Snap Surveys recognizes its responsibility to help our clients meet their General Data Protection Regulation (“GDPR”) obligations when using our software and services. 

We have always taken data protection and the security of all of your data (whether personal or not) very seriously.  Since 2013 we have been certified to ISO 27001, the international standard for best practice for information security management systems.  We prepared for the GDPR for over a year before its implementation by building on our ISO and Data Protection Act compliance frameworks.

The GDPR remains very relevant to many of our clients post Brexit – the UK GDPR now applies directly in the UK and the original or ‘EU GDPR’  still applies to data controllers and processors established in the EU, or who process the personal data of EU citizens in certain contexts. Our analysis below applies equally to both regimes, so where we refer to the GDPR we refer to whichever regime is appropriate.

In the context of our Snap Online service, our clients using our service are data controllers and we act as their data processor, only processing their Survey Data in accordance with their instructions.

Our services provide our clients with huge amounts of flexibility when carrying out surveys. Our clients are in full control of the potential categories of participants, the amount of personal data that they collect, the information they provide to potential participants, the type of questions asked, what their survey data is used for and who it is shared with, and how long it is retained for.

As a result, compliance with the GDPR for any given survey run by our clients will depend in large part on the steps and the decisions taken by our clients, and Snap XMP contains many features and functionality to help our clients meet their obligations under the GDPR. For example, our clients can:

  • Collect as much or as little personal data as they like, or apply various levels of anonymization to their surveys
  • Provide participants with fair processing information at the beginning of a survey
  • Set a consent question where required, and save a record of that consent
  • Export, edit and delete survey data
  • Comply with the data subject rights of access, rectification, erasure, restriction, data portability and objection
  • Access a range of options as to how and where their survey data is hosted, including the option of a ‘ringfenced UK’ solution
  • Have the confidence that their survey data is protected in accordance with our ISO 27001:2013 Information Security Management System

We have set out below some of the key obligations of the GDPR and described how Snap XMP will assist our clients to meet these requirements.

To further assist our clients, we have produced a number of GDPR ‘how to tutorials’ that give detailed guidance on specific topics such as obtaining consent within your surveys and providing opt outs, and anonymization in surveys.  These are available on our website at snapsurveys.com/gdpr and in our Support Hub.

Further information about the GDPR is available on the Information Commissioner’s Office website at www.ico.org.uk.  Please contact your Snap Surveys Account Manager if you would like further information about Snap XMP.

GDPR Requirement / Application to the Snap Online service

A. Processing of personal data: in summary, any information relating to an identified or identifiable natural person
When using Snap Online, you may upload personal data regarding your potential participants, such as email addresses, and may collect personal data in your survey responses. As the data controller, you may set up your surveys to collect as much or as little personal data as you choose. It is worth noting that we do not distinguish within our systems between personal and non-personal data. Instead, we treat all data within Snap Online as data which is important to you and apply the same high levels of security to all data that you submit to and collect using Snap Online (“Survey Data”), and will only process that Survey Data in accordance with your instructions.
The GDPR applies only to personal data. The obligations under the GDPR do not apply to anonymous data. We offer several options to anonymize your surveys, including the option to run anonymous surveys using Snap Online. For more information on this, please see https://www.snapsurveys.com/support-snapxmp/snapxmp/making-surveys-anonymous/.

B. Principles for data processing: all processing must comply with the principles of lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation and integrity and confidentiality, and data controllers are accountable for such compliance
Compliance with the principles is the responsibility of Snap Surveys’ data controller clients who determine what data they collect from participants (including how much data they gather, and whether they need to collect personal data at all), the purposes for which that data is used and how long they store the data for. Various features within Snap Online assist compliance with these obligations, including:
  • the ability to provide potential participants with fair processing information (including regarding the purposes for processing and data storage periods)
  • where consent is required, obtain that at the beginning of the survey (see C below)
  • the ability to delete and rectify Survey Data held in Snap Online (see F and G below)
  • the ability to download Survey Data from a client’s Snap Online account to its own systems at any time
  • the ability to anonymize data sets
  • applying high levels of security to all data held within Snap Online, in line with our ISO 27001:2013 certified Information Security Management System

C. Controllers must be able to demonstrate a lawful basis for processing personal data, for example consent, the controller’s legitimate interests, or the performance of a public task
It is for the data controller to determine the basis for processing for any given survey, but consent is likely to be used in many surveys run by Snap Surveys’ clients (particularly where special categories of personal data may be processed). Relevant information (fair processing information) regarding the survey may be provided in the survey invitation email and/or at the beginning of the survey (see also D below) and, where required, the first page of the survey can be configured to obtain the participant’s consent to proceed with the survey. Where consent is obtained as a response to a question in the survey this can provide clients with a record of consent and when it was given. For more information on this, please see https://www.snapsurveys.com/support-snapxmp/snapxmp/including-a-consent-question-snap-desktop/ (Snap Desktop) and https://www.snapsurveys.com/support-snapxmp/snapxmp/including-a-consent-question-snap-online/ (Snap Online). Snap Online also offers the option to include an opt-out link in the survey invitation email, to enable participants to opt-out of the survey and of receiving future survey invitations for that survey. For more information on this, please see https://www.snapsurveys.com/support-snapxmp/snapxmp/including-an-opt-out-link-in-an-email-invitation/.

D. Data subject rights: Generally and the right to information
As a general note, responsibility for compliance with the rights of data subjects falls on the data controller. Snap Online contains the features described below to assist our clients in complying with these responsibilities directly themselves. As a data processor, Snap Surveys will not respond directly to any request made to it by a survey participant in relation to that participant’s potential rights under the GDPR. Snap Surveys will instead refer the request to its relevant data controller client and will not take any actions without their instructions. Snap Surveys will provide all reasonable assistance to its clients on their request. Regarding the right to information, the relevant fair processing information can easily be provided to potential participants in the survey invitation email and/or at the beginning of the survey itself, before further information is collected. Where appropriate, it is possible to use a layered approach and provide a summary of the information together with a link to your full privacy policy containing more detail.

E. Data subject rights: Access
Snap Online allows clients to download and export their survey response data as they see fit. This means that clients may access an individual’s survey response, and provide a copy of that response to the individual. For more information on this, please see https://www.snapsurveys.com/support-snapxmp/snapxmp/exporting-an-individuals-survey-responses/. Clients should bear in mind that this and the other data subject rights apply only to personal data. Where the data is anonymous, the rights do not apply. As mentioned above, Snap Surveys provides several options for data anonymization.

F. Data subject rights: Rectification
Our clients are able to amend and update participant information or survey responses themselves by uploading revised data to Snap Online. For more information on this, please see https://www.snapsurveys.com/support-snapxmp/snapxmp/amending-an-individuals-information-held-in-snap-xmp/

G. Data subject rights: Erasure (‘right to be forgotten’)
Our clients are able to delete participant information or survey responses. For more information on this, please see https://www.snapsurveys.com/support-snapxmp/snapxmp/removing-an-individuals-information-held-in-snap-xmp/. It is also possible to delete entire surveys. Note that once deleted by our clients, the information remains on Snap Surveys’ servers for up to 12 + 2 weeks until it is permanently deleted – see N. below.

H. Data subject rights: Restriction of processing
It is possible for our clients to achieve this in a number of ways by:

I. Data subject rights: Data portability
It seems unlikely that individuals will exercise this right in relation to their survey response data, but if required Snap Online allows clients to download and export responses in commonly used electronic formats.

J. Data subject rights: Objection
Should a participant object to the processing of their data, our clients can:

K. Data subject rights: automated individual decision making, including profiling
In Snap Surveys’ view, it is unlikely that these provisions are intended to apply to the services covered by Snap Online.

L. Data Protection by Design and Default
As mentioned in B. above, our data controller clients can determine how much or how little personal data to collect using Snap Online, and can delete the Survey Data held in Snap Online. Clients can also use Snap Online to carry out anonymous surveys or can subsequently anonymize their data sets. All Survey Data is protected in line with our ISO 27001:2013 Information Security Management System.

M. Use of processors
We act as a data processor to our data controller clients who use our Snap Online system. Data controllers must have agreements in place with their data processors. Our Snap XMP Subscription Agreement includes data processing provisions which address the requirements of the GDPR.

N. Deletion or return of data at the end of the agreement
Our clients can download and export the Survey Data held in their Snap Online account to their own systems at any time, and delete the Survey Data held in their Snap Online account at any time. Snap Surveys encourages its clients to review the Survey Data held in their Snap Online accounts at regular intervals and not to retain such Survey Data for longer than is necessary. For more information on downloading and exporting, please see https://www.snapsurveys.com/support-snapxmp/snapxmp/exporting-an-individuals-survey-responses/ and, for deleting entire surveys, see https://www.snapsurveys.com/support-snapxmp/snapxmp/deleting-a-survey-in-snap-xmp/. On closure of a Snap Online account, any Survey Data still contained within that account will remain there for 28 days (unless you ask Snap Surveys to delete it sooner), following which it is deleted in accordance with the procedure below. Once Survey Data is deleted from Snap Online, either by our clients, or by Snap Surveys on account closure, it remains on our servers for up to a further 12 weeks after deletion (which enables us to guard against accidental deletion by clients of their data), then remains in our back-up system for a further 2 weeks, before being permanently deleted. Although Snap Online gives our clients the ability to export and delete their Survey Data themselves, Snap Surveys can also, on request, assist our clients with the deletion and return of their Survey Data.

O. Security of processing
Snap Surveys’ commitment to data security is evidenced by its ISO 27001:2013 certification. Our data centre providers UKFast and Microsoft Azure are also ISO 27001:2013 certified. Central to this is our Information Security Management System which protects the confidentiality, integrity and availability of information within our systems. Our ISMS is regularly tested and externally audited each year as a requirement of maintaining our certification. For more information about the security measures that we adopt to protect our systems, please see https://www.snapsurveys.com/gdpr/security-measures/.

P. Data security breaches
In the unlikely event of a data security breach, Snap Surveys has policies and procedures in place to react swiftly to data security breaches (linked to its wider information security incident management processes under its ISO 27001:2013 certification) and to report any security breaches of which we become aware to our data controller clients without undue delay. Snap Surveys will co-operate with its clients in relation to the investigation, mitigation and remediation of the breach.

Q. Overseas transfers of personal data are only permitted where there is an adequate level of protection, appropriate safeguards are in place, or under certain derogations
Our clients may choose whether to have their Survey Data held at data centres in the UK or the US. For clients with Snap Online running on UKFast servers, their Survey Data is held on servers in the UK. This is a wholly “ringfenced UK solution” and Survey Data will not leave the UK, unless as a result of a transfer made by a client. For clients with Snap Online running on Microsoft Azure servers, their Survey Data is held on servers in the US. For technical support reasons, this is accessible by Snap Surveys staff based in both the UK and the US. We have Intra Group Data Processing Agreements in place with our US subsidiary and Microsoft Azure which incorporate standard contractual clauses. Clients can identify whether they are running Snap Online on UKFast or Microsoft Azure servers by logging into their Snap Online Account and looking at their web page address:
  • online1.snapsurveys.com indicates UKFast
  • online2.snapsurveys.com indicates Microsoft Azure

A note on Snap Desktop

The summary above focuses on our clients’ use of Snap Online. As part of the Snap XMP range, Snap Surveys also provides its Snap Desktop software, which can be used in connection with online and offline surveys.
When Snap Desktop is used in connection with offline surveys,  many areas remain under our clients’ complete control, such as:

  • the system that it is installed on and the levels of security that our clients apply to this system
  • the treatment and final deletion of data following its deletion by a user
  • the process of backing-up data, and
  • the location of where the data is stored

In addition, many of the features and functionality described in relation to Snap Online apply equally to Snap Desktop, meaning that our clients can:

  • Collect as much or as little survey data as they like, or apply various levels of anonymisation to their surveys
  • Provide participants with fair processing information at the beginning of a survey, and set a consent question where required
  • Export, edit and delete data held within Snap Desktop
  • Comply with the rights of access, rectification, erasure, restriction, data portability and objection

Disclaimer: this document is intended to give an overview of how certain features of Snap XMP may be able to assist Snap Surveys’ data controller clients in complying with some of their obligations under the GDPR. It is not intended to be an exhaustive statement of the law and readers should not rely on it as legal advice. The circumstances of each client will vary and you may wish to consult your legal advisers for advice on your own specific circumstances.

Originally posted: 9 March 2018

Last updated: 10 March 2021