Have you downloaded a Notion template to build your company’s CRM or track your sales prospects? Have you created your own job interview kit, or do you organize your staff performance review process in Notion?
Then you are using Notion as a database to gather, store and consolidate information about clients, students, employees, volunteers, subscribers or other people.
Because those people are European Union residents, or because your organization is located in a European Union member state, you will need to use Notion in compliance with the General Data Protection Regulation (GDPR) 👉 the legislation that governs how personal information must be protected.
But how? 🤔
Your use of Notion can be GDPR compliant, and we’ll show you how to get there easily:
Notion was created to be nothing more than a note-taking platform. It was not built from the ground up, in terms of infrastructure or security, to be robust enough to handle sensitive information.
Whether it is considered sensitive by the GDPR or simply sensitive for your business’s reputation or prosperity, this information needs the extra protection that dedicated software provides 🔐
Avoid storing documents or data such as bank statements, legal notices, plain-text passwords, health-related or biometric information, criminal record extracts, religious beliefs, etc.
The thing with Notion is that you can create as many fields and boards as you want, which gives the impression that all this information is necessary and should be collected. It’s a trap 😅
Under the GDPR, the justification « in case we need it later » doesn’t work and is prohibited. If you don’t need a piece of personal information, you should not store it (for example, a phone number when you only send an email newsletter…).
Furthermore, having needed a piece of information in the past doesn’t mean you will always need it in the future. So take the time to review your database and remove the information you’re no longer required to store.
⚠️ Be careful not to delete information you still need in order to provide your service or to meet legal obligations (billing obligations, for example). Archive it instead if you no longer need it in your active database.
Notion is a company located in the United States, and its servers are hosted in the United States. For this reason, and because the United States does not offer a level of data protection equivalent to that of the European Union, legal safeguards must be put in place.
A simple action you can take to make your transfer of information to US servers compliant with the GDPR is to contact Notion’s privacy team at firstname.lastname@example.org to obtain a signed version of their Data Processing Agreement (DPA), available here: https://www.notion.so/Data-Processing-Addendum
This document has legal value, as it states how Notion secures the personal information transferred to the US and commits Notion to inform you in case of changes.
Here’s a template for your request:
Hello Privacy team,
In the context of [Name of the company]’s use of Notion for certain services and processing activities involving personal data, Notion is considered a data processor.
Therefore, I would like to obtain a signed version of your Data Processing Addendum (including the Standard Contractual Clauses for transfers outside the European Union) in its latest version for our contractual management and GDPR compliance.
If you use DocuSign or another electronic signature provider:
- Our company is called [Name of the company]
- The person who will sign the DPA on our behalf is [Name of your CEO or yourself]
- You can send the DPA signature link directly to [Email address of your CEO or yourself]
Did you implement all the above? Well done 👏