1. Compliance of the digital platform
The GDPR compliance of your digital platform is a key element. This is where the most personal data often passes through and therefore where the risks are greatest. It is necessary to either audit the platform or take action at the design stage.
A report must be produced to demonstrate compliance with the rules or areas for improvement. These areas may mainly relate to the provision of information to individuals, consent, or retention periods.
✅ INFORMATION: Users must be informed precisely and clearly of their data protection rights. This is reflected in a privacy policy that is easily accessible on the platform.
✅ CONSENT: Rules on obtaining consent must also be verified. The collection of certain data requires the consent of the individual. For example: an email in B2C.
✅ DATA RETENTION PERIOD: You must comply with the data retention periods stipulated by the GDPR. It is therefore important that your platform or a process provides for the deletion of personal data. The full list of durations is available on our site in resources.
❌ Special cases. Are you a "processor"? Do you process personal data from other companies?
It should be noted that the GDPR rules apply equally to data controllers and processors. If, for example, you make a platform available to the employees of company 'X' in order to provide them with a concierge service, human resources (HR) management, etc., then you are considered to be a processor within the meaning of the GDPR.
In this case, you are processing the personal data of third-party companies. However, given that the CNIL (National Commission for Information Technology and Civil Liberties) requires companies to work only with organizations that are compliant, you will be much stronger by complying with the GDPR, and will win more and more bids. Your clients therefore check your compliance to ensure their own. In this regard, following audits by their clients, many companies that are not compliant could lose some of their clients.
Main risk of GDPR non-compliance!
It mainly concerns the business side. For a start-up, the risk of being audited by the CNIL (National Commission for Information Technology and Civil Liberties) remains low. On the other hand, the CNIL requires companies to work only with compliant organizations that are capable of safeguarding the personal data they process. As a result, by becoming GDPR compliant, you'll be able to unlock a competitive advantage, and therefore win more and more tenders.
In addition, complying with the GDPR allows you to strengthen user trust, as your platform will meet security and privacy standards. It will be able to protect your users' data against breaches and leaks.
CASE STUDY
French Tech 120 startup: LeHibou
LeHibou is a modern, intuitive IT freelance platform that brings together the best IT experts. With more than 500 clients placing their trust in them, the platform offers:
- A comprehensive and intuitive search tool for clients;
- Partnerships and a dynamic ecosystem for their freelance community;
- A Freelance Management System dedicated to buyers from major groups.
LeHibou provides support to guarantee the qualification of the profiles selected, and to find the rare expertise their clients are looking for.
To do this, they collect and process the personal data of freelance users of the platform, such as:
- names,
- first names,
- personal or professional e-mails,
- telephone,
- or offer access and registration via Google or LinkedIn. These accesses use the SSO (Single Sign-On) protocol.
The data collected and processed in various ways must have been validated by freelancers and users. Dipeeo and LeHibou have put in place the technical and legal framework to ensure full compliance of data collection and processing.
Dipeeo is now their referent at the CNIL (National Commission for Information Technology and Civil Liberties) and manages all of the startup's GDPR issues.

2. Commercial prospecting: myths and legal realities
To prospect in accordance with best practices, you need to be familiar with the GDPR rules for two reasons:
- to avoid the risk of sanctions or loss of reputation.
- so as not to be limited in your commercial practices!
Indeed, due to a lack of knowledge, many companies apply false rules that are often just beliefs. For example, the need for consent for B2B prospecting...
It is not mandatory to obtain a person's consent for B2B (business-to-business) prospecting.
To be compliant, you need to choose your databases carefully. In B2C, consent must be explicitly requested prior to prospecting. Otherwise, you're bound to get complaints from some of the people you contact. In this case, you risk a fine of up to 20 million euros or 4% of your sales.
Once you've collected your databases and contacted your prospects, you need to keep within the limits of the data retention periods provided for by the GDPR. For more information on this subject, please see our article on the data retention periods for personal data, which deals with the subject in detail.
By complying with the GDPR, you can show your commitment to protecting the personal data you process. This will boost the confidence of your future clients and will enable you to have longer-lasting relationships with them. Moreover, complying with the GDPR with regard to commercial prospecting offers you the possibility of having better quality databases.
In other words, to be GDPR compliant, you need to ensure that the data you collect is up to date. As a result, the effectiveness of your prospecting campaigns will only continue to improve.
By complying with all these rules, you won't have any complaints or claims, for the simple reason that you'll be more likely to respect your prospects' privacy. Especially since the CNIL (National Commission for Information Technology and Civil Liberties) generally only intervenes if it receives numerous complaints from prospects or clients of an organization that is not compliant.
3. GDPR HR rules: constraints and added value
The subject has become one of the most sensitive as GDPR complaints filed by employees against their employers explode.
Employers must respect basic rules, such as only collecting data that is necessary for the smooth running of the company. In some cases, it may be necessary to carry out an Impact Analysis to determine whether it is indeed possible to collect this information.
Informing employees
Employee information is key.
A comprehensive privacy policy must inform employees of:
- processing of personal data,
- data retention periods,
- different employee rights regarding their data.
Furthermore, the GDPR enhances the employer brand. As an HR argument, GDPR compliance is proof of transparency and credibility, and therefore has a positive impact on candidates and employees. In addition to boosting your employees' confidence, GDPR compliance allows you to have a fairly high level of transparency.
In other words, since the GDPR requires you to provide clear and precise information to your employees, you'll be able to improve the trust and transparency of your practices in terms of personal data protection.
Dipeeo is a SaaS whose mission is to make GDPR simple and accessible by offering an all-inclusive service and end-to-end support. Dipeeo is part of the emerging legaltech trend aimed at simplifying legal matters and making them accessible.
Two other examples of FT120 startups that process personal data
Alan is a health and welfare insurance provider and all-in-one health partner. It is a group that enables teams to work and live life to the fullest thanks to a proactive and holistic approach to health. Among the services it offers:
- Personalized health and wellness coaching;
- Simple, paperless health insurance;
- Unlimited psychological follow-up with qualified psychologists.
"Alan, it's like having a doctor in your pocket..." as one of their clients put it.
Through its service, Alan processes health data, considered sensitive by the CNIL (National Commission for Information Technology and Civil Liberties). This requires GDPR compliance.
Qonto is a regulated payment institution, authorized and supervised by the French Prudential Supervision and Resolution Authority (ACPR). Qonto has more than 350,000 clients and processes their financial data, particularly with regard to:
- Client and supplier invoices;
- Managing team expenses;
- Accounting & Reporting.
This, too, requires GDPR compliance, with a view to securing such processing.