Privacy GDPR/CCPA
Alchemer GDPR/CCPA Command Center
Privacy 101
GDPR – Applicable to EU-based businesses and any business that controls or processes the data of EU citizens are required to comply with GDPR starting May 25, 2018 and beyond. This set of laws is the latest effort to ensure everyone has control of their data, and knows exactly where and how it’s used – requiring individual consent.
CCPA – This sweeping legislation creates requirements for identifying, managing, securing, tracking, producing and deleting consumer privacy information of residents of the State of California.
We are a business of data integrity
With Alchemer, you can have a peace of mind that data is collected, stored, and processed with the appropriate levels of sensitivity – always meeting or exceeding GDPR / CCPA compliance.
Centralized information always accessible
This is our central space where all things GDPR/CCPA are monitored. Stay informed with our GDPR/CCPA compliance and ongoing data privacy initiatives centralized here.
Disclaimer: While we confer with counsel and in-house compliance and security on various data privacy policies and regulations like the GDPR/CCPA, do not mistake this information to be a substitute for legal advice.
Latest GDPR/CCPA News & Resources
Alchemer’s Commitment to GDPR and CCPA
Alchemer is undertaking a number of efforts to not only comply with but to exceed the spirit of the regulation.
Alchemer and GDPR
-
Our GDPR Compliance
open close -
Documentation
Information We Hold
We have conducted data audits to map data flows.
We have documented what personal data we hold, where it came from, who we share it with, and what we do with it.
Accountability and Governance
Accountability
We have appropriate data protection policies, controls, and contracts.
Local Representative
We have nominated a data protection lead and will have a local representative assigned.
Management Responsibility
Decision makers and key people at Alchemer have demonstrated support for data protection legislation and promotes a positive culture of data protection compliance across the business.
Information risks and data protection impact assessments
Alchemer manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.
Data Protection by Design
Alchemer has implemented appropriate technical and organizational measures to show we have considered and integrated data protection into our processing activities.
Training and awareness
Alchemer provides data protection awareness training for all staff.
Data processing contracts
Alchemer only processes data on the documented instructions of a controller and there is a written contract outlining the respective responsibilities and liabilities of the controller and our business.
The use of sub-processors
Alchemer has sought prior written authorization from the controller before engaging the services of a sub-processor, and there is a Data Processing Addendum (DPA) in place.
Operational base
Alchemer operates inside and outside of the EU.
Breach notification
Alchemer has effective processes to identify and report any personal data breaches to its controller.
Registered office: 168 Centennial Parkway, Unit #250, Louisville, Colorado, 80027 USA
-
Product Features
open close -
Alchemer has hundreds of robust features built and refined with data privacy in mind. Here are some of our favorites to use for GDPR compliance:
- Advanced Privacy Policy and opt-in consent process
- Delete individual response data
- Track respondent email unsubscribe requests
- To gain consent from website visitors to the use of cookies users can leverage three different kinds of website intercepts
- Survey responses can be anonymized
Feature availability depends on account license type. Check our Feature List for more details.
Visit our Documentation library to learn about the specifics of each and every Alchemer feature.
Registered office: 168 Centennial Parkway, Unit #250, Louisville, Colorado, 80027 USA
-
GDPR Rights
open close -
The right to be informed.
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under GDPR.
The right of access.
Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.
The right to rectification.
Individuals have the right to have inaccurate personal data rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing. Organizations have one calendar month to respond to a request.
The right to erasure.
Individuals have the right to have personal data erased. This right is also known as “the right to be forgotten.” Individuals can make a request for erasure verbally or in writing. Organizations have one calendar month to respond to a request. This right is not absolute and only applies in certain circumstances.
The right to restrict processing.
Individuals have the right to request the restriction or suppression of their personal data. When processing is restricted, organizations are permitting to store the personal data, but not use it. Organizations have one calendar month to respond to a request. This right is not absolute and only applies in certain circumstances.
The right to data portability.
Individuals can obtain and reuse their personal data for their own purposes across different services. This right allows individuals to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. This right enables consumers to take advantage of applications and services which can use this data to find them a better deal, or help them understand their spending habits.
The right to object.
Individuals have the right to object to:
- Data processing based on legitimate interested or the performance of a task in the public interest/exercise of official authority (including profiling);
- Direct marketing (including profiling);
- Data processing for purpose of scientific/historical research and statistics.
Rights in relation to automated decision and profiling.
This right protects individuals if organizations are carrying out solely automated decision-making that has legal or similarly significant effects on them.
Registered office: 168 Centennial Parkway, Unit #250, Louisville, Colorado, 80027 USA
-
FAQ
open close -
What happens when I make a data rights request as a survey respondent?
Alchemer will identify the Controller of your information (our customer) and will convey your request to them. As they own and control your data, they are responsible for taking requested actions.
Why do you need my email address and the survey link when I make a request?
The link is used to identify the customer who sent you the survey, and in turn, is responsible for ensuring your request is honored.
What happens when I make a data rights request as a survey creator?
We will make all reasonable attempts to comply with your request directly. However, please understand that some information may not “forgotten” as a Customer, due to our obligations to be able to contact you.
What if I need additional information about my company’s GDPR compliance?
It is recommended that you confer with counsel to ensure your specific requirements under GDPR and other international law are followed. Alchemer can only assist with meeting compliance requirements by providing controls to aid in meeting obligations.
What does Alchemer do with the information I provide in a survey?
Alchemer only provides the platform used by our customers to conduct surveys. The individual responses to surveys are the property of the survey creator. Alchemer does not interact with your data except where explicitly permitted by the customer.
Does GDPR replace Privacy Shield compliance controls?
No, GDPR and Privacy Shield work in parallel and are created/maintained by different regulatory bodies. Alchemer is committed to ensuring compliance with both programs.
Registered office: 168 Centennial Parkway, Unit #250, Louisville, Colorado, 80027 USA