As a result of the GDPR, more and more CheckMarket users ask us what they should do to be compliant. If you are working with personal data of data subjects in the EU or are located in the EU or have activity in the EU, there are a number of things that you have to take into account. In this blog article we will try to give you a good head start.
“Are your surveys anonymous or do you use personal data?”
- If you distribute your surveys anonymously and you do not process personal data, you can disregard the GDPR. But, be careful, the GDPR has an extremely broad view of what personal data is! (See article 4.1).
- If you use contacts or ask for an email address, a name or any other personal data in your surveys, read on: the GDPR imposes a number of responsibilities on you.
Make sure your processing is lawful
According to article 6 of the GDPR, you need a lawful basis before you can process personal data. The processing is only lawful if at least one of the 6 conditions in the legislation is met. The best known is consent from the person concerned, see article 7, but other conditions may apply if you survey your customers, patients, course participants, members, etc. In that case Article 6.b or 6.f may serve: ‘… necessary for performance of contract …’ or ‘… legitimate interests of the controller …’. Explicit consent is then not required. As data controller, you need to be able to prove which ‘lawful basis’ is used.
Inform your respondents
As data controller you must provide the necessary information to the data subjects when collecting personal data. Be sure to check the GDPR articles mentioned in this blog article to find out which information you need to provide when collecting personal data, and which information is covered by the “right of access”.
- Article 13 indicates what information you need to provide when collecting personal data from your data subjects to ensure fair and transparent processing, including: which data is being collected, who processes the data, the storage period of the data, the purposes of processing, etc.
- In addition, respondents must be able to access their personal data and all information involved (see article 13 and article 15).
Don’t keep data longer than necessary
Article 5.1.e of the GDPR requires that personal data not be retained longer than necessary. This means that you must remove the data once you no longer need it for your research. You are allowed to keep data for a longer period for statistical purposes, for example because you require it for benchmarking, as long as you take appropriate measures to keep that data secure. By setting data retention rules, you can fully automate the deletion of contact and/or respondent data in your CheckMarket surveys, regardless of the status of your surveys.
“Right to rectification” and “Right to erasure”
Besides the “right to be informed”, the GDPR takes it a step further with articles 16 and 17. In addition to the “right of access”, respondents also have the “right to rectification” and the “right to erasure (right to be forgotten)”. In other words, they need to be able to change or supplement their personal data or to delete them. Always mention the procedures to be followed and who they can contact with questions. You can, for example, add an extra paragraph to the e-mail invitation or the thank-you page.
Keep a record of processing activities
In accordance with article 30, as controller you have to keep a register of all processing activities. The register must include certain items, such as: the processing purposes, a description of the categories of data subjects and the categories of personal data, a general description of the technical and organizational security measures (if possible), etc. Make sure you read the official guidelines and keep all necessary information.
Data Processing Agreement
When you share personal data with a processor like CheckMarket, you are required to have a Data Processing Agreement (DPA) with that processor. CheckMarket offers a GDPR-compliant DPA with best-practice contractual protections that clearly articulates all privacy commitments. It of course covers all of CheckMarket’s own requirements under the GDPR as well, and, more importantly, you can be certain that we impose the same data protection conditions on our sub-processors, in accordance with the requirements of article 28.4 of the GDPR.
This article explains how you can easily review and accept our Data Processing Agreement (DPA):
Data Protection Officer
According to article 37 some organizations have to appoint a Data Protection Officer (DPO). This is required when:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
Does your organization have a DPO? Have your CheckMarket account administrator register your DPO’s details in our tool.
As data processor, our biggest priority is to guarantee the security of personal data. That is why we apply strict technical and organizational security measures. For example, we have set up the necessary processes to detect and resolve data leaks, and we use HTTPS encryption.
Note: You should also seek independent legal advice relating to your obligations under the GDPR, as only a lawyer can provide you with legal advice specifically tailored to your situation. Please bear in mind that nothing in this blog article is intended to provide you with, or should be used as a substitute for, legal advice.