Can data subject rights be raised through Portals?
Yes, the data subject can raise a request for their data rights through Portals.
Can the data subject use Portals to update his/her consent?
Yes, the data subject can update his/her consent through Portals.
Can I add a record that has been previously blocklisted back into CRM?
Yes, a record which has been previously blocklisted can be added again as a new record in CRM. Before you add the record, you will receive an alert saying it was previously blocklisted.
What is waiting period?
It is the amount of time you would like to wait, for a response to your consent email. The organization can set this waiting period. Once this waiting period is exceeded, all processing activities related to the record will be stopped.
Where can I update the data processing basis?
You can update the data processing basis for customers in the record details page. To do this, click on the Data Privacy tab, select or edit the data processing basis. The third way is through the consent overview dashboard. Go to Setup > Compliance Settings, click on the Overview tab, select the records and update the data processing basis.
How can I restrict personal data from being shared?
To restrict personal data from being shared:
Go to Setup > Users and Control > Compliance Settings.
Click on the
Personal Data Handling
, select where you would like to restrict the data transfer (Zoho Apps, third-party apps, APIs, export).
Can I restrict personal data from being accessed outside Zoho CRM?
Yes, you can restrict the data subject's personal data from being accessed outside Zoho CRM. Once you've marked the data as personal and sensitive, you can:
Restrict data transfer to Zoho Apps/Integrations.
Restrict data access through APIs.
Restrict Data in Export.
Restrict Data Access to third-party apps.
I am using Zoho CRM, Survey and Campaigns. I have created a consent form, but cannot see alerts when a customer has already consented. Will I also receive notifications when the data is pushed into Campaigns from Zoho CRM?
The moment you get consent from your customers through the consent form in Zoho Campaigns, the data processing status changes to
You can view all the contacts who have given consent by clicking on
Subscribers > Manage Consent > Expressed.
You can also create a segment by creating the criteria 'O
pt-in is true'
and filter out those contacts who have given consent.
To create this segment, click on
Subscribers > Mailing List > Create segment
. There are currently no push notifications to push the consent from
Zoho Campaigns to CRM,
but it will be made available soon.
We are based in the US and have and have clients from both the USA and Canada. Will GDPR have any impact on us?
GDPR applies in those scenarios when:
Your organization processes personal data of data subjects who are in the EU, irrespective of the company's location.
Your organization offers goods/services to data subjects in the EU.
Your organization monitors data subjects who are in the EU.
If you fall under any of these categories, GDPR applies to your organization.
How do I enable double opt-in for my web form?
To enable double opt-in:
Setup > Developer Space > Webforms > Create Web Form
Drag and drop the fields that you want in your web form.
. In the
page, enter the relevant form details.
Enable Double Opt-In
slider and save the changes.
Can the fields in subforms also be marked as personal?
Yes, you can also mark those fields which are supported for processing in subforms as personal.
Once I've marked my data as personal, how will it affect data processing?
When you mark your data as personal, the data will be restricted from activities like exports, APIs and other connected services of Zoho CRM (Books, Finance, Campaigns etc).
How can I mark my data as personal?
To mark your data as personal
Setup > Customization > Modules and Fields
Hover your mouse pointer over the module that has the data subjects' personal information.
Manage Personal Fields
from the drop-down list.
Manage Personal Fields
Mark Personal Field.
Select the fields you want to mark as personal from the drop-down list.
Select the data type as either
Which field types can be marked as personal?
All fields, with the exception of the lookup, user lookup, formula and auto number fields can be marked as personal.
How many fields can I mark as personal?
You can mark a maximum of 30 fields in each module as personal.
Can I mark my data as personal?
Yes, you can mark your data as personal. Once you do that, you can additionally choose which fields you want to mark as normal and which fields you want to mark as sensitive.
My data currently resides in the US data center. How can I migrate this data to the EU data center?
If you need to migrate your data to the EU DC, you can send an email to
mentioning all the services you are using. This email will be forwarded to the relevant product teams, who will help you with migration. The ability maybe limited and the duration of the migration may vary across each service.
Where can I find additional resources on GDPR?
Here are some links for additional reading on GDPR:
Find your supervisory authority
The EU Data Protection Supervisor
The EU GDPR Website
Rules for businesses and organizations
Your organization's guide to GDPR
Zoho Corporation is not responsible for the content in these pages and does not endorse these links.
How often can I review the lawful basis of processing data?
As the data controller, you should periodically review the lawful basis under which you processed customers' data. This is because the lawful basis under which you initially processed personal data and the purpose of data collection can change over time.
Who can access the compliance settings in Zoho CRM?
Those having the Administrator profile can access the compliance settings in Zoho CRM.
Can data subjects edit or delete their own data before giving consent to the data controllers?
Yes, data subjects can edit and update their personal data before they give consent, through the
Right to Rectify (Article 16)
Right to Erasure (Article 17)
Can I filter leads and contacts based on their data processing basis?
Yes, you can filter leads and contacts based on their data processing basis.
How can the data controller classify fields in Zoho CRM?
The data controller has the option to mark the user's fields as personal and sensitive in Zoho CRM. The controller can also decide to restrict these fields from activities like exports, APIs, and other connected services of Zoho CRM (Books, Finance, Campaigns etc).
What happens to the data if a customer doesn't respond to a consent email within a certain time period?
If the customer doesn't respond to a consent email, the data controllers can decide how long they want to wait for a response. Once it exceeds that time period, the status will be Not Responded and the data will not be processed.
Is double opt-in mandatory for data processing?
No, double opt-in is not mandatory for data processing. However, a double opt-in is recommended to ensure that the customers are authentic, and genuinely interested in the product. Under double opt-in, customers will receive an additional email to confirm their identity, once they've signed up through webforms.
How can the data controller keep track of the various processing activities that have taken place in Zoho CRM?
The data controller can go to the existing Timeline view and track the updates and changes made to the data processing activities in Zoho CRM.
Can data subjects request that their data be removed or deleted from Zoho CRM?
Data subjects can use the Right To Erasure (or Right to be Forgotten- Article 17), to request that their personal data be deleted or removed from Zoho CRM.
As a data controller, you will have to delete the data if the customer ask for it, unless you have overriding legal obligations for preserving the data. For more details, read
Article 17 of EU GDPR
I have turned compliance off. How will this affect the existing data process of my records?
When you go to the compliance settings and turn compliance off, the processing activities that you had previously done with the data subject's data will become ineffective, and the data will be processed without applying any data processing basis.
Can I use the encrypted field in a webform?
Yes, you can use an encrypted field in a webform.
Is encryption of data mandatory under GDPR?
No, GDPR doesn't mandate the encryption of customers' data. However, Zoho CRM allows you to encrypt fields manually in the Field Properties page.
My business isn't based in the EU. I don't have customers from the EU either. Do I still need to comply with GDPR?
GDPR is not mandatory if you neither have a business in the EU nor deal with EU residents. However, if you want to ensure better security and privacy of customers' data, it is recommended to have GDPR compliance turned on. You can do this by clicking on Setup > Users and Control > Compliance Settings and turning the compliance settings on.
What will happen if organizations don't comply with GDPR?
Organizations can be fined upto 4% of their annual global turnover, or 20 million euros (whichever is higher), for the most serious data breaches or infringements, including not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.
They could be fined 2% of their annual global turnover, or 10 million euros (whichever is higher), for not having their records in order, not notifying the supervisory authority and customer about a breach, or not properly conducting an LIA.
What are the different ways through which you can obtain consent from the customer?
You can obtain the customer's consent either through an email (manual email or a consent form attached to an email), through Portals, or orally through phone calls.
What rights will data subjects have under GDPR in Zoho CRM?
Data subjects will have five out of eight fundamental rights under GDPR in Zoho CRM:
The Right To Access
- Customers have the right to know exactly what information is held about them and how it is processed. (GDPR Article 15).
The Right to Rectify
- Individuals/customers have the right to get their personal data rectified, in case it is inaccurate or incomplete.
The Right to Portability
- Customer-specific information can be exported, attached to an email, and sent to customers in a machine readable format (CSV), without being downloaded onto your device. (Article 20).
The Right to Restrict Processing-
Individuals have the right to limit the purposes for which the controller can process their data (Article 18).
The Right to Erasure
- Also known as "The Right to be Forgotten," individuals have the right to have their personal data deleted or removed whenever they want.
How does Zoho CRM help in your compliance journey?
These are the ways through which Zoho CRM helps you with GDPR compliance.
Data source tracking:
Zoho CRM records the source of the data (direct sources like web forms and indirect sources like the UI, imports, APIs and other third-party integrations), and additional details, if any (eg. URL, IP address), in the record's Details page. These details are shared with the customer, on their request.
Marking personal fields:
Users can mark those fields containing personal data and also mark the sensitive fields.
Data subject rights:
Your customers also have the right to ask to access, rectify, delete, export and restrict their data from being processed. As the data controller, you need to perform these actions.
What will happen to my existing data in Zoho CRM after GDPR takes effect?
After GDPR takes effect on May 25, all existing records in your Zoho CRM account will need to be marked under the appropriate lawful processing basis. You can do this through:
The Overview Page
List View of the relevant module
How can GDPR be enabled for existing customers?
You can enable GDPR for existing customers by clicking Setup > Users and Control > Compliance Settings, turning compliance settings on, and selecting those modules for which compliance will be applicable.
Who/what is a DPO?
A Data Protection Officer (DPO) assists you to monitor internal compliance, informs and advises you on your data protection obligations, provides advice regarding Data Protection Impact Assessments (DPIAs), and acts as a contact point between data subjects and the supervisory authority.
A DPO also serves as the point of contact between the company and any Supervisory Authorities (SAs) who oversee activities related to data processing. It is recommended that every organization has a DPO.
What is LIA?
LIA stands for Legitimate Interests Assessment. It specifies the reason an organization wants to process a customer's personal data. The organization must also conduct an LIA to show that the processing is necessary. An LIA is split into three steps:
The assessment of whether a legitimate interest exists.
The establishment of the necessity for processing.
The performance of the balancing test.
What are the lawful bases the data controller can use to process customer data?
The data controller can choose from six data processing bases. These are:
- This applies when you need to process the customer's personal data to fulfill your contractual obligations, or to take some action based on the customer's request (e.g. sending a quote or invoice).
- This applies when you have to comply with an obligation under any applicable law (e.g. providing information in response to valid requests, such as an investigation by an authority).
- This applies to urgent matters of life and death, especially with regards to health data.
- This applies to activities of public authorities.
- These can include commercial interests, such as direct marketing, individual interests, or broader societal benefits.
Consent is also a lawful basis to process data. Consent of the data subject means "any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
The processing activities under these lawful bases should take place in ways that people normally expect. The controller must document and keep a record of decisions on legitimate interests in the form of a Legitimate Interests Assessment.
Who are the key stakeholders in GDPR?
Any person whose personal data you collect or process.
- The person who determines the purpose and methods for processing the data.
- Two or more controllers who jointly determine the purposes and methods of processing data.
- The person or company who processes data on the instructions of the controller.
- A third party individual or business which performs data processing for other companies, and is accountable for the data processed.
- Public authorities who monitor the application of GDPR.
Will GDPR compliance be applicable to all modules in Zoho CRM?
GDPR compliance is applicable only for the people-related modules in the organization. In Zoho CRM, it applies to the Leads, Contacts, Vendors, and custom modules.
Who will GDPR apply to?
GDPR will apply to companies located in the EU, as well as companies who do business with residents of the EU, irrespective of the company's location.
What is GDPR, and how will it impact organizations?
The General Data Protection Regulation (or GDPR) is a new regulation developed by the European Union (EU) which involves the protection and free movement of personal data and the rights of individuals, including children. It is a set of rules which will replace the existing Data Protection Directive (Directive 95/46/EC), and will be enforced across the EU. GDPR will empower EU citizens by putting them directly in control of how they want their data to be processed, and will protect their data privacy.
What kind of information does the GDPR apply to?
The GDPR applies exclusively to personal data. The current Data Protection Directive defines personal data as, "any information that relates to an identified or identifiable person, or a data subject. An identifiable person is one who can be identified, directly or indirectly, either by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."