The GDPR and Feedier
About the GDPR
The General Data Protection Regulation (GDPR) comes into effect on May 25th, 2018, and the new regulations will have wide-ranging impacts on organizations that collect and process data in the EU. On the most basic level, the GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data.
Specifically, the GDPR regulates the processing of personal data about individuals in the European Union including its collection, storage, transfer and/or use. It gives data subjects more rights and control over their data by regulating how companies handle and store the personal data they collect.
It is imperative for enterprise companies, in particular, to prepare for these changes as the new regulations come with increased enforcement and failure to comply can lead to greater fines. Even if you have no entity or presence in the EU, the GDPR may still apply to your company.
Is Feedier (Alkalab SAS) ready for the GDPR?
At Alkalab SAS, we are committed to the security of your data and protecting the privacy of your clients. Alkalab SAS endeavors to develop its services using the Privacy by Design and Privacy by Default philosophies. This means we consider privacy and personal data protection throughout all parts of our product development lifecycle. Our services are designed to limit personal data collection by default, requiring you as a customer to explicitly enable features that collect more information. All personal data is stored in AWS Region EU (Ireland), meaning in the European Union. The customer portal and API are also hosted in the same location. Where possible, Alkalab SAS will perform processing activities and analysis on anonymised or pseudonymised data. This means we will exclude or remove any screenshots, IP addresses, email addresses, free-form (text) responses and any identifiers that link the feedback item to the original item which may contain personal data before processing it.
Our Role as a Data Controller and Data Processor
Feedier has customers who are both companies and individuals.
We offer a product to companies that allows them to collect and analyze product feedback provided by individuals who may reside in the EU. In this case, through our contract with the company who is our customer, we are acting as a data processor. We collect, store, and retrieve data on their behalf and at their request. We also use our own product to collect, store, and retrieve data to analyze our own product. In this capacity, we are both a data controller and data processor, since the data processing is happening for our own purposes.
Our Use of Third Party Data Processors
Feedier makes use of third party services in infrastructure, reporting, and analytics. It is our obligation to ensure that the processing of data on our behalf is also GDPR compliant. For the details of our third-party tools, please refer to the privacy page.
When acting in our role as a data processor, it is the obligation of the data controller (our customer, a company) to ensure that they have collected consent and made clear that personal data is being collected for the purposes served by the Feedier platform.
When acting in our role as a data controller, it is our obligation to make sure that we have collected consent to allow us to store and use data for the purposes served by the Feedier platform.
Since these are not the only ways to provide personal data to Feedier (for example, personal data can be submitted to us by data controllers through the API or data import functionality), data controllers must still ensure that they have appropriate consent collected for EU residents.
All details about the data we collect can be found on our Privacy page.
Your rights and responsibilities
Feedier is required to be in compliance with the GDPR since we offer services to residents of the EU. In order to offer our service, we must collect data that can identify people. In addition to our obligation to follow the regulation, Feedier intends to follow best practices in privacy and protection of data. In accordance with the French Data Protection Laws and the European General Data Protection Regulation 2016/679 (GDPR) you have a right of access, correction and removal of your personal data which you may exercise by sending us an email at [email protected]. Your requests will be processed within 30 days. We may require that your request be accompanied by a photocopy of proof of identity or authority.
One of the main drivers of the GDPR is informing your customers/users about your data policies. It is therefore crucial that when you ask for insights or feedback through Feedier, you make it easy for your users to see your data policy as explained in your Privacy Statement. We made it possible for you to use the Footer Note (available from the Settings page of every Carrier) to add:
- A link to your own terms & conditions
- A link to your own privacy statement
- A short description / summary about your policies
Notification in the event of a Data Breach
We will notify the owners of Feedier accounts within 48 hours of the discovery of a data breach. We will work with our customers to inform Data Subjects of the breach.
Data Processing Agreements
Enterprise customers who have custom DPAs can submit the DPA for review to [email protected].