This article is here to show you how the GDPR is managed in Qomon and what good practices we recommend you implement within your organisation.

The article particularly addresses the roles of super admin (organization pack), admin, and staff members within the Qomon platform, because these roles are responsible for managing certain parameters on the platform (contact info, tags or keywords, surveys, status, etc.) and invite members of their teams to Qomon by assigning them a role, which may give more or less (if any) access to personal data (see the different roles in Qomon).

The data collection must be fair and lawful, carried out for specific purposes (a fundraising campaign, an NGO awareness campaign, a consultation, an electoral campaign, a political movement, etc.), explicit (you must express the context to your interlocutor) and legitimate. Moreover, the data collected must be adequate and not excessive in terms of your purpose, kept in a format that allows the identification of people, and for a period that is necessary for the purposes (subject to legal duration).

ON QOMON

Every time you add a person, a survey, we remind your teams to clearly state the context of the collection with this "Pop Up".

We also ask you to confirm the person’s consent by checking a checkbox, which is not pre-selected, for each channel of communication (sms and email). Therefore, it is a consent per channel.

All the information then appears in the Qomon table which allows for each personal data to define and keep the information on: its origin (a file import, a survey, an addition), the time stamp (date and time), the consent, and the identity of the person who collected the consent or imported the data. You can then track the origin and evolution of personal data, their context, and the details of consent.

Most of you use an external email system either by clicking on "Send Email" on the platform (people database tab); it is then your default email platform that is launched (outside of Qomon), or through one of our APIs (integrations) with Mailchimp, Mailjet, SendingBlue, or Nationbuilder. It is within these external platforms that the GDPR is managed and that there is a possibility of opting-out.

You have an unsubscription system at the bottom of each email (opt-out system) that removes the email from the database.
You can also modify the footnotes of the email to supplement with context information.

You automatically have the "Stop SMS" function, which allows you to unsubscribe from the broadcast messages. However, depending on the nature of the message, you can remove this notice.

You certify the origin of your files as indicated on this declaration.

The person from whom you have collected data about them has a right of access to these data defined as the "right to ask to obtain information on the data held concerning them, as well as the purposes and transfers". 

You then have 2 months to reply.

The person can request a rectification on the data or oppose a treatment or a transfer of these data unless the data is considered public or if a treatment meets a legal obligation.

 go on your contact database, select all of the columns of the export, and export all of the data which you have on the person (this is where you may also find old completed surveys, for example).

You can also contact our support team or our Data Protection Officer ([email protected]) to obtain this export of the table, which is a sort of personal data registry on the person describing the movements and treatments.

In the case where Qomon receives a request for access to personal data, not being the owner of the data, we promptly transfer the request to you.

Should you wish to permanently delete the data concerning a person (at the request of the person or on your own), all you have to do as an admin is to permanently delete the person's card from the contact database.

Look out! Only admins or super admins can do most of these things.

You own the personal data on the Qomon platform. As such, you must be able to export all of the personal data from your space at any time.

You can do this from the "contact database" space, as shown below.

Qomon implements a number of processes to ensure the security of personal data such as "containerization", the encryption of personal data or the limited access to sensitive personal data for “ad hoc members”, or also the regular purge of passwords.

Moreover, our interfaces integrate a number of barriers (which can sometimes be a bit annoying for some users, they are there to ensure the respect of the rules or the principles of people’s rights and private life).

For example: a member cannot return to a card or search for a card in the contact database from the mobile app. If they are a member, personal data can only be accessed in a funnel: each person - if she/he has access to personal data - only has access to it in the context of a precise and adequate use. Then, the application does not allow some parameter filters (such as one’s origin), or the addition of tags from a mobile (see the article), etc.

You must also inform people about the treatment or eventual data transfers you may make.

At Qomon, for example, we inform our users in our Terms of Use, which we inform updates by email.

There are different roles in Qomon. Some roles, such as “member”, do not allow access or very limited access (like “field organizer”) to personal data. Find details here.

Give proportionate access to information within your team and remember that a member of your team (even if she/he is a volunteer) is under the responsibility of your organisation. It similar to an employee and company relationship.

During your first connection, the web platform will remind you of this!

You are an admin or super admin. With great power come great responsibility. In particular, you have access to your organization’s parameters, from which you can define status (there are some by default), contact forms, surveys, or tags for your entire organization)

We too, at Qomon, have a DPO: Julien. You can contact him at [email protected]

In the end, keep in mind that the use of a platform is much more virtuous than the old systems of paper or excel files that just keep piling up!

The software keeps the trace of the origin, the timestamp of the consent, the possibility of permanently deleting a contact (without dragging elsewhere), of centralizing the data, thus of being able to fully inform an individual of all the data you have on them! The systems are much more transparent and virtuous than old practices.