General Data Protection Regulation

1 General Information
2 Background
3 Enabling the Customer to be GDPR Compliant
4 GDPR Contract
5 Key Principles of GDPR and Responsible Parties

General Information

The General Data Protection Regulation is a new set of privacy regulations and guidelines that replaces the Data Protection Directive 95/46/EC and takes effect on May 25, 2018.

Background

The General Data Protection Regulation (GDPR) will require several changes to organizations in the way they collect and process European Union (EU) personal data.

The GDPR contains a number of new protections for EU citizens and threatens penalties for non-compliance. In addition, there are new security, recordkeeping, access rights, and notification procedures that companies must implement to ensure compliance. Issues that are attracting particular focus include increased administrative requirements, and the need to provide the tools necessary to meet the numerous obligations on administrators, controllers, and processors.

Expimetrics offers self-service products to users via an Application Service Provider model delivered over the Internet and using standard web browser software. Customers solely determine what data to collect, from whom and where, for what purpose, and for how long. Therefore, Expimetrics does not and cannot classify or represent any Customer data. All data are processed electronically on the instructions of the Customer as required to provide the software, support, and maintenance. Expimetrics administrators and employees do not interact with or view this data during processing.

Since the Customer has full control over its data, it may have special obligations to protect the data outside the scope of the protection Expimetrics provides (for instance, if data were downloaded to the user’s local drive or printed). Expimetrics has always agreed to safeguard all Customer data with industry best standards regardless of what that data represents.

Enabling the Customer to be GDPR Compliant

Expimetrics enables its Customers to be GDPR compliant. Briefly stated, that means Expimetrics will:

  1. Provide sufficient guarantees to the controller to implement appropriate technical and organizational measures designed to safeguard Customer data

  2. Process data (that could include personal data) only to fulfil its obligations as related to the Services

  3. Enable users to modify and delete individual data points

  4. Enable users to modify and delete complete survey responses

  5. Enable users to modify and delete the entire project (responses and survey definitions)

  6. Provide security documentation that describes the processes and procedures for safeguarding the data

  7. Sign a contract that governs the processing of EU personal data

GDPR Contract

GDPR Article 28, Section 3, requires that a contract be in place between a data controller and a data processor. For years, the Expimetrics Survey Taker and Survey Maker Terms of Service and Privacy Policy have provided the fundamental legal requirements and obligations regarding data ownership, processing behavior, safeguarding data, breach notification, and more.

However, if an Expimetrics Customer desires to have a GDPR-specific contract, it may be electronically downloaded here.

This Contract appends the terms of an existing Agreement to satisfy the requirement of the GDPR Article 28, Section 3, that governs the processing of EU personal data. Once reviewed and signed, please send to contact@expimetrics.com.

Key Principles of GDPR and Responsible Parties

Both Expimetrics and its Customers (controllers) are separately and jointly liable for actions or inactions that do not comply with GDPR. Thus, the GDPR requires a shared responsibility to protect an individual’s right to privacy. The table below summarizes these responsibilities and is included for clarification only.

Legend: E = Expimetrics’ responsibility; C = Customer’s responsibility; S = Shared responsibility

Responsibility                                                         Party
Breach Notification Standards                                          S
Data security and processing standards                                 E
Individual “unambiguous” explicit consent before data collection       C
Individual withdraws consent, requests data deletion                   C
Parental consent to collect information on children                    C
Only transfer data to a country with adequate protection               E
Cross-border transfer of PII                                           C
Post public privacy notice                                             S
Follow requests from a DPA                                             S
Allow right to data modification and to be forgotten                   C
Provide data portability                                               S
Rights of notice, access, and objection                                C
Clarifying role of controller and processor                            S
Data breach notification                                               S
Collect data only for “specific, explicit, and legitimate purposes”    C

Please note: this is not an exhaustive list of responsibilities.