Overview of customer’s responsibilities as data controllers


Introduction

The Directive and the GDPR provide general regulations for the processing of Personal Data in the EU. The regulations in the Directive and the GDPR are enforced by each member state.

As the entity defining the purpose and use for surveys, panels, and communities, Questback’s customers will be regarded as the “Controller” according to the Directive, thus being responsible for processing data in accordance with the Directive.

The purpose of this document is to provide an overview of the Controller’s general obligations under the Directive and the GDPR.

Definitions

The terms herein are defined as in the Directive and the GDPR. For respondent data, Questback will in all cases be the Processor, and Questback’s customer will in all cases be the Controller. The Respondent will be the Data Subject. Other relevant terms defined in the Directive and the GDPR are Processing, Personal Data, and Purpose.

Consent from Data Subjects

Under the Directive and the GDPR, Processing of Personal Data is only legitimate if one of the listed legal bases for processing is met. It is the customer’s responsibility to ensure that a legal basis is in place. For the purpose of surveys, the relevant legal basis is in many cases consent from the Data Subject. The requirements for lawful consent are described in this document.

The regulations do not simply require that consent is obtained by the Controller; the Controller must also be able to demonstrate that the Data Subject has consented to the processing of their data. This means that records of consent will need to be kept so that consent is verifiable.

When consent is received, Personal Data may be processed according to the regulations in the Directive and the GDPR. This overview will not provide a list of these regulations.

The Controller is required to get the Data Subject’s consent before any processing of Personal Data takes place.

The consent must be:

  • Freely and Voluntarily given: Consent must be given freely, it cannot be given under any sort of pressure or undue persuasion. Furthermore, the Data Subject shall have the possibility to withdraw their consent at any given time.
  • Specific: The consent must be obtained in a manner that is distinguishable from other matters. It must cover all processing activities carried out for the same purpose or purposes and where processing has multiple purposes, consent must be given for all of them.
  • Affirmative: The consent must be a statement or clear affirmative action. This means that there needs to be a positive indication of agreement by the Data Subject to their personal data being processed and that is not based, for example, on silence, pre-ticked boxes or inaction on the part of the Data Subject.
  • Note: further detail on these terms is found in the Articles and the Recitals of the GDPR, which supplement the meaning of the terms already familiar from the consent definition under the current DPD.
  • Informed: The consent must be received after the Data Subject has been presented with information as described below.
  • Unambiguous: The provided consent must clearly relate to the provision and data described in the information, so that there is no doubt as to what the consent covers. The way the consent is collected should leave no room for doubt about the Data Subject's intentions in providing their agreement to their personal data being processed. This may be relatively straightforward to achieve where consent is being sought for a single survey, but will potentially be harder to demonstrate where the personal data collected is to be processed for multiple purposes.

The information must:

  • be provided upon collection of data at the latest: For data collected through a survey, this means that information must be provided at the start of the survey, before any data is provided. If the personal data is an e-mail address or telephone number already collected before a survey is started, the information should have been provided at the time of collection, but must be provided again no later than the start of the survey.
  • include the identity of the Controller and its representative: The identity includes legal name and address. Furthermore, the Data Subject must be made aware of Processors.
  • include the purpose for processing Personal Data: The Controller may not use Personal Data for purposes other than those specifically covered by the consent. It is therefore important that the purpose is a sufficiently detailed description of the reason for processing the data, including the relevant time period. The purpose must be specified, explicit and legitimate.
  • include the type of information that will be processed: For the purpose of surveys, communities and panels, the data collected will in most cases be the data provided by the Data Subject itself.
  • include information about whether data will be exposed to third parties, and the third parties’ identities: Information about the use of Processor is relevant under this section.
  • include information about the fact that Data Subjects have the right to withdraw consent at any time (the process for withdrawing consent must be as easy as that for giving consent).
  • include information that provision of data is voluntary: Provision of any Personal Data is voluntary, and the information must state this clearly to the Data Subjects.
  • include other relevant information enabling the Data Subjects to exercise their rights: The Data Subject has the right to obtain information about the data stored about them. To ensure that such rights can be exercised, the Controller must provide information about how to do so.
  • include information about transfer of data: The Data Subject must be made aware that the Personal Data will be transferred. Questback does not store any data outside the EU/EEA area unless agreed with its customer in their contracts.
  • It is recommended to include in the information that data will be deleted when the purpose is fulfilled, and that the Controller will correct any incorrect information if and when required to do so.