The Personal Data Directive provides general regulations for processing of Personal Data in the EU. The regulations in the Directive have been implemented in local legislation across the EU and EEA, and are enforced by each member state.
As the entity defining the purpose and use for surveys, panels, and communities, Questback’s customers will be regarded as “Controller” according to the Directive, thus being responsible for processing data in accordance with the Directive.
The purpose of this advice is to provide an overview of the Controller’s general obligations under the Directive. The advice cannot be regarded as an exhaustive list of the Controller’s obligations, and it does not cover any elements of the specific local legislation.
The terms herein are defined as in the Directive:
Data Subject: An identified or identifiable natural person, where an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. In practice, these are the respondents, panelists and community members.
Personal data: any information relating to Data Subjects.
Processing: any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. Processing may take place only in accordance with the Purpose.
Controller: the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. For surveys initiated by a customer, or on customer’s behalf, a customer is the Controller according to the Directive.
Processor: a natural or legal person, public authority, agency or any other body, which processes personal data on behalf of the Controller. As Questback’s software and storage areas may be used to process personal data, Questback is a processor for its customer when the customer uses Questback software to process personal data.
Consent from Data Subjects
Under the Directive, Processing of Personal Data is only legitimate if one of certain listed requirements is met. For the purpose of surveys, the relevant requirement is in most cases consent from the data subject. The requirements for the consent are presented below.
When such consent is received, Personal Data may be processed according to the regulations in the Directive. This overview will not provide a list of these regulations.
The Controller is required to get the Data Subject’s consent before any processing of Personal Data. The requirements for consent are described below:
The consent must be:
- Voluntary: Consent must be given freely; it cannot be given under any sort of pressure or undue persuasion. Furthermore, the Data Subject shall have the possibility to withdraw its consent at any given time.
- Specific: The consent must be provided specifically by the Data Subject. This means that the Data Subject must actively and positively approve that data is processed.
- Informed: The consent must be received after the Data Subject has been presented with information as described below.
- Unambiguous: The provided consent must clearly relate to the provision and data described in the information so that there is no doubt as to what the consent covers.
The information must:
- Be provided upon collection of data at the latest: For data collected through a survey, this means that information must be provided at the start of the survey before any data is provided.
- If the personal data is an e-mail address or telephone number already collected before a survey is started, the information should have been provided at the time of collection but must be provided again no later than the start of the survey.
- Include what information is processed: For the purpose of surveys, communities, and panels, the data collected will in many cases be the data provided by the data subject itself. If additional data is collected, the nature of such data, and the source for collection must be recorded.
- Include identity of the controller and its representative: The identity includes legal name and address. Furthermore, the Data Subject must be made aware of Data Processors, including Questback.
- Include the purpose for processing data: One of the basic elements of Processing in the Directive is that the data Controller may not use Personal Data for purposes other than the purposes specifically covered by the consent. It is therefore of importance that the purpose is a sufficiently detailed description of the reason for processing the data. The purpose must be specified, explicit and legitimate.
- It is important to note that no use of data outside the informed purpose is accepted under the Directive. If the data is processed based on a new purpose, or a purpose different from the specified purpose, a new consent is required. If Controller plans to keep Personal Data after finalization of the survey, this must, therefore, be included in the described purpose.
- Include whether data will be exposed to third parties, and the third parties’ identities: Information about the use of Data Processors is relevant under this section.
- Include information that provision of data is voluntary: Provision of any data is voluntary, and the information must state this clearly to the Data Subjects.
- Include other relevant information making the Data Subjects capable of exercising their rights: The Data Subject shall have the right to acquire information about data stored about him, and in some cases access to correct and delete any Personal Data. To ensure that such rights can be exercised, the Controller must provide information about the possibilities. The Controller must provide such information with regard to the specific circumstances in each survey/panel/community.
- It is recommended to include in the information that data will be deleted when the purpose is fulfilled, and that Controller will correct any incorrect information when required.
- Include information about transfer of data: The Data Subject must be made aware that the data will be transferred. Questback does not store any data outside the EU/EEA area unless required by the customer in agreement.