General Data Protection Regulation (GDPR) Compliance for Franstorm CRM Software

Effective Date: June 10, 2023

Version: 1.0 

Last Updated: September 12, 2024

Franstorm CRM is dedicated to maintaining the privacy and security of the personal data it handles. This GDPR Compliance Policy provides a detailed outline of how Franstorm CRM collects, processes, and protects personal data in compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679.

1. Scope and Purpose

This policy applies to all personal data processed by Franstorm CRM, whether it pertains to employees, customers, vendors, or any other individual. The purpose of this policy is to ensure compliance with the GDPR and to establish a framework for processing, storing, and handling personal data.

2. Definitions

Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’), such as names, identification numbers, location data, online identifiers, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

Processing: Any operation or set of operations performed on personal data, such as collection, recording, organization, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.

Data Controller: The entity that determines the purposes and means of processing personal data.

Data Processor: The entity that processes personal data on behalf of the data controller.

Data Subject: The individual to whom the personal data relates.

3. Principles of Data Processing

Franstorm CRM adheres to the following principles when processing personal data:

  1. Lawfulness, Fairness, and Transparency: Personal data will be processed lawfully, fairly, and in a transparent manner.
  2. Purpose Limitation: Personal data will be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  3. Data Minimization: Personal data collected will be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
  4. Accuracy: Personal data will be accurate and, where necessary, kept up to date.
  5. Storage Limitation: Personal data will be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
  6. Integrity and Confidentiality: Personal data will be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
  7. Accountability: Franstorm CRM will be responsible for and able to demonstrate compliance with these principles.

4. Lawful Bases for Processing

Franstorm CRM processes personal data only when there is a lawful basis for doing so. These bases include:

Consent: The data subject has given explicit consent for the processing of their personal data for one or more specific purposes.

Contractual Necessity: Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the data subject’s request before entering into a contract.

Legal Obligation: Processing is necessary for compliance with a legal obligation to which the controller is subject.

Vital Interests: Processing is necessary to protect the vital interests of the data subject or another natural person.

Public Task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Legitimate Interests: Processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

5. Data Collection and Processing Activities

Franstorm CRM collects and processes personal data from its users and customers for the following purposes:

Customer Relationship Management: Including contact information, communication history, purchase history, and support tickets.

Marketing and Communications: Including email marketing, newsletters, and product updates, where consent has been obtained.

Analytics and Product Development: Including usage data, feedback, and surveys to improve services.

Compliance with Legal Requirements: Including data necessary for compliance with laws and regulations.

6. Data Subject Rights

Under the GDPR, individuals (data subjects) have the following rights with regard to their personal data:

  1. Right to be Informed: Data subjects have the right to be informed about the collection and use of their personal data.
  2. Right of Access: Data subjects have the right to access their personal data and obtain a copy of the data undergoing processing.
  3. Right to Rectification: Data subjects have the right to request correction of inaccurate or incomplete personal data.
  4. Right to Erasure: Data subjects have the right to request the deletion of their personal data in certain circumstances.
  5. Right to Restriction of Processing: Data subjects have the right to request the restriction of processing of their personal data under specific conditions.
  6. Right to Data Portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit those data to another controller.
  7. Right to Object: Data subjects have the right to object to the processing of their personal data based on legitimate interests, direct marketing, or processing for research/statistical purposes.
  8. Rights in Relation to Automated Decision-Making and Profiling: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or significantly affects them.

7. Data Security and Integrity

Franstorm CRM implements appropriate technical and organizational measures to protect personal data, including but not limited to:

Data Encryption: Encryption of data at rest and in transit.

Access Controls: Role-based access control, password policies, and multi-factor authentication.

Regular Audits: Regular audits, security assessments, and vulnerability testing.

Data Anonymization and Pseudonymization: Use of techniques to reduce the identification risk of personal data where possible.

8. Data Retention Policy

Personal data will be retained only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable law or regulation. After this period, personal data will be securely deleted, destroyed, or anonymized.

Franstorm CRM maintains the following retention periods for personal data:

Customer Data: Retained for the duration of the customer relationship and for [number of years] years thereafter.

Marketing Data: Retained until the data subject withdraws consent or opts out.

Employee Data: Retained for the duration of employment and [number of years] years thereafter.

9. Data Transfers

Franstorm CRM may transfer personal data to third parties or to countries outside the European Economic Area (EEA) only when appropriate safeguards are in place, including:

Standard Contractual Clauses approved by the European Commission.

Adequacy decisions where the European Commission has determined that a third country ensures an adequate level of protection.

Binding Corporate Rules (BCRs).

10. Third-Party Processors and Subprocessors

Franstorm CRM may engage third-party service providers (subprocessors) to support its operations. All third-party processors are required to comply with GDPR requirements and enter into data processing agreements (DPAs) to ensure the protection of personal data. These processors are only permitted to process personal data as instructed by Franstorm CRM.

11. Data Breach Notification

In the event of a personal data breach, Franstorm CRM will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the breach poses a high risk to data subjects, Franstorm CRM will also inform the affected individuals without undue delay.

12. Data Protection by Design and by Default

Franstorm CRM integrates data protection principles into its product development and business processes. This includes conducting Data Protection Impact Assessments (DPIAs) where processing activities are likely to result in a high risk to the rights and freedoms of data subjects.

13. Accountability and Governance

Franstorm CRM maintains documentation to demonstrate compliance with GDPR, including:

Records of processing activities.

Internal data protection policies and procedures.

Training records.

Data processing agreements.

14. Changes to this Policy

Franstorm CRM reserves the right to modify this policy at any time. Any changes will be communicated to data subjects where required by law. Data subjects are encouraged to review this policy periodically to stay informed about how Franstorm CRM protects their personal data.

16. Contact Information

For any questions or requests regarding this policy or data protection practices, please contact:

Data Protection Officer (DPO) 

Franstorm CRM 

Email: contact@franstorm.com

Phone: +1 (980) 300-9945

Address: 2108 South Blvd #211, Charlotte, NC 28203, United States

This policy provides an in-depth framework for GDPR compliance. Franstorm CRM should review it regularly and update it to align with evolving regulations and business practices.