Privacy policy for surveys via the si-quest.de platform
Controller:
smart insights GmbH
Findorffstraße 22-24
D-28215 Bremen, Germany
info@smart-insights.de
External data protection officer:
Kanzlei Dr. Schenk (law firm)
Rechtsanwalt Dr. Stephan Schenk (named lawyer)
Buchtstraße 13
28195 Bremen, Germany
kanzlei@dr-schenk.net
A) Basic information about data processing and the legal bases for processing
1. This privacy policy explains the nature, scope and purpose of the processing of personal data in the course of the online surveys we conduct via the si-quest.de platform as a market research institute. This privacy policy applies regardless of the systems, platforms and devices that are used for the online platform.
2. For the terms used in this policy, such as "personal data" and "processing" of personal data, see the definitions in Article 4 of the General Data Protection Regulation (GDPR).
3. We only process participants' personal data in compliance with the relevant data protection regulations. This means that users' data is only processed if permitted by law. This includes the following legal grounds for processing:
We process personal data on the legal basis of Article 6(1)(a) and Article 7 GDPR, where the user has given his or her consent.
We process personal data on the legal basis of Article 6(1)(b) GDPR, where this is necessary to perform our services and to implement contractual measures with the data subjects. This is the case, for example, if participants contact us via e-mail about a survey.
We process personal data on the legal basis of Article 6(1)(c) GDPR, where this is necessary to comply with our legal obligations.
We process personal data on the legal basis of Article 6(1)(f) GDPR to safeguard our legitimate interests, such as economic operation of our company and optimisation of the security and functionality of our online platform.
B) Types of surveys
1. We distinguish between three types of surveys that are run on the si-quest.de platform: anonymous surveys, pseudonymised surveys and personalised surveys.
C) Types of personal and non-personal data that are processed
1. In order to provide and guarantee a functioning platform, the following data is automatically processed when the online survey is accessed:
- Date and time of access
- Start, end and duration of use
- Type of device
- Operating system used
- Volume of data sent
- Name and version of the browser that is used
- Operating system
- Referrer URL
- Status of participation in the online survey (started or ended)
- Duration of participation in the completed online survey
- Individual ID of the participant. This is used in pseudonymised surveys to prevent individuals participating multiple times (see also section E "Cookies"). In personalised surveys, the ID is also used by smart insights® to invite participants to the survey and, if necessary, to send a reminder message at the end of the study.
Not all of this data is personal data. In the event that non-personal data is linked to personal data, such data as a whole shall be treated as personal data for as long as the data remains linked.
2. Participants' personal data that is processed in the course of our anonymous online surveys also includes the information voluntarily provided by the participants within the survey, e.g. age and gender. Survey data is only analysed after the data has been aggregated and not with reference to individual participants.
3. For our pseudonymised online surveys, the information voluntarily provided by the participants during the survey, e.g. age and gender, is processed in addition to the data specified under section C.1. For pseudonymised surveys, the participants are usually invited to participate by the survey client. smart insights GmbH provides the client with a list of randomly generated individual access keys for this purpose. These keys are then distributed by the client to the participants (e.g. to the client's customers or employees). For pseudonymised surveys, smart insights GmbH does not know which of these keys has been assigned to which individual participant. When survey data is passed on to the client, the access keys are removed from the raw data so that the client cannot link the individual answers to the personal data of individual participants. Survey data is only analysed after the data has been aggregated and not with reference to individual participants.
4. During our personalised surveys (surveys in which participants are invited to participate with a personal form of address and a personalised survey link or participant key from smart insights®), the data voluntarily provided by the participants during the survey, e.g. age and gender, is processed in addition to the data mentioned under section C.1. E-mail address, name (if applicable) and other data such as the title or gender of the survey participant are also processed. Only the data actually necessary for the purpose of the survey is processed. The data is only analysed after it has been pseudonymised. The personal data is separated from the survey data in this process. This means that it is not possible to identify the e-mail address, name or any other personal data used in the survey invitation from the respondents' answers. The personal data used for the survey invitation is deleted after the end of the survey and is not used for any purpose other than the survey invitation and the reminder to participate. Survey data is only analysed after the data has been aggregated and not with reference to individual participants.
5. When a survey from smart insights GmbH is accessed, information of a general nature is automatically recorded (server log files). This includes the following:
- Name of the accessed survey
- Date and time of access
- Notification of successful retrieval
- Type of device
- Operating system used
- Volume of data sent
- Referrer URL
- IP address
This data is necessary for technical reasons to deliver the survey correctly. Such data is necessary to use the Internet. The data is required to operate, maintain, protect, and monitor the proper functioning of the system. Log file information is stored for security reasons (e.g. to investigate abuse or fraud) for as long as is necessary for the purpose of processing and is then deleted immediately. Data, the further storage of which is necessary for evidential purposes, is excluded from deletion until the applicable incident has been conclusively resolved.
6. The data of participants, if they contact us (e.g. via e-mail), is stored for the purpose of processing any contact query and is deleted as soon as it is no longer required for the purpose of processing a contact query.
D) Recipients of personal data
1. Internal recipients: Within smart insights GmbH, only employees who require access for the purposes stated in each case have access.
2. External recipients: We only pass on your personal data to external recipients outside smart insights GmbH if this is necessary to carry out or process your request, if there is another legal ground for doing so or if we have your express consent to do so.
External recipients may include:
Processors
External service providers that we use to perform services, e.g. technical infrastructure and maintenance or to provide content. We carefully select and regularly review these processors to ensure that your privacy is maintained. The service providers may only use the data for the purposes specified by us and in accordance with our instructions.
Public bodies
Authorities and government institutions, e.g. public prosecutors, courts and tax authorities, to which we must transfer personal data for mandatory legal reasons.
Clients
Clients who commission smart insights GmbH to carry out online surveys.
E) Cookies
Cookies are stored on your computer when you use our survey, in addition to the above data. Cookies are text files that are stored on your hard drive for the browser you are using and that provide the website that creates the cookie (in this case, us) with certain information. Cookies cannot run programs or infect your computer with viruses. They are used to make our website generally more user-friendly and effective.
Our survey currently uses the following types of cookies, the scope and functionality of which are explained below:
- Transient cookies are automatically deleted when you close your browser. These include session cookies in particular. Session cookies store a session ID, which is associated with the various requests made by your browser in the same session. This means that we can recognise your computer when you return to the website. The session cookies are deleted when you close the browser.
- Persistent cookies are automatically deleted after a specified period of time, which may vary depending on the cookie. You can delete cookies at any time via your browser's security settings.
You can configure your browser settings to suit your preferences, e.g. to accept third-party cookies or to reject all cookies. Please note that you may not be able to use all the features of our survey if you disable cookies.
F) Data processing in third countries
If data is transferred to a party whose registered office or place of data processing is not located in a Member State of the European Union or in another state party to the Agreement on the European Economic Area, we ensure, prior to transferring the data (except in legally permitted exceptions), that the recipient provides an adequate level of data protection (e.g. by way of an adequacy decision of the European Commission or by appropriate guarantees such as self-certification by the recipient for the EU-US Privacy Shield) or that you give your consent to the data being transferred.
G) Storage period, erasure (deletion)
The following applies if no information regarding the specific storage period or deletion of the data is provided in the individual sections of this privacy policy:
We store your personal data only as long as necessary to fulfil the intended purposes or – in the case of consent – as long as you have not withdrawn your consent. If you object to processing, we delete your personal data, unless further processing is permitted under the relevant statutory provisions. We also delete your personal data if we are obliged to do so for other legal reasons.
Applying these general principles, we typically delete your personal data immediately in the following cases:
- the legal basis has ceased to apply and no other legal basis applies (e.g. retention periods under commercial and tax law). If there is another legal basis, we delete the data after the other legal basis has ceased to apply.
- when the data is no longer necessary for the purposes of preparing and executing a contract or for legitimate interests pursued by us and no other legal basis applies (e.g. retention periods under commercial and tax law). If there is another legal basis, we delete the data after the other legal basis has ceased to apply.
- if the purpose we are pursuing by collecting data no longer applies and no other legal basis applies (e.g. retention periods under commercial and tax law). If the latter is the case, we will delete the data after the other legal basis has ceased to apply.
H) Security measures
1. We implement organisational, contractual and state-of-the-art technical security measures to ensure that the provisions of data protection laws are complied with and to protect the data that we process against accidental or intentional manipulation, loss, destruction and access by unauthorised persons.
2. The data is transmitted in encrypted format to prevent misuse of the data by third parties. Your data is processed by smart insights GmbH within the Federal Republic of Germany.
3. For the transmission of discrete data, 256-Bit SSL (Secure Sockets Layer) encryption is used to protect against manipulation or access by unauthorised persons.
4. Both the survey itself and the "si-quest.com" domain are hosted on ISO 27001-certified servers in Germany.
I) Rights of data subjects
As a data subject whose data is processed, you have many rights. They are as follows:
Right of access: You have the right to access the personal data we have stored about you.
Right of rectification and erasure (deletion): You have the right to request that we correct incorrect data and – where the legal requirements are met – that we delete your data.
Restriction of processing: You have the right to request that we restrict the processing of your data, provided that the legal requirements are met.
Data portability: If you have provided us with data on the basis of a contract or consent, you may, if the legal requirements are met, request that we provide this data in a structured, commonly used and machine-readable format or that we transfer it to another controller.
Objection to data processing on the legal basis of "legitimate interest": You have the right to object to data processing by us at any time for reasons arising from your particular situation, where such processing is based on "legitimate interest". If you make use of your right to object, we will cease to process your data, unless we can demonstrate – in accordance with the statutory provisions - that there are compelling legitimate grounds for further processing which override your rights.
Withdrawal of consent: If you have given us your consent to process your data, you may withdraw your consent at any time with effect for the future. The legality of the processing of your data until withdrawal is not affected by your withdrawal of consent. You can withdraw your consent by sending an email to widerruf@smart-insights.de or writing to the postal address of smart insights GmbH provided at the start of this policy.
Right to lodge a compliant with the supervisory authority: You also have the right to lodge a complaint with the competent supervisory authority if you are of the opinion that the processing of your data violates applicable law. To lodge a complaint, you can contact the data protection authority responsible for your place of residence or country or our data protection authority.
LAST UPDATED: 19/11/2018