The General Data Protection Regulation (GDPR) took effect on May 25th, 2018. It is a new and far-reaching privacy regulation. You can read more about how Automattic is implementing the GDPR’s principles in this document that covers the company wide policies that include Crowdsignal.
There are three roles defined in the GDPR:
- Data subjects are people whose personal data is collected. They are those who fill in surveys, quizzes, polls or ratings.
- Data controllers determine how data is used and processed. For Crowdsignal the owners of surveys, quizzes, polls and ratings are data controllers for the personal data of data subjects who respond to them. They create the tools that data subjects fill in to collect data and determine how to use that data through reports, analysis or by exporting it.
- Data processors process the data for the data controller. Crowdsignal is the data processor of the collected data. Our users use the tools provided to collect data and analyse it.
We have built a GDPR Access Tool to allow data subjects access to their data. Using this tool it is possible to view survey and poll responses that are associated with a particular email address. This tool allows polls, quizzes and surveys to be queried. Ratings are by their nature anonymous and cannot by identified.After confirming their email address any survey or poll response found will be shown. The user can then request a zip file containing this data, or request that the data be deleted.
Delete requests are not seen or handled by Crowdsignal staff. The request is sent directly to the Crowdsignal users who own the polls/quizzes/surveys. They can take care of these requests in the GDPR Data Subject Erasure Requests page. On that page the responses can be deleted or if there is a legitimate reason for keeping the data the request can be ignored. The data controller should contact the data subject if this happens.
The GDPR Access Tool is open to all. Even if you do not reside in the EU you can use it to find out about your personal data. However every request to delete data will have a notice telling the data controller if the data subject made the request from within the EU (based on IP address) or not.
If you have any queries about the GDPR please contact us.