(Guidance Manual + documents)
On 25.05.2018, the new EU General Data Protection Regulation (GDPR) came into force. The purpose of the GDPR is to create consistent data protection regulation at the EU level. The GDPR has replaced the existing Federal Data Protection Act (BDSG).
We, easyfeedback, have aligned all measures with the GDPR and provide you with all the necessary information, a guide and the documents required to comply with data protection under the GDPR.
To begin with: Data protection is applicable where personal data are collected, stored and processed. Therefore, first check whether you are processing personal data at all.
Personal data in case of use with easyfeedback are/may be:
E-mail invitation via easyfeedback:
Extension of the survey link by parameters and variables or a personal ID. Possible extensions that allow conclusions to be drawn about a person:
Responses from the participant:
If you do not collect any personal information, you do not need to pay attention here.
Responsibility and responsible contact persons
If you use easyfeedback to collect and process personal data, this will create a chain of responsible persons and responsible contact persons. Each person or organisation within this chain must make an order processing agreement with their direct service provider (processor), document the related technical and organizational measures to protect the data, and name the service providers used to their client (Controller).
The data protection chain pursuant to the order or contract and the GDPR:
You collect and process personal data from your employees, customers or other persons with easyfeedback. In this case you are in the role of the Controller. In this relationship we, easyfeedback, are your Supplier.
> The contract on order processing regulates the relationship and the competence (available below to download)
In order to offer you our service, we use two service providers: a data processing service centre (Strato AG) and a server management company (Zeusware GmbH).
We have concluded a contract on order processing with both service providers, in which we at easyfeedback assume the role of Controller and our service providers assume the role of Supplier.
To comply with data protection it is therefore necessary that you conclude an agreement on order processing with us, to close the chain.
Public Procedure Registers and notifications to data subjects
According to the GDPR, data protection stipulates that the collection and processing of personal data must be documented in a Procedure Register (PR) and that the data subjects receive a notification of the procedure (Notice to the Public).
In both points we support you with templates to download (available below) and technical features in your survey.
Guideline / Checklist for the data protection-compliant collection and processing of personal data in a survey
Contract on order processing (GDPR)
To regulate the relationship between you and us, we have prepared a contract that is geared directly to the use of easyfeedback.
In this way you conclude the contract with us:
Note: If you send a scanned copy of the contract to us by e-mail, it will be returned to you by the same method. If you send a scanned copy of the contract to us by post, please send two signed copies - we will return one copy to you by post.
Procedure Register (PR)
In accordance with data protection, every personal data processing procedure must be documented. To make your cooperation with easyfeedback easier, we have predefined a Procedure Register for you to use.
In this way you can create your Procedure Register for the survey:
Note on processing (passive - active)
Under the GDPR, every person must be informed of the processing of personal data relating to him or her. In order to guarantee this, the persons must be notified of the processing.
How "actively" the participant's attention must be drawn to the data protection notification is not made clear by the GDPR - the only stipulation is that his or her attention must be drawn to it.
We recommend 2 alternatives to you:
Placing data protection information in the survey
As well as providing a notice about the fact of processing, you must also provide the data subject with information on the type of processing, his or her rights and the possibilities for information.
To activate the feature, please go to the settings of your survey and activate the function "Privacy Notice". After saving, the left text in the footer of the survey can be clicked and opens an info box.
You can create the data protection notices (Notice to the Public) independently, or you can use our template and add the missing information.
In this way you store the data protection notices in the survey:
Note: The information provided here is not legal advice. We give no guarantee for the accuracy and completeness of the information. If you have questions about the exact and optimal implementation for your company, contact your data protection officer.