🔄 We are currently updating our documentation. Some pages may be outdated during this process. We apologize for any inconvenience caused.
The general features are quite simple. For all new quests created after the 25th of May 2018, GDPR will be enabled by default. This means that the controller will have to create a GDPR statement describing the purpose, duration etc. of collecting the data, and that the data subject will have to accept this on a comply page in order to respond to the quest. Moreover, the controller must make sure to flag any question containing personal data (by default, all open answer questions, as well as any uploaded respondent data, will be pre-flagged as personal data). When the retention period set for the personal data is up, all data flagged as personal (as well as the IP address) will be deleted from the system, and the respondent’s e-mail address will be anonymized.
We provide the following features:
Any personal data collected before 25th of May, 2018 has been automatically deleted.
You have the option to delete personal data that was collected before you activated GDPR settings for any particular Quest.
Use case:
You have a running quest with 50 collected responses. The controller enables GDPR and flags a few questions as personal data. The automatic deletion will take care of any new responses coming in, but for the existing responses, pre-GDPR activation, the controller will have to click “Delete personal data pre-GDPR” in order to do the same with the 50 existing responses.
To be able to cater for the GDPR requirements, data subjects (respondents) can request to either have their personal data exported in a readable format or completely deleted. In short this will consist of expanding the current delete function in the responses grid on the follow-up page, as well as when viewing an individual response in follow-up.
When opting to delete a response, the controller will be presented with two options:
The export in Essentials already caters for the export of personal data including the option to att IP address to the exported file.
To cater for this, we have introduced a separate “invitation retention period” to the GDPR settings accordion, where the controller can define how long the data uploaded should remain in our system before being deleted. Moreover, we have also introduced a button for deleting the invitation data uploaded prior to enabling GDPR on the quest. Read more
| Field label | Mandatory | Example for employee engagement |
| Company name (controller) | yes | Questback AS |
Contact Details
|
yes | Bogstadveien 54, Oslo |
| Controller’s representative (if applicable) | no | Kanzlei Vollpfeifen & Partner ADDRESS |
| Purpose of each processing operation for which consent is sought | yes | The purpose for the processing of personal data for the defined use case is to comply with company regulations regarding continuous dialogue with employees about their work environment, job satisfaction, career opportunities and other elements relevant to their position in the company. Company will use the personal data in order to assess trends in employee satisfaction over years, in order to pinpoint areas where measures are needed for increased employee satisfaction, or to mitigate negative working environment. |
| What personal data will be collected and used | no | Name, email. |
| What special categories of personal data will be collected and used | no | sexual orientation, health information, trade union membership |
| Retention period | yes | 3 months |
| Criteria used to determine processing period (if no retention period has been defined) | yes if unlimited retention period | after 250 survey are completed |
| Legal basis for processing | no | consent |
| egitimate interest of controller or third party (if applicable) | no | evaluate and assess customer satisfaction, improve workplace culture and atmosphere |
| Recipients or categories of recipients of the personal data | no | HR, Senior managemant |
| Transfer of data to a non-EU/EEC country or international organisation, and safeguards | no | transfer to USA based on EU standards clauses |
| Statutory or contractual requirement (if applicable) | none | |
| Automated decision making | no | none |
| Information on data subject rights | no | text |
| Information on right to withdraw consent | no | text |
| Information on supervisory authority | no | text |
| Name & contact details of data protection officer (if applicable) | no | Dr. Kinast und Partner ADRESSE |
Did you find an answer to your question? Under documentation we have gathered informative descriptions that helps you understand Essential's functionality fully. Through insight work, you raise the level of knowledge in the entire organization
