GDPR compliance

GDPR compliance

      Achieving compliance with the General Data Protection Regulation (GDPR) is a cornerstone of our commitment to data security and confidentiality at Magnétis.

This documentary base has been crafted to offer a transparent and detailed overview of the documents, procedures, and actions implemented to ensure our compliance with the GDPR. From the meticulous collection of data to its secure processing, every facet of our approach is documented to reflect our dedication to protecting the personal information of our clients and users.

By making this article available, Magnétis underscores its commitment to fostering a culture of data protection, ensuring responsible management in line with the strictest European standards.

1. Record of Processing Activities

This document is pivotal for GDPR compliance. It enumerates all personal data processing activities conducted by Magnétis, including the purposes of processing, the categories of data processed, and the recipients of the data.

The processing activities are listed in the table below. Each process also has a detailed internal datasheet at Magnétis.
Processing ActivityPurpose of ProcessingSensitive Data ?
ActivityN° / RefCreated atUpdated atYes / No
Magnetis Client Account ManagementFR-00110/5/201818/1/2024Client Management, Collection of contact details of business clients (B2B) and the company's responsible personNo
Management of Client Sub-AccountsFR-00210/5/201818/1/2024Management of client sub-accounts created by network clients and partner clients (communication agencies, consulting firms). Organization of data through compartmentalizationNo
Access Management to the Magnétis PlatformFR-00310/5/201818/1/2024Access management to client accounts and sub-accountsNo
Management of Transferred Telephone Call DataFR-00410/5/201818/1/2024Statistics Management, Collection of incoming call data on tracked numbers provided to clients. Compilation of the call log. Compilation of overall statistics (volumes) by communication channelNo
Web Module ManagementFR-00510/5/201818/1/2024Web module management for displaying tracked numbers based on the origin channel of the web visitor or the individualized visitorNo
Billing ManagementFR-00610/5/201818/1/2024Billing Management, sending of invoices (email), monitoring of client payment balances, remindersNo
Prospect ManagementFR-00710/5/201818/1/2024Prospect Management, monitoring of relational events (meeting, telephone exchanges, and email)No
Payment ManagementFR-00812/3/201918/1/2024Online payment management, debits on bank cards, and SEPA direct debitNo
Email Tracking ManagementFR-00912/3/201918/1/2024Statistics Management, Collection of individual received emails and consultation of volume statistics by communication channelsNo
Technical Support ManagementFR-01029/11/201918/1/2024Technical support management, monitoring of client onboarding, assistance with installation and configurationNo
Phone Call RecordingFR-01112/12/201918/1/2024Collection of phone call recordings, consultation of audio filesNo
Payroll and HR ManagementFR-01212/12/201918/1/2024Payroll Management, Calculation of remunerations, Calculation of payment amounts sent to social organizationsNo
SMS Sending on Lost CallsFR-01312/9/202329/3/2024Management of telephone numbers, network events, and click eventsNo
Landing Pages with Form ManagementFR-01412/9/202329/3/2024Consent management, collected data management, and notification of receiptNo

2. Privacy Policy

Our Privacy Policy is available at the following link, explaining how Magnétis collects, uses, and protects the personal data of individuals and its users: Magnétis Privacy Policy [https://www.magnetis.fr/politique-de-confidentialite/]

The General Terms and Conditions of Use (GT&C), although primarily focused on defining the terms of use of a service or product, play a significant role in the context of the GDPR: General Terms and Conditions of Use of the service [https://app.magnetis.fr/console/assets/cgv/cgv-cgu-magnetis.pdf]

3. Information Notices

These elements inform individuals at the time of collecting their personal data about the use that will be made of this data, the legal basis for processing, and their rights under the GDPR. The collection of commercial data and prospecting is conducted through our product forms and contact forms on our website www.magnetis.fr:
  1. Request for demonstration link: Magnetis (Finesime SARL) processes your personal data to enable you to obtain a demo of our call-tracking platform and information about our solutions. To learn more about the management of your personal data and to exercise your rights, please refer to our Privacy Policy.
  2. Downloading of whitepapers and pricing: Magnetis (Finesime SARL) processes your personal data to enable us to send you information, including pricing, regarding our call-tracking platform and the services offered. To learn more about the management of your personal data and to exercise your rights, please refer to our Privacy Policy.
  3. Contact form: Magnetis (Finesime SARL) processes your personal data to allow us to contact you back and answer your questions. To learn more about the management of your personal data and to exercise your rights, please refer to our Privacy Policy
When a user subscribes to our call-tracking platform via the link https://app.magnetis.io/register, accepting the general terms and conditions of use of the service confirms the information and acceptance by our clients of the clarification of roles and responsibilities, information on data processing, users' rights, data security, consent in the use of certain services, and the logic of modifications and updates to these conditions.

In the context of our SMS alert service with contact landing page (SMS/LP), specific conditions apply when collecting contact information from callers. You can find these elements in the dedicated article Compliance of the SMS/LP feature [https://support.magnetis.io/portal/en/kb/articles/compliance-sms-lp-feature].

4. Data Processing Agreements

When we engage subcontractors to process personal data on our behalf, we ensure that these relationships are governed by contracts specifying each party's data protection obligations.

We have Data Processing Agreements (DPAs) with our subcontractors, including:
  1. Infrastructure and Cloud service providers
  2. Telephony providers
  3. Providers of solutions for managing our corporate data, especially our CRM suite, online storage, and email messaging systems
  4. SMS sending providers
  5. Online payment solution providers
  6. Partners with whom we exchange data via streams or SFTP
We ensure that the data processing addendums cover the following points:
  1. GDPR Compliance: That data processing activities are in full compliance with GDPR requirements. This includes securing data, limiting processing to what is explicitly authorized by the data controller, and ensuring sufficient rights for the individuals concerned.
  2. Clarification of Responsibilities: The addendum clearly defines the responsibilities and obligations of each party in terms of data protection, thus reducing the risk of misunderstandings and increasing the transparency of data processing.
  3. Security Measures: It details the specific technical and organizational measures that the subcontractor must implement to protect personal data against unauthorized access, loss, or disclosure.
  4. Data Breach Management: Provisions on how data breaches are managed and communicated, including notification obligations to the supervisory authorities and, where applicable, to the affected individuals.
  5. Subcontracting: It specifies the conditions under which the subcontractor is allowed to engage additional subcontractors and the obligations associated with this process.
  6. International Transfers: When personal data is transferred outside the European Economic Area, the addendum must ensure that these transfers comply with the strict conditions of the GDPR for international data transfer.
Within the framework of our call-tracking service, the personal data processing activities carried out by our company are not systematically subject to obtaining the consent of the individuals concerned, in accordance with the General Data Protection Regulation (GDPR). Indeed, the GDPR recognizes several legal bases for processing personal data beyond consent. For the operation of our standard call-tracking service, we primarily rely on the legal basis of legitimate interests pursued by our company or our clients. This approach is justified by the need to analyze telephone interactions to improve service quality, optimize communication strategies, and provide effective customer support. We ensure that the assessment of legitimate interests is meticulously conducted to ensure that they do not override the rights and freedoms of the individuals concerned, in line with the requirements of the GDPR.

However, the use of the call-tracking module with visitor journey tracking installed on the website requires the implementation of visitor consent tools.

Our call-tracking web module use the following cookie to achieve the service : 
NameDescriptionDelay
mgt_visitorMagnetis Cookie. Universally Unique Identifier30 days

This consent must be obtained in compliance with the guidelines of July 4, 2019, adjusted to reflect the decision of the Conseil d’État (Council of State) of June 19, 2020. We recommend adding a paragraph in your privacy policy dedicated to pre and post-call processing (cross-referencing with third-party tools, using the caller's number, etc.). You may contact your account manager to provide you with the standard clauses we use with our clients. To facilitate the collection, management, and justification of consent, we recommend the following dedicated tools:
  1. Piwik Pro - https://piwikpro.fr/gdpr-consent-manager/
  2. Axeptio - https://www.axeptio.eu/fr/home
  3. Didomi - https://www.didomi.io/fr/

6. Technical and Organizational Measures

To ensure the proper functioning of its services and their operational maintenance, Magnétis has implemented the following actions or tools :
  1. Hosting of Personal Data on servers located within the European Union on the territory of a member country;
  2. Awareness-raising among its personnel who handle Data of Data Subjects, notably through a Charter relating to the use of data and IT resources of the company;
  3. User authentication devices with personal and secure access via robust, confidential, and regularly changed usernames and passwords;
  4. Authorization management procedure (definition and review of authorization profiles according to the profile of users of its information system, removal of obsolete accesses);
  5. Access tracking devices, connection logging, incident management, and, where appropriate, encryption of certain Personal Data;
  6. Regular implementation of internal audits and, where appropriate, differentiated penetration tests to control and evaluate the effectiveness of the security measures in place;
  7. Physical security of premises (codes, keys, and access badges) and workstations (automatic session locking, antivirus, and firewall).
  8. Encryption of storage tools in the Cloud and on machines
  9. Systematic encryption of web exchanges (https)
  10. Centralization of antivirus management, malware monitoring, and system updates
  11. Online (XTS-AES 256-bit) and offline (with 7-digit hardware authentication) backup and restoration tools
  12. Automated backup plan based on policies
  13. Business Continuity Plan
  14. Ongoing training plan for teams on cyber risks and data management
  15. Cyber Risk insurance
These elements are the subject of detailed internal documentation.

7. Data Breach Register

The register is structured to contain details of any personal data breach, including the effects and corrective measures taken. It is crucial not only for internal management but also for obligations to notify the supervisory authorities. In the event of a Data Breach, Magnetis undertakes to notify the CNIL in accordance with the requirements of the Applicable Regulations and, if said breach poses a high risk to the Data Subjects, to inform them and provide them with any necessary information and recommendations. Notification will be made via the dedicated online service https://notifications.cnil.fr/notifications/.

Internally, documentation of any personal data breach is structured according to the following points:
  1. The nature of the breach
  2. If possible, the categories and approximate number of individuals affected by the breach
  3. The categories and approximate number of personal data records affected
  4. Description of the likely consequences of the data breach
  5. Description of the measures taken or planned to prevent recurrence of this incident or mitigate any negative consequences.
The breach register is currently empty.

8. Procedures for the rights of data subjects

Magnétis has established procedures to enable individuals to exercise their rights under the GDPR, such as the right of access, rectification, erasure, and data portability.

Any individual directly or indirectly using the call-tracking service can submit their request through the following form: https://www.magnetis.fr/formulaire-acces-donnees/

Magnétis undertakes, based on the recommendations of the CNIL, to respond within a maximum period of one month from the date of receipt of the request.

9. Data Protection Impact Assessment (DPIA)

Our call-tracking service has been designed and implemented with particular attention to privacy protection and data security, meticulously adhering to the principles of the GDPR.

After a thorough assessment of our data processing processes, we have concluded that a Data Protection Impact Assessment (DPIA) is not necessary in our case. This decision is based on the finding that our processing activities do not present a high risk to the rights and freedoms of data subjects. Indeed, the data processed within the scope of our call-tracking service is limited to essentially technical information and does not involve sensitive data or pose a risk to individuals' privacy.

Furthermore, our security measures and privacy practices ensure effective protection against unauthorized access or misuse of data. Consequently, in accordance with GDPR guidelines, we consider that our proportionate approach and risk assessment justify the absence of the need to conduct a DPIA for our service.

10. Data Retention Policy

This policy sets out the retention periods for different categories of personal data, in alignment with legal obligations and operational needs. The management of retention periods is automated and daily.

The main processes in place for data retention are :
Affected DataRetention PeriodCustomizableImpact on Application DatabaseImpact on Hardware Storage
Aggregate of application, commercial management, and prospecting data3 years after the last usageNoYesYes
CSV files - Lost calls alerts7 daysNoNoYes
CSV files - Synthesis reports7 daysNoNoYes
SFTP files25 days by defaultYesNoYes
Recording audio files25 days by defaultYesNoYes
Voicemail audio files25 days by defaultYesNoYes
API logsIn database : 25 last calls per API key. Then uploaded to the hardware storageNoYesYes
Webhook logsIn database : 25 last calls per API key. Then uploaded to the hardware storageNoYesYes
Web module and user eventsIn database : 30 days by default. The client can customize this duration in the interfaceYesYesNo
Email-tracking25 days by default if content collection is enableYesYesYes

11. Assessment of the level of security of personal data

The overall assessment of the level of security of personal data is conducted following the Data Security Guide provided by the CNIL and based on the guidelines of the ISO 27001 standard. A summary of the processing statuses for each point is available in the table below:
SubjectMeasureState
1
Managing Data Security
Making security a shared concern and a priority for the management teamValidated
Regularly assessing the effectiveness of implemented security measures and adopting a continuous improvement approachValidated
2
Defining a framework for users
Drafting an IT charter including the terms of use of IT systems, security rules, and existing administrative measuresValidated
Giving the charter binding force and reminding of the sanctions incurred in case of non-complianceValidated
3
Engaging and training users
Raising awareness among individuals handling dataValidated
Adapting the content of awareness sessions to the targeted audience and their tasksValidated
4
Authenticating users
Assigning a unique identifier ("login") to each userValidated
Adopting a password policy compliant with CNIL recommendationsValidated
Requiring users to change their automatically assigned or administrator-assigned passwordEnhancement
5
Managing authorizations
Defining authorization profilesValidated
Removing outdated access permissionsValidated
Conducting an annual review of authorizationsValidated
6
Securing workstations
Implementing an automatic session lock procedureValidated
Installing and configuring a software firewallValidated
Regularly using updated antivirus softwareValidated
Obtaining user consent before any intervention on their workstationValidated
7
Securing mobile computing
Raising awareness among users about specific risks related to nomadismValidated
Implementing encryption methods for mobile devicesValidated
Requiring a password for unlocking smartphonesValidated
8
Protecting the computer network
Limiting network traffic to what is strictly necessaryValidated
Securing Wi-Fi networks, especially by implementing the WPA3 protocolValidated
Securing remote access to mobile computing devices through VPNValidated
Segmenting the network, including by setting up a DMZ (demilitarized zone)Enhancement
9
Securing servers
Uninstalling or disabling unnecessary services and interfacesValidated
Limiting access to tools and administrative interfaces to authorized personnel onlyValidated
Promptly installing critical updates after testing, if necessaryValidated
10
Securing websites
Securing data exchange flowsValidated
Ensuring that no confidential or personal data passes through URLsValidated
Verifying that user inputs match what is expectedValidated
11
Supervising IT developments
Taking data protection into account from the design stageValidated
Offering privacy-respecting settings by defaultValidated
Conducting thorough tests before making a product available or updating itEnhancement
Using fictitious or anonymized data for development and testingValidated
12
Protecting premises
Restricting access to premises using locked doorsValidated
Installing intrusion detection alarms and periodically checking themValidated
13
Securing external exchanges
Encrypting data before transmissionValidated
Ensuring that the correct recipient is targetedValidated
Transmitting the password separately and through a different channelValidated
14
Managing subcontracting
Including specific clauses in subcontractor contractsValidated
Providing conditions for the return and destruction of dataValidated
Ensuring the effectiveness of the planned guarantees (e.g., security audits, visits)Validated
15
Supervising hardware and software maintenance and end-of-life
Recording maintenance interventions in a logValidated
Supervising third-party interventions by an organization's representativeValidated
Erasing data from any equipment before disposalValidated
16
Tracking operations
Planning a logging systemValidated
Informing users about the implementation of the logging systemValidated
Protecting logging equipment and logged informationValidated
Regularly analyzing traces to detect incidentsValidated
17
Backing up
Performing regular backupsValidated
Protecting backups, both during storage and transportationValidated
Regularly testing the restoration of backups and their integrityIn progress
18
Planning for business continuity and recovery
Planning for business continuity and recoveryValidated
Conducting regular exercisesIn progress
19
Managing incidents and breaches
Handling alerts raised by the logging systemValidated
Providing internal procedures and responsibilities for incident management, including the procedure for notifying regulators of personal data breachesValidated
20
Risk analysis
Conducting a risk analysis, even minimal, on the envisaged data processingEnhancement
Monitoring the progress of the action plan decided after the risk analysis over timeEnhancement
Regularly reviewing the risk analysisEnhancement
21
Encryption, hashing, signing
Using recognized and secure algorithms, software, and librariesValidated
Securely storing secrets and cryptographic keysValidated
22
Cloud: Cloud computing
Including cloud services in the risk analysisValidated
Evaluating the security provided by the supplierValidated
Ensuring the distribution of security responsibilities in the contractValidated
Ensuring the same level of security in the cloud as on-premisesValidated
23
Mobile applications: Design and development
Taking into account the specificities of the mobile environment to reduce collected personal data and limit requested permissions
Encapsulating communications in a TLS channel
Using the cryptographic suites of the operating system and hardware protections for secrets
24
Artificial intelligence: Design and learning
Adopting applicable security best practices for software developmentIn progress
Ensuring the quality and integrity of data used for learning and inferenceIn progress
Documenting the operation and limitations of the systemIn progress
25
API: Application programming interfaces
Organizing and documenting access security to APIs and dataValidated
Limiting data sharing only to intended individuals and purposesValidated

12. Contact our DPO  

For any further information, you can address your requests via the contact details below or through the Magnétis team.
  1. Par mail : Magnetis –Demande RGPD – 47 rue de Bitche, 92400 Courbevoie, France

    • Related Articles

    • Conformité RGPD - Base documentaire

      La mise en conformité avec le Règlement Général sur la Protection des Données (RGPD) est un pilier essentiel de notre engagement envers la sécurité et la confidentialité des données au sein de Magnétis. Cette base documentaire a été conçue pour ...