Snap Surveys recognizes its responsibility to help our clients meet their General Data Protection Regulation (“GDPR”) obligations when using our software and services.
We have always taken data protection and the security of all of your data (whether personal or not) very seriously. Since 2013 we have been certified to ISO 27001, the international standard for best practice for information security management systems. We prepared for the GDPR for over a year before its implementation by building on our ISO and Data Protection Act compliance frameworks.
The GDPR remains very relevant to many of our clients post Brexit – the UK GDPR now applies directly in the UK and the original or ‘EU GDPR’ still applies to data controllers and processors established in the EU, or who process the personal data of EU citizens in certain contexts. Our analysis below applies equally to both regimes, so where we refer to the GDPR we refer to whichever regime is appropriate.
In the context of our Snap WebHost service, our clients using our service are data controllers and we act as their data processor, only processing their Survey Data in accordance with their instructions.
Our services provide our clients with huge amounts of flexibility when carrying out surveys. Our clients are in full control of the potential categories of respondents, the amount of personal data that they collect, the information they provide to potential respondents, the type of questions asked, what their survey data is used for and who it is shared with, and how long it is retained for. Our clients can even choose to run anonymous surveys, or install Snap WebHost as a product on their own servers, so that they may host their own survey data. In this scenario Snap Surveys acts as a software provider rather than a data processor to its clients, but the functionality within the Snap WebHost software which assists our clients to meet their GDPR obligations remains largely as described below for the Snap WebHost service, while at the same time giving our clients their own control in areas such as where and for how long their data is stored and the security measures that they apply.
As a result, compliance with the GDPR for any given survey run by our clients will depend in large part on the steps and the decisions taken by our clients, and Snap WebHost contains many features and functionality to help our clients meet their obligations under GDPR. For example, our clients can:
- Collect as much or as little personal data as they like, or apply various levels of anonymization to their surveys
- Provide respondents with fair processing information at the beginning of a survey
- Set a consent question where required, and save a record of that consent
- Export, edit and delete survey data
- Comply with the data subject rights of access, rectification, erasure, restriction, data portability and objection
- Access a range of options as to how and where their survey data is hosted, including the option of a ‘ringfenced UK’ solution
- Have the confidence that their survey data is protected in accordance with our ISO 27001:2013 Information Security Management System
We have set out below some of the key obligations of the GDPR and described how Snap WebHost will assist our clients to meet these requirements.
To further assist our clients, we have produced a number of GDPR worksheets that give detailed guidance on specific topics such as obtaining consent within your surveys and providing opt outs, and anonymization in surveys. These are available on our website at snapsurveys.com/gdpr and in our Support Hub.
Further information about the GDPR is available on the Information Commissioner’s Office website at www.ico.org.uk. Please contact your Snap Surveys Account Manager if you would like further information about Snap WebHost.
|GDPR Requirement||Application to the Snap WebHost service|
|A. Processing of personal data: in summary, any information relating to an identified or identifiable natural person||When using Snap WebHost, you may upload personal data regarding your potential respondents, such as email addresses, and may collect personal data in your survey responses. As the data controller, you may set up your surveys to collect as much or as little personal data as you choose. It is worth noting that we do not distinguish within our systems between personal and non-personal data. Instead, we treat all data within Snap WebHost as data which is important to you and apply the same high levels of security to all data that you submit to and collect using Snap WebHost (“Survey Data”), and will only process that Survey Data in accordance with your instructions.The GDPR applies only to personal data. The obligations under the GDPR do not apply to anonymous data. We offer several options to anonymize your surveys, including the option to run anonymous surveys using Snap WebHost. For more information on this, please see https://www.snapsurveys.com/support/worksheets/making-surveys-anonymous/.|
|B. Principles for data processing: all processing must comply with the principles of lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation and integrity and confidentiality, and data controllers are accountable for such compliance||Compliance with the principles is the responsibility of Snap Surveys’ data controller clients who determine what data they collect from respondents (including how much data they gather, and whether they need to collect personal data at all), the purposes for which that data is used and how long they store the data for.
Various features within Snap WebHost assist compliance with these obligations, including:
|C. Controllers must be able to demonstrate a lawful basis for processing personal data, for example consent, the controller’s legitimate interests, or the performance of a public task||It is for the data controller to determine the basis for processing for any given survey, but consent is likely to be used in many surveys run by Snap Surveys’ clients (particularly where special categories of personal data may be processed). Relevant information (fair processing information) regarding the survey may be provided in the survey invitation email and/or at the beginning of the survey (see also D below) and, where required, the first page of the survey can be configured to obtain the respondent’s consent to proceed with the survey. Where consent is obtained as a response to a question in the survey this can provide clients with a record of consent and when it was given. For more information on this, please see https://www.snapsurveys.com/support/worksheets/including-consent-question-survey/. Snap WebHost also offers the option to include an opt-out link in the survey invitation email, to enable respondents to opt-out of the survey and of receiving future survey invitations for that survey. For more information on this, please see https://www.snapsurveys.com/support/worksheets/including-opt-link-email-invitation-snap-webhost/.|
|E. Data subject rights: Access||Snap WebHost allows clients to download and export their survey response data as they see fit. This means that clients may access an individual’s survey response, and provide a copy of that response to the individual. For more information on this, please see https://www.snapsurveys.com/support/worksheets/download-export-survey-data/. Clients should bear in mind that this and the other data subject rights apply only to personal data. Where the data is anonymous, the rights do not apply. As mentioned above, Snap Surveys provides several options for data anonymization.|
|F. Data subject rights: Rectification||Our clients are able to amend and update respondent information or survey responses themselves by uploading revised data to Snap WebHost. For more information on this, please see https://www.snapsurveys.com/support/worksheets/amending-individuals-information-held-within-webhost-survey/|
|G. Data subject rights: Erasure (‘right to be forgotten’)||Our clients are able to delete respondent information or survey responses themselves by uploading revised data sets with the relevant information removed. For more information on this, please see https://www.snapsurveys.com/support/worksheets/removing-individual-data-from-your-webhost-survey/. It is also possible to delete entire surveys. Note that once deleted by our clients, the information remains on Snap Surveys’ servers for up to 12 + 2 weeks until it is permanently deleted – see N. below.|
|H. Data subject rights: Restriction of processing||It is possible for our clients to achieve this in a number of ways by:
|I. Data subject rights: Data portability||It seems unlikely that individuals will exercise this right in relation to their survey response data, but if required Snap WebHost allows clients to download and export responses in commonly used electronic formats.|
|J. Data subject rights: Objection||Should a respondent object to the processing of their data, our clients can:
|K. Data subject rights: automated individual decision making, including profiling||In Snap Surveys’ view, it is unlikely that these provisions are intended to apply to the services covered by Snap WebHost.|
|L. Data Protection by Design and Default||As mentioned in B. above, our data controller clients can determine how much or how little personal data to collect using Snap WebHost, and can delete the Survey Data held in Snap WebHost. Clients can also use Snap WebHost to carry out anonymous surveys or can subsequently anonymize their data sets. All Survey Data is protected in line with our ISO 27001:2013 Information Security Management System.|
|M. Use of processors||We act as a data processor to our data controller clients who use our Snap WebHost system. Data controllers must have agreements in place with their data processors. Our Software License and Services Agreement includes data processing provisions which address the requirements of the GDPR.|
|N. Deletion or return of data at the end of the agreement||Our clients can download and export the Survey Data held in their Snap WebHost account to their own systems at any time, and delete the Survey Data held in their Snap WebHost account at any time. Snap Surveys encourages its clients to review the Survey Data held in their Snap WebHost accounts at regular intervals and not to retain such Survey Data for longer than is necessary. For more information on downloading and exporting, please see https://www.snapsurveys.com/support/worksheets/download-export-survey-data/ and, for deleting entire surveys, see https://www.snapsurveys.com/support-snap11/worksheets/deleting-survey-snap-professional-snap-webhost/. On closure of a Snap WebHost account, any Survey Data still contained within that account will remain there for 28 days (unless you ask Snap Surveys to delete it sooner), following which it is deleted in accordance with the procedure below. Once Survey Data is deleted from Snap WebHost, either by our clients, or by Snap Surveys on account closure, it remains on our servers for up to a further 12 weeks after deletion (which enables us to guard against accidental deletion by clients of their data), then remains in our back-up system for a further 2 weeks, before being permanently deleted. Although Snap WebHost gives our clients the ability to export and delete their Survey Data themselves, Snap Surveys can also, on request assist our clients with the deletion and return of their Survey Data.|
|O. Security of processing||Snap Surveys’ commitment to data security is evidenced by its ISO 27001:2013 certification. Our data centre providers UKFast and Rackspace are also ISO 27001:2013 certified. Central to this is our Information Security Management System which protects the confidentiality, integrity and availability of information within our systems. Our ISMS is regularly tested and externally audited each year as a requirement of maintaining our certification. For more information about the security measures that we adopt to protect our systems, please seehttps://www.snapsurveys.com/gdpr/security-measures/.|
|P. Data security breaches||In the unlikely event of a data security breach, Snap Surveys has policies and procedures in place to react swiftly to data security breaches (linked to its wider information security incident management processes under its ISO 27001:2013 certification) and to report any security breaches of which we become aware to our data controller clients without undue delay. Snap Surveys will co-operate with its clients in relation to the investigation, mitigation and remediation of the breach.|
|Q. Overseas transfers of personal data are only permitted where there is an adequate level of protection, appropriate safeguards are in place, or under certain derogations||For clients with Snap WebHost running on UKFast servers, their Survey Data is held on servers in the UK. This is a wholly “ringfenced UK solution” and Survey Data will not leave the UK, unless as a result of a transfer made by a client. For clients with Snap WebHost running on Rackspace UK servers, their Survey Data is also held on servers in the UK. For technical support reasons, this is accessible by Snap Surveys staff based in both the UK and the US. We have an Intra Group Data Processing Agreement in place with our US subsidiary which incorporates standard contractual clauses. Similarly, should Rackspace need to permit access to the servers from outside of the EEA or the UK, it will ensure that the recipient is located in an ‘adequate’ territory, has Binding Corporate Rules in place, has executed standard contractual clauses, or has in place an alternative compliant transfer mechanism for that access. Clients can identify whether they are running Snap WebHost on Rackspace or UKFast servers by logging into their WebHost Account and looking at their web page address:
A note on Snap Professional
The summary above focuses on our clients’ use of Snap WebHost, as it is when using Snap WebHost that Snap Surveys acts as a data processor to its clients. Snap Surveys also acts as a software provider in supplying its Snap Professional software. As this software is installed on our clients’ computers Snap Surveys does not have access to this data and does not act as a data processor, but Snap Surveys nonetheless remains focussed on providing its clients with software which allows them to comply with their obligations under the GDPR.
In relation to their use of Snap Professional many areas remain under our clients’ complete control, such as:
- the system that it is installed on and the levels of security that our clients apply to this system
- the treatment and final deletion of data following its deletion by a user
- the process of backing-up data, and
- the location of where the data is stored
In addition, many of the features and functionality described in relation to Snap WebHost apply equally to Snap Professional, meaning that our clients can:
- Collect as much or as little survey data as they like, or apply various levels of anonymization to their surveys
- Provide respondents with fair processing information at the beginning of a survey, and set a consent question where required
- Export, edit and delete data held within Snap Professional
- Comply with the rights of access, rectification, erasure, restriction, data portability and objection
Disclaimer: this document is intended to give an overview of how certain features of Snap WebHost may be able assist Snap Surveys’ data controller clients in complying with some of their obligations under the GDPR. It is not intended to be an exhaustive statement of the law and readers should not rely on it as legal advice. The circumstances of each client will vary and you may wish to consult your legal advisers for advice on your own specific circumstances.
Originally posted: 9 March 2018
Last updated: 10 March 2021