Survio recognizes that its customers, visitors, users and others utilizing the Survio System or visiting the Survio website value their privacy. This document (Personal Data Protection Rules) contains important information pertaining to the processing of personal data by our company.
We would therefore like to inform you of the principles and procedures in the processing of personal data, which is conducted in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “GDPR”).
Please note: In the event of any discrepancies between the English and Czech language version of these Personal Data Protection Rules, the English version shall prevail. The English version is available at www.survio.com.
The following terms, among others, are used within the text – “User”, “Survio Sites/Questionnaires” and “Third Party”, the definition of which is set out in the Terms.
Further, under the term “Agreement”, we mean a legal act on the basis of which the provider undertakes to provide you with its services, whether for payment or free of charge.
Under the term “Survio System”, we mean software that enables Users to create questionnaires/surveys according to the User’s requirements.
I. Basic Information
Controller’s Identification and Contact Information: Survio s.r.o., identification number (IČ) 28300785, with registered office at Brno, Hlinky 995/70, PSČ 60300, Czech republic, contact address: Hlinky 78a, Brno, 603 00, Czech republic a company registered in the Commercial Register with the Regional Court in Brno, section C, file 59684 (hereinafter also referred to as “Survio” or “we”), contact e-mail: email@example.com.
Data Protection Officer: A data protection officer has not been appointed.
Transfer of Personal Data to a Third Country or International Organization: Survio transfers personal data to third countries, specifically the United States of America, but only to companies that have undertaken to comply with the principles of personal data protection imposed through a Privacy Shield. Such companies operate only in the position of personal data processors.
Automated Individual Decision-Making: Survio does not conduct profiling or automated individual decision-making.
Information on the Nature of the Provision of Data: If personal data are being processed for the purpose of the fulfillment of an agreement or the fulfillment of legal obligations, the provision of data is a statutory requirement. If personal data are being processed on the basis of the consent of the data subject, the provision of data is a contractual requirement.
Supervisory Authority: The supervisory authority is the Office for Personal Data Protection with registered office at Pplk. Sochora 27, 170 00 Praha 7, Czech republic, e-mail: firstname.lastname@example.org, tel.: +420 234 665 125.
Survio operates both in the position of a personal data controller, as well as in the position of a personal data processor. Survio operates in the position of a personal data controller in relation to the personal data of Users and of natural persons who visit the Survio website (Art. II of these Rules). In relation to personal data that the User stores on Survio servers (the User puts together a questionnaire in which respondents fill in their personal data), Survio operates as a processor, as it only provides the User with data space for the purposes of data storage. The controller of such personal data is the User itself (Art. III of these Terms).
II. Survio as a Personal Data Controller
Survio operates in the position of a personal data controller in relation to the personal data of Users and natural persons who visit the Survio website.
Why do we process personal data?
For the purpose of the fulfilment of an agreement or the fulfilment of legal obligations, Survio processes primarily the following personal data: name, surname, company name, identification number, tax identification number, residence/registered address, telephone, e-mail.
Survio also processes data that it obtains from the User and other natural persons through their use of the Survio system or their visits to the Survio website: cookie files, protocol files (IP address, or other online identifiers).
In the event that Survio intends to process different personal data than as stated in this article, or for different purposes, it can only do so on the basis of a validly granted consent to the processing of personal data. Consent to the processing of personal data must be granted in a separate document.
Survio declares that it does not process the payment information of Users. All payment information is processed by a third party, specifically by the company cleverbridge AG, with registered office at Gereonstr. 43-65, 50670 Cologne, Federal Republic of Germany.
For what period of time do we process personal data?
The personal data of Users are processed for the duration of the contractual relationship. After the account is cancelled by the User, all data are erased. We process personal data in order to fulfill obligations arising from special legal regulations for the time as set out by such legal regulations.
Where do we obtain personal data?
We obtain personal data directly from data subjects when entering into the Agreement. We always inform data subjects as to which of their personal data they must provide for the purposes of fulfilling the Agreement.
III. Survio as a Personal Data Processor
Survio provides the User with data space for the purposes of storing data operated within the Survio system, on Survio servers. The User’s data may also include the personal data of natural persons. In regard to personal data that the User stores on our servers (personal data of respondents), we operate as a personal data processor. The controller of such personal data is the User itself.
Notice for the User
If you will be collecting the personal data of natural persons through questionnaires, you become a personal data collector and you are obligated to comply with all personal data protection rules set out by the GDPR and by other legal regulations governing such issue. Survio does not bear any liability for a breach of personal data protection rules by Users.
Notice for respondents
The utilization of the Survio system may be subject to the principles and rules of the given User, if Users have such principles. If you provide your personal data to Users, contact the User directly with any questions regarding personal data protection, as the User is in the position of a personal data controller. We cannot be liable for the personal data protection principles or security procedures used by the User, which may differ from these Personal Data Protection Rules.
What is the purpose of processing and how do we handle data?
Survio does not conduct any operations with Users’ data, including personal data, with the exception of storing them on Survio servers, does not intervene in them in any manner, does not modify them, does not make them accessible, nor does it transfer them to third parties (with the exception of making them accessible to state authorities in accordance with the law), unless the Agreement provides otherwise. The sole purpose of handling such personal data is their storage and the possibility of them being accessed by the User.
What kind of personal data do we process?
We only process such personal data of respondents that will be stored through a Survio questionnaire on Survio servers, i.e. data that end users fill into questionnaires within the Survio system. These may be primarily name, surname, gender, age, job position, residence address, e-mail, etc.
For what period of time do we process personal data?
Survio processes personal data for the duration of the contractual relationship with the User. After the account is cancelled by the User, all data are erased.
IV. Recipients of Personal Data
Survio does not transfer personal data to any other controllers. Processors of personal data are:
- companies or natural personas doing business engaging in accounting that are authorized to conduct accounting operations;
- companies or natural persons doing business engaging in IT solutions that are authorized to conduct IT administration and the development of software programs that Survio utilizes;
- companies or natural persons doing business providing server services that are authorized to store data;
- companies providing services in the area of sending out email messages.
The processing of personal data may be conducted by processors exclusively on the basis of a personal data processing agreement, i.e. with guarantees of the organizational and technical security of such data with the definition of the purpose of processing, whereby processors cannot use data for other purposes.
Under certain conditions, personal data may be made available to state authorities (courts, police, notaries, financial authorities, etc., within the scope of the exercise of their statutory powers) or may be provided to other entities within the scope as set out by a special law.
V. Data Security Methods
For the purpose of securing the User’s data against their unauthorized or accidental disclosure, we utilize reasonable and appropriate technical and organizational measures. Technical measures consist in the application of technologies that prevent unauthorized access to the User’s data by third parties. For the purpose of maximum protection, we use encryption of the User’s and end users’ data, primarily including passwords for logging into the Survio system, communication within the Survio system and all data stored on servers. Organizational measures comprise a set of rules of behavior for our employees and are incorporated into Survio’s internal regulations, which are, however, considered confidential due to security reasons. Survio takes to ensure that, in the event of the placement of servers at a data center operated by a third party, similar technical and organizational measures are also implemented by such third party.
All data are placed only on servers located within the European Union or in countries ensuring personal data protection in a manner equivalent to the protection ensured by the legal regulations of the Czech Republic.
VI. Rights of Data Subjects
As a data subject, you have:
- (a) the right to access to personal data: a data subject has the right to obtain from Survio a confirmation of whether personal data pertaining to him/her are or are not being processed, and if so, he/she has the right to access to such personal data and to the following information: a) the purpose of processing; b) the category of personal data affected; c) the recipients to whom personal data have been or will be made available; d) the planned time period for which the personal data will be stored; e) the existence of the right to require the rectification or erasure of personal data from the controller or a restriction on their processing, or to lodge an objection against such processing; f) the right to submit a complaint with a supervisory authority; g) all available information on the source of personal data, if not obtained from the data subject; h) the fact that automated decision-making is occurring, including profiling. The data subject also has the right to obtain a copy of the personal data being processed.
- (b) the right to the rectification of personal data: the data subject has the right to require that we rectify inaccurate personal data pertaining to him/her without undue delay, or that we complete incomplete personal data.
- (c) the right to the erasure of personal data: the data subject has the right to require that we erase personal data pertaining to him/her without undue delay in the event that: a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; b) the data subject withdraws the consent on the basis of which the data were processed, and there is no other legal reason for processing; c) the data subject lodges objections against processing and there are no prevailing legitimate reasons for processing; d) personal data have been processed unlawfully; e) personal data must be erased in order to fulfill a legal obligation set out in the law of the Union or of the Czech Republic; f) personal data have been collected in connection with an offer of information society services. However, the right to erasure shall not apply if the processing is necessary in order to fulfil legal obligations, for the establishment, exercise or defense of legal claims, and in other cases set out by the GDPR.
- (d) the right to the restriction of processing: the data subject has the right to require that we restrict processing, in any of the following cases: a) the data subject refutes the accuracy of the personal data, for the period of time necessary in order for us to be able to verify the accuracy of the personal data; b) the processing of data is illegal and the data subject refuses to allow the erasure of the personal data and requests, in place thereof, the restriction of their use; c) Survio no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defense of legal claims; d) the data subject has lodged an objection against processing, until it is verified whether our legitimate reasons prevail over the legitimate reasons of the data subject.
- (e) the right to lodge a complaint against processing: the data subject has the right, for reasons pertaining to his/her specific situation, to lodge a complaint at any time against the processing of personal data that pertain to him/her and that we are processing on grounds of his/her legitimate interest. In such a case, Survio does not process the personal data further, unless it proves compelling legitimate interests for processing that prevail over the interests or rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims.
- (f) the right to data portability: the data subject has the right to obtain personal data pertaining to him/her and that he/she has provided us with, in a structured, commonly-used and machine-readable format, and the right to transmit such data to another controller, without Survio hindering it, in the event that: a) processing is based upon consent and b) processing is conducted in an automated manner. In the exercise of his/her right to data portability, the data subject has the right for personal data to be transmitted directly by one controller to another controller, if this is technically feasible.
- (g) the right to lodge a complaint with the supervisory authority: ff the data subject believes that we are not processing his/her personal data in a lawful manner, he/she has the right to lodge a complaint with the supervisory authority. The supervisory authority is the Office for Personal Data Protection with registered office at Pplk. Sochora 27, 170 00 Praha 7, Czech republic, e-mail: email@example.com, tel.: +420 234 665 125.
- (h) the right to information regarding the rectification or erasure of personal data or restriction of processing: we are obligated to notify individual recipients to whom personal data have been made available of all rectifications or erasures of personal data or restrictions of processing, with the exception of cases when this proves impossible or requires disproportionate effort. If the data subject requests it, we inform the data subject of such recipients.
- (i) the right to be informed in the event of a breach of personal data security: if it is likely that a certain case of a breach of personal data security will result in a high risk to the rights and freedoms of natural persons, we are obligated to notify the data subject of such breach without undue delay.
- (j) the right to withdraw consent to the processing of personal data: in the event that the processing of some of the personal data is being conducted on the basis of a consent, the data subject has the right to withdraw his/her consent to the processing of personal data in writing at any time, by sending a disapproval of the processing of personal data to the e-mail address firstname.lastname@example.org.
VII. Cookie Files and Protocol Files
We use cookie files, which are small text files that identify the user of the website www.survio.com and record the user’s user activities. The text in a cookie file is often comprised of a series of numbers and letters that positively identify the user’s computer, but do not provide any specific personal data on the User.
The website www.survio.com automatically identifies the user’s IP address. An IP address is a number automatically assigned to the user’s computer after connecting to the internet. All such information is recorded in an activity file by the server, which enables the subsequent processing of data.
Cookie files and similar technologies serve several purposes, which include:
- Log-in and verification: As soon as the User uses a personal account in order to log on, an encrypted cookie file is stored on the User’s device, which enables the User to move between the pages of the website without the need to repeatedly log on. The User can also save their log-in information so that they do not need to log in every time they return to the website www.survio.com.
- Editing: Survio uses cookie files in order to adjust the content and information to the requirements of Users in order to ensure the user-friendliness of the website.
- Marketing: Survio uses cookie files in order to monitor its advertising campaigns, and for the monitoring of User submissions, applications and discount coupons, promotions and contests.
- Diagnostics: Survio uses cookie files for the purpose of diagnosing and repairing technical problems reported by Users or programmers that are associated with the IP addresses under the control of a specific web company or connection provider.
- Analysis: Survio uses cookie files and other identifiers for the purpose of collecting data on the use and performance of the website www.survio.com.
There may also be third party cookie files located on the website www.survio.com. This may be, for example, because we have authorized a third party to conduct a website analysis. Survio utilizes the following service providers:
- Microsoft Corporation (bing.com)
- Tapfiliate B.V. (tapfiliate.com)
- Seznam.cz, a.s. (imedia.cz)
- Facebook, Inc. (facebook.com, facebook.net)
- Google Inc. (googleapis.com, google-analytics.com, google.com, google.cz, googleadservices.com, googletagmanager.com)
- New Relic, Inc. (newrelic.com)
- Datadog, Inc. (datadoghq.com)
- Oracle America, Inc. (addthis.com)
- ROLLBAR, INC. (rollbar.com)
- Smartsupp.com, s.r.o. (smartlook.com)
We utilize two types of cookie files – permanent and one-time. A permanent cookie file remains on the hard disk even after the browser is closed. Permanent cookie files may be used by the browser during subsequent visits to the website www.survio.com. Permanent cookie files may be removed. One-time cookie files are temporary and are erased as soon as you close the browser.
Instructions for blocking or removing cookie files in browsers can generally be found in the personal data protection principles or in the user guide documentation of individual browsers.
The User’s browser automatically reports certain information upon every display of the website www.survio.com. When registering on the website www.survio.com or when browsing the website, servers automatically record certain information that the web browser sends upon every visit to the website. These server protocols (so-called “log files”) may contain information such as a web request, IP address, type of internet browser, browser language, linking / exit sites and URLs, platform type, number of clicks, domain names, entry portals, number of pages seen and the order of such pages, the amount of time spent on certain pages, the date and time of a submitted request, and one or more cookie files that may positively identify the web browser.
VIII. Applicable Personal Data Protection Legislation
Survio declares that in the provision of personal data protection, it abides primarily by the following legal regulations:
European Union Legislation
All of the legislation based upon Article 16 of the Treaty on the Functioning of the European Union and Article 7 and 8 of the Charter of Fundamental Rights of the European Union, specifically:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
- Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector;
- Commission Regulation (EU) No. 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (to a limited extent);
- Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (to a limited extent).
Council of Europe Legislation
- Council of Europe Convention No. 108 dated 28 January 1981 for the Protection of Individuals with Regard to Automatic Processing of Personal Data.
Czech Republic Legislation
- Act No. 101/2000 Coll., on the Protection of Personal Data;
- Act No. 121/2000 Coll., the Act on Copyright, on Rights Related to Copyright.
IX. Final Provisions
By entering into the Agreement, the User confirms that it has acquainted itself with these Personal Data Protection Rules.
Last modified 05/20/2018.