What is GDPR and does it apply to me?
GDPR (General Data Processing Regulation), which officially entered into application on 18 May 2018, is an EU regulation on the protection of personal data and the privacy of individuals in the EU. GDPR applies to any Survicate customer that processes data in the EU or processes the data of EU citizens. Within the scope of this regulation, any entity processing personal data must clearly state the purpose of the processing, its legal basis, how long the data is kept, and whether it is shared with any third party or transferred outside the European Economic Area (EEA). Data subjects have the right to request a copy of their stored data at any time, and to request the deletion of their personal data under certain conditions.
📌This article is meant to provide background and help you better understand GDPR and how it applies to your usage of Survicate. If you are impacted by GDPR, please consider consulting a lawyer or your company's security officer for more information.
Is Survicate GDPR Compliant?
👍Yes, Survicate is fully GDPR compliant.
Our headquarters are located in Warsaw, Poland. As a business operating within the EU, we are subject to GDPR and all additional EU data protection amendments.
By choosing Survicate you will meet your obligations under Article 28 of the GDPR to work with a Data Processor that executes appropriate technical and organizational measures and pseudonymization techniques to ensure the protection of the rights of the data subject. We assist you in meeting your obligations under the GDPR, such as deleting personal data or gathering and storing proof of consent.
Survicate acts as both Data Controller and Data Processor under the provisions of the GDPR:
As Data Controller: Survicate processes your personal data as a Survicate user and is responsible for protecting it, which makes us the Data Controller for Survicate users. Detailed information about how Survicate processes your personal data can be found in our Terms of Service and Data Processing Agreement.
As Data Processor: Survicate processes your data subjects' data on your behalf and according to your instructions, which makes us the Data Processor and you the Data Controller. As your Data Processor, we enter into the Data Processing Addendum, which binds us to meet our data-processing obligations to protect the rights of the data subjects. Our Data Processing Addendum can be found at the following link: Survicate DPA
Is my data stored in the EU data center?
Our data is hosted in Amazon AWS data centers located in Ireland (EU), which are ISO 27001 and SOC 2 certified. Under the provisions of GDPR, entities transferring personal data outside the EU and the European Economic Area (EEA) should take the necessary technical and organizational measures to implement data protection principles and pseudonymization techniques. By working with a company whose data centers are inside the EU, you avoid many of the risks associated with transcontinental data transfers.
What personal data does Survicate collect from my data subject?
At Survicate, we take the protection of Personally Identifiable Information (PII) very seriously and understand that it must be handled carefully. You can therefore choose to keep your responses anonymous (without collecting any PII), or to obtain personal data only when the data subject is willing to share it. We also give you the option of collecting the personal information of your respondents at all times. If you collect the personal data of your respondents in any way, you may need to obtain consent to process it, or to modify how you currently obtain that consent.
How does Survicate ensure the right to be forgotten? (Deleting your data subjects' information)
To help you handle your obligations under the GDPR Right to Erasure, Survicate lets you conveniently delete personal data stored in survey responses.
You may delete:
GDPR Compliance at Survicate
The measures we have taken to ensure GDPR compliance
Form a GDPR compliance team and assign responsibilities ✅
Assess GDPR readiness – thorough research of the areas of our product and our business impacted by GDPR ✅
Appoint a Data Protection Officer ✅
Review data protection policies, procedures, processor and sub-processor agreements ✅
Develop requirements of product changes to fulfill GDPR obligations ✅
Implement the required changes to our internal processes, policies, procedures, and processor and sub-processor agreements to achieve compliance with GDPR ✅
Perform the necessary changes to our product based on the requirements ✅
Perform an audit of all changes to verify and validate compliance with GDPR ✅
Communicate our compliance with GDPR ✅
The procedures we follow
We carry out a risk analysis and have strict procedures in place. Here are some of them:
When deciding what measures to implement, we take account of the state of the art and costs of implementation.
We have an information security policy and take steps to make sure the policy is implemented.
Where necessary, we have additional policies and ensure that controls are in place to enforce them.
We make sure that we regularly review our information security policies and measures and, where necessary, improve them.
We have put in place basic technical controls such as those specified by established frameworks like Cyber Essentials.
We understand that we may also need to put other technical measures in place depending on our circumstances and the type of personal data we process.
We use encryption and/or pseudonymization where it is appropriate to do so.
We understand the requirements of confidentiality, integrity, and availability of the personal data we process.
We make sure that we can restore access to personal data in the event of any incidents, such as by establishing an appropriate backup process.
We conduct regular testing and reviews of our measures to ensure they remain effective and act on the results of those tests where they highlight areas for improvement.
Where appropriate, we implement measures that adhere to an approved code of conduct or certification mechanism.
We ensure that any data processor we use also implements appropriate technical and organizational measures.