What are my GDPR Responsibilities for Surveys?

As a result of the GDPR, more and more CheckMarket users ask us what they should do to be compliant. If you are working with personal data of data subjects in the EU or are located in the EU or have activity in the EU, there are a number of things that you have to take into account. In this blog article we will try to give you a good head start.

“Are your surveys anonymous or do you use personal data?”

  • If you distribute your surveys anonymously and you do not process personal data, you can disregard the GDPR. But be careful: the GDPR has an extremely broad view of what personal data is (see article 4.1).
  • If you use contacts or ask for an email address, name or any other personal data in your surveys, make sure to read on, as the GDPR imposes a number of responsibilities on you.

Make sure you have permission

According to article 6 of the GDPR, you need a lawful basis before you can process personal data. The most common is consent from the data subject (see article 7). As data controller, you need to be able to prove which ‘lawful basis’ was used. Also, keep in mind that respondents can withdraw their consent at any time.

Inform your respondents

As data controller, you must provide the necessary information to the data subjects when collecting personal data. Be sure to check the GDPR articles mentioned in this blog article to find out which information you need to provide when collecting personal data, and which information is included in the “right of access”.

  • Article 13 indicates what information you need to provide when collecting personal data from your data subjects to ensure fair and transparent processing, including: which data is being collected, who processes the data, the storage period of the data, the purposes of processing, etc.
  • In addition, respondents must be able to access their personal data and all information involved (see article 13 and article 15).

“Right to rectification” and “Right to erasure”

Besides the “right to be informed”, the GDPR takes it a step further with articles 16 and 17. In addition to the “right of access”, respondents also have the “right to rectification” and the “right to erasure (right to be forgotten)”. In other words, they need to be able to change or supplement their personal data or to delete them. Always mention the procedures to be followed and who they can contact with questions. You can, for example, add an extra paragraph to the e-mail invitation or the thank-you page.

Keep a record of processing activities

In accordance with article 30, as controller you have to keep a register of all processing activities. The register must include certain items, such as: the processing purposes, a description of the categories of data subjects and the categories of personal data, a general description of the technical and organizational security measures (if possible), etc. Make sure you read the official guidelines and keep all necessary information.

Data Processing Agreement

When you share personal data with a processor like CheckMarket, you are required to have a Data Processing Agreement (DPA) with that processor. CheckMarket offers a GDPR compliant DPA with best practice contractual protections that clearly articulates all privacy commitments. It of course covers all CheckMarket’s requirements for GDPR as well, and more importantly you can be certain that we impose the same data protection conditions on our sub-processors, in accordance with the requirements in article 28.4 of the GDPR.

This article explains how you can easily review and accept our Data Processing Agreement (DPA):

Data Protection Officer

According to article 37 some organizations have to appoint a Data Protection Officer (DPO). This is required when:

  1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  2. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  3. the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

Does your organization have a DPO? Have your CheckMarket account administrator register your DPO’s details in our tool.

CheckMarket’s responsibilities

As data processor our biggest priority is to guarantee the safety of personal data. That’s why we apply strict technical and organizational safety measures. For example, we have set up the necessary processes to determine and resolve data leaks, and we use HTTPS encryption.

More information about our safety measures can be found in our privacy policy and our data processing agreement (DPA).

Note: You should also seek independent legal advice relating to your obligations under the GDPR, as only a lawyer can provide you with legal advice specifically tailored to your situation. Please bear in mind that nothing in this blog article is intended to provide you with, or should be used as a substitute for, legal advice.

Want to create your own surveys that are also GDPR compliant? Try our tool for free.

How Startups like Airbnb Measure Customer Satisfaction

“The ability to learn faster from customers is the essential competitive advantage that startups must possess”, wrote Eric Ries in his book The Lean Startup, the unofficial bible of the startup movement. Measuring customer feedback is extremely important to startups, and in this blogpost we will show you how three of them (TransferWise, Uber and Airbnb) do it.

GDPR: We Updated Our Privacy Policy

On May 25, 2018, the most significant piece of European data protection legislation to be introduced in 20 years will come into force when the EU’s General Data Protection Regulation (GDPR) replaces the 1995 Data Protection Directive. We know that preparing for this regulatory change is a priority for many of our customers and it is equally a priority for us. That is why we are already busy making our survey tool fully GDPR compliant. Today, we are updating our privacy policy which has been specifically adjusted to reflect the new regulation.

5 Easy Ways to Fight Online Survey Fatigue

More and more companies ask their customers for feedback nowadays. We at CheckMarket think that the increase of customer-centricity is great, but unfortunately there’s not only good news attached to it. People are getting a bit tired of filling in surveys, because they simply receive lots and lots of invitations on a regular basis. Survey fatigue is coming to the surface. Since getting valuable feedback is essential, how do you make people open your invitations? These 5 tips will help you get your feedback requests clicked on more easily.

Survey Checklist – Create the perfect survey

Conducting a survey is one thing, but conducting a survey that generates valuable insights is another. Question types, distribution, testing, … There’s a lot to keep in mind. Luckily for you, we created a useful checklist that will guide you every step of the way. Now it’s up to you. Follow these steps, tick them off when they are finished and conduct your perfect survey!
