|A. Processing of personal data: in summary, any information relating to an identified or identifiable natural person
||When using Snap WebHost, you may upload personal data regarding your potential respondents, such as email addresses, and may collect personal data in your survey responses. As the data controller, you may set up your surveys to collect as much or as little personal data as you choose.
It is worth noting that we do not distinguish within our systems between personal and non-personal data. Instead, we treat all data within Snap WebHost as data which is important to you and apply the same high levels of security to all data that you submit to and collect using Snap WebHost (“Survey Data”), and will only process that Survey Data in accordance with your instructions.The GDPR applies only to personal data. The obligations under the GDPR do not apply to anonymous data.
We offer several options to anonymize your surveys, including the option to run anonymous surveys using Snap WebHost. For more information on this, please see
|B. Principles for data processing: all processing must comply with the principles of lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation and integrity and confidentiality, and data controllers are accountable for such compliance
||Compliance with the principles is the responsibility of Snap Surveys’ data controller clients who determine what data they collect from respondents (including how much data they gather, and whether they need to collect personal data at all), the purposes for which that data is used and how long they store the data for.
Various features within Snap WebHost assist compliance with these obligations, including:
- the ability to provide potential respondents with fair processing information (including regarding the purposes for processing and data storage periods)
- where consent is required, obtain that at the beginning of the survey (see C below)
- the ability to delete and rectify Survey Data held in WebHost (see F and G below)
- the ability to download Survey Data from a client’s Snap WebHost account to its own systems at any time
- the ability to anonymize data sets
- applying high levels of security to all data held within Snap WebHost, in line with our ISO 27001:2013 certified Information Security Management System
|C. Controllers must be able to demonstrate a lawful basis for processing personal data, for example consent, the controller’s legitimate interests, or the performance of a public task
||It is for the data controller to determine the basis for processing for any given survey, but consent is likely to be used in many surveys run by Snap Surveys’ clients (particularly where sensitive categories of personal data may be processed).
Relevant information (fair processing information) regarding the survey may be provided in the survey invitation email and/or at the beginning of the survey (see also D below) and, where required, the first page of the survey can be configured to obtain the respondent’s consent to proceed with the survey. Where consent is obtained as a response to a question in the survey this can provide clients with a record of consent and when it was given. For more information on this, please see
Snap WebHost also offers the option to include an opt-out link in the survey invitation email, to enable respondents to opt-out of the survey and of receiving future survey invitations for that survey. For more information on this, please see
|D. Data subject rights: Generally and the right to information
||As a general note, responsibility for compliance with the rights of data subjects falls on the data controller. Snap WebHost contains the features described below to assist our clients in complying with these responsibilities directly themselves.
As a data processor, Snap Surveys will not respond directly to any request made to it by a survey respondent in relation to that respondent’s potential rights under the GDPR. Snap Surveys will instead refer the request to its relevant data controller client and will not take any actions without their instructions. Snap Surveys will provide all reasonable assistance to its clients on their request.
|E. Data subject rights: Access
||Snap WebHost allows clients to download and export some or all of their survey response data as they see fit. This means that clients may access an individual’s survey response, and provide a copy of that response to the individual. For more information on this, please see https://www.snapsurveys.com/support/worksheets/download-export-survey-data/.
Clients should bear in mind that this and the other data subject rights apply only to personal data. Where the data is anonymous, the rights do not apply. As mentioned above, Snap Surveys provides several options for data anonymization.
|F. Data subject rights: Rectification
||Our clients are able to amend and update respondent information or survey responses themselves by uploading revised data to Snap WebHost. For more information on this, please see
|G. Data subject rights: Erasure (‘right to be forgotten’)
||Our clients are able to delete respondent information or survey responses themselves by uploading revised data sets with the relevant information removed. For more information on this, please see
https://www.snapsurveys.com/support/worksheets/removing-individual-data-from-your-webhost-survey/Note that once deleted by our clients, the information remains on Snap Surveys’ servers for 12 + 2 weeks until it is permanently deleted – see N. below.
|H. Data subject rights: Restriction of processing
||It is possible for our clients to achieve this in a number of ways by:
- placing a marker against a given potential respondent to prevent further survey invitations or reminders being sent to that respondent until any restriction is lifted. For more information on this, please see
- in relation to a given survey response, adding a marker to that response to exclude it from reporting, and/or creating a version of the survey response data with that response excluded from further processing until any restriction is lifted.
|I. Data subject rights: Data portability
||It seems unlikely that individuals will exercise this right in relation to their survey response data, but if required Snap WebHost allows clients to download and export individual responses in commonly used electronic formats.
|J. Data subject rights: Objection
||Should a respondent object to the processing of their data, our clients can:
- place a marker against that potential respondent to prevent further survey invitations or reminders being sent to them. For more information on this, please see https://www.snapsurveys.com/support/worksheets/place-marker-potential-respondent/
- in relation to their survey response, add a marker to that response to exclude it from reporting, and/or create a version of the survey response data with that response removed, which can be used for further processing.
|K. Data subject rights: automated individual decision making, including profiling
||In Snap Surveys’ view, it is unlikely that these provisions are intended to apply to the services covered by Snap WebHost.
|L. Data Protection by Design and Default
||As mentioned in B. above, our data controller clients can determine how much or how little personal data to collect using Snap WebHost, and can delete the Survey Data held in Snap WebHost.
Clients can also use Snap WebHost to carry out anonymous surveys or can subsequently anonymize their data sets.
All Survey Data is protected in line with our ISO 27001:2013 Information Security Management System.
|M. Use of processors
||We act as a data processor to our data controller clients who use our Snap WebHost system.
Data controllers must have agreements in place with their data processors. Our Software License and Services Agreement has been updated to include data processing provisions which address the requirements of the GDPR.
|N. Deletion or return of data at the end of the agreement
||Our clients can download and export the Survey Data held in their WebHost account to their own systems at any time, and delete the Survey Data held in their WebHost account at any time. Snap Surveys encourages its clients to review the Survey Data held in their WebHost accounts at regular intervals and not to retain such Survey Data for longer than is necessary.
For more information on downloading and exporting, please see https://www.snapsurveys.com/support/worksheets/download-export-survey-data/. On closure of a WebHost account, any Survey Data still contained within that account will remain there for 28 days (unless you ask Snap Surveys to delete it sooner), following which it is deleted in accordance with the procedure below.
Once Survey Data is deleted from WebHost, either by our clients, or by Snap Surveys on account closure, it remains on our servers for a further 12 weeks after deletion (which enables us to guard against accidental deletion by clients of their data), then remains in our back-up system for a further 2 weeks, before being permanently deleted.
Although Snap WebHost gives our clients the ability to export and delete their Survey Data themselves, Snap Surveys can also, on request assist our clients with the deletion and return of their Survey Data.
|O. Security of processing
||Snap Surveys commitment to data security is evidenced by its ISO 27001:2013 certification. Our data centre providers Rackspace and UKFast are also ISO 27001:2013 certified.
Central to this is our Information Security Management System which protects the confidentiality, integrity and availability of information within our systems. Our ISMS is regularly tested and externally audited each year as a requirement of maintaining our certification.
For more information about the security measures that we adopt to protect our systems, please seehttps://www.snapsurveys.com/gdpr/security-measures/.
|P. Data security breaches
||In the unlikely event of a data security breach, Snap Surveys has policies and procedures in place to react swiftly to data security breaches (linked to its wider information security incident management processes under its ISO 27001:2013 certification) and to report any security breaches of which we become aware to our data controller clients without undue delay.
Snap Surveys will co-operate with its clients in relation to the investigation, mitigation and remediation of the breach.
|Q. Overseas transfers of personal data are only permitted where there is an adequate level of protection, appropriate safeguards are in place, or under certain derogations
||For clients with Snap WebHost running on Rackspace UK servers, their Survey Data is held on servers in the UK. For technical support reasons, this is accessible by Snap Surveys staff based in both the UK and the US. Our US subsidiary is certified under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks to ensure an adequate level of protection in those circumstances. Similarly, should Rackspace need to permit access to the servers from outside of the EEA or the UK, it will ensure that the recipient is certified under the Privacy Shield Framework, has executed EU Model Clauses, or has in place an alternative compliant transfer mechanism for that access.
For clients with Snap WebHost running on UKFast servers, their Survey Data is held on servers in the UK. This is a wholly “ringfenced UK solution” and Survey Data will not leave the UK, unless as a result of a transfer made by a client.
Clients can identify whether they are running Snap WebHost on Rackspace or UKFast servers by logging into their WebHost Account and looking at their web page address:
- www.snapsurveys.com/wh indicates Rackspace
For clients that require ultimate control over their Survey Data, we offer the option to install Snap WebHost as a product on clients’ own servers which means that the data is hosted on our clients’ own systems. In this arrangement, the client is both data controller and data processor.
- wh.snapsurveys.com indicates UKFast