The EU General Data Protection Regulation, or GDPR as it's more commonly known, goes into effect on May 25, 2018. It replaces its predecessor, the Data Protection Directive (and the implementation laws in the various EU member states), in an effort to provide more streamlined and uniform protection of the personal data of EU residents. If you do business in Europe, have European employees or customers, or otherwise collect or store information about anyone living in the EU, then GDPR will likely apply to you, either directly or indirectly.
For the purposes of this article, if you use Checkbox to import user information or receive survey responses from anyone living in the EU, that data is protected by GDPR, regardless of what country you reside in, where your business is located, or where your Checkbox data is stored. When it comes to the data collected and stored in your Checkbox Survey account, GDPR compliance is a joint responsibility between you as the account or survey administrator (i.e. the "data controller") and Checkbox (i.e. the "data processor").
This article will summarize certain requirements of the GDPR and how Checkbox addresses its obligations as a data processor under GDPR. It will also list some of the obligations that account or survey administrators may have with regard to the storage and protection of personal data in Checkbox.
Disclaimer: This article is not intended as legal advice or to offer a fully inclusive list of all GDPR requirements - if you have any questions about your own responsibilities regarding GDPR, we recommend that you consult with an appropriate legal professional.
GDPR Key Points
The GDPR covers the collection, storage and processing of personal data from anyone living in the EU. Personal data is broadly defined as any information relating to an “identified or identifiable” individual. It can be anything, including a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
GDPR compliance is the responsibility of both the data controller (the person or organization responsible for collecting the data) and the data processor (the person or organization responsible for processing the data at the request of the data controller). With regard to your Checkbox Survey account, the data controller is the account or survey administrator (you) and the data processor is Checkbox, along with our data storage and processing partners.
When collecting or processing personal data, data controllers and processors must ensure that data is:
- Collected legally and transparently
- Collected and used for a specific, legitimate purpose
- Kept accurate and up to date
- Stored only as long as is necessary
- Appropriately secured, with recovery and breach notification plans in place in the event of a data breach or loss
In addition, data subjects (the persons whose data is being collected or stored) have certain specific rights that may apply with regard to their personal data:
- Right of access - the right to access and confirm the accuracy of one's personal data
- Right to rectification - the right to require that a data controller correct any missing or inaccurate data
- Right to be forgotten - the right to have all of one's personal data permanently deleted
- Right to restriction of processing - the right to tell a data controller that they can't use or process one's data while corrections are being made to it
- Right to be informed - the right to know how one's data is being used
- Right to data portability - the right to request a copy of all one's personal data in a readable format
- Right to object - the right to opt out of or object to certain uses of personal data, such as for marketing purposes
- Right to object to automated processing - the right to object to an automated decision that is made using one's personal data
Your Checkbox Data and GDPR Compliance
Your Additional Responsibilities
If you are using Checkbox to collect or store any data from EU residents, we highly recommend becoming familiar with all the requirements of GDPR. At a minimum, you will want to take into account the rights of the data subject that we've listed above when importing users, sending out surveys, and exporting data to your computer or server. We would also recommend that you make use of the Checkbox features that we've listed above, as part of your overall GDPR compliance plan. However, this list is not comprehensive and is not intended as legal advice, so we highly recommend that you seek the advice of a qualified professional in order to ensure that you are meeting all requirements of the GDPR.
If you have any questions about the features that are available on your account or how to enable them, please contact support. You may also email us if you have any general questions on GDPR as it relates to Checkbox or if you'd like to sign a Data Processing Addendum with us.