GDPR and Survey Space

GDPR Compliance and Survey Space

Survey Space complies with the European Union General Data Protection Regulation (GDPR)

At Survey Space, we believe that data protection and privacy are critically important. Survey Space has reviewed all internal processes, systems and documentation, published a Data Processing Agreement, and revised our Privacy Policy to satisfy GDPR requirements effective on May 25, 2018. We are:

  • Ensuring our third-party vendors meet the requirements of the GDPR and permit us to lawfully transfer EU personal data and that they lawfully receive and process the data. Our primary third-party vendors, listed below, are committed to being GDPR Compliant before the due date.
    • SparkPost (www.sparkpost.com), which delivers a large percentage of the world’s email. SparkPost has committed to meeting GDPR requirements (https://www.sparkpost.com/gdpr/).
    • Liquid Web (www.liquidweb.com), which hosts our servers in the United States. Liquid Web is Safe Harbour compliant (https://www.liquidweb.com/about-us/data-centers/us-central/).
    • Mailchimp (www.mailchimp.com) is committed to achieving GDPR Compliance.
    • Stripe (www.stripe.com) aims to ensure that Stripe remains compliant with European data protection laws and also to assist users in doing so (https://support.stripe.com/questions/stripe-and-european-data-transfers).
    • Chargebee (www.chargebee.com) have advised that they “are compliant with EU-U.S. & Swiss-U.S. Privacy Shield framework and is effective as of Jan 10th 2018.”
    • Zendesk (www.zendesk.com) is used by Survey Space to support our users and they have posted in regard to their GDPR compliance.
  • Analyzing our software features to determine whether enhancements or changes can be made to support users who are subject to the GDPR.
  • Prepared to address any requests made by our customers related to their rights under the GDPR.
  • Implementing revised Privacy Policy and Terms & Conditions.
  • Implementing system changes to help Survey Space users obtain consent from survey respondents for the use of personal information.
  • Implementing system changes to obtain consent to use personal information from existing Survey Space users.

Survey Space customers affected by GDPR must also ensure they comply

Customers affected by GDPR should review their organization’s data privacy and security practices and ensure they comply with the requirements before GDPR comes into effect. Survey Space customers should seek appropriate legal advice to ensure that they will meet their GDPR requirements.

General Data Protection Regulation (GDPR). What is it?

General Data Protection Regulation (GDPR) is a European privacy law that will officially become enforceable on May 25, 2018. The GDPR will regulate, among other things, how individuals and organizations may obtain, use, store, and eliminate personal data, which will have a significant impact on businesses around the world. Organizations in breach of GDPR will be fined up to a maximum of 4% of annual global turnover or €20 Million (whichever is greater).

Approved by the European Commission in 2016, the GDPR will replace an existing European Union privacy directive known as Directive 95/46/EC as an EU-wide, binding act. The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world and set a new standard in global privacy rights and compliance.

Who will it affect?

The GDPR will affect all organizations (across all industries and sectors) that are either 1) established in the EU or 2) involved in processing personal data of EU citizens, regardless of which country those processing activities take place in. All organizations are therefore recommended to perform an analysis to determine whether or not they are processing this type of personal data.

What are the key changes?

While the GDPR is mostly built upon principles established in the previous Directive, it brings into effect some noteworthy changes:

  1. Expansion of scope: The GDPR will apply to any organization processing personal data of EU citizens, regardless of the organization’s location, while the Directive applied to data processing activities within the EU only.
  2. The definitions of personal data will change: As of May 25, 2018, personal data will refer to any information that could be used, on its own or in conjunction with other data, to identify an individual. It will include not only data considered to be personal in nature (e.g., social security numbers, names, physical addresses), but also data such as location data, biometric data, IP addresses, financial information, and more. It will even include personal data that has been “pseudonymized” if it can be linked to a particular individual.
  3. Expansion of individual rights: Under the GDPR, EU citizens will have several new rights including the right to have personal data deleted without undue delay, the right to object to certain data uses, the right to rectify any incorrect or incomplete data, the right to know what data of theirs is being processed and how, and the right to request personal data held by one organization be transported to another.
  4. Stricter consent requirements: Under the GDPR, organizations will need to obtain consent for every usage of personal data, and that consent must be applicable to specific, intended purposes only. Any further use of that same data will require separate consent. Silence, pre-ticked boxes or inactivity will not constitute consent.
  5. Stricter processing requirements: Organizations will need to provide individuals with “fair and transparent” information about each act of data processing including the data’s purpose, retention period, the legal basis of collecting that data and contact details of the Controller (the individual or organization that determines the purposes and means of data processing, as well as the specific personal data that is collected).

There are many other requirements introduced by the GDPR, so it is important to review the law in its entirety to ensure you have a full understanding of how they may apply to you.

Resources from EUGDPR.org

The EU GDPR Organisation provides additional resources at https://www.eugdpr.org/. Here is a selection of videos from that resource.

Survey Space customers need to consider their GDPR compliance requirements

In relation to a Survey Space account, the roles performed by our customers and Survey Space are important considerations.

Obligations vary for Controllers and Processors

When accessing personal data, you act as a Controller or a Processor. A Controller determines the aims and methods for processing the personal data. They also decide the specific personal data that will be collected and processed. A Processor is an organization that processes the data on behalf of the Controller. The GDPR has expanded the responsibilities of Controllers and Processors.

Controllers are primarily responsible for data protection (including obligations to report data breaches). Processors also have responsibilities under the GDPR, so it is important to understand the role you are in and whether you act as a Controller or a Processor. You need to understand your responsibilities and take appropriate action, as well as implement systems and procedures to meet those responsibilities.

When using Survey Space software and services, our customers mostly act as the Controller. They decide what information is obtained and uploaded, imported or added into their Survey Space account. Customers also use Survey Space software to send messages and share survey results. They decide how Survey Space interacts with third party platforms such as Zapier, LinkedIn, Mailchimp and Facebook.

Survey Space acts as a Processor when customers perform these actions and handles personal data for our customers.

How Survey Space customers can prepare for GDPR

Customers affected by GDPR should review their organization’s data privacy and security practices. They should seek appropriate legal advice to ensure that they will meet their GDPR requirements.

Considerations include:

  • What personal data do you hold?
  • Is the data secure? Assess whether your security needs should be upgraded.
  • Who has access to the data?
  • Where is the data transferred to?
  • How long is the data retained?
  • Are you required to have a Data Protection Officer under GDPR?

Specific actions to take include:

  • Ensure you have a system to monitor data breaches, and can act quickly if a breach is detected.
  • Review the personal data consent records you have collected:
    • Are there records for each data subject’s consent, for every purpose for which you use their data?
    • Have you received affirmative consent from each data subject, or was your consent reliant upon a Privacy Policy, Terms of Service, or obtained by a soft opt-in approach (these will be inadequate under GDPR)?
    • Are you able to prove your consent if challenged?
  • Revise your Privacy Policy and Terms of Service to comply with GDPR.
  • If you work with third party providers, examine the process for sending personal data to them, ensure that measures are in place to protect the personal data and review contracts to ensure they meet GDPR requirements.
  • Ensure all staff and contractors are aware of the GDPR regulations and responsibilities in relation to personal data.

Specific actions to help Survey Space customers meet the GDPR requirements

Here are some actions and advice to help Survey Space customers with their GDPR compliance requirements.

Right to be forgotten

Customers may delete individual Respondents upon their request at any time. In addition, individual Respondents may contact Survey Space directly to request deletion of their data from an individual Survey Space user’s account or across multiple Survey Space users’ accounts (to the extent the Respondent is on more than one Survey Space user’s list). It is important to remember that Survey Space projects work independently, and deleting a Respondent from one project does not ensure that same email address will also be deleted from other lists.

Right to rectification

Customers may access and update or edit Respondent/Contact lists within their Survey Space account at any time upon request. In addition, any data subject (including your Respondents and Contacts) may contact Survey Space directly to access, correct, and/or delete information that Survey Space may hold about the data subject. Unless it is prohibited by law, we will remove any Personal Information about an individual, either our customer or a Respondent, at our customer’s or the Respondent’s request. There is no charge for an individual to access or update their Personal Information.

Right of access

Our Privacy Policy outlines the data we collect and how we use it. Customer survey Respondents or Contacts may contact us directly to request access to information that we hold about them.

Right of portability

Customers may export their project data at any time by accessing their Survey Space account.

Consent and processing requirements

Customers must lawfully obtain and process email addresses and other personal data from their Respondents and Contacts.

The personal data of our customer’s Respondents and Contacts may be collected and transferred to Survey Space via forms and processes made available in our application and projects designed by our customers. These projects and mail templates are important Survey Space tools customers can use to ensure GDPR compliance. They are easy to use and you can begin designing them to meet specific GDPR compliance needs now.

Customers should carefully design each project and mail template to make sure that language in the body and/or footer is clear, specific, and covers all possible reasons for using the information being solicited. Customers should ensure they are very specific about the intended use of the information they are collecting.

While the information customers collect via these projects is being transferred to Survey Space, it is the customer’s responsibility to ensure that they obtain consent from their customers and contacts to send their information to Survey Space for processing, so they should ensure that all their forms, processes and systems, etc. include language that provides this consent.

Customer survey Respondents and contacts should have easy access to withdraw consent or change their preferences.

If using an autoresponder system to deploy surveys and capture respondent personal data, an “unsubscribe” option should be automatically included in the footer of every campaign. This allows campaign recipients to easily unsubscribe from customer lists, thereby helping customers comply with their GDPR obligations.

Customers also have the option to include a “policies” link and other links in the footer of any survey project, which will give their survey Respondents information and knowledge about how their data will be used and how they may access and update their profile details.

When requested to do so by a Respondent or contact, customers need to ensure that they update information stored within the customer’s Survey Space account.

Customers should ensure that they maintain accurate records, especially of their Respondents and contacts’ consent permitting them to send them marketing emails and store and use their personal data.

Consent that customers obtain from Respondents and contacts must comply with the GDPR requirements, irrespective of when that consent was obtained. However, Recital 171 of the GDPR indicates that customers may be able to rely on any existing consent if it meets the GDPR standards for consent. This means that it is not necessary to re-request consent from your Respondents or Contacts provided you met the GDPR requirements when consent was initially obtained. Customers should seek legal advice to determine if consents obtained prior to the GDPR comply.

Customers should review any Survey Space integrations or add-ons, and the associated terms, to ensure that they adequately disclose data processing activities to Respondents and Contacts.

Customers should review the privacy statement and practices applicable to their organization and ensure they provide proper notice that the personal data of survey Respondents or Contacts will be transferred to Survey Space and processed by Survey Space.

The personal rights of Survey Space customers under GDPR

Specifically relating to our customers’ personal data held by Survey Space, we advise the following.

Your right to be forgotten

You may cancel your Survey Space account at any time, in which case we will permanently delete your account and all data associated with it. You may download the survey project results and data in PDF or CSV prior to cancellation.

Your right to rectification

You may access and update your Survey Space account settings at any time to review or edit your account information. You may also contact Survey Space at any time to access, correct, amend or delete information that we hold about you.

Your right of access

Our Privacy Policy describes the data we collect and how we use it. Please contact help@surveyspace.com for further information at any time.

Your right of portability

You may export your personal data at any time or contact us to assist.


For more information, please contact Survey Space by email at help@surveyspace.com.
