL and/or the persons concerned, it is important to put in place the necessary measures to ensure that this incident does not happen again

A processor is a supplier who processes data for you and according to your instructions. A marketing agency that carries out an email campaign for you is a subcontractor, for example.

To identify the subcontractors in the sense of the RGPD the easiest way is to start from the list of suppliers, because all subcontractors are suppliers. It will be enough to look for those who process data for you and according to your instructions. You will then have to send them the subcontracting contract which is proposed to you by GDPRFolder.

Obviously, if your subcontractor is a large company like OVH, Google or others, it is useless to send them your subcontract. It is recommended that you look for the contract they offer on their website and download it and insert it in your file.

If you are processing data on behalf of another organization, such as a web agency or delivery company, the data controllers will offer you a subcontracting agreement. If you accept it, sign it and put it in your file.

Of course, if you wish, you can have the legality of this contract checked by a lawyer. If you sign it, include it in your file.

In the case of important data processing, or sensitive data, it is necessary, as specified by the CNIL, to conduct an impact analysis (AIPD). 

This is quite rare as VSEs and SMEs are rarely in cases where this action is necessary. Nevertheless, if in doubt, check what the CNIL says.

One of the first objectives of the RGPD is to encourage companies to make an inventory of data processing within their organization in order to secure this processing and minimize data collection and processing (by abandoning unnecessary data collection and removing redundant or unnecessary data). This is known as a data processing map.

The register of processing operations allows us to summarize this work by presenting the data processing operations and their characteristics. Each processing operation is materialized by a processing sheet that includes the data concerned, the objective pursued, the storage periods, etc.

In order to simplify your approach, we have already defined numerous "standard" treatment sheets for companies like yours.

Some are automatically included in your file while others can be added upon request.

You may need to add new records that are not available in the standard records offered

You will be able to generate a new ad hoc treatment form by following the blue button at the bottom right. You will just have to fill in the different fields indicated to simply add a new treatment form specific to your activity.