Data protection by design and by default

In order to comply with Article 25 of the GDPR, which provides for the principle of ‘privacy by design & by default’, we have developed the management part of the Smartprofile data model. Thus, the feature allowing the setting of personal data for your account now also allows:

Integrate the strongest data protection measures in your project design. The objective is thus to be able to minimize, with more restrictive formats, the values collected in the solution (for example: birthday date fields: day and month without year if this is not necessary).

Ensure the most protective measures for hosted personal data throughout the project, such as the implementation of a highly secure password policy or the implementation of controls or access to data or the limitation of the lifetime of the data.

To go further, we have implemented for all the data in Smartprofile the management and the parameterization of the following processes.

To ensure that Smartprofile is fully compliant with your personal data management policy, we have updated our platform.

This update consists of the management of the data collected and managed in Smartprofile so that the management of each data associated with your processes is in accordance with the following main principles of the GDPR.



The data present in the database and linked to a natural person may be anonymized in a personalized manner. This ensures the protection of individuals while maintaining the ability to access statistics or history on data that can no longer be linked to a person.

Automatic processing is carried out daily to apply these rules and to ensure that the settings are correctly taken into account.



Similarly, a custom archiving process has been put in place to keep data separate and inaccessible because it is no longer of interest but should not or cannot be deleted immediately.

The length of time from which the data are archived is variable and depends on the nature of the data and the purposes of the processing.



A method for purging the data has also been developed to allow the setting, for each data item, of a delay to perform a total and definitive deletion of this data. Thus, data after x days, weeks, months or years will be purged, i.e. permanently deleted from the database.

This delay is fully configurable to match your policy.

This method also makes it possible, by purging the data from the database and archives, to be able to trigger semi-automatically the erasure of the data attached to an individual at his request within the framework of the right to be forgotten.


Who owns the data?

Contractually, Smartprofile acts as a subcontractor on behalf of our customers on whose behalf the solution is deployed.

Thus, the data collected in Smartprofile is the sole and full property of our customers who act as controller in the context of the service we perform.

All data collected and processed by Smartprofile is therefore the property of our customers, who have sole ownership, control and enjoyment of it.

We undertake never to transmit or communicate the data collected on behalf of a client to a third party except at its express request, in particular in the context of the certification of its audience with the ACPM.


What are the rights of users?

With the GDPR, users have rights to manage their personal data:

Easy access to their data.

An opportunity to modify / rectify / delete their data.

The right to be forgotten by asking for the total deletion of their data, including copies and archives.

The right to portability.

The right to limit the treatment concerning you.


To guarantee these rights of individuals, the solution is set up so that users or teams of Smartprofile can manage all of these actions for each contact:





The principle of the right to be forgotten has been implemented in Smartprofile by purging data made at the request of a user for a contact or by the contact directly.

Contacts of Smartprofile users can request access to view and modify or delete their data or to be forgotten. This request must be made either to the user (company) who collected the data or online at Smartprofile at

Your requests will be processed within 30 days in accordance with the regulations