Secure German data protection
Data protection-compliant use of surveys with easyfeedback
On 05/25/2018, the new EU General Data Protection Regulation (GDPR) came into force. The aim of the GDPR is a uniform data protection regulation at EU level. The GDPR has replaced the existing German Federal Data Protection Act (BDSG).
We, easyfeedback, have aligned all measures with the GDPR and provide you here with all the necessary information, a guide and the required documents to comply with data protection according to the GDPR.
First of all: Data protection applies when personal data is collected and processed. Therefore, first check whether you are processing personal data at all.
Personal data when using easyfeedback are/could be:
Email invitation via easyfeedback:
- Email address
- First name
- Last name
- Reference text
- Value 1 – X
Extension of the survey link with parameters & variables or a personal ID. Possible extensions that allow conclusions to be drawn about a person:
- ID numbers (customer number, ticket number, etc.)
- Other personal data
Responses of the participant:
- All responses that identify a person
If you are not collecting personal data, you do not need to pay attention to anything else at this point.
Responsibility and responsible contact persons
When you collect and process personal data with easyfeedback, a chain of responsible parties and responsible contact persons is created. Everyone within this chain must enter into a commissioned processing agreement with their direct service provider (processor), document the associated technical and organizational measures to protect the data and name the service providers used to their client (responsible party).
The data protection chain in accordance with order processing and GDPR:
You collect and process personal data from your employees, customers or other persons with surveys via easyfeedback. Then you assume the role of the data controller vis-à-vis them. We, easyfeedback, are your order processor in this relationship.
The contract for order processing regulates the relationship and responsibility (download below).
In order to be able to offer you our services, we use two service providers: data center (Strato AG) and server management (Zeusware GmbH).
We have also entered into a contract for order processing with both of the aforementioned service providers, where we, easyfeedback, assume the role of the responsible party and our service providers assume the role of the order processor.
In order to comply with data protection, it is therefore necessary for you to conclude an order processing agreement with us to close the chain.
Procedure directories and notifications to data subjects
According to the GDPR, data protection stipulates that the collection and processing of personal data must be documented in a procedure directory and that the data subjects must receive a notification of the process (right to information).
We support you in both points with templates for download (below) and technical features within easyfeedback.
Guideline for data protection compliant collection and processing of personal survey data
- Check whether you collect personal data from employees, customers, suppliers or other groups of people via easyfeedback surveys.
- If so, conclude an order processing contract with us (download below). This ensures that we work with the data in a compliant manner, contains the technical and organizational measures and binds our service providers to the same conditions.
- Create a procedure directory for the collection and processing (download below).
- Inform the relevant group of people at the beginning of the survey about the collection and processing of personal data.
- Create a data protection notice (right to information) for the person concerned, in which you inform them about the type of data that is collected and processed, explain their rights and who the responsible body is, as well as naming the contact person (download below).
Contract for order processing (GDPR)
For the regulation between you and us, we have prepared a contract for order processing, which is directly aligned to the use of easyfeedback.
How to conclude the contract with us:
- Log in to your account
- Navigate to “Account > Account data > Privacy”
- Click on “Conclude contract” under “Order processing in accordance with GDPR”
- Follow the steps described there
- Sign the contract for order processing as responsible party and send it to easyfeedback
According to data protection, every procedure for processing personal data must be documented. To make it easier for you to work with easyfeedback, we have created a sample procedure directory that you can use.
How to create your survey procedure directory:
- Download sample procedure directory
- Delete information that does not apply, or add information as needed
- File internally for documentation and submit in case of audit/request
Notice of processing (passive – active)
According to the GDPR, each person must be informed about the processing of personal data concerning him or her. To ensure this, individuals must be made aware of the processing.
How actively the participant must be made aware of the data protection notice is not clear from the GDPR – only that it must be pointed out.
We recommend two variants:
- You place a notice text on the welcome page of the survey in which you draw the participants’ attention to the “clickable” data protection notice in the closing bar of the survey. (passive)
Place data protection notice (right to information) in the survey.
In addition to the reference to the processing, you must also provide the person concerned with information about the type of processing, their rights and about the information options.
To provide the information, we offer a text link called “Privacy notice” in the closing bar within the survey, where an info box with the privacy notice will open after you click on the link. To activate the function, please go to the settings of your survey and activate the function “Privacy notice”. After saving, the text at the bottom left of the survey is clickable and the info box opens.
You can create the privacy notice (right to information) on your own, or you can use our template and add the missing information.
How to store the privacy notice in the survey
- Download data protection notice (right to information).
- Complete missing information (marked red).
- Specify the type of data you are collecting and how long you are storing it for.
- Navigate to the settings of your survey at easyfeedback, activate the function “Privacy notice” and copy the entire text into it.
- After saving, open the survey preview and check your information.
Note: The information provided here is not legal advice. We do not guarantee the accuracy and completeness of the information. If you have any questions about the exact and optimal implementation for your company, please contact your data protection officer.