“We here at Feedbackly take our data security seriously. This is why we put this page together so that you can have 100% clarity on how we handle your data. From this page, you can find everything you need to understand how your data is handled.”
– Feedbackly Team
Taking effect on 25 May 2018, the European Union’s General Data Protection Regulation (GDPR) is one of the most important international legislative changes in data protection in decades. The purpose of the regulation is to increase the individual’s rights to manage and process their personal data and to harmonize legislation within the European Union.
Feedbackly is firmly committed to the new Data Protection Regulation and we have been studying its content and impact for a while already. In addition to complying with the regulation ourselves, it is important for us to help our customers with their compliance efforts. This goal will be achieved through training, instruction, and technical development of our software.
Feedbackly’s GDPR-compliant terms come into force on the 1st of April 2018. Here you can find the most important documents regarding the use of Feedbackly:
- Feedbackly general terms
- Appendix: Feedbackly Data Protection Agreement (Customers)
Obligations as a Feedbackly customer
Feedbackly’s clients generally act as controllers for the personal data registers and data they are processing in Feedbackly. The aim of the controller (client) is to define the purpose of the register, and the processor (Feedbackly) is responsible for helping the client in the processing of information in the intended manner. Simply put, this means that the customer uses Feedbackly for their intended purpose and Feedbackly assists the customer in implementing this purpose. This means that we are also updating the software to make this fast and easy.
The controller (customer) is responsible for ensuring that data is processed technically and administratively in accordance with the requirements of the regulation. The regulation includes significant changes to how and when registers can be maintained. In addition, the controller must ensure that their own activities are transparent towards the data subject, the data is valid, and correct restrictions are applied to the use of personal data. It is particularly important to remove unnecessary information and to safeguard the data subject’s legislative rights. According to the regulation, the data subject has the right to ask for their registered data, to update it and, in certain circumstances, to demand its deletion.
We also encourage you to analyse your situation with the assistance of a lawyer, as the services or training they provide may give you instructions directed specifically at your organization. The responsibility to take care of this is on the controller (client), so we strongly advise you to put some effort in. But don’t worry, we have also created easy-to-use instructions on how you can get started.
How can I get started?
- Review the General Data Protection Regulation and the European Data Protection Supervisor’s instructions. These are important and apply to all controllers.
- Check what registers you maintain, and ensure that they are consistent with the requirements of the regulation. List how the data is collected, why, by whom, how it is stored and how everything is handled. For the data in Feedbackly, you can also do this in the Feedbackly dashboard. Notice: This is only for the data stored in Feedbackly, not anything else.
- Explore how your current software, services, policies, and processes are compatible with the regulation. Make data processing agreements (DPAs) with all the processors of your registry. You may find templates and instructions for this on the European Commission website, along with materials for SMEs.
- We advise you to use a professional lawyer to go through your GDPR documents and processes so that you can be sure that they are done right.
Is Feedbackly prepared for the GDPR?
We are proud to say that we have put in a tremendous amount of work to make sure that everything is in order when the regulation is enforced. We have put in enterprise-level effort to look after our data protection and privacy, as we understand the importance of this matter. This way our enterprise customers can also rely on us to do our part in the data protection chain.
We have trained our staff as data protection experts and specialists. Feedbackly’s data protection mechanisms have been entrusted to the management of the entire company, as well as to a DPO (Markus Räipiö) who is responsible for operations as part of the management team.
A tech team has been set up to implement the changes required by the regulation. Their task is to implement the data protection processes and changes and make them part of the company’s overall functions and services. There will also be some visual and functional changes, such as new features in Feedbackly, to make your life easier.
GDPR brings changes to the Feedbackly software
Automatic expiration of personal data
In order to avoid storing old and unnecessary data, Feedbackly will set an expiration date for personal data by default. After the set time period, given feedback data will be anonymized and personal data will be deleted. Our customers can change the expiration date according to their business needs and regulatory requirements.
Stricter requirements for consent
The GDPR enforces even stricter requirements for consent when collecting the data. By using Feedbackly and strictly required fields, everyone can be sure that the data that enters the system is collected with proper permissions.
Showing personal data on demand
Previously, when a customer wished to examine the results of a survey, the results were displayed to the customer in full form. In many cases, showing the exact personal information related to the feedback results is unnecessary if the customer is not taking any action regarding them. Therefore, personal data is only displayed if the customer explicitly indicates that they need to see it. Doing so leaves an audit trail.
Tools to manage personal data
The GDPR gives more rights to individuals over their personal data. We at Feedbackly will provide efficient tools for our customers to find out what personal data is stored in their account and therefore fulfill requests coming from individuals. These features include the ability to print out a report on personal data by the individual, delete all related personal data etc. In addition, an individual can be provided links to change their answers if they wish to do so.
Access to customer data
While we have always accessed customer data only purposefully and with the agreement of our customers, we have developed stricter controls on who can access the data inside the company, including a clear audit trail for those people who actually do.
Storing relevant backups is crucial to us for disaster recovery purposes. However, backups tend to hold information even after it is deleted from production systems. This is why we periodically run our backups through certain filters to ensure they contain only information we and our customers have permissions to store.
Data processing and subcontractors
Our objective is to provide the safest and highest quality service to our customers. Like many other SaaS services, we also use subcontractors and partners to provide our service. This means that our subcontractors also take part in the processing of personal data on a case-by-case basis. All our subcontractors go through an audit process, which ensures that they share our own tight security and privacy requirements. All companies we work with would need to obey the new EU data regulations if applicable.
- Google Cloud Platform
- Sendgrid emails
As part of a data processing agreement, our customers must accept our subcontractors’ use of personal data.
To enhance data and personal data security, we are using Auth0 services to ensure encryption end-to-end. By using Feedbackly services you approve that your personal data is handled by Auth0 and that you accept their data security regulations. Please find them here: https://auth0.com/docs/
You are not able to hold Feedbackly accountable for any breaches of Auth0 services.
Data processing agreements
We fully understand our important role as a processor of valuable and confidential personal data and are serious about the responsibility that our customers give us. Over the past months, we have built a processing agreement with our customers in accordance with the Data Protection Regulation, which identifies the customer’s processing instructions for the registry. These guidelines are the foundation for all our processing operations.
We require all our customers to accept our data processing agreement so that we can ensure safe and lawful processing of personal data even after 25 May, 2018. We will process personal information you provide to Feedbackly only and solely in accordance with the regulation. You can find these terms in the upper part of this page.
Feedbackly employees undertake to participate in data protection and processing training to ensure that your data is reliably managed. All our employees are also subject to duty of confidentiality with respect to our customers’ data when they start working at Feedbackly.
Retrieving and removing data
Feedbackly makes it possible to retrieve and remove an individual data subject’s items. Also, if your customer relationship with us nevertheless ends, or if you want to retrieve or remove any personal information, we will provide you with the right tools for this. Retrieving event, data subject, and other personal information is done by request.
You can submit such a request to support(at)feedbackly.com. In addition, on request, we can ensure that your personal data is removed from our own and our subcontractors’ databases upon termination of your customer relationship. We will permanently remove your information within the stated deadline unless we have a legitimate reason in the public interest to maintain the data.
Data transmission internationally
Feedbackly will never transfer personal information covered by our processing agreements and keyed in by our customers to a service outside the European Union or the European Economic Area. We also ensure that our subcontractors are committed to complying with this practice.
Feedbackly reserves the right to process information covered by its own registers in countries outside the European Union or the European Economic Area, provided that adequate security and data protection of these services is appropriately undertaken. We also try to minimise the amount of data that is being processed outside the EU, but because of the open nature of the Internet, we cannot completely restrict the processing.
Our support to you
Feedbackly’s team provides assistance with questions about the data protection regulation. In addition, our customer relations manager and customer service personnel provide user support and help with Feedbackly’s data protection features.