The EU General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, replacing the Data Protection Directive 95/46/EC is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens and residents (Individuals) data privacy and to reshape the way organizations across the region approach data privacy. The introduction of the UK GDPR that forms part of the Data Protection Act 2018 after the Brexit transition, is similarly designed to expand the rights with respect to personal data of individuals in the United Kingdom.
With GDPR in place, Individuals from the European Union and UK can now exercise greater control over their data and decide the extent to which businesses can store & manage the same.
As a global service provider, SurveySparrow recognizes the value of data protection, and has committed to address and implement stringent processes and procedures in accordance with the applicable data protection regulation. The following sections outline our approach and dedication towards the GDPR.
Who is affected by GDPR?
The scope of the GDPR is very broad and it will affect:
- All organizations established inside the European Union.
- All organizations involved in processing personal data of EU citizens.
- GDPR will apply to any organization processing personal data of EU citizens, regardless of where it is established, and regardless of where its processing activities take place. This means that GDPR could apply to any organization anywhere in the world.
Are you a controller or processor?
When you access personal data, you do so either as a controller or a processor. There are different requirements and obligations depending on which category you fall under:
- A controller is an organization that determines the purposes and means of processing personal data. A controller also determines the specific personal data that is collected from a data subject for processing.
- A data processor is a person or organization who deals with personal data as instructed by a controller for specific purposes and services offered to the controller that involve personal data processing.
Our GDPR Responsibilities
Where SurveySparrow processes the personal data of individuals in the EU or the UK, it has certain obligations under the GDPR. These obligations include the following:
- Obtaining explicit consent from individuals before collecting, using, or disclosing your personal data.
- Ensuring that personal data is collected and processed lawfully, fairly, and transparently.
- Ensuring that personal data is collected for specified, explicit, and legitimate purposes and is not processed in a manner that is incompatible with those purposes.
- Ensuring that personal data is accurate, up-to-date, and is kept for no longer than is necessary for the purposes for which it is processed.
- Ensuring that personal data is processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
- Being transparent about the processing of personal data, including providing individuals with information about how your personal data is being used and how they can exercise your rights under the GDPR.
- Providing individuals with access to your personal data and the right to rectify or erase data, or to restrict or object to its processing, in certain circumstances.
- In the event of a personal data breach, taking appropriate measures to notify individuals and the relevant authorities, as required by the GDPR.
Your GDPR Responsibilities
When using our services to collect, store or process your personal data, including that of your customers or users, you are the Data Controller and we are a Data Processor. You must ensure that any services you use to process personal data are doing so in compliance with the GDPR. This means that when you use any of our services to collect and/or process your personal data you need to ensure certain contractual terms are in place.
Under the General Data Protection Regulation (GDPR), you as a customer have certain obligations with regard to personal data that you collect or use. These obligations include:
- Ensuring that the personal data you provide to SurveySparrow is accurate and up-to-date.
- Cooperating with SurveySparrow in order to enable it to comply with its obligations under the GDPR.
- Refraining from providing false or misleading information to SurveySparrow.
- Respecting the privacy of other individuals and not collecting or using their personal data without a lawful basis for doing so.
- Protecting your personal data by not giving unauthorized access to the SurveySparrow platform.
SurveySparrow’s ongoing GDPR Commitment
We stride by Transparency, Privacy and Security and help in facilitating data processing and management simple for you. You control and own your data, here is a summary of the measures adopted by SurveySparrow to be fully in compliance with the GDPR:-
Data Processing: The processing of personal data on behalf of an Individual shall be only based on an Individual’s documented instructions and for the purpose of rendering the agreed services which shall be governed by the Terms of Service and Data Processing Agreement (DPA) updated in accordance with the recent developments in the GDPR.
Data Processing Agreement: Regulates the processing of personal data for performing the agreed services. We have an up-to-date Data Processing Agreement in place that elucidates our approach towards GDPR. The DPA details our commitment and obligations as a data processor to our customers (controllers), addressing the principles of processing, the measures adopted for securing the data, the rights of the data subjects and the responsibilities of the controllers and processors. We acknowledge that the GDPR will help us adopt the highest operational standards and will thereby facilitate the protection of customer data in the best way possible.
International Data Transfers: In order to ensure that transfer of personal data continues to benefit from a high level of protection, we have incorporated the new Standard Contractual Clauses (“SCC”) adopted on 4 June 2021 by the European Commission replacing the old SCCs that were adopted under the previous Data Protection Directive(Directive 95/46, into our DPA for the lawful transfer of personal data outside the EEA and UK.
Training on GDPR: SurveySparrow Inc. is committed to ensuring that our employees, customers, suppliers and all other relevant stakeholders we work with understand the importance of the General Data Protection Regulation (GDPR). We emphasize regular training as an essential part of GDPR compliance and as part of this we specifically train all personnels to understand their roles and responsibilities in the organizational requirement for GDPR compliance. We ensure all personnels receive an internal employee awareness certification by completing the training and assessment on GDPR and information security requirements.
Personal Privacy of customers’ data is absolute at SurveySparrow . While we process customer data in accordance with the documented instructions, the right to edit, delete , retain or transfer the data resides with the customer at all times.
Customers at any point in time can get in touch with us and reasonably request for required information to prove our GDPR compliance. They can approach the Data Protection Officer (DPO) by sending an email to firstname.lastname@example.org and ask for any information pertaining to their account. If deemed necessary, customers can also verify their logs to confirm upon specific events related to their personal data.
We have developed and implemented a comprehensive information security program and internal controls in accordance with the international standards (SOC 2 Type II and ISO 27001).We promise to adopt utmost security standards so that your personal data does not get compromised at any point you have a valid account with SurveySparrow. We have tightened our IT infrastructure, data security platform & IT policies so as to offer our customers enhanced end-to-end security.You may refer to our Security Page for a detailed description on our security measures.
Being the data owner, it is completely your call to decide on where & with whom your data must reside. We’ll help you port your data out of our ecosystem in a safe and secure manner. However, the transfer of data to another IT environment/processor will purely depend on the technical feasibility at both ends.
Our GDPR Readiness Checklist
- DPA updated
- Terms of service updated
- Data Protection Officer appointed
- GDPR training given to all employees that handle customer data
Frequently Asked Questions:
1. What is considered personal data under GDPR?
Personal data under GDPR is any information that relates to an identified or identifiable natural person. This includes things like names, addresses, email addresses, IP addresses, and other identifying information.
2. How does GDPR apply to SurveySparrow if we are based outside the EU?
GDPR applies to companies that process the personal data of individuals in the EU, regardless of where the company is based. Where SurveySparrow processes the personal data of individuals in the EU, we are required to comply with GDPR.
3. How do we comply with GDPR?
To comply with GDPR, SurveySparrow ensures that it is processing personal data in a lawful, fair, and transparent manner. This includes obtaining explicit consent from individuals before collecting, using, or disclosing their personal data, and being transparent about how their personal data is being used. SurveySparrow also ensures that personal data is collected for specified, explicit, and legitimate purposes and is not processed in a manner that is incompatible with those purposes.
4. How can ISO 27001 and SOC 2 help with GDPR compliance?
GDPR requires organizations to implement appropriate technical and organizational measures, such as policies, procedures, and processes, to protect personal data processing. ISO27001 and SOC 2 privacy criteria provides an excellent starting point for meeting these technical and operational requirements, as it is the most comprehensive privacy-specific standards for an information security management system, building on requirements, control objectives, and controls to help reduce the risk of a breach. While the GDPR Regulation, ISO27001 and SOC2 privacy standards aim at protecting the privacy and protection of Personal Data, it is important to understand that neither of these are replaceable in place of the other.
5. How do we handle requests from governmental authorities?
If SurveySparrow were to receive a request from a governmental authority, we would respond in a timely manner, providing any information requested that is necessary for the authority to conduct its investigation. SurveySparrow would also ensure that it is only providing the minimum amount of data necessary to comply with the request, and that the data is being handled in accordance with GDPR or applicable data protection requirements.