Privacy made in Germany
Use of surveys in accordance with data protection with easyfeedback
(Guidance Manual + documents)
On 25.05.2018, the new EU General Data Protection Regulation (GDPR ) came into force. The purpose of the GDPR is to create consistent data protection regulation at the EU level. The GDPR has replaced the existing Federal Data Protection Act (BDSG).We, easyfeedback, have aligned all measures to the GDPR, and give you all the necessary information, a guide and the documents required to comply with data protection according to GDPR.
To begin with: Data protection is applicable where personal data are collected, stored and processed.Therefore, first check whether you are even processing personal data.
Personal data in case of use with easyfeedback are/may be:
E-mail invitation via easyfeedback:
- E-mail address
- First name
- Last name
- Reference text
- Custom 1 – X
Extension of the survey link by parameters and variables or a personal ID. Possible extensions that can draw conclusions about a person:
- ID numbers (customer number, ticket number, etc.)
- Other personal data
Responses from the participant:
- all answers, which identify a person
If you do not collect any personal information, you do not need to pay attention here.
Responsibility and responsible contact persons
If you use easyfeedback to collect and process personal data, this will create a chain of responsible persons and responsible contact persons. Each person or organisation within this chain must make an order processing agreement with their direct service provider (processor), document the related technical and organizational measures to protect the data, and name the service providers used to their client (Controller).
The data protection chain pursuant to the order or contract and the GDPR:
You collect and process personal Data information with easyfeedback from your employees, customers or other persons. In this case you are in the role of the Controller. In this relationship we, easyfeedback, are your Supplier.
> The contract on order processing regulates the relationship and the competence (available below to download)
In order to offer you our service, we use two service providers: a data processing service centre (Strato AG) and a server management company (Zeusware GmbH).
We have concluded a contract on order processing with both service providers, in which we at easyfeedback assume the role of Controller and our service providers assume the role of Supplier.
To comply with data protection it is therefore necessary that you conclude an agreement on order processing with us, to close the chain.
Public Procedure Registers and notifications to subject cases
According to the GDPR, data protection stipulates that the collection and processing of personal data must be documented in a Procedure Register (PR) and that the data subjects receive a notification of the procedure (Notice to the Public).
In both points we support you with templates to download (available below) and technical features in your survey.
Guideline / Checklist for the data protection-compliant collection and processing of personal in a survey data
- Check whether you collect personal data on employees, customers, suppliers or other groups of persons via easyfeedback surveys.
- If so, conclude a contract on order processing with us (download below). This ensures that we work in accordance with the data, includes the technical and organizational measures and binds our service providers to fulfill the same conditions.
- Create a Procedure Register (PR) for the collection and processing of data (download available below).
- Inform the persons at the beginning of the survey about the collection and processing of personal data.
- Create a ‘Data Protection Notice’ (Notice to the Public) for the participants, in which you inform about the type of data, which will be collected and processed, explain their rights and inform them who is the responsible authority, as well as giving the name of the contact (download available below).
Contract on order processing (GDPR)
For control between you and us, we have prepared a contract, which is geared directly to the use of easyfeedback.
In this way you conclude the contract with us:
- Download Contract on Order Processing
- On page 1 enter your company data as Controller
- Under §2 (2) tick the type of data, which you are collecting through easyfeedback
- Under §2 (3) check the data subject category and if applicable, expand it
- Sign the Contract on Order Processing as ‘Controller’ and send to easyfeedback
Note: If you send a scanned copy of the contract to us by e-mail, it will be returned to you by the same method. If you send a scanned copy of the contract to us by post, please send two signed copies – we will return one copy to you by post.
Procedure Register (PR)
In accordance with data protection every personal data processing procedure must be documented. In order to make your cooperation with easyfeedback easier, we have predefined a Procedure Register for you to use.
In this way you can create your Procedure Register for the survey:
- Download predefined Procedure Register
- Delete or expand information, which does not apply.
- File internally for documentation and produce at audit or when required
Note on processing (passive – active)
Under GDPR every person must be informed of the processing of personal data relating to him or her. In order to guarantee this, the persons must be notified of the processing.
How “actively” the participant’s attention must be drawn to the data protection notification is not made clear by the GDPR – the only stipulation is that his or her attention must be drawn to it.
We recommend 2 alternatives to you:
- On the welcome page of the survey you place an information text, in which you draw the participant’s attention to the data protection notices in the footer of the survey, on which the participant can click. (passive)
Placing data protection information in the survey
As well as providing a notice about the fact of processing, you must also provide the data subject with information on the type of processing, his or her rights and the possibilities for information.
To activate the feature, please go to the settings of your survey and activate the function “Privacy Notice”. After saving, the left text in the footer of the survey can be clicked and opens a info box.
You can create the data protection notices (Notice to the Public) independently, or you can use our template and expand the missing information.
In this way you store the data protection notices in the survey:
- Download Data Protection Notice
- Add missing information (marked in red)
- Provide information on the type of data, which you collect and how long you store these
- After saving open the survey preview and check your information
Note: The information provided here is not legal advice. We give no guarantee for the accuracy and completeness of the information. If you have questions about the exact and optimal implementation for your company, contact your data protection officer.