April 11, 2019|Data Security & Compliance|

GDPR Overview

The EU General Data Protection Regulation, or GDPR as it’s more commonly known, goes into effect on May 25, 2018. It replaces its predecessor, the Data Protection Directive (and the implementation laws in the various EU member states), in an effort to provide more streamlined and uniform protection of the personal data of EU residents.

If you do business in Europe, have European employees or customers, or otherwise collect or store information about anyone living in the EU, then GDPR will likely apply to you, either directly or indirectly.  For the purposes of this article, if you use Checkbox to import user information or receive survey responses from anyone living in the EU, that data is protected by GDPR, regardless of what country you reside in, where your business is located, or where your Checkbox data is stored.

When it comes to the data collected and stored in your Checkbox Survey account, GDPR compliance is a joint responsibility between you as the account or survey administrator (i.e. the “data controller”) and Checkbox (i.e. the “data processor”). This article will summarize certain requirements of the GDPR and how Checkbox addresses its obligations as a data processor under GDPR. It will also list some of the obligations that account or survey administrators may have with regard to the storage and protection of personal data in Checkbox.

Disclaimer: This article is not intended as legal advice or to offer a fully inclusive list of all GDPR requirements – if you have any questions about your own responsibilities regarding GDPR, we recommend that you consult with an appropriate legal professional.

GDPR Key Points

The GDPR covers the collection, storage and processing of personal data from anyone living in the EU. Personal data is broadly defined as any information relating to an “identified or identifiable” individual. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

GDPR compliance is the responsibility of both the data controller (the person or organization responsible for collecting the data) and data processor (the person or organization responsible for processing the data at the request of the data controller). With regard to your Checkbox Survey account, the data controller is the account or survey administrator (you) and the data processor is Checkbox, along with our data storage and processing partners.

When collecting or processing personal data, data controllers and processors must ensure that data is:

  • Collected legally and transparently
  • Collected and used for a specific, legitimate purpose
  • Kept accurate and up to date
  • Stored only as long as is necessary
  • Appropriately secured, with recovery and breach notification plans in place in the event of a data breach or loss

In addition, data subjects (the persons whose data is being collected or stored) have certain specific rights that may apply with regard to their personal data:

  • Right of access – the right to access and confirm the accuracy of one’s personal data
  • Right to rectification – the right to require that a data controller correct any missing or inaccurate data
  • Right to be forgotten – the right to have all of one’s personal data permanently deleted
  • Right to restriction of processing – the right to tell a data controller that they can’t use or process one’s data while corrections are being made to it
  • Right to be informed – the right to know how one’s data is being used
  • Right to data portability – the right to request a copy of all one’s personal data in a readable format
  • Right to object – the right to opt out of or object to certain uses of personal data, such as for marketing purposes
  • Right to object to automated processing – the right to object to an automated decision that is made using one’s personal data

 

Your Checkbox Data and GDPR Compliance

As we’ve mentioned, GDPR compliance is a joint responsibility between the party collecting the data (you) and the party storing and processing the data (Checkbox).  Below is a summary of the ways in which Checkbox is addressing its GDPR obligations, along with some of the features you can use in order to address your GDPR compliance obligations with respect to collecting and storing data in Checkbox. This list is not intended to be a comprehensive checklist of all  obligations and we therefore recommend that you seek the advice of a qualified professional to ensure that you are meeting all requirements of the GDPR.  

Consent and Notice: GDPR requires a “legal basis” for collection and processing personal data. Our legal basis is “necessity for performance of a contract” – that is, providing service to our clients under our license agreement. Your legal basis may be “consent.” In order to help satisfy the consent requirement, Survey Administrators may add an opt-in question to the beginning of their surveys asking respondents to consent to their data being collected and stored. If the respondent does not consent, the Survey Administrator may use Checkbox logic features to disqualify the respondent and skip them to the end of the survey.

As of our 2018Q2 product release, Checkbox also includes the ability for Survey Administrators to add a standard Privacy Policy footer to their surveys, which includes information about how personal data is being used and stored and how to make a request to access, change or delete that data. As of version 2018Q2, Checkbox also includes an opt-in feature on its website forms and self-registration page, allowing users to opt into receiving communications from Checkbox or surveys from Checkbox’s customers.

Data Use, Storage and Deletion: Checkbox stores and processes personal data only as necessary in the course of providing service to its clients. We never sell or transfer personal data to any non-agent third party, unless required by law. We maintain personal data as long as an account is active, unless a survey administrator deletes the data or requests that it be deleted. All data is permanently deleted 60 days after an account is terminated, or earlier if requested by the account administrator in writing. For more information, please see our privacy policy.

Survey administrators are responsible for responding to and managing deletion or “right to be forgotten” requests from their respondents. Survey administrators can permanently delete all responses from a respondent user at any time by deleting that user. Alternatively, survey administrators can delete individual responses in Checkbox, which will ‘soft-delete’ those responses. Survey administrators must then make a request in writing to Checkbox to permanently delete those responses. Survey administrators are responsible for monitoring and deleting any Checkbox data that is exported to any system or storage device outside of Checkbox.

Again, as of our 2018Q2 product release, Checkbox includes the ability for Survey Administrators to add a standard Privacy Policy footer to their surveys, which includes information about how to make a request to access, change or delete personal data.

Data Access & Accuracy: Survey administrators are responsible for the accuracy of the data in their Checkbox accounts. If a respondent requests to review their personal data for accuracy, a survey administrator can export the user’s personal details from the User Manager (.csv export feature available as of version 2018Q2). Survey administrators may also export the results of their surveys and submit that data to their respondents for accuracy review. If a respondent requests that data be updated or deleted, the survey administrator can either edit the user’s profile in Checkbox, edit the survey response(s) in Checkbox, or delete the data (as noted above).

Data Portability: Respondents can request their data from a survey administrator and the administrator can provide that data at any time, as noted above. In addition, survey administrators may want to consider adding a Response Details item or an Email Response item to their surveys, which will give the respondent the means to print and/or save their survey response after they submit it. As of version 2018Q2, the Response Details item includes a Print button so that the respondent can easily print their response from the screen or print it to PDF to save a copy. The Response Details item also includes identifiable personal information such as IP address, name, and email, as applicable.

Data Security:  Checkbox maintains strict controls over its customer data to ensure high levels of security. Checkbox hosted accounts are cloud-hosted with Amazon AWS, which offers best-in-class data security and compliance programs, along with being GDPR-ready. Data is encrypted in transit, backup files are encrypted, and Team and Enterprise clients have the option to encrypt their data at rest. Checkbox management reviews and updates security policies regularly to ensure that all staff are trained on and using appropriate controls when it comes to customer data. For more information on Checkbox’s security policies, please view our Security Overview.

On-premises customers also have the option to encrypt their data in transit and at rest, while maintaining their own internal access controls.

Cross-Border Transfer: Checkbox is based and stores and processes data in the United States. Under GDPR, transfer to and processing of personal data in the United States must take place under a legal transfer mechanism. Checkbox relies on the EU-US and Swiss-US Privacy Shield Frameworks as its legal basis for transfer and processing, and is EU-US and Swiss-US Privacy Shield certified. For more details, please review our privacy policy.

Disaster Recovery and Breach Notification: Checkbox hosted data is backed up nightly and Checkbox has failover plans in place in the event of any hosting infrastructure failure or outage. In the event of any data breach or system outage, Checkbox shall promptly notify all affected customers. For more information, please see our privacy policy.

Data Processing Addendum: Checkbox account administrators may request a standard Data Processing Addendum to their Checkbox SLA, which will specify our and your data-protection responsibilities and, if applicable, will contain the EU-approved “standard contractual clauses” governing transfer and processing of personal data outside of the EU. Enterprise customers may request that Checkbox review their own DPA.

Your Additional Responsibilities

If you are using Checkbox to collect or store any data from EU residents, we highly recommend becoming familiar with all the requirements of GDPR. At a minimum, you will want to take into account the rights of the data subject that we’ve listed above when importing users, sending out surveys, and exporting data to your computer or server. We would also recommend that you make use of the Checkbox features that we’ve listed above, as part of your overall GDPR compliance plan. However, this list is not comprehensive and is not intended as legal advice, so we highly recommend that you seek the advice of a qualified professional in order to ensure that you are meeting all requirements of the GDPR.  

Questions?

If you have any questions about the features that are available on your account or how to enable them, please contact support. You may also email us if you have any general questions on GDPR as it relates to Checkbox or if you’d like to sign a Data Processing Addendum with us.