Letsignit and GDPR
The General Data Protection Regulation (GDPR) has applied since 2018 and strengthens the rights and duties relating to the processing of personal data.
This concerns you because you necessarily process personal data in the operation of your business (customers, employees, suppliers, ...).
When you use Letsignit, you transfer data such as the name, first name and email address of your employees to the platform, and you obtain metadata on the emails sent by your employees, statistics, etc.
Such data contains personal data and implies duties for both you and Letsignit.
What are Letsignit's obligations and commitments regarding the data transmitted on the platform?
Letsignit acts as “processor” (as defined by GDPR) in relation to the data of your employees when you use Letsignit, i.e. Letsignit processes your data only for the purposes of providing you with the services and features of the platform (transmission, storage…).
Letsignit's commitments, in compliance with GDPR, are detailed in the Terms and conditions and its appendix (confidentiality, security, warranties…).
What are your obligations and commitments regarding the data transmitted on the platform?
You act as “controller” (as defined by GDPR) in relation to the data of your employees (and other data subjects).
You therefore have to comply with GDPR and, when using Letsignit, you have to, for example:
- Process data lawfully, fairly and in a transparent manner in relation to the data subject: this includes informing employees about the use of Letsignit and the data processing carried out through it. If required, employees may have to give their consent (for example, to use the employee’s photograph in the signature).
- Process data only for specified, explicit and legitimate purposes: for example, processing operations through Letsignit enable you to manage the email signatures of your employees, improve your communication, …
- Process data only in a way that is adequate, relevant and limited to what is necessary in relation to the purpose: do not process more data than necessary! Letsignit has ensured that as little data as possible is collected in relation to the features of the platform.
- Process accurate data: you should update your database, for example when an employee leaves the company. Such changes may be made in your own database before synchronization with Letsignit, or through Letsignit when data is manually uploaded. Letsignit enables users to change their data.
- Keep data for no longer than necessary: only keep anonymized records (statistics) and delete data when the employee leaves your company.
- Process data in a manner that ensures appropriate security: Letsignit's commitments are detailed in the terms and conditions. You also have to take the required security measures in your company (authorizations, access control, anti-virus, ...).
We advise you to specifically train manager users on GDPR compliance and on the personal data processed when using Letsignit.
What information should go in your record of processing activities?
As data controller, you have (in some cases) to maintain a record of processing activities in accordance with GDPR. Such records describe processing operations carried out by your company (categories of personal data, purposes, envisaged time limits for erasure of data…).
Here is some information that you can add to your record of processing activities in relation to the use of Letsignit:
(We leave it to you to check that this information is accurate in relation to your own processing operations!)
About monitoring of employees’ emails
The purposes of processing operations shall be specified and legitimate. Letsignit is an application to enable you to manage your email signatures and improve your communication: it is not designed to control your employees’ activities.
Letsignit wishes to protect employees’ privacy and has limited the information available in the application (emails are technically accessible in transit but are not stored, except in case of delivery failure) and has limited the number of manager users who can access it.
If you consider using tools to monitor your employees’ emails and computers, you have to, at least, inform them and employee representatives, and respect their privacy and the secrecy of correspondence.
This document has informative value and can in no way constitute an exhaustive list of the duties of the controller, nor a validation of the processing operations carried out. We recommend that you validate your company's compliance with the GDPR and other applicable regulations.