Data Processing Agreement

Survio provides the users of Survio websites, questionnaires, products and/or services (hereinafter referred to as the “User”) with data space for the purpose of storing the respondents’ data on Survio’s servers. The User’s data may also include personal data of natural persons. In relation to personal data that the User stores on Survio’s servers (personal data of respondents), Survio acts as the processor of personal data (hereinafter referred to as the “Processor”). The User for whom the data is stored acts as the controller (hereinafter referred to as the “Controller”).

In order to comply with Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 4, 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as the “GDPR”), the Controller and the Processor, also referred to as the “Contracting Party”, and jointly as the “Contracting Parties”, enter into this Data Processing Agreement (hereinafter referred to as the “Agreement”).

Further information on the processing of personal data can be found in the Personal Data Protection Rules available here: https://www.survio.com/en/privacy-policy.

If the User is interested in the services described below, this Agreement may be concluded by the signature of both Contracting Parties. Please contact us via e-mail: support@survio.com.

I. INTRODUCTORY PROVISIONS

  1. The Contracting Parties state that they have concluded a provision of services agreement (hereinafter referred to as the “Main Agreement”), under which the Processor provides the Controller with services consisting of providing a tool for creating online questionnaires, providing data space and a questionnaire management application (hereinafter referred to as the “Services”).
  2. In view of the fact that within the cooperation described in paragraph 1 of this article, data will be stored on the Processor’s servers and transfers of personal data of natural persons provided to the Controller may take place, the Contracting Parties are obligated to enter into a written agreement on the processing of personal data.
  3. The Processor’s services are provided exclusively in the territory of the European Union or in a state of the European Economic Area. Any relocation of the Processor, its activities or parts thereof to a third country requires the prior consent of the Controller and may only take place under the special conditions of Article 44 et seq. of the GDPR. In relation to other processors of the Processor, Article VI of this Agreement shall apply.
  4. The Processor declares that the Processor has implemented the appropriate technical means and organizational measures to the extent that will enable the processing of Personal Data to meet the requirements of this Agreement and the applicable laws and to ensure the protection of the rights of Data Subjects. Significant technical and organizational measures are defined in Annex No. 1. Technical means and organizational measures may be modified to reflect technological progress and developments. The Processor is therefore entitled to implement technical means and organizational measures alternative to those used at the time of concluding this Agreement. However, the Processor undertakes that such means and measures will guarantee the same or a higher level of security.
  5. The Processor declares that the Processor holds the ISO/IEC 27001 certificate, which guarantees that the Processor meets internationally recognized standards for information security management systems.
  6. As there will be communication between the Contracting Parties that the Contracting Parties consider confidential, the purpose of this Agreement is also to regulate the conditions of conduct of the Contracting Parties with respect to the handling of confidential information obtained during cooperation under this and the Main Agreement, as well as before its commencement.
  7. The Contracting Parties undertake to act in mutual agreement and to respect the rights of the other Contracting Party in the performance of this Agreement. The Contracting Parties undertake to inform each other of all facts that are or may be important for the proper performance of this Agreement.

II. SUBJECT MATTER OF THE AGREEMENT

  1. The subject matter of this Agreement includes:
    • authorization of the Processor by the Controller to process Personal Data in accordance with the GDPR and in accordance with the conditions set forth below in this Agreement;
    • determination of the scope, purpose and period of processing Personal Data;
    • determination of means and method of processing Personal Data;
    • determination of the rights and obligations of the Controller and the Processor;
    • provision of guarantees by the Processor in terms of the technical and organizational security of Personal Data protection.
  2. The Controller hereby authorizes the Processor to process Personal Data as described in this Agreement.
  3. The Processor’s costs related to the processing of Personal Data are part of the remuneration for the provision of the Services.

III. CATEGORIES OF DATA SUBJECTS, SCOPE OF PERSONAL DATA, PURPOSE AND PROCESSING PERIOD

  1. Categories of Data Subjects:
    1. The category of data subjects whose personal data is subject to processing under this Agreement: respondents of the Controller (hereinafter referred to as the “Data Subject”).
  2. Scope of Personal Data:
    1. The scope of Personal Data processed in relation to individual Data Subjects is as follows, unless the Contracting Parties agree otherwise: Personal Data of respondents, which will be stored via the Survio questionnaire on Survio’s servers, i.e. the data that end users fill in the questionnaires in the Survio system. The Personal Data may include, in particular, name, surname, gender, age, job position, address of residence, e-mail, etc. (hereinafter referred to as the “Personal Data”).
    2. The Processor undertakes to process the Personal Data only to the extent specified in the previous paragraph of this article, which is necessary for the provision of the Services.
    3. If the Processor violates the Processor’s obligations and processes Personal Data beyond the specified scope, the Processor does not do so on the basis of authorization of the Controller stipulated by this Agreement, and the Controller is not responsible for such processing of Personal Data and the Processor acts in relation to this Personal Data as the Controller of Personal Data according to the GDPR.
  3. Purpose of Personal Data Processing:
    1. The Processor performs the processing of Personal Data under this Agreement exclusively for the purpose of providing the Services (processing is necessary for the purposes of fulfilling the Main Agreement), unless the Contracting Parties agree otherwise.
    2. The Processor is not entitled to process Personal Data on the basis of this Agreement for a purpose other than specified in the previous paragraph of this article of the Agreement. If the Processor performs the processing of Personal Data for other purposes, it does not do so on the basis of the authorization of the Controller stipulated by this Agreement, the Controller is not responsible for such processing of Personal Data and the Processor acts in relation to this Personal Data as the Controller of Personal Data according to the GDPR. However, the Processor is obligated to notify the Controller in advance of such processing.
  4. Period of Personal Data Processing
    1. The Processor undertakes to process and store Personal Data only for the necessary period of time, but no longer than for the duration of this Agreement and the Main Agreement, unless the Contracting Parties agree otherwise.
    2. Upon termination of the Main Agreement or on the basis of a written instruction from the Controller, the Processor undertakes to delete or return all Personal Data to the Controller and delete any existing copies (backups). The Processor undertakes to perform these actions within 15 days from the day when the event occurred, due to which the Processor is obligated to delete or return the Personal Data. The Processor shall prove the performance of these actions upon the Controller’s request or provide a solemn declaration on the performance of the acts, which the Controller deems sufficient, unless the Controller has reasonable doubts about the Processor’s procedure.
    3. The Processor is entitled to proceed in violation of Article 4.2. of this Agreement, if the law imposes an obligation on the Processor to process Personal Data even after the termination of this Agreement.
    4. For the avoidance of any doubt, the Contracting Parties declare that this Agreement and the Main Agreement are interdependent agreements, and the Contracting Parties have agreed that the termination of the Main Agreement will cause the termination of this Agreement.

IV. RIGHTS AND OBLIGATIONS OF THE CONTRACTING PARTIES

  1. The Processor undertakes to:
    • process Personal Data only on the basis of documented instructions of the Controller; the Processor shall also follow the instructions of the Controller in the area of the transfer of Personal Data to third countries or international organizations, unless such processing is required by the law of the European Union or a Member State of the European Union, which applies to the Controller; in such a case, the Processor shall inform the Controller of this legal requirement prior to processing, unless such laws prohibit providing such information for important reasons of public interest;
    • take and systematically follow and control all measures necessary to ensure the protection of Personal Data, in particular against unauthorized and accidental access to Personal Data, their change, destruction or loss, unauthorized transfers and other unauthorized processing, as well as other misuse of Personal Data;
    • not involve any other Processor in the processing without the prior permission of the Controller. If the Controller grants permission to engage another processor, the same obligations to protect Personal Data as set out in this Agreement must be imposed on this other processor. If the other processor does not fulfil its data protection obligations, the Processor remains fully responsible for the fulfilment of the obligations of the other processor concerned;
    • take into account the nature of the processing and assist the Controller through appropriate technical and organizational measures in fulfilling the Controller’s obligation to respond to requests for the exercise of the rights of Data Subjects set out in Chapter III of the GDPR (Data Subject Rights); the Processor undertakes to immediately inform the Controller in the event that the Processor has received a request for the exercise of the rights of the Data Subject;
    • assist the Controller in ensuring compliance with the obligations under Articles 32 to 36 of the GDPR (Security of Personal Data), taking into account the nature of the processing of information available to the Processor;
    • provide the Controller with all information necessary to prove that the obligations of the Processor have been fulfilled, and to this end undertakes to enable the Controller to perform audits, including inspections performed by the Controller or an auditor appointed by the Controller for the audit, and to provide all necessary cooperation for such audits. The Processor is obligated to allow the Controller to perform the necessary audit within one week of receiving the Controller’s request. The Processor is obligated to make available to the Controller all necessary documentation for the purposes of the audit, in particular the list of implemented technical and organizational measures. The Processor is also obligated to allow the Office for Personal Data Protection and other supervisory bodies to carry out inspections according to the situation. The Processor is obligated to notify the Controller of these inspections;
    • immediately inform the Controller in the event that in the Processor’s opinion a certain instruction of the Controller violates the provisions of the GDPR or other regulations concerning the protection of Personal Data. The Processor is entitled to delay the execution of the instruction until the instruction is confirmed or modified by the Controller;
    • notify the Controller in an appropriate manner without undue delay in the event that the Processor learns of changes in the Personal Data submitted to the Processor by the Controller;
    • provide the Controller with all necessary information on the course of inspections or administrative proceedings carried out by the Office for Personal Data Protection;
    • notify the Controller without undue delay of any Personal Data breaches. The breach notification shall include, provided that such information is available to the Processor, in particular:
      • a description of the nature of the Personal Data breach, including, where possible, the categories and approximate number of Data Subjects concerned;
      • a description of the likely consequences of the Personal Data breach; and
      • a description of measures to address the Personal Data breach, including any measures to mitigate possible adverse effects.

      If it is not possible to provide the information under letters (i) to (iii) of this paragraph at the same time, it may be provided by the Processor afterwards.

  2. Both Contracting Parties undertake to:
    • implement appropriate technical and organizational safeguards to ensure a level of security commensurate with the risk. In assessing the appropriate level of security, it is necessary to take into account the risks posed by the processing, in particular accidental or unlawful destruction, loss, alteration or unauthorized disclosure of transmitted, stored or otherwise processed Personal Data or unauthorized access to such Personal Data. The Contracting Party is obligated to inform the other Contracting Party of any significant changes in technical and organizational safeguards before their adoption;
    • keep and continuously review and update records on the processing of Personal Data according to Article 30 of the GDPR;
    • inform each other of all circumstances relevant to the performance of the subject matter of this Agreement;
    • maintain the confidentiality of Personal Data and security measures, the disclosure of which would jeopardize the security of Personal Data, even after the termination of this Agreement;
    • act in accordance with other requirements of the GDPR, in particular to observe the general principles of personal data processing, to fulfil their notification obligations, not to transfer Personal Data to third parties without the necessary authorization, to respect the rights of Data Subjects and to provide necessary cooperation in this regard.

V. DATA PROTECTION OFFICER

  1. The Processor has appointed the following Data Protection Officer:

    Name: Richard Žižka
    Contact address: Hlinky 995/70, 603 00 Brno
    Phone: +420 725 008 003
    e-mail: support@survio.com

  2. In the event of a change in the Data Protection Officer or his/her contact details, the Processor is obligated to notify the Controller of the changes without undue delay.

VI. CONSENT TO THE INVOLVEMENT OF OTHER PROCESSORS

  1. The Controller hereby gives the Processor consent to involve other processors in the processing of personal data.
  2. Other processors who provide their services to the Processor are listed in the Personal Data Protection Rules.
  3. The Processor shall be entitled to involve another processor established outside the territory of the European Union only if such other processor has undertaken to comply with specific obligations in accordance with Article 44 et seq. of the GDPR.

VII. HANDLING OF CONFIDENTIAL INFORMATION

  1. The Contracting Parties agree that when providing the Services in accordance with the Main Agreement and this Agreement, the Controller will disclose information to the Processor. The Controller considers this information to be confidential and has no interest in disclosing it.
  2. The Controller intends to make available to the Processor information on the respondents to the questionnaires and their personal circumstances, which the Controller considers confidential.
  3. The Controller considers all information that meets the following criteria to be confidential:
    • any information or documentation provided by the Controller to the Processor in oral or written form, in particular information that the Processor learned during the provision of the Services under the Main Agreement and this Agreement, and
    • any information or documentation that can be described as information that is competitively significant, identifiable, appreciable and normally unavailable in the relevant circles, which, according to their originator or owner, should be kept secret.
  4. Information that is explicitly marked as such shall also be considered confidential. It is sufficient to mark the term “confidential”, e.g. on the packaging of the information carrier, in an e-mail, a fax message or other documents.
  5. Protection under this Agreement shall not apply to information:
    • which has become publicly available, unless this occurred in breach of the Contracting Party’s obligation to protect such information;
    • which was obtained by the Processor on the basis of a procedure independent of this Agreement or the other Contracting Party, if the Processor is able to prove this fact;
    • which was provided by a third party who did not obtain such information in breach of its duty of protection; and
    • which has been disclosed by the Processor with the prior written consent of the Controller.
  6. The Processor undertakes to protect, respect and not disclose this confidential information to third parties, even due to negligence, not to use any confidential information of the Controller for the Processor’s own needs, for the needs of the Processor’s own business or for the needs of any third party without the prior consent of the Controller. The Processor undertakes to make all reasonable efforts to prevent access to the above information to any unauthorized third party.
  7. The Processor is entitled to use this confidential information only for the purposes of providing the Services in accordance with the Main Agreement and this Agreement, and only for the duration of the cooperation of the Contracting Parties.
  8. The Processor undertakes to entrust the performance of the Processor’s duties only to employees who are acquainted with the obligations arising for the Processor under this Agreement and applicable laws and will be bound by the duty of confidentiality at least to the same extent as the Processor is bound. The Processor is obligated to regularly check the employees’ compliance with the above-stated obligations.
  9. At the same time, the Processor undertakes not to attempt to ascertain or in any way examine the essence or nature of the confidential information provided. In the event that the activities of the Processor in accordance with this Agreement and the Main Agreement reveal the nature of confidential information, the Processor is in no way entitled to handle the information thus obtained and undertakes to keep it confidential.
  10. The Processor undertakes to treat confidential information as confidential throughout the existence of the confidential information, even after the termination of the cooperation, unless such information is disclosed or made available.

VIII. FINAL PROVISIONS

  1. This Agreement shall enter into force and take effect on the day when the Processor receives the Controller’s consent to this Agreement (e.g. by checking the box when concluding the Main Agreement) and is concluded for an indefinite period.
  2. Each of the Contracting Parties is entitled to withdraw from this Agreement in the event of a material breach of this Agreement. The Controller acknowledges that the termination of this Agreement also means the termination of the Main Agreement, unless the Contracting Parties agree otherwise.
  3. Notice: In case of any discrepancies between the English and Czech language versions of these Personal Data Protection Rules, the English version shall prevail. The English version is available at www.survio.com.
  4. This Agreement is governed by and construed in accordance with the laws of the Czech Republic, regardless of its conflict of law provisions.
  5. The Contracting Parties undertake to settle any disputes arising out of and in connection with this Agreement preferentially by mutual agreement. Only if the dispute concerning this Agreement or the legal relations related to it cannot be resolved amicably, the Contracting Parties are entitled to resolve this dispute before the Czech court having the subject-matter jurisdiction. Territorial jurisdiction will be determined according to the registered office of the Controller.
  6. The Contracting Parties confirm that they have read the text of this Agreement and are aware of its meaning. Furthermore, the Contracting Parties confirm that they have fully and without any difficulties understood all the provisions of the Agreement and do not consider them to be disadvantageous.

ANNEX NO. 1 - TECHNICAL AND ORGANIZATIONAL MEASURES OF THE PROCESSOR

The Processor itself, or through other processors, uses the following technical and organizational measures to secure the data:

Are measures taken to protect against unauthorized access to data?

YES
  • To enter the building/office
  • Access authorization
  • Security system
  • Key Control Policy
  • Visitor Policy (especially the requirement of all visitors being accompanied by employees)
  • Data carriers can only be stored in locked rooms

Is there protection against access by unauthorized persons?

YES
  • Access to data only after logging into the system
  • Use of encryption
  • Workplace password protection
  • Use of individual passwords
  • Automatic blocking of access after re-entering the wrong password
  • Automatic user logout after a long period of inactivity
  • Rules for choosing and handling passwords: At least 8 characters, uppercase and lowercase, special character, numbers (at least 4 of these criteria)
  • Protection against choosing easy-to-guess passwords
  • Rules for data shredding/deletion

Have measures been taken against unauthorized activities in the data processing systems outside the scope of the granted authorization?

YES
  • Access authorization policy
  • Data recovery rules (authorized person, event)
  • Use of an antivirus program
  • Use of a firewall
  • SPAM filter

Is the processing of data divided according to the purpose for which they were collected?

YES
  • Data division according to the position of Controller and Processor
  • Data division according to the following rules (name x ID number of the client)
  • Division of data of clients, customers and other persons among various employees

Is pseudonymization used?

YES
  • Used if practicable

Is data protected during transmission?

YES
  • Use of VPN
  • Sending data by e-mail in encrypted/password-protected folders
  • Data exchange only with secure https protocol
  • Encryption of data on PCs and external data carriers, if used
  • Data encryption on mobile devices
  • Possibility of information retrieval on data handling

Have measures been taken to protect data from loss and accidental deletion?

YES
  • Data protection and backup
  • Adoption of rules for data protection and backups
  • Fire protection system
  • Smoke detectors in the server room
  • Server rooms with temperature control
  • Storing data backups in different areas with fire-fighting equipment

Does a risk assessment take place?

YES
  • Definition of critical components
  • Not using (deactivating) unnecessary components
  • Timely and regular software updates
  • Organizing regular safety training

Are there rules for reviewing, evaluating and assessing the effectiveness of data security measures?

YES
  • Internal policies for the processing of personal data and their regular updating
  • Notification of changes in data processing processes to data protection officers
  • Selection of default settings corresponding to data protection

Is the processing of the provided data by other processors reviewed?

YES
  • Contracts for the processing of personal data drawn up in accordance with the GDPR
  • Ensuring audits where necessary
  • Review of technical and organizational measures

What important organizational measures are taken?

YES
  • Data Protection Officer appointed
  • Obligation of confidentiality imposed on employees
  • Personal Data Processing Policy
  • Internal guidelines
  • Regular employee training
  • Regular inspection by the Data Protection Officer

In addition to the above measures, the Processor declares that the Processor holds the ISO/IEC 27001 certificate, which guarantees that the Processor meets internationally recognized standards for information security management systems.
