Data Processing Addendum (GDPR)
Processing of Personal data
On 25 May 2018 the General Data Protection Regulation (GDPR) comes into effect. Below we examine what personal data Mopinion processes, and for what purposes.
Mopinion collects personal data as a contractor.
Below we will describe the way in which Mopinion processes and stores the personal data which Mopinion obtains in the course of its core business, which can be summarised as providing surveys for its clients.
Description of Core Business
Mopinion sells or grants licences for an application with which its clients (businesses) are able to ask their customers (in general consumers) to participate in a survey in order to obtain feedback from the consumers about their own products or services (hereafter referred to as the application).
The application is filled in by the client himself with the questions that he wishes to put to the consumers. The client is given the ability to login to the application, to further fill it in and/or revise it. It is down to the client to determine which customers are asked to fill in the survey and what personal data the client wishes to receive from the customer.
The following personal data is generally requested in the application and is then processed by the client personally: surname, christian names, address, email address, telephone number. It is down to Mopinion’s client to determine what personal data it requests from the customer.
Because the data referred to above may identify natural persons it amounts to ‘personal data’ within the meaning of the GDPR.
The application can be viewed not only by the client, but also by Mopinion. Besides the stated personal data the following meta-data is also known to Mopinion: The browser, the pages visited by the consumer, the hardware, the URL. This information is not capable of identifying natural persons, so in this case there is no question of it being personal data within the meaning of the GDPR.
The IP address that the consumer uses comes in to Mopinion’s system but is immediately converted automatically into a location which is not further specified, but is only indicated by the place of residence and country, without street name or house number. The IP is then immediately deleted, is not stored, and is no longer traceable. That way there is no question of this being personal data.
Controller/processor in Core Business
The GDPR defines the ‘controller’ -briefly – as the person who sets the goal and the means for the processing of personal data.
A ‘processor’ under the GDPR is the person who – not being employed by the controller – processes the personal data on behalf of the controller.
With regard to the personal data which is processed in the course of Mopinion’s core business it is the client who sets the goal and the means for the processing. The application is a tool for obtaining the personal data and whilst the application is supplied to the client by Mopinion, it is the client who fills in the application (and therefore establishes the goal for which the application is being used) and who determines that this application is to be used (and therefore determines the means for the processing).
Mopinion is not employed by the client, but by providing the application and ensuring that the application continues to work, and by also being able to view the results of the application, it processes the personal data on behalf of the client and is therefore to be regarded as the processor. Mopinion makes no independent decisions with regard to this personal data.
Goal of Core Business
Because it is Mopinion’s client who determines what personal data is obtained and what is to be done with it, it is Mopinion’s client who sets the goal.
The application involves the client asking consumers to fill in a questionnaire. It is down to the client to ask for the consumer’s consent and/or to enter into an agreement with them.
Mopinion and its client enter into a contract for the use of the application and a contract covering the processing of personal data. Under the terms of this latter contract Mopinion has no control over the personal data placed at its disposal. It makes no decisions over the receipt and use of the data, its supply to third parties, and the duration of storage of data. Control over the personal data provided under the contract is never vested in Mopinion.
Mopinion does not use the personal data for any purposes other than those set by its client.
Period of retention of personal data in the core business
Mopinion retains the personal data for as long as the contract with the client continues. This may be different if the contract with the client contains some other agreed term.
The possibility exists of agreeing with the client that Mopinion retains the personal data for a specified period of time, after which it is automatically deleted without a copy being retained.
Deletion of personal data in the core business
Mopinion will at all times and upon first request by the client immediately destroy all extracts and copies received from the client and/or data relating to the client which is processed on behalf of the client, in a manner to be further determined in mutual consultation.
Internal management, technical and organisational security measures in the Core Business
The personal data is stored in encrypted form in Mopinion’s database. This comprises the name, address, place of residence, email address and telephone number of the client’s customers. Only authorised persons, employees of Mopinion, have access to this data. Only senior employees and management of Mopinion’s product related teams have access to this. Product related teams are Mopinion’s teams that are charged with the operational development, support, maintenance and testing of Mopinion’s software (Mopinion’s product). Other teams/divisions, such as Sales, Marketing, HR, Office Management and Finance have no access to this data.
All Mopinion’s personnel have signed a confidentiality statement and they are all aware that no personal information may be disclosed outside the company.
Mopinion uses the services of Amazon Web Services (AWS), an international organisation that is accredited under ISO 21001 standards and is based in Dublin, Ireland, where the personal data is stored. Under the terms of the contract with AWS the data remains within Europe and is not retained otherwise than on the express request of Mopinion.
In order to prevent the risk of data loss a backup is made every day, and backups are kept for a period of one month.
Data leaks in the Core Business
Should a breach of security or data leak be detected within Mopinion this would be reported to the client as soon as possible, and in any case within 24 hours of discovery, and Mopinion would provide the client with all the information it has about the breach or data leak. Further actions would be in accordance with the ‘Procedure for reporting and handling data breaches’.
Data Processing Agreement
The Data Processing Agreement is a template for a contract between Mopinion and its clients. You can either view this agreement online here or request a signed version of this processor contract here.
Data Protection Officer
If you have any questions regarding the DPA, please contact Mopinion’s Data Protection Officer (DPO) – M. Haroon at firstname.lastname@example.org.