Xima Software GDPR Compliance

The aim of the GDPR is to protect all EU citizens from privacy and data breaches. The GDPR replaces the Data Protection Regulation Directive and was designed to harmonize data privacy laws across Europe, to protect all EU citizens' data privacy, and to reshape the way organizations across the region approach data privacy. It was adopted on 14 April 2016 and became enforceable on 25 May 2018.

Navigating the new regulations of the GDPR can be difficult. Xima has prepared this document to help you understand how to remain compliant while using Chronicall. For “your part” in complying with the GDPR, we have taken steps directly from the Information Commissioner’s Office’s 12-step guide.

Note: If you wish to see the Information Commissioner's Office's 12-step guide, please click here.


  • Your Part: Make sure that decision makers and key people in your organisation are aware that the data protection law is changing to the GDPR. They need to acknowledge and prepare for the impact this is likely to have.

  • Xima’s Part: We have produced this guide to help you understand our tools to facilitate compliance. We are aware of the changes and are ready to answer any questions you have.

Information You Hold

  • Your Part: Document what personal data you hold, where it came from, and who you share it with. You may need to organise an information audit, analyzing and evaluating your information systems.

  • Xima’s Part: Chronicall keeps personal data secure in its local database and does not share it with any entities, including Xima Software. A caller’s phone number, name, email address, web chat conversation text, as well as an audio recording of their call will be kept safely in your Chronicall database.

Communicating Privacy Information

  • Your Part: Review your current privacy notices and put a plan in place for making necessary changes in time for GDPR implementation. Plan and prepare to tell customers about your data retention periods and your lawful basis for processing the data.

  • Xima's Part: We are here to help you understand exactly what personal data is being collected through Chronicall in order for you to update any applicable privacy notices.

Individual's Rights

  • Your Part: Check your procedures to ensure they cover all the rights individuals have to their data protection.

  • Xima’s Part: We will comply with the GDPR by supplying information consistent with individuals’ rights. The three individual rights that apply to Chronicall are right of access, right of erasure, and right to object.

    • Right to Access: Customers can request a copy of their personal data which is stored in Chronicall.
    • Right to Erasure: Customers can demand that you delete any personal data that you have stored. Chronicall’s Privacy Tools make deleting personal data simple.
    • Right to Object: Customers can revoke their consent to have their personal data collected.

Subject Access Requests

  • Your Part: Update your procedures and plan how you will handle requests within the new timescales and be ready to provide additional data protection information.

  • Xima’s Part: We have created tools to make complying with data protection requests quick and simple. You can learn how to configure the Privacy Tools here.

Lawful Basis for Processing Personal Data

  • Your Part: Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice.

  • Xima’s Part: We are here to help you understand exactly what personal data is being collected with Chronicall and solidify the justification for collecting that data.


  • Your Part: Review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.

  • Xima’s Part: Chronicall provides tools to accommodate revocation of consent.

    • To revoke consent for collection of External Number and Caller Name, the customer should withhold their number by invoking the privacy feature with their service provider.
    • To revoke consent for audio recording, Chronicall provides Recording Rules and a desktop utility to manually start and stop recordings.
    • To revoke consent for collection of web chat text and email address, the agent can select the Do not store chat log option when initiating the web chat.


  • Your Part: Start thinking now about whether you need to put systems in place to verify individuals’ ages and when to obtain parental or guardian consent for any data processing.

  • Xima's Part: Chronicall provides tools to accommodate revocation of consent, making it easy to comply with age restrictions.

Data Breaches

  • Your Part: Make sure you have the right procedures in place to detect, report, and investigate a personal data breach.

  • Xima's Part: Chronicall utilizes authentication and encryption to keep your data secure. However, because Chronicall is a software solution installed on your hardware within your network, you are ultimately responsible for keeping that server secure and detecting data breaches.

Data Protection By Design & Data Protection Impact Assessments

  • Your Part: Familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.

  • Xima's Part: Xima will notify all customers (regardless of whether or not they are located in the EU) if changes to our software will introduce a privacy risk or warrant a Protection Impact Assessment.

Data Protection Officers

  • Your Part: Designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.

  • Xima's Part: Xima has created tools within Chronicall to help your Data Protection Officer facilitate compliance with the new regulations.


  • Your Part: If your organisation operates in more than one EU member state, i.e., you carry out cross-border processing, you should determine your lead data protection supervisory authority.

  • Xima’s Part: Chronicall stores all data in a single centralized database within your network.