Disclaimer: The content below is provided for informational purposes only and the information shared here is not meant to serve as legal advice. You should work with legal and other professional counsel to determine exactly how the GDPR may or may not apply to you.

What is GDPR?

The General Data Protection Regulation (GDPR) will come into force with effect from May 25th, 2018 in the European Union and it will have a fundamental effect on how companies manage data collected from individuals in accordance with the new privacy laws. With effect from May 25th, 2018, all surveys collected with a Survtapp Account operated by an EU entity are required to be GDPR Compliant. However, non-EU Survtapp accounts can also switch on GDPR Compliance under the manage account settings.

As part of compliance with GDPR, Survtapp is committed to ensuring that online surveys and data collected for market research, customer feedback, employee feedback or any other purpose are in accordance with GDPR and Privacy Laws.

Key Impact of GDPR Compliance:

  1. Increased Territorial Scope - applies to companies worldwide, whether a company registered in the EU or any company from the rest of the world working with individuals in the EU.
  2. Penalties/Fines - up to the greater of 4% of annual global turnover or 20 million Euros.
  3. Embodied & strengthened consent - purpose of the data processing is now attached to the consent.
  4. Data Subject Rights:
    1. Breach Notification - 72 hours from being aware.
    2. Right to Access - what data is being used and for what.
    3. Right to be Forgotten - data subject has more control of what data can be kept.
    4. Data Portability - access to the data subject's data and ability to move it.
    5. Privacy by Design - systems are designed with privacy up front.
    6. Data Protection Officers - assigned person to oversee privacy compliance.

Survtapp GDPR Compliance

  1. Information Collected
    1. We have completed data audits to establish what personal data is collected, where it came from, who has access to it and how we manage it.
  2. Accountability & Governance
    1. We have necessary data protection policies, controls and contracts.
  3. Management Responsibility
    1. Decision makers at Survtapp support and value processes for data protection and promote a positive attitude towards data protection compliance.
  4. Data Protection by Design
    1. Survtapp has implemented appropriate technical and organisational measures to ensure we have considered and integrated data protection into our processing activities.
  5. Encrypted Data Storage
    1. All our data is stored on AWS Servers encrypted with AES-256 encryption, with advanced security protocols to protect the data of our customers.
  6. Training and awareness
    1. Survtapp provides data protection awareness training for all staff.
  7. Data processing contracts
    1. Survtapp only processes data on the documented instructions of a controller and there is a written contract outlining the respective responsibilities and liabilities of the controller and our business.
  8. The use of sub-processors
    1. Survtapp has sought prior written authorization from the controller before engaging the services of a sub-processor, and there is a Data Processing Addendum (DPA) in place.
  9. Operational base
    1. Survtapp operates inside and outside of the EU.
  10. Breach notification
    1. Survtapp has effective processes to identify and report any personal data breaches to its controller.

Survtapp Platform Features

  1. Survtapp Privacy Policy and Survey Opt-In Consent Process
  2. View or Delete Individual Response Data: Survey participants can find and view responses provided by them using the convenient View Responses Tool.
  3. Survtapp Open App allows for anonymous responses.

GDPR Rights

The right to be informed.
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under GDPR.

The right of access.
Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.

The right to rectification.
Individuals have the right to have inaccurate personal data rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing. Organisations have one calendar month to respond to a request.

The right to erasure.
Individuals have the right to have personal data erased. This right is also known as “the right to be forgotten.” Individuals can make a request for erasure verbally or in writing. Organizations have one calendar month to respond to a request. This right is not absolute and only applies in certain circumstances.

The right to restrict processing.
Individuals have the right to request the restriction or suppression of their personal data. When processing is restricted, organizations are permitted to store the personal data, but not use it. Organizations have one calendar month to respond to a request. This right is not absolute and only applies in certain circumstances.

The right to data portability.
Individuals can obtain and reuse their personal data for their own purposes across different services. This right allows individuals to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. This right enables consumers to take advantage of applications and services which can use this data to find them a better deal, or help them understand their spending habits.

The right to object.
Individuals have the right to object to:

  • Data processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • Direct marketing (including profiling);
  • Data processing for the purpose of scientific/historical research and statistics.

Rights in relation to automated decision-making and profiling.
This right protects individuals if organizations are carrying out solely automated decision-making that has legal or similarly significant effects on them.

Frequently Asked Questions

What happens when I make a data rights request as a survey respondent?
Survtapp will identify the Controller of your information (our customer) and will convey your request to them. As they own and control your data, they are responsible for taking requested actions.

Why do you need my email address when I make a request?
The link is used to identify the customer who sent you the survey and who, in turn, is responsible for ensuring your request is honored.

What happens when I make a data rights request as a survey creator?
We will make all reasonable attempts to comply with your request directly. However, please understand that, as a Customer, some of your information may not be “forgotten”, due to our obligations to be able to contact you.

What if I need additional information about my company’s GDPR compliance?
It is recommended that you confer with counsel to ensure your specific requirements under GDPR and other international law are followed. Survtapp can only assist with meeting compliance requirements by providing controls to aid in meeting obligations.

What does Survtapp do with the information I provide in a survey?
Survtapp only provides the platform used by our customers to conduct surveys. The individual responses to surveys are the property of the survey creator. Survtapp does not interact with your data except where explicitly permitted by the customer.