FAQs: GDPR Compliance

Can data subject rights be raised through Portals?

Yes, the data subject can raise a request for their data rights through Portals.

Can the data subject use Portals to update his/her consent?

Yes, the data subject can update his/her consent through Portals.

Can I add a record that has been previously blocklisted back into CRM?

Yes, a record which has been previously blocklisted can be added again as a new record in CRM. Before you add the record, you will receive an alert saying it was previously blocklisted.

What is waiting period?

It is the amount of time you would like to wait for a response to your consent email. The organization can set this waiting period. Once this waiting period is exceeded, all processing activities related to the record will be stopped.

Where can I update the data processing basis?

You can update the data processing basis for customers from the record details page: click on the Data Privacy tab, then select or edit the data processing basis. Another way is through the consent overview dashboard: go to Setup > Compliance Settings, click on the Overview tab, select the records, and update the data processing basis.

How can I restrict personal data from being shared?

To restrict personal data from being shared:
  1. Go to Setup > Users and Control > Compliance Settings.
  2. Click on the Preferences tab.
  3. Under Personal Data Handling, select where you would like to restrict the data transfer (Zoho Apps, third-party apps, APIs, export).
  4. Click Save.

Can I restrict personal data from being accessed outside Zoho CRM?

Yes, you can restrict the data subject's personal data from being accessed outside Zoho CRM. Once you've marked the data as personal and sensitive, you can:
  1. Restrict data transfer to Zoho Apps/Integrations.
  2. Restrict data access through APIs.
  3. Restrict Data in Export.
  4. Restrict Data Access to third-party apps.

I am using Zoho CRM, Survey and Campaigns. I have created a consent form, but cannot see alerts when a customer has already consented. Will I also receive notifications when the data is pushed into Campaigns from Zoho CRM?

The moment you get consent from your customers through the consent form in Zoho Campaigns, the data processing status changes to Consented. You can view all the contacts who have given consent by clicking on Subscribers > Manage Consent > Expressed. You can also create a segment with the criteria 'Opt-in is true' to filter out those contacts who have given consent. To create this segment, click on Subscribers > Mailing List > Create Segment. There are currently no push notifications to push the consent from Zoho Campaigns to CRM, but it will be made available soon.

We are based in the US and have clients from both the USA and Canada. Will GDPR have any impact on us?

GDPR applies in those scenarios when:
  1. Your organization processes personal data of data subjects who are in the EU, irrespective of the company's location.
  2. Your organization offers goods/services to data subjects in the EU.
  3. Your organization monitors data subjects who are in the EU.
If you fall under any of these categories, GDPR applies to your organization.

How do I enable double opt-in for my web form?

To enable double opt-in:
  1. Go to Setup > Developer Space > Webforms > Create Web Form.
  2. Drag and drop the fields that you want in your web form.
  3. Click Next Step. In the Form Details page, enter the relevant form details.
  4. Select the Enable Double Opt-In slider and save the changes.

Can the fields in subforms also be marked as personal?

Yes, you can also mark those fields which are supported for processing in subforms as personal.

Once I've marked my data as personal, how will it affect data processing?

When you mark your data as personal, the data will be restricted from activities like exports, APIs and other connected services of Zoho CRM (Books, Finance, Campaigns etc).

How can I mark my data as personal?

To mark your data as personal:
  1. Go to Setup > Customization > Modules and Fields.
  2. Hover your mouse pointer over the module that has the data subjects' personal information.
  3. Click Manage Personal Fields from the drop-down list.
  4. In the Manage Personal Fields section, click Mark Personal Field.
  5. Select the fields you want to mark as personal from the drop-down list.
  6. Select the data type as either Normal or Sensitive.
  7. Click Done.

Which field types can be marked as personal?

All fields, with the exception of the lookup, user lookup, formula and auto number fields can be marked as personal.

How many fields can I mark as personal?

You can mark a maximum of 30 fields in each module as personal.

Can I mark my data as personal?

Yes, you can mark your data as personal. Once you do that, you can additionally choose which fields you want to mark as normal and which fields you want to mark as sensitive.

My data currently resides in the US data center. How can I migrate this data to the EU data center?

If you need to migrate your data to the EU DC, you can send an email to migrations@zohoaccounts.com mentioning all the services you are using. This email will be forwarded to the relevant product teams, who will help you with migration. The ability may be limited, and the duration of the migration may vary across each service.

Where can I find additional resources on GDPR?

Here are some links for additional reading on GDPR:
  1. Find your supervisory authority
  2. The EU Data Protection Supervisor
  3. The EU GDPR Website
  4. Rules for businesses and organizations
  5. Your organization's guide to GDPR
Zoho Corporation is not responsible for the content in these pages and does not endorse these links.

How often can I review the lawful basis of processing data?

As the data controller, you should periodically review the lawful basis under which you process customers' data, because the lawful basis under which you initially processed personal data and the purpose of data collection can change over time.

Who can access the compliance settings in Zoho CRM?

Users with the Administrator profile can access the compliance settings in Zoho CRM.

Can data subjects edit or delete their own data before giving consent to the data controllers?

Yes, data subjects can edit and update their personal data before they give consent, through the Right to Rectify (Article 16) and the Right to Erasure (Article 17).

Can I filter leads and contacts based on their data processing basis?

Yes, you can filter leads and contacts based on their data processing basis. 

How can the data controller classify fields in Zoho CRM?

The data controller has the option to mark the user's fields as personal and sensitive in Zoho CRM. The controller can also decide to restrict these fields from activities like exports, APIs, and other connected services of Zoho CRM (Books, Finance, Campaigns etc).

What happens to the data if a customer doesn't respond to a consent email within a certain time period?

If the customer doesn't respond to a consent email, the data controllers can decide how long they want to wait for a response. Once it exceeds that time period, the status will be Not Responded and the data will not be processed.

Is double opt-in mandatory for data processing?

No, double opt-in is not mandatory for data processing. However, a double opt-in is recommended to ensure that the customers are authentic, and genuinely interested in the product. Under double opt-in, customers will receive an additional email to confirm their identity, once they've signed up through webforms.

How can the data controller keep track of the various processing activities that have taken place in Zoho CRM?

The data controller can go to the existing Timeline view and track the updates and changes made to the data processing activities in Zoho CRM.

Can data subjects request that their data be removed or deleted from Zoho CRM?

Data subjects can use the Right to Erasure (or Right to be Forgotten, Article 17) to request that their personal data be deleted or removed from Zoho CRM.
As a data controller, you will have to delete the data if the customer asks for it, unless you have overriding legal obligations for preserving the data. For more details, read Article 17 of the EU GDPR.

I have turned compliance off. How will this affect the existing data process of my records?

When you go to the compliance settings and turn compliance off, the processing activities that you had previously done with the data subject's data will become ineffective, and the data will be processed without applying any data processing basis.

Can I use the encrypted field in a webform?

Yes, you can use an encrypted field in a webform.

Is encryption of data mandatory under GDPR?

No, GDPR doesn't mandate the encryption of customers' data. However, Zoho CRM allows you to encrypt fields manually in the Field Properties page.

My business isn't based in the EU. I don't have customers from the EU either. Do I still need to comply with GDPR?

GDPR is not mandatory if you neither have a business in the EU nor deal with EU residents. However, if you want to ensure better security and privacy of customers' data, it is recommended to have GDPR compliance turned on. You can do this by clicking on Setup > Users and Control > Compliance Settings and turning the compliance settings on. 

What will happen if organizations don't comply with GDPR?

Organizations can be fined up to 4% of their annual global turnover, or 20 million euros (whichever is higher), for the most serious data breaches or infringements, including not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.
They could be fined 2% of their annual global turnover, or 10 million euros (whichever is higher), for not having their records in order, not notifying the supervisory authority and customer about a breach, or not properly conducting an LIA.

What are the different ways through which you can obtain consent from the customer?

You can obtain the customer's consent either through an email (manual email or a consent form attached to an email), through Portals, or orally through phone calls.

What rights will data subjects have under GDPR in Zoho CRM?

Data subjects will have five out of eight fundamental rights under GDPR in Zoho CRM:
  1. The Right to Access - Customers have the right to know exactly what information is held about them and how it is processed (GDPR Article 15).
  2. The Right to Rectify - Individuals/customers have the right to get their personal data rectified, in case it is inaccurate or incomplete.
  3. The Right to Portability - Customer-specific information can be exported, attached to an email, and sent to customers in a machine-readable format (CSV), without being downloaded onto your device (Article 20).
  4. The Right to Restrict Processing - Individuals have the right to limit the purposes for which the controller can process their data (Article 18).
  5. The Right to Erasure - Also known as "The Right to be Forgotten," individuals have the right to have their personal data deleted or removed whenever they want.

How does Zoho CRM help in your compliance journey?

These are the ways through which Zoho CRM helps you with GDPR compliance.
  1. Data source tracking: Zoho CRM records the source of the data (direct sources like web forms and indirect sources like the UI, imports, APIs and other third-party integrations), and additional details, if any (e.g. URL, IP address), in the record's Details page. These details are shared with the customer on their request.
  2. Marking personal fields:  Users can mark those fields containing personal data and also mark the sensitive fields.
  3. Data subject rights:  Your customers also have the right to ask to access, rectify, delete, export and restrict their data from being processed. As the data controller, you need to perform these actions.

What will happen to my existing data in Zoho CRM after GDPR takes effect?

After GDPR takes effect on May 25, all existing records in your Zoho CRM account will need to be marked under the appropriate lawful processing basis. You can do this through:
  1. The Overview Page
  2. List View of the relevant module
  3. Individual records

How can GDPR be enabled for existing customers?

You can enable GDPR for existing customers by clicking Setup > Users and Control > Compliance Settings, turning compliance settings on, and selecting those modules for which compliance will be applicable.

Who/what is a DPO?

A Data Protection Officer (DPO) assists you to monitor internal compliance, informs and advises you on your data protection obligations, provides advice regarding Data Protection Impact Assessments (DPIAs), and acts as a contact point between data subjects and the supervisory authority. 

A DPO also serves as the point of contact between the company and any Supervisory Authorities (SAs) who oversee activities related to data processing. It is recommended that every organization has a DPO.

What is LIA?

LIA stands for Legitimate Interests Assessment. It specifies the reason an organization wants to process a customer's personal data. The organization must also conduct an LIA to show that the processing is necessary. An LIA is split into three steps:
  1. The assessment of whether a legitimate interest exists.
  2. The establishment of the necessity for processing.
  3. The performance of the balancing test.

What are the lawful bases the data controller can use to process customer data?

The data controller can choose from six data processing bases. These are:
  1. Contract - This applies when you need to process the customer's personal data to fulfill your contractual obligations, or to take some action based on the customer's request (e.g. sending a quote or invoice).
  2. Legal Obligation - This applies when you have to comply with an obligation under any applicable law (e.g. providing information in response to valid requests, such as an investigation by an authority).
  3. Vital Interests - This applies to urgent matters of life and death, especially with regards to health data.
  4. Public Task - This applies to activities of public authorities.
  5. Legitimate Interests - These can include commercial interests, such as direct marketing, individual interests, or broader societal benefits.
  6. Consent - Consent is also a lawful basis to process data. Consent of the data subject means "any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
The processing activities under these lawful bases should take place in ways that people normally expect. The controller must document and keep a record of decisions on legitimate interests in the form of a Legitimate Interests Assessment.

Who are the key stakeholders in GDPR?

  1. Data Subject - Any person whose personal data you collect or process.
  2. Data Controller - The person who determines the purpose and methods for processing the data.
  3. Joint Controllers - Two or more controllers who jointly determine the purposes and methods of processing data.
  4. Data Processor - The person or company who processes data on the instructions of the controller.
  5. Data Sub-Processor - A third-party individual or business which performs data processing for other companies, and is accountable for the data processed.
  6. Supervisory Authorities - Public authorities who monitor the application of GDPR.

Will GDPR compliance be applicable to all modules in Zoho CRM?

GDPR compliance is applicable only for the people-related modules in the organization. In Zoho CRM, it applies to the Leads, Contacts, Vendors, and custom modules.

Who will GDPR apply to?

GDPR will apply to companies located in the EU, as well as companies who do business with residents of the EU, irrespective of the company's location.

What is GDPR, and how will it impact organizations?

The General Data Protection Regulation (or GDPR) is a new regulation developed by the European Union (EU) which involves the protection and free movement of personal data and the rights of individuals, including children. It is a set of rules which will replace the existing Data Protection Directive (Directive 95/46/EC), and will be enforced across the EU. GDPR will empower EU citizens by putting them directly in control of how they want their data to be processed, and will protect their data privacy.

What kind of information does the GDPR apply to?

The GDPR applies exclusively to personal data. The current Data Protection Directive defines personal data as "any information that relates to an identified or identifiable person, or a data subject. An identifiable person is one who can be identified, directly or indirectly, either by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."
