gdpr bpm'online compliance

GDPR & Creatio

Creatio is a process-based CRM company with roots in Europe. The company ensures they are processing data and offering security options that align with GDPR requirements. Creatio recognizes its role as both a data controller and data processor, depending on the situation. They break down their compliance perspectives into three areas:

Creatio as a Data Processor

As a processor, the company has an assigned data protection officer (DPO) to respond to requests for blocking personal information from processing. Individuals, controllers, or supervisory authorities who’d like to contact the DPO can do so via a form on the bpm’online website or through direct mail. Personal data is collected from Web forms, with the consent of the data subject. Creatio does not endorse the collection of personal data through any “indirect” means such as purchasing contact lists. Privacy policy statements are available at

As a processor, the company also holds accountability for up-to-date security policies and regulations. Data protection policies such as pseudonymization are in effect and regular information impact security assessments are scheduled regularly. If an impact assessment indicates that processing would be high-risk in the future, the company’s DPO conducts consultations on it.

Creatio uses technical and organizational measures for information security. Their Cloud-based SaaS platform is accessed via a secure connection and uses encryption to store all personal data on the database side.

Creatio as a Data Controller

As a controller, Creatio offers several tools that allow a DPO to maintain compliance and provide data subjects with a copy of their personal information. Some of these tools include:

  • Global search and filters
  • Ability to create a DPO workplace
  • Deletion functions
  • Change logs to keep track of processing alterations
  • Storage & access tools
  • Information portability functions
  • Customer portal accessibility
  • Ability to export list data for data subject requests
  • MS Word report templates for data subject requests
  • Attachments and notes for data subject requests
  • Record permissions and editing
  • Ability to create object permissions
  • Landing pages and Web forms
  • Ability to establish organizational roles
  • Audit and change logging
  • Section wizard to add necessary subject information

The company also performs data protection risk assessments as a controller. After Creatio did initial impact assessments, they preemptively instituted several “mitigation measures” to prevent any high-risk processing activities.

Your Organization’s GDPR Compliance as a Data Processor Through Creatio

Creatio wants its customers to understand what’s expected of them as a data processor. Any company using bpm’online is a data processor because they are keeping information on subjects. The company recommends appointing a DPO, which may not be applicable to all businesses. However, if an organization decides it is necessary to hire a DPO, that DPO should create a DPO workplace within Creatio. The organization should also make it easy for individuals to contact the DPO about their data.

It’s important for companies to use their CRM to set up audit and change logs as well as logging on the DBMS level. Make sure those functions are enabled in your Creatio instance. Any publicly available privacy statements should be reviewed for GDPR compliance and gone over with customers. Creatio stresses the importance of companies understanding the sources of their data and having information security policies and regulations in place.

To comply with the GDPR requirements for data protection by design/default, organizations must also audit their information security risks. Are there companies you work with that act as joint controllers of your data? Mutual responsibilities must be agreed on.

As a data processor, your company is responsible for obtaining consent from any other processors or controllers as well. Data Protection Officers will need to demonstrate GDPR compliance at all levels if ever asked by a supervisory authority. Additional GDPR compliance measures include:

  • Setting up user and role structure/access rights
  • Making sure https is enabled
  • Using encryption tools on the DBMS level
  • Conducting data protection impact assessments (Deeper assessments will be necessary for organizations using the on-site version of the software.)
  • Informing individuals about their rights to lodge a complaint with a supervisory authority via your website, license agreements, or another preferred means

To learn more about bpm’online’s GDPR compliance, please reference this PDF or visit their GDPR webpage.

Danine Midura's picture
Danine Midura
Director of Marketing

Danine is the Director of Marketing for Technology Advisors Inc. She spearheads TAI events, marketing campaigns, and social media efforts. Prior to her work at TAI, Danine was a copywriter in the B2B publishing industry. Her interests include blockbuster disaster movies, tank tops in an array of colors, used book stores, Clint Eastwood, and being surrounded by trees. 

Related Articles

March 22, 2018

What is Infor CRM doing to prepare its system for the GDPR? Let’s take a quick look at how Infor is approaching GDPR compliance and the steps its teams are taking to ensure success.

March 14, 2018

GDPR is fast approaching, and as companies prepare, they are assessing not only their own data, but the systems that house that data. One of the biggest software investments for companies across all industries is CRM. In the next few weeks, we’ll look at some of the major CRM systems and how they are preparing their products for GDPR compliance — starting with SugarCRM. Here’s what we know about Sugar’s plans for GDPR compliance.