What is GDPR?

GDPR (RODO) is a regulation of the European Parliament and of the Council (EU) 2016/679) adopted 27. April 2016 which intends to strenghten and unify the data protection law with regards to processing of personal data and the free movement of the data, and repealing directive 95/46/EC.The final version of GDPR is available here. The Polish regulation is being discussed and will probably become enforceable in 2018.

The most important changes introduced by GDPR

  • Your personal data (the personal data of your clients) must be stored on the EU territory,
  • Your customer has the right to be forgotten and you must allow the deletion of all the data from your database,
  • Your customer has the right to demand his data to be transferred to another entity,
  • You still need to collect the consents to process the personal data,
  • You need to respect the data protection regulation from the project stage of creating IT solutions,
  • The increased sanctions for data breaches – up to 20 mln Euro,
  • The new rule of accountability – you, as the administrator, are responsible for abiding by the rules and you must ensure that the data processing complies with the regulations,
  • You are required to maintain records of data processing,
  • You are obliged to report any incidents of data breach.

How does SALESmanago prepare for the new regulation?

Legislative changes

Contractual changes

To use SALESmanago one has to sign in the licence contract and the agreement for entrusting the data for processing by Benhauer, which should include: the range of data given (e.g. name and surname, email address, IP address) and the range of processing (in most cases it is storage, but in case of dedicated service it is possible to extend this range).

Clients' documentation

SALESmanago as the entity that processes the personal data, implemented the Security Policy and IT System Management Instruction, which is available to the clients. This documentation allows to ensure, in case of an audit, that the technical and organizational data protection is properly applied.

Data storage

In compliance with the regulation, the data transfer outside of EU will be possible only if the adequate level of protection is granted (the decision of European Council) and the proper warranties are ensured, ie based on model clauses, binding corporate rules, approved codes of conduct and if both the sender and the receiver has the "European Data Protection Certificate".To put it simply, the personal data, and the servers on which the data is stored, as well as other documentation need to be physically stored on the territory of Europe. We are ready for it! Both the main headquarters and our servers are located in Poland, so this requirement is 100% met.

System adjustments

'Forget me' button

GDPR gives the natural persons, whose data is processed, a new set of allowances. One of the most important is "the right to be forgotten"which means the permanent deletion of the personal data by the company on the basis of marketing consent. The law applies to data stored both in digital and paper form, as well as the backup version. If the data is processed on a contractual basis, then it is necessary, in the first place, to terminate the contract. For this purpose SALESmanago will get the new button on the contact card – forget me.

Data export

Another advantage of GDPR will bring the consumers the right to demand the transfer of data e.g to a different entity when the contract is changed. It applies to processing:

  • - on the basis of marketing consent
  • - under the contract
  • - if this is an automated processing

The right to request the data to be transferred by the administrators directly will be executed only if it is feasible technologically, e.g. the systems are compatible. Our platform is ready to this regulation as well. In SALESmanago you can easily transfer all contact data to external systems in a convenient form – as a flat file or via the API.


GDPR gives the opportunity to consent on both processing the data and profiling using the internet browser settings. Moreover, in SALESmanago there is an option to switch on/off the monitoring of a particular contact. The contact can be monitored only when he agrees on that – it means for example filling in the form and submitting the consent again.

Specifying the source of data.

The platform will allow the realization of new obligation imposed by GDPR, including revealing the source of the data.


There is no need to modify the contact forms. It is not necessary to include any additional consents.

Monitoring the anonymous contacts

GDPR gives the opportunity to consent on both processing the data and profiling using the internet browser settings. There are no strict regulations on the exact form of this consent. It is significant for the companies to be able to demonstrate that the information (e.g.a pop-up window) about using cookies was given.

What about my current database?

The law is not retroactive, it means that using behavioural profiles acquired legally, before the GDPR entry into force, will be possible. Deleting the data will be necessary when the interested party submits a request.

How to acquire a valid and verifiable consent?

A consent is the expression of the user's will and it needs to be: voluntary (e.g. the contract signing cannot depend on obtaining the data), conscious (one must know what he agrees on), specific and unamibiguous (the requirement of separating one consent of the others), a distinct action – a declaration or confirmation (it cannot be obtained by silence).

What I need to do to act in appliance with the law?

Prepare the necessary documentation, including:
  • Security Policy,
  • IT System Management Instruction,
  • Procedure of Users Management and Access (the evidence of authorized persons),
  • Register of Data Processing Operations,
  • Monitoring and Response Policy to Data Protection Breaches,
  • Incident Register,
  • Backup Management Policy,
  • Applied Security Standards.

How does the audit look like? What documentation should I prepare?

In case of an audit based on the GDPR regulations, it is necessary to demonstrate the compliance of the data processing with the regulation, especially to demonstrate that: the data has been obtained on the basis of a consent or other legal provisions, those who process the data are authorized to do so (written authorization given by the data controller), an incident register is kept (the cases of loss or unlawful disclosure of personal data), incidents are reported to the supervision authority within the 72-hour deadline. Before the audit the written notification is sent and the control itself involves the visit of the controllers, who check the documentation and the way of handling the personal data (including the achieved level of security).

SALESmanago as the entity that processes the data implements procedures in line with GDPR, including: the procedure of users management and access (record of authorized persons), register of personal data processing operations, monitoring and response policy to data protection breaches, incident register, backup management policy, applied security standards. The system will allow performing the new responsibilities, such as execution of the user's right to be forgotten or encryption of personal data sent by customers.

Let us know if you have any additional questions