GDPR register - Weagree


Comply with GDPR automatically

For many, complying strictly with data protection regulations is challenging. Maintaining your GDPR register and complying with GDPR and other national privacy legislations has many aspects. Weagree enables you to comply with all GDPR requirements (or equivalent data protection legislation). The Weagree CLM and entity management provide you all GDPR-required functionality.

Weagree’s GDPR-enforcing features include:

  1. Weagree CLM is your GDPR register
  2. Data retention periods are reinforced automatically
  3. Data integrity protection against data loss
  4. Managing user access rights is easy
  5. Information classification supported
  6. Strong security measures

Note that neither Weagree nor your integrator-service provider can access your data unless you have specifically granted access, and then only for as long as you have granted such access. You do not want any outsiders to curiously look into your affairs – we take your privacy and confidentiality concerns seriously.

Weagree as GDPR register

If you want, Weagree CLM is your complete GDPR register. Weagree’s CLM-integrated GDPR register enables a data protection officer (DPO) or corporate information security officer (CISO) to:

  • keeping the GDPR register automatically up to date,
  • act promptly upon discovering a data breach or receiving a request made by a ‘data subject’, and
  • create mailing lists of all data protection officers and security officers throughout the supply chain and sales channels.

Weagree’s CLM-configuration options also prevent unnecessary data breach notices and allow one-click insight in your required course of action. Moreover, Weagree’s GDPR register will automatically stay up to date as end-users work with Weagree’s CLM.

The Weagree CLM comes with a template for your GDPR register, but if more granular data or insights are needed, the flexibility to adjust to your needs is there. As a data controller (managing your own business’s personal data) GDPR article 30 requires that your GDPR register contains:

  1. The details of your legal entity (jointly) controlling certain personal data (incl. the inhouse legal counsel and the responsible DPO for that legal entity).
  2. The purposes of the processing.
  3. A description of the categories of data subjects and of the categories of personal data.
  4. The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations.
  5. If applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and documentation of safeguards (see second subparagraph of GDPR article 49(1)).
  6. Envisaged data retention periods for erasing the various categories of data.
  7. If applicable, descriptions of the internal technical and organisational security measures (GDPR article 32(1)).

Where your organisation processes data on behalf of third parties, Weagree’s CLM supports your compliance with data protection laws, by also recording, per such third party, the categories of data processing activities and furthermore such details as GDPR article 30(2), 49(1) and 32(1) may require.

Obviously, signed DPA’s (data processing agreements) can be saved and managed in the Weagree CLM repository alongside the underlying contract with that counterparty. But you may as well store it in the entity management for that supplier, customer or partner (as you may know, Weagree’s entity management can be used for both ‘own entities’ and ‘other parties’).

Weagree’s GDPR register enables you to implement GDPR registrations consistently and to monitor all GDPR-governed activities across your entire organization. To make this easier, you can define the relevant GDPR-parameters in a so-called ‘global CLM block’ and reuse this CLM block in each CLM contract sheet. Configuring your CLM has never been as easy as with Weagree.

Data retention

…reinforced automatically

It is a challenge to comply with data retention periods:

  • If information and personal data are not retained long enough, you might have problems with local authorities
  • If personal data are retained too long, your organization is not only in violation of GDPR but also the risk of data leaks increases

The Weagree Wizard will take care of compliance with the data retention periods you define: automatic deletion of (personal and contract) data can be defined granularly, differentiating for the contract stage (precontractual vs. post-termination), the type of data subjects (legal entities vs. individuals), their functions or roles (contact persons vs. end-users):

  • Draft contracts (unsigned contracts)
  • CLM-managed (signed) contracts – for each CLM contract sheet as well as for each individual contract, a different retention period may be defined
  • Other parties’ details (suppliers, customers, partners), differentiating for legal entities vs. individuals
  • Your legal entities’ officers
  • Individuals’ ID or personal documents – automated deletion of officers’ copy-passport or other IDs
  • Deactivated Weagree users

In addition to the above automated enforcement of data retention periods, it is possible to automatically remove the suer-names from draft contracts after the lapse of time. At some stage, for example after seven or ten years, the identified ‘owner’ of a contract entry probably does not matter anymore. Time to remove the owner (and the contract remains accessible).

Data integrity

Weagree preserves data integrity and prevents fraudulent or careless data removal

The Weagree Wizard contains adequate protection measures to prevent inadvertent, negligent or intentional, fraudulent deletion of any contract, contract data, legal entities or persons involved. Any deleted data can be recovered from the admin recycle bin for as long as it is not deleted permanently. You can configure yourself what duration applies between user-deletion and permanent deletion.

Logging of user activity is a key aspect of ascertaining data integrity: that is why all actions by every end-user is logged, if only for ‘forensic purposes’, anywhere in the Weagree Wizard. In respect of CLM-managed, signed contracts, every change to the CLM metadata is logged (authorized users can review the logging details).

Information classification

…managed well in Weagree CLM

While access rights enable high level access rights, not every contract may be seen by everyone. Weagree enables users to mark a contract as ‘confidential’ (or sensitive) and keep it out of sight of (and inaccessible for) colleagues.

At the same time, your organisation must remain able to know all its rights and obligations. Therefore, certain qualified users can be authorised to see which (and access) contracts are marked confidential.

In projects and transactions, it is possible to keep the contracting parties involved in the project or transaction invisible in Weagree’s CRM. Especially for super-confidential transactions (seen in law firms), this a power safeguard.

Data access rights


Of course, the visibility and accessibility of contracts and contract data across the organisation can be managed with Weagree’s user groups functionality.

But Weagree does not stop here: thanks to our enterprise-grade user management functionality, you can define as many user roles, user profiles and user groups as may be necessary, and grant access rights and enable end-users to use such functionalities as they need in their role or position. The access rights and related AD-groups can be managed through your Azure AD (synchronising upon the user’s single sign-on (SSO) access).

From an IT security perspective, you should be concerned about the external parties that may access your data. Good news: Weagree’s employees and third-party integrators cannot indefinitely access your contracts or contract data: you must give us and each of them access. And such access right expires after the period that you define for us or for them. For individual support, also an end-user can grant ad hoc (one-time) access to a Weagree-integrator. In such case, the integrator can be given short period access.

Other GDPR-compliance aspects

Who is your DPO? Weagree’s integrated legal entity management provides on a per-legal entity-basis the possibility to identify who is the responsible Data Protection Officer (DPO) for that legal entity.

Strong organisational and security measures: see our high-level description of our IT security measures.

Terms of Use

I hereby accept (or reconfirm my acceptance of) Weagree’ Terms of use, in which:

Terms of Use

I hereby accept (or reconfirm my acceptance of) Weagree’ Terms of use, in which: