The General Data Protection Regulation (GDPR) harmonizes data privacy laws across the European Union (EU). It took effect on May 25, 2018, and establishes rules and fundamental rights regarding the processing and protection of personal data.
All Enalyzer account holders, whether located within or outside the EU, must comply with GDPR when collecting and/or processing personal data.
When conducting surveys, the definitions of roles and responsibilities under the GDPR play a central role:
Personal Data
Any information relating to an identified or identifiable natural person (data subject), such as a name, identification number, location data, online identifier, or characteristics specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
Processing
Any operation performed on personal data, including, but not limited to: collection, organization, structuring, storage, alteration, use, disclosure by transmission, and more.
The Data Subject
A person whose personal data is processed by a controller or processor. In this case, the data subject is the respondent.
The Data Controller
Determines the purpose for and how the personal data is processed. In this case, the data controller is the Enalyzer account holder who carries out surveying and reporting.
The Data Processor
Processes data on behalf of the Data Controller according to its instructions. In this case, the Data Processor is Enalyzer, who processes data on behalf of and accordance to instructions from the Enalyzer account holder (Data Controller).
Rights of Respondents (Data Subject)
The respondent generally has the right to obtain the following information from Enalyzer account holder (Data Controller) which must be given upon the Enalyzer account holder’s collection or receipt of the respondent’s personal data:
- The identity and the contact details of the Enalyzer account holder (Data Controller)
- The contact details of the data protection officer, where applicable
- The purpose of the processing and the legal basis for the processing
- The categories of personal data concerned. If there is an intent to transfer personal data to a third country outside EU
- The period for which personal data will be stored, or if that is not possible, the criteria used to determine the period
- The recipients to whom the personal data have been or will be disclosed
- The right to rectification (update or correct) inaccurate personal data concerning him/her
- The right to erase personal data concerning him/her without undue delay
- The right to restrict the processing of personal data
- The right to object to the processing of personal data
- The right to receive a copy of the personal data concerning him/her
- The right to data portability, in order to transfer personal data
- The right to complain to a supervisory authority
As stated above all respondents must contact the Enalyzer account holder, who is the Data Controller and administrator of the survey, to exercise their rights. As a Data Processor, Enalyzer is not responsible for this. Enalyzer will therefore refer all requests from respondents to the Enalyzer account holder.
Obligations for the Enalyzer Account Holder (Data Controller)
When personal data is collected or received by the Enalyzer account holder from the respondents the Enalyzer must inform the respondents about their rights as stated above.
For the full law text and obligations of the Enalyzer account holder as Data Controller, please visit https://gdpr-info.eu/chapter-3/
Enalyzer account holders (as Data Controller), are solely responsible for giving information to the respondents in a clear language, according to the aforementioned. Moreover, the Enalyzer account holder shall handle all requests from their respondents with respect to rectification, erasure/deletion, restriction of processing etc. of personal data and provide a copy of responses etc. with personal data upon request from the respondent.
If you have any doubt on how to handle this, please contact our support team.
Obligations for the Enalyzer Account Holder (Data Controller) and Enalyzer (Data Processor)
The Data Controller that is subject to GDPR, must have in place an appropriate Data Processing Agreement with Enalyzer as their Data Processor, where, among other things, secure organizational and technical measures to process data, are regulated. The Data Processing Agreement also sets out the instructions that the Enalyzer account holder (Data Controller) gives to Enalyzer regarding processing of personal data of the respondents, etc. and establishes the rights and responsibilities of both parties with respect to such processing.
Using Enalyzer to manage your surveys implies that a Data Processing Agreement is accepted along with our General Terms and Conditions and Privacy Policy. All Enalyzer documents are aligned to meet the GDPR demands.