GDPR Compliance: Consent Management and Data Protection

Manage consent, opt-outs and data protection according to GDPR regulations for safe customer communication.


GDPR basics for CRM communication

The General Data Protection Regulation (GDPR) regulates how companies handle personal data. For CRM communication, these rules are crucial.

What is GDPR?

  • EU legislation: in effect since May 25, 2018
  • Purpose: protection of personal data
  • Applies to: every company processing the personal data of people in the EU, wherever the company itself is established
  • Fines: up to €20 million or 4% of worldwide annual turnover, whichever is higher

GDPR Principles for Communication

  1. Lawfulness: you need a legal basis (consent, contract, legitimate interest)
  2. Transparency: clearly communicate why you collect data
  3. Purpose limitation: use data only for the purpose it was collected for
  4. Data minimization: collect no more data than necessary
  5. Accuracy: keep data up to date
  6. Storage limitation: do not retain data longer than necessary
  7. Integrity and confidentiality: store and process data securely

GDPR for Email, SMS, WhatsApp

Email Marketing:

  • Opt-in required for marketing emails
  • Opt-out link mandatory in every email
  • Clear sender identification

SMS Marketing:

  • Explicit consent needed
  • "STOP" functionality mandatory
  • Costs transparently communicated

WhatsApp Business:

  • Opt-in for business-initiated messages
  • Clear communication purpose
  • 24-hour service window: after a customer messages you, free-form replies are allowed for 24 hours; outside that window only pre-approved message templates can be sent

Opt-out and unsubscribe management

Automatic Opt-out Links

Tesoro automatically adds unsubscribe links:

Email Footer:

Don't want to receive marketing emails anymore?
[Unsubscribe] | [Adjust preferences]

{{company.name}}
{{company.address}}

SMS Opt-out:

Reply STOP to no longer receive SMS.

Opt-out Handling

When customer unsubscribes:

  1. Processed immediately: registered within seconds
  2. Consent withdrawn: email/SMS consent = false
  3. Suppression list: the contact goes on the do-not-contact list
  4. Sequences stopped: all active sequences are paused
  5. Notification: the owning agent gets a message

Preference Center

Give customers control:

  1. Link in email footer: "Adjust preferences"
  2. Customer sees form with options:
    • ☑️ New property alerts
    • ☐ Newsletter
    • ☑️ Important news
    • ☐ Promotions and offers
  3. Choose frequency:
    • Daily
    • Weekly
    • Monthly
  4. Save preferences

Opt-out Reporting

Track unsubscribe rates:

  • Go to Reports > Consent & Privacy
  • Dashboard shows:
    • Unsubscribe rate per email
    • Unsubscribe rate per sequence
    • Top reasons for unsubscribing
    • Trend over time

Re-engagement

For a contact who has opted out:

  • No more marketing contact
  • Transactional emails remain OK: e.g. confirmations, invoices
  • Re-opt-in is possible: via a new form submission or an explicit request
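The opt-out handling and the re-engagement rules above together amount to a send gate: suppression and per-channel consent decide whether a marketing message may leave, while transactional messages pass regardless. The block below is an added example in Python, not Tesoro's own code, that models exactly that: channel consent flags, a per-channel suppression list, pausing of all active sequences on opt-out, a timestamped consent history (the kind of record a data export shows), an agent notification, STOP handling for SMS, and re-opt-in lifting the suppression. The Contact and can_send names, the STOP keyword set and the sample contact are assumptions.

```python
"""Consent-aware send gate (added example, not Tesoro's code).

On an unsubscribe or STOP reply the channel consent is set to False, the
channel goes on the contact's suppression list, active sequences are paused,
a consent-history entry is written and the agent is notified. Marketing
sends are then blocked; transactional sends (confirmations, invoices) pass.
Class and field names, the STOP keyword set and the sample data are assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

MARKETING = "marketing"
TRANSACTIONAL = "transactional"
STOP_KEYWORDS = {"STOP", "STOP ALL", "UNSUBSCRIBE"}   # assumed keyword set


@dataclass
class Contact:
    contact_id: str
    consent: dict = field(default_factory=lambda: {"email": False, "sms": False, "whatsapp": False})
    suppressed: set = field(default_factory=set)          # do-not-contact list, per channel
    active_sequences: list = field(default_factory=list)
    paused_sequences: list = field(default_factory=list)
    consent_history: list = field(default_factory=list)   # what the data export shows
    notifications: list = field(default_factory=list)     # messages to the owning agent

    def _record(self, channel, granted, source):
        self.consent_history.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "channel": channel, "granted": granted, "source": source,
        })

    def opt_in(self, channel, source):
        """Re-opt-in via a new form submission or explicit request lifts suppression."""
        self.consent[channel] = True
        self.suppressed.discard(channel)
        self._record(channel, True, source)

    def opt_out(self, channel, source):
        self.consent[channel] = False
        self.suppressed.add(channel)
        # Every active sequence is paused, not only those on this channel.
        self.paused_sequences.extend(self.active_sequences)
        self.active_sequences.clear()
        self._record(channel, False, source)
        self.notifications.append(f"{self.contact_id} opted out of {channel} ({source})")


def can_send(contact, channel, category):
    """Gate every outbound message. Returns (allowed, reason).

    Suppression is checked before the consent flag, so a stale or imported
    consent flag can never override a recorded opt-out."""
    if category == TRANSACTIONAL:
        return True, "transactional: marketing consent not required"
    if channel in contact.suppressed:
        return False, "blocked: channel on suppression list"
    if not contact.consent.get(channel, False):
        return False, "blocked: no opt-in on record for channel"
    return True, "allowed: opt-in on record"


def handle_inbound_sms(contact, body):
    """Process a reply; a STOP keyword is an SMS opt-out. Returns True if handled."""
    if body.strip().upper() in STOP_KEYWORDS:
        contact.opt_out("sms", "inbound STOP reply")
        return True
    return False


if __name__ == "__main__":
    c = Contact("c-1")                        # constructed sample contact
    c.opt_in("sms", "web form")
    c.active_sequences.append("new-listing-follow-up")
    handle_inbound_sms(c, "stop")
    print(can_send(c, "sms", MARKETING))      # (False, 'blocked: channel on suppression list')
    print(can_send(c, "sms", TRANSACTIONAL))  # (True, 'transactional: marketing consent not required')
```

The ordering inside can_send is the point: the suppression list is the authoritative record of an opt-out and is consulted before the convenience consent flag, so a bulk import or a manual edit that flips the flag back to true cannot re-enable marketing to someone who said STOP.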

GDPR Compliance Checklist

Handling data subject requests

Types of Data Subject Requests

Under GDPR, customers have rights:

  1. Right to Access: See all data about them
  2. Right to Rectification: Correct incorrect data
  3. Right to Erasure: "Right to be forgotten"
  4. Right to Restriction: Limit processing
  5. Right to Data Portability: Export data
  6. Right to Object: Object to processing

Request Handling in Tesoro

Access Request:

  1. Customer sends email: "I want to see all my data"
  2. In Tesoro: Open contact → ... menu → Export Data
  3. Choose format: PDF Report (for customer) or JSON (technical)
  4. PDF contains:
    • Contact details
    • Communication history (emails, SMS, calls)
    • Properties viewed
    • Deals
    • Consent history
    • notes
  5. Send it to the customer within one month of the request (GDPR Art. 12(3); for complex requests this can be extended by two further months, provided you tell the customer why)

Deletion Request:

  1. Customer sends email: "Delete all my data"
  2. In Tesoro: Open contact → ... menu → Delete Contact
  3. Tesoro shows a confirmation:
    • "Are you sure? This cannot be undone."
    • "This will delete: Contact, Communication, Notes, Deals"
    • "Properties and Documents remain (legal obligation)"
  4. Tick GDPR Deletion Request so the deletion is logged for the audit trail
  5. Click Confirm Delete
  6. Confirm the deletion to the customer
  6. Confirm deletion to customer

Legal Holds

Some data MUST be retained:

  • Accounting: invoices for 7 years (statutory retention period in the Netherlands)
  • Contracts: signed agreements
  • Legal disputes: for the duration of the proceedings

Tesoro marks this data as "Cannot be deleted (legal hold)".

Request Logging

All data subject requests are logged:

  • 2024-03-15: Access request received
  • 2024-03-20: Data export sent to customer
  • 2024-04-10: Deletion request received
  • 2024-04-11: Contact deleted (GDPR compliance)

Data security and privacy

Tesoro Security Measures

Tesoro protects your data with:

  • Encryption at rest: AES-256 database encryption
  • Encryption in transit: TLS 1.3 for all connections
  • Access control: Role-based permissions (RBAC)
  • Two-factor authentication: 2FA for all accounts
  • Audit logging: All data access is logged
  • Regular backups: Daily encrypted backups
  • Pen testing: Annual security audits
  • SOC 2 Type II: Certified compliance

User Permissions

Limit data access per team member:

  • Admin: Full access
  • Manager: Team data + reports
  • Agent: own contacts and contacts assigned to them
  • Read-only: View only, no editing

Data Retention Policy

Set retention periods:

  1. Go to Settings > Data Retention
  2. Configure per data type:
    • Inactive contacts: 3 years → automatically deleted
    • Email history: 2 years → archived
    • Call logs: 1 year → deleted
    • Closed deals: 7 years under legal hold (cannot be deleted before then)
  3. Tesoro executes automatically
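The deletion-request flow under Handling data subject requests and the retention settings above hinge on the same rule: a record under legal hold is never deleted, whether the trigger is a customer's erasure request or the scheduled retention job, properties and documents survive an erasure request, and every decision is written to the request log. The block below is an added example in Python, not Tesoro's code, that implements that rule over an in-memory store. Record types, field names, the 7-year hold period, the reference date and the sample records are constructed for illustration.

```python
"""Erasure request and retention sweep with legal-hold override
(added example, not Tesoro's code).

A record whose statutory period is still running, or that is part of a
dispute, is "cannot be deleted (legal hold)" for both the erasure request
and the scheduled sweep. Properties and documents survive an erasure
request. Every decision goes to the audit log. Record types, field names,
periods, the reference date and the sample records are constructed.
"""
from datetime import date, timedelta

YEAR = timedelta(days=365)
TODAY = date(2024, 4, 11)   # constructed reference date for the sample data

# Settings > Data Retention, as listed on the page: (period, action after it).
RETENTION_RULES = {
    "contact":  (3 * YEAR, "delete"),    # inactive contacts
    "email":    (2 * YEAR, "archive"),   # email history
    "call_log": (1 * YEAR, "delete"),    # call logs
}
# Statutory minimum retention (assumed 7 years, as for Dutch accounting records).
LEGAL_HOLD_PERIOD = {"deal": 7 * YEAR, "invoice": 7 * YEAR}
# Not personal data of the requester; kept on an erasure request.
KEEP_ON_ERASURE = {"property", "document"}


def on_legal_hold(record, today=TODAY):
    """True while the statutory period runs or a dispute is flagged."""
    period = LEGAL_HOLD_PERIOD.get(record["type"])
    if period is None:
        return False
    return today - record["last_activity"] < period or bool(record.get("dispute"))


def process_erasure_request(store, contact_id, today=TODAY, audit=None):
    """Right to erasure: delete the contact's records except held ones and
    KEEP_ON_ERASURE types. Returns (deleted_ids, held_ids)."""
    audit = [] if audit is None else audit
    deleted, held = [], []
    for rec in list(store):          # copy: the store is mutated while iterating
        if rec["contact_id"] != contact_id or rec["type"] in KEEP_ON_ERASURE:
            continue
        if on_legal_hold(rec, today):
            held.append(rec["id"])   # shown to the agent as "cannot be deleted (legal hold)"
            continue
        store.remove(rec)
        deleted.append(rec["id"])
    audit.append((today.isoformat(), contact_id, "GDPR deletion request",
                  f"deleted={sorted(deleted)} legal_hold={sorted(held)}"))
    return deleted, held


def retention_sweep(store, today=TODAY, audit=None):
    """Scheduled job: apply RETENTION_RULES to records past their period.
    Returns {record_id: action}. Held types have no rule and are untouched."""
    audit = [] if audit is None else audit
    actions = {}
    for rec in list(store):
        rule = RETENTION_RULES.get(rec["type"])
        if rule is None or rec.get("archived") or today - rec["last_activity"] < rule[0]:
            continue
        action = rule[1]
        if action == "delete":
            store.remove(rec)
        else:
            rec["archived"] = True
        actions[rec["id"]] = action
        audit.append((today.isoformat(), rec["contact_id"], f"retention:{action}", rec["id"]))
    return actions


def sample_store(today=TODAY):
    """Constructed sample records, not real customer data."""
    def ago(years):
        return today - years * YEAR
    return [
        {"id": "c1", "type": "contact",  "contact_id": "c1", "last_activity": ago(0.5)},
        {"id": "e1", "type": "email",    "contact_id": "c1", "last_activity": ago(2.5)},
        {"id": "k1", "type": "call_log", "contact_id": "c1", "last_activity": ago(1.5)},
        {"id": "i1", "type": "invoice",  "contact_id": "c1", "last_activity": ago(3)},
        {"id": "d1", "type": "deal",     "contact_id": "c1", "last_activity": ago(8)},
        {"id": "p1", "type": "property", "contact_id": "c1", "last_activity": ago(0.5)},
        {"id": "c2", "type": "contact",  "contact_id": "c2", "last_activity": ago(4)},
    ]
```

Run against the sample store, an erasure request for c1 deletes the contact, its email, call log and the 8-year-old deal, refuses the 3-year-old invoice as held, and leaves the property untouched; the sweep archives the 2.5-year-old email and deletes the 1.5-year-old call log and the 4-year-inactive contact c2, each with its own audit line.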

Data Processing Agreement (DPA)

Tesoro offers GDPR-compliant DPA:

  • Download via Settings > Legal > DPA
  • Sign and upload
  • Required for EU companies
  • Describes responsibilities

Data Breach Protocol

If data breach occurs:

  1. Detection: Tesoro detects the breach
  2. Notification: you are informed within 24 hours
  3. Assessment: impact analysis
  4. Reporting: if required, report to the supervisory authority within 72 hours of becoming aware of the breach (this obligation is yours as controller; Tesoro, as processor, must notify you without undue delay)
  5. Mitigation: measures to limit the damage
  6. Communication: inform affected customers when the breach is likely to result in a high risk to them

Related articles

  • Communication Center: All Channels in One Place (Communication, 5 min): manage emails, SMS, WhatsApp and calls from one unified inbox.
  • GDPR and Privacy: Protecting Contact Data (Contact Management, 6 min): understand how Tesoro helps you stay GDPR-compliant and protect contact data.
  • Setting Up Email Integration: Gmail and Outlook (Communication, 8 min): connect your Gmail or Outlook account to Tesoro via secure OAuth authentication.
  • Setting Up Automated Follow-up Sequences (Communication, 8 min): create smart follow-up workflows that automatically trigger emails, SMS and tasks at the right time.

Frequently Asked Questions

Do I need consent for transactional emails?
No. Transactional emails (confirmations, invoices, password resets) rest on another legal basis (performance of a contract or legitimate interest) and do not need marketing consent. You must still always reference your privacy policy.

How long can I retain contact data?
As long as there is a legitimate reason: an active sales relationship, an ongoing deal, contractual obligations. GDPR itself sets no fixed period; Tesoro's default for inactive contacts without deals is 3 years, after which the data must be deleted unless the customer renews consent.

What if I accidentally send a marketing email to someone who opted out?
Tesoro automatically blocks sending to contacts with an opt-out. If it happens anyway: (1) apologize immediately, (2) confirm they are on the suppression list, (3) document the incident. A one-off error is usually not treated as a GDPR violation; a systematic one is.