Snap Surveys recognizes its responsibility to help our clients meet their General Data Protection Regulation (“GDPR”) obligations when using our software and services.
We have always taken data protection and the security of all of your data (whether personal or not) very seriously. Since 2013 we have been certified to ISO 27001, the international standard for best practice for information security management systems. We prepared for the GDPR for over a year before its implementation by building on our ISO and Data Protection Act compliance frameworks.
The GDPR remains very relevant to many of our clients post Brexit – the UK GDPR now applies directly in the UK and the original or ‘EU GDPR’ still applies to data controllers and processors established in the EU, or who process the personal data of EU citizens in certain contexts. Our analysis below applies equally to both regimes, so where we refer to the GDPR we refer to whichever regime is appropriate.
In the context of our Snap Online service, our clients using our service are data controllers and we act as their data processor, only processing their Survey Data in accordance with their instructions.
Our services provide our clients with huge amounts of flexibility when carrying out surveys. Our clients are in full control of the potential categories of participants, the amount of personal data that they collect, the information they provide to potential participants, the type of questions asked, what their survey data is used for and who it is shared with, and how long it is retained for.
As a result, compliance with the GDPR for any given survey run by our clients will depend in large part on the steps and the decisions taken by our clients, and Snap XMP contains many features and functionality to help our clients meet their obligations under the GDPR. For example, our clients can:
- Collect as much or as little personal data as they like, or apply various levels of anonymization to their surveys
- Provide participants with fair processing information at the beginning of a survey
- Set a consent question where required, and save a record of that consent
- Export, edit and delete survey data
- Comply with the data subject rights of access, rectification, erasure, restriction, data portability and objection
- Access a range of options as to how and where their survey data is hosted, including the option of a ‘ringfenced UK’ solution
- Have the confidence that their survey data is protected in accordance with our ISO 27001:2013 Information Security Management System
We have set out below some of the key obligations of the GDPR and described how Snap XMP will assist our clients to meet these requirements.
To further assist our clients, we have produced a number of GDPR ‘how to tutorials’ that give detailed guidance on specific topics such as obtaining consent within your surveys and providing opt outs, and anonymization in surveys. These are available on our website at snapsurveys.com/gdpr and in our Support Hub.
Further information about the GDPR is available on the Information Commissioner’s Office website at www.ico.org.uk. Please contact your Snap Surveys Account Manager if you would like further information about Snap XMP.
|GDPR Requirement||Application to the Snap Online service|
|A. Processing of personal data: in summary, any information relating to an identified or identifiable natural person||When using Snap Online, you may upload personal data regarding your potential participants, such as email addresses, and may collect personal data in your survey responses. As the data controller, you may set up your surveys to collect as much or as little personal data as you choose. It is worth noting that we do not distinguish within our systems between personal and non-personal data. Instead, we treat all data within Snap Online as data which is important to you and apply the same high levels of security to all data that you submit to and collect using Snap Online (“Survey Data”), and will only process that Survey Data in accordance with your instructions. The GDPR applies only to personal data. The obligations under the GDPR do not apply to anonymous data. We offer several options to anonymize your surveys, including the option to run anonymous surveys using Snap Online. For more information on this, please see https://www.snapsurveys.com/support-snapxmp/snapxmp/making-surveys-anonymous/.|
|B. Principles for data processing: all processing must comply with the principles of lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation and integrity and confidentiality, and data controllers are accountable for such compliance||Compliance with the principles is the responsibility of Snap Surveys’ data controller clients who determine what data they collect from participants (including how much data they gather, and whether they need to collect personal data at all), the purposes for which that data is used and how long they store the data for.
Various features within Snap Online assist compliance with these obligations, including:
|C. Controllers must be able to demonstrate a lawful basis for processing personal data, for example consent, the controller’s legitimate interests, or the performance of a public task||It is for the data controller to determine the basis for processing for any given survey, but consent is likely to be used in many surveys run by Snap Surveys’ clients (particularly where special categories of personal data may be processed). Relevant information (fair processing information) regarding the survey may be provided in the survey invitation email and/or at the beginning of the survey (see also D below) and, where required, the first page of the survey can be configured to obtain the participant’s consent to proceed with the survey. Where consent is obtained as a response to a question in the survey this can provide clients with a record of consent and when it was given. For more information on this, please see https://www.snapsurveys.com/support-snapxmp/snapxmp/including-a-consent-question-snap-desktop/ (Snap Desktop) and https://www.snapsurveys.com/support-snapxmp/snapxmp/including-a-consent-question-snap-online/ (Snap Online). Snap Online also offers the option to include an opt-out link in the survey invitation email, to enable participants to opt-out of the survey and of receiving future survey invitations for that survey. For more information on this, please see https://www.snapsurveys.com/support-snapxmp/snapxmp/including-an-opt-out-link-in-an-email-invitation/.|
|E. Data subject rights: Access||Snap Online allows clients to download and export their survey response data as they see fit. This means that clients may access an individual’s survey response, and provide a copy of that response to the individual. For more information on this, please see https://www.snapsurveys.com/support-snapxmp/snapxmp/exporting-an-individuals-survey-responses/. Clients should bear in mind that this and the other data subject rights apply only to personal data. Where the data is anonymous, the rights do not apply. As mentioned above, Snap Surveys provides several options for data anonymization.|
|F. Data subject rights: Rectification||Our clients are able to amend and update participant information or survey responses themselves by uploading revised data to Snap Online. For more information on this, please see https://www.snapsurveys.com/support-snapxmp/snapxmp/amending-an-individuals-information-held-in-snap-xmp/|
|G. Data subject rights: Erasure (‘right to be forgotten’)||Our clients are able to delete participant information or survey responses. For more information on this, please see https://www.snapsurveys.com/support-snapxmp/snapxmp/removing-an-individuals-information-held-in-snap-xmp/. It is also possible to delete entire surveys. Note that once deleted by our clients, the information remains on Snap Surveys’ servers for up to 12 + 2 weeks until it is permanently deleted – see N. below.|
|H. Data subject rights: Restriction of processing||It is possible for our clients to achieve this in a number of ways by:
|I. Data subject rights: Data portability||It seems unlikely that individuals will exercise this right in relation to their survey response data, but if required Snap Online allows clients to download and export responses in commonly used electronic formats.|
|J. Data subject rights: Objection||Should a participant object to the processing of their data, our clients can:
|K. Data subject rights: automated individual decision making, including profiling||In Snap Surveys’ view, it is unlikely that these provisions are intended to apply to the services covered by Snap Online.|
|L. Data Protection by Design and Default||As mentioned in B. above, our data controller clients can determine how much or how little personal data to collect using Snap Online, and can delete the Survey Data held in Snap Online. Clients can also use Snap Online to carry out anonymous surveys or can subsequently anonymize their data sets. All Survey Data is protected in line with our ISO 27001:2013 Information Security Management System.|
|M. Use of processors||We act as a data processor to our data controller clients who use our Snap Online system. Data controllers must have agreements in place with their data processors. Our Snap XMP Subscription Agreement includes data processing provisions which address the requirements of the GDPR.|
|N. Deletion or return of data at the end of the agreement||Our clients can download and export the Survey Data held in their Snap Online account to their own systems at any time, and delete the Survey Data held in their Snap Online account at any time. Snap Surveys encourages its clients to review the Survey Data held in their Snap Online accounts at regular intervals and not to retain such Survey Data for longer than is necessary. For more information on downloading and exporting, please see https://www.snapsurveys.com/support-snapxmp/snapxmp/exporting-an-individuals-survey-responses/ and, for deleting entire surveys, see https://www.snapsurveys.com/support-snapxmp/snapxmp/deleting-a-survey-in-snap-xmp/. On closure of a Snap Online account, any Survey Data still contained within that account will remain there for 28 days (unless you ask Snap Surveys to delete it sooner), following which it is deleted in accordance with the procedure below. Once Survey Data is deleted from Snap Online, either by our clients, or by Snap Surveys on account closure, it remains on our servers for up to a further 12 weeks after deletion (which enables us to guard against accidental deletion by clients of their data), then remains in our back-up system for a further 2 weeks, before being permanently deleted. Although Snap Online gives our clients the ability to export and delete their Survey Data themselves, Snap Surveys can also, on request, assist our clients with the deletion and return of their Survey Data.|
|O. Security of processing||Snap Surveys’ commitment to data security is evidenced by its ISO 27001:2013 certification. Our data centre providers UKFast and Microsoft Azure are also ISO 27001:2013 certified. Central to this is our Information Security Management System which protects the confidentiality, integrity and availability of information within our systems. Our ISMS is regularly tested and externally audited each year as a requirement of maintaining our certification. For more information about the security measures that we adopt to protect our systems, please see https://www.snapsurveys.com/gdpr/security-measures/.|
|P. Data security breaches||In the unlikely event of a data security breach, Snap Surveys has policies and procedures in place to react swiftly to data security breaches (linked to its wider information security incident management processes under its ISO 27001:2013 certification) and to report any security breaches of which we become aware to our data controller clients without undue delay. Snap Surveys will co-operate with its clients in relation to the investigation, mitigation and remediation of the breach.|
|Q. Overseas transfers of personal data are only permitted where there is an adequate level of protection, appropriate safeguards are in place, or under certain derogations||Our clients may choose whether to have their Survey Data held at data centres in the UK or the US. For clients with Snap Online running on UKFast servers, their Survey Data is held on servers in the UK. This is a wholly “ringfenced UK solution” and Survey Data will not leave the UK, unless as a result of a transfer made by a client. For clients with Snap Online running on Microsoft Azure servers, their Survey Data is held on servers in the US. For technical support reasons, this is accessible by Snap Surveys staff based in both the UK and the US. We have Intra Group Data Processing Agreements in place with our US subsidiary and Microsoft Azure which incorporate standard contractual clauses. Clients can identify whether they are running Snap Online on UKFast or Microsoft Azure servers by logging into their Snap Online Account and looking at their web page address:
A note on Snap Desktop
The summary above focuses on our clients’ use of Snap Online. As part of the Snap XMP range, Snap Surveys also provides its Snap Desktop software, which can be used in connection with online and offline surveys.
When Snap Desktop is used in connection with offline surveys, many areas remain under our clients’ complete control, such as:
- the system that it is installed on and the levels of security that our clients apply to this system
- the treatment and final deletion of data following its deletion by a user
- the process of backing-up data, and
- the location of where the data is stored
In addition, many of the features and functionality described in relation to Snap Online apply equally to Snap Desktop, meaning that our clients can:
- Collect as much or as little survey data as they like, or apply various levels of anonymisation to their surveys
- Provide participants with fair processing information at the beginning of a survey, and set a consent question where required
- Export, edit and delete data held within Snap Desktop
- Comply with the rights of access, rectification, erasure, restriction, data portability and objection
Disclaimer: this document is intended to give an overview of how certain features of Snap XMP may be able to assist Snap Surveys’ data controller clients in complying with some of their obligations under the GDPR. It is not intended to be an exhaustive statement of the law and readers should not rely on it as legal advice. The circumstances of each client will vary and you may wish to consult your legal advisers for advice on your own specific circumstances.
Originally posted: 9 March 2018
Last updated: 10 March 2021