On May 25th, 2018 the European Union tightened its requirements for the protection of personal data. The General Data Protection Regulation (GDPR) reinforces the rights of individuals and the obligations of organizations that collect and process such data.
The purpose of this document is to make Living Actor customers aware of their regulatory obligations to comply with the GDPR, and to inform them of its impact on their Living Actor installation on end users’ computers.
Is Your Organization Impacted?
If you use Living Actor Assistant or Living Actor Chat, you are necessarily concerned by the GDPR. Indeed, it is a platform that allows you to answer questions and request information from people via a Chat interface.
Although these data are generally freely provided by users, they meet the definition of personal information in the regulation. So you must make sure you’re in compliance. In this document we distinguish 3 types of people who can be impacted:
- End User or User: Anyone who can interact via a Living Actor interface component with an Operator (Living Actor Chat) or a Virtual Assistant (Living Actor Assistant)
- Contributor: Anyone with access to the Living Actor platform to administer the data, the Operators and thus able to access the End User’s personal data.
- Operator: Anyone on the Living Actor Chat product who can Chat by Chat with the End User
Who is Responsible for the Data?
Your organization is the controller of the personal data stored on your Living Actor Platform, wherever those data are hosted (in the cloud or on your premises) and whatever they are used for.
When you have a subscription contract with Living Actor, we act as a processor because we sometimes host this data. But we also maintain the software that uses it. We are therefore subject to the responsibilities set forth in Article 28 of the regulation.
As such, we also have an obligation to assist you in your compliance efforts. In addition to the recommendations contained in this guide, we remain at your disposal through the support channel for any request for information or impact analysis concerning personal data.
Our engineers and consultants are aware of and trained in personal data protection matters. They have all the expertise and resources necessary to study your questions in relation to our software, and to propose remediation solutions or implementation advice.
What you Need to Know about Living Actor Products
Living Actor Cookies
Living Actor installs cookies for technical use on the End User’s computer and on the Contributors and Operators computer. This table summarizes the purpose of these cookies and their life span:
|Product||Origin of the cookie||Impacted Peolpe||Goal of the cookies||Duration|
|Living Actor Assistant||Living Actor||
|Keep the position of the End User Interface||Session Time|
|Living Actor Assistant||Living Actor||
Know if End User already played a notification
Living Actor Assistant
Living Actor Chat
|Cookies _utm Type to track Contributor and facilitate the navigation||2 Years Max|
|Living Actor Chat||Living Actor||End User||Know page visited by End User||1 Year|
|Living Actor Chat||Living Actor||End User||End User ID with a random character chain||1 Year|
|Living Actor Chat||Living Actor||End User||Session ID with a random character chain||1 Year|
Storage of your Data on Living Actor Assistant
Living Actor Assistant stores content that you create in knowledge bases. The Living Actor team can access this data when needed or at your request to perform support, or maintenance operations.
Living Actor Assistant only stores User entries anonymously but does not store conversations except when the Living Actor Assistant is used in supervision mode with Living Actor Chat.
Under no circumstances will Living Actor transfer your data to a third party except to the subcontractors mentioned in the chapter How Are the Data Processed?
Living Actor Assistant’s data is stored for the duration of the contract or destroyed before if you request it.
Particular case of the form proposed in Living Actor Assistant: When using the form offered in the Living Actor Assistant sequences, you can ask us to recover the data collected in the analyzes. This data is then stored on our servers.
You are also responsible (1) to inform the User that you are recovering this data and (2) the recipient of the form who will also receive this data.
Statistical data including data collected from the form are destroyed after 2 years.
Storage of your Data on Living Actor Chat
Living Actor Chat stores conversations between the Operator and the End User anonymously unless you have connected a system that identifies the User or if you request personal data during the conversation.
If you use Living Actor Chat in supervision mode with Living Actor Assistant, the Operator has visibility into the interactions between the User and Living Actor Assistant and stores the interactions of the corresponding Assistant session.
On the User interface, the user can at any time retrieve the conversation with the Operator via the “printer” icon.
On request from our sales team, we can add an information button on the User interface to give you legal information and give you the possibility to ask to delete your data.
Conversations of Living Actor Chat with the End User can be stored for 2 years or are destroyed before if you request it.
Accounts with Operator IDs are retained for the duration of the contract or destroyed before if you request it.
Access to the accounts is secured by an encrypted password. However, you should make sure that your Contributors and Operators can change their password to secure their data as soon as they think that their password may have been compromised. Resetting the password is a standard feature in Living Actor products that you should leave accessible from the login page.
Apart from the password, the data is not stored encrypted in the database. If you are hosting your own instance, you should ensure that your database management systems are sufficiently protected.
Finally, access to the service forces the use of the HTTPS protocol which encrypts the data in transit between the browser and the server. Our cloud hosting contractors are OVH, Google or Amazon, and you can check their RGPD compliance commitments here:
- OVH: https://www.ovh.co.uk/personal-data-protection/gdpr.xml
- Google: https://www.google.com/intl/en/cloud/security/gdpr/
- Amazon: https://aws.amazon.com/blogs/security/all-aws-services-gdpr-ready/
Our cloud hosting subcontractors are committed to optimal infrastructure security, including having implemented an information systems security policy and meeting the requirements of several standards and certifications (PCI-DSS certification, ISO / IEC 27001, certificates SOC 1 TYPE II and SOC 2 TYPE II, etc.).
What Are the Personal Data?
In Living Actor Assistant, the main personal data are:
- The access data to the accounts of your Contributors which include: surname, first name, email address
- The data requested on forms proposed by Living Actor and that you can use in your scenarios. This form is limited to: surname, first name, email address, telephone, address, company name. The User can freely enter a comment field.
- Any type of personal data that you can inform or ask Users in the scenarios.
In Living Actor Chat, the main personal data are:
- The access data to the accounts of your Contributors and Operators which include: surname, first name, email address, pseudonym, spoken languages and project-related skills
- Web pages where Users can trigger the Chat
- Any type of personal data that you may request from Users or provide information during the conversation.
How are the data processed?
Processing on Personal Data
Living Actor does not use the personal data of your Users, Contributors and Operators and does not transfer this data to third parties without your knowledge. As a software publisher, we are committed to directly protecting the data we host and allowing you to do the same when you host it yourself.
Be careful, however, if you have installed or connected additional add-ons not from Living Actor. We can not guarantee that third-party software installed on the platform does not access this data.
The data is either entered manually by administrators or the Users themselves, or synchronized with a company directory through an SSO add-on or active directory. Under this GDPR, this synchronization process should be logged in a record of processing activities that you must be able to produce upon request.
As part of our hosted offering, a data backup processing is performed. It is the data set that is treated indistinctly to be able to restore them in the event of an incident. These backups are made daily and stored on a redundant and separate secure infrastructure for up to 60 days.
Process on Other Data
In some cases, Living Actor may automatically transfer certain data to subcontractors for the purpose of enriching the product.
Living Actor Assistant offers the voice generation service offered by Acapela to transform the texts of your knowledge bases into audio files. This service is offered in SaaS version via the VaaS API. This service is hosted in Europe or on your servers. http://www.acapela-group.com/company/personal-data-gdpr/
At your request and during our commercial agreements, we can connect the Google Translate translation service to translate your Living Actor Assistant knowledge bases or conversations between Operators and the End User on Living Actor Chat. We use the Google Translate API. Your data can be transferred outside Europe. https://cloud.google.com/terms/data-processing-terms.
Keep the Users Informed
You must inform your users of the purposes for which you collect their personal data.
Cookies on your Web Applications
You will integrate the Living Actor Assistant and / or Living Actor Chat components into your web applications. Like any application, you must inform Users before inserting or reading cookies. However, Living Actor cookies are technical cookies and are therefore exempt from the consent of the User.
Contributors et Operators accessing to the Platform
Contributors and Operators of your projects are invited to read the Legal Notice of use of personal data and to accept it when connecting to the product.
As part of Living Actor, the profile data is only there to represent the digital identity of the person on the system. They are used in the context of collaborative and social functionalities mainly for representation purposes (to be identified, recognized, contacted and to be able to attribute contributions) and interaction (chat, mention, comment, etc.). For Operators, the other information in the profile remains on the profile sheet and is indexed in a database to find people according to their skills.
If you collect personal data through Living Actor Assistant, you are responsible for informing your Users. For this you can use 3 features Living Actor Assistant
- Scenario asking for personal data: At the beginning of the sequence, ask for the visitor’s consent (opt-in) in order to keep the data you want to collect.
- “Credit” sequence: (ask Living Actor to release this sequence for the needs of the RGPD) edit the sequence to facilitate access to any legal information that the User needs to grant his consent:
- Identity and coordinates of the data controller
- The information of the DPO
- The purposes of the processing of personal data and their legal basis
- The recipients of the personal data
- Form: You can create a sequence integrating a form if the User wishes to request the destruction of the data you have collected.
Your Users on Living Actor Chat
If you collect personal data through Living Actor Chat, you are responsible for informing your Users. For this, you can set the default responses in the console:
- Default answer / introduction: Modify the response to accommodate and also request the consent of the User (opt-in) in order to keep the conversation and report that it can make a request to delete data on the server.
- If you use supervision mode, also ask for consent to preview your activity with Living Actor Assistant
Enabling users to exercise their rights
Your Contributors and Operators who connect to the Living Actor product (Assistant or Chat) have the right to access or rectify their personal data. For this, the profile page or my account allows each user to modify all fieldsto exercise the first two rights.
For the right to delete a Contributor or Operator, the operation is possible by a project administrator. It consists in deleting the account of the Contributor or the Operator. Attention, this will prohibit access to the platform for this user in a definitive and irremediable way.
For the right to rectify or erase user data collected by the Living Actor form, the transaction is possible by a Living Actor administrator. You must then submit a “personal data” ticket to the Living Actor support team in order to obtain all the requested information within 15 days of the day of the request.
We are particularly sensitive to data protection and we take the utmost care in designing our software, in our internal procedures and in training our teams so that you can benefit from our services in complete safety and compliance with the regulation.
For any other request related to the confidentiality of the data, do not hesitate to contact our data privacy officer at DPO@livingactor.com