The EU General Data Protection Regulation (GDPR), which came into effect on May 25, 2018 and replaced the Data Protection Directive 95/46/EC, is designed to harmonize data privacy laws across Europe, to protect and strengthen the data privacy rights of all EU citizens and residents (individuals), and to reshape the way organizations across the region approach data privacy. The UK GDPR, which applies alongside the Data Protection Act 2018 following the end of the Brexit transition period, is similarly designed to expand the rights of individuals in the United Kingdom with respect to their personal data.
With the GDPR in place, individuals in the European Union and the UK can exercise greater control over their personal data and decide the extent to which businesses may store and manage it.
As a global service provider, SurveySparrow recognizes the value of data protection and has committed to implementing stringent processes and procedures in accordance with the applicable data protection regulations. The following sections outline our approach to, and commitment towards, the GDPR.
The scope of the GDPR is very broad and it will affect:
When you handle personal data, you do so either as a controller or as a processor. Different requirements and obligations apply depending on which category you fall under:
Where SurveySparrow processes the personal data of individuals in the EU or the UK, it has certain obligations under the GDPR. These obligations include the following:
When you use our services to collect, store or process personal data, including that of your customers or users, you are the data controller and we are a data processor. You must ensure that any service you use to process personal data does so in compliance with the GDPR. This means that when you use any of our services to collect and/or process personal data, you need to ensure that the contractual terms the GDPR requires between a controller and its processor (Article 28) are in place.
Under the General Data Protection Regulation (GDPR), you as a customer have certain obligations with regard to personal data that you collect or use. These obligations include:
We stand by transparency, privacy and security, and we aim to make data processing and management simple for you. You control and own your data. Here is a summary of the measures SurveySparrow has adopted to comply with the GDPR:
Data Processing: We process personal data on behalf of a customer (the controller) only on the customer's documented instructions and only for the purpose of rendering the agreed services, as governed by our Terms of Service and Data Processing Agreement (DPA), which is kept up to date with developments in the GDPR.
Data Processing Agreement: The DPA regulates the processing of personal data for performing the agreed services. We have an up-to-date Data Processing Agreement in place that sets out our approach to the GDPR. The DPA details our commitments and obligations as a data processor to our customers (the controllers), covering the principles of processing, the measures adopted to secure the data, the rights of data subjects and the respective responsibilities of controllers and processors. We regard the GDPR as a driver for adopting the highest operational standards, which in turn protects customer data as well as possible.
International Data Transfers: To ensure that transfers of personal data continue to benefit from a high level of protection, we have incorporated into our DPA the new Standard Contractual Clauses ("SCCs") adopted by the European Commission on 4 June 2021, which replaced the old SCCs adopted under the previous Data Protection Directive (Directive 95/46/EC), for the lawful transfer of personal data outside the EEA and the UK. Note that for transfers from the UK, the ICO's International Data Transfer Addendum to the EU SCCs (or its stand-alone International Data Transfer Agreement) is the corresponding UK mechanism rather than the EU SCCs alone.
Training on GDPR: SurveySparrow Inc. is committed to ensuring that our employees, customers, suppliers and all other relevant stakeholders we work with understand the importance of the General Data Protection Regulation (GDPR). We treat regular training as an essential part of GDPR compliance, and as part of this we train all personnel to understand their roles and responsibilities in meeting the organization's GDPR obligations. All personnel receive an internal employee awareness certification on completing the training and assessment on GDPR and information security requirements.
Privacy of customers' personal data is paramount at SurveySparrow. While we process customer data only in accordance with documented instructions, the right to edit, delete, retain or transfer the data resides with the customer at all times.
Customers may at any time get in touch with us and reasonably request the information needed to verify our GDPR compliance. They can contact the Data Protection Officer (DPO) by sending an email to firstname.lastname@example.org and ask for any information pertaining to their account. Where necessary, customers can also review their logs to confirm specific events relating to their personal data.
We have developed and implemented a comprehensive information security program and internal controls in accordance with international standards (SOC 2 Type II and ISO 27001). We commit to maintaining the highest security standards so that your personal data is not compromised at any point while you hold a valid account with SurveySparrow. We have hardened our IT infrastructure, data security platform and IT policies to offer our customers end-to-end security. Please refer to our Security Page for a detailed description of our security measures.
As the data owner, you alone decide where and with whom your data resides. We will help you port your data out of our ecosystem safely and securely. The transfer of data to another IT environment or processor will, however, depend on technical feasibility at both ends.
1. What is considered personal data under GDPR?
Personal data under the GDPR is any information that relates to an identified or identifiable natural person. This includes names, postal addresses, email addresses, IP addresses, online identifiers such as cookie IDs, and any other information that can identify a person directly or indirectly.
2. How does GDPR apply to SurveySparrow if we are based outside the EU?
The GDPR applies to organizations that process the personal data of individuals in the EU, regardless of where the organization is based. Where SurveySparrow processes the personal data of individuals in the EU, we are required to comply with the GDPR.
3. How do we comply with GDPR?
To comply with the GDPR, SurveySparrow ensures that it processes personal data in a lawful, fair and transparent manner. This includes relying on a valid lawful basis for each processing activity (obtaining individuals' consent where consent is the basis relied upon) before collecting, using or disclosing their personal data, and being transparent about how that data is used. SurveySparrow also ensures that personal data is collected for specified, explicit and legitimate purposes and is not further processed in a manner incompatible with those purposes.
4. How can ISO 27001 and SOC 2 help with GDPR compliance?
The GDPR requires organizations to implement appropriate technical and organizational measures, such as policies, procedures and processes, to protect the personal data they process. ISO 27001, the standard for an information security management system, and the SOC 2 Trust Services Criteria (including the privacy criteria) provide a strong starting point for meeting these requirements: they build on requirements, control objectives and controls that help reduce the risk of a breach. While the GDPR, ISO 27001 and SOC 2 all aim at protecting personal data, it is important to understand that none of them is a substitute for the others; certification against ISO 27001 or a SOC 2 report does not by itself establish GDPR compliance.
5. How do we handle requests from governmental authorities?
If SurveySparrow were to receive a request from a governmental authority, we would respond in a timely manner, providing only the information the authority requires to conduct its investigation. SurveySparrow would ensure that it provides the minimum amount of data necessary to comply with the request, and that the data is handled in accordance with the GDPR or other applicable data protection requirements.