A. General Information
When does this Privacy Statement apply?
This Privacy Statement applies to information that can be used to identify you (“Personal Data”) and that you provide to Qualtrics or which is derived from the Personal Data as outlined below. Qualtrics (as defined below) usage of cookies is subject to a separate cookie statement.
Who is the Data Controller?
The data controller of www.qualtrics.com is Qualtrics LLC, 333 W. River Park Drive, Provo, UT 84604, United States of America (“Qualtrics”). Where a registration form is presented on this website, the data controller may vary depending on the actual offering or the purpose of the data collection but it is in any case displayed on the individual registration form’s privacy statement. Qualtrics’ data protection officer can be reached at email@example.com.
What Personal Data does Qualtrics collect?
In the normal course of business, Qualtrics collects Personal Data such as contact information (e.g., name, address, phone number, email address, and your employer) and payment details for customers.
Why does Qualtrics need your Personal Data?
Qualtrics requires your personal data to provide you with access to Qualtrics’ services, to comply with contractual and statutory obligations, including checks required by applicable export laws and to stay in touch with you. Although providing your Personal Data is voluntary, without your Personal Data, Qualtrics cannot provide you with access to its services.
From what types of third parties does Qualtrics obtain Personal Data?
In most cases Qualtrics collects Personal Data from you. Qualtrics might also obtain Personal Data from third parties, if the applicable national law allows Qualtrics to do so. Qualtrics will treat this Personal Data according to this Privacy Statement, plus any additional restrictions imposed by the third party that provided Qualtrics with it or the applicable national law. These third-party sources include Qualtrics or the SAP Group’s business dealings with your employer (for details, please see “Contract Performance” subsection of Section B below) or third parties you directed to share your Personal Data with Qualtrics (e.g. in case of an event where you permit the host of the event to share your registration data with Qualtrics).
How long will Qualtrics store my Personal Data?
Qualtrics will only store your Personal Data for as long as it is required for the performance of contractual obligations, to make its services available to you, for Qualtrics to comply with its statutory obligations resulting from applicable export laws, and to fulfill the purposes outlined in this Privacy Statement.
Qualtrics will also retain your Personal Data for additional periods if applicable laws require it.
Who are recipients of your Personal Data and where will it be processed?
Your personal data will be passed on to the following categories of third parties for processing: companies within the SAP group; vicarious agents (e.g., third party service providers for consulting services and other additional related services); other services providers (e.g. for the provision of the website); state agencies and bodies if required by law.
As part of a global group of companies operating internationally, Qualtrics has affiliates (the “SAP Group”) and third-party service providers outside of the European Economic Area (the “EEA”) and will transfer your Personal Data to countries outside the EA. If these transfers are to a country for which the EU Commission has not issued an adequacy decision, Qualtrics uses the EU standard contractual clauses to contractually require that your Personal Data receives a level of data protection consistent with the EEA. You can obtain a copy of such standard contractual clauses by sending a request to firstname.lastname@example.org. You can also obtain more information from the European Commission on the international dimension of data protection here.
While Qualtrics is certified under the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield, Qualtrics no longer relies on Privacy Shield for transfers of Data to the US. For more details about the Privacy Shield program, please visit https://www.privacyshield.gov/.
The key goals of Privacy Shield are to inform both EU and Swiss individuals about:
- the right of individuals to access their personal data
- the choices and means an organization offers individuals for limiting the use and disclosure of their personal data
- the requirement for an organization to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements
Qualtrics’ Privacy Shield self-certification does not cover human resources data.
Privacy Shield may provide individuals the right to (i) access the data that we hold about them, (ii) request that we correct, amend, or delete it if it is inaccurate or processed in violation of the Privacy Shield, or (iii) limit the use and disclosure of their personal information. In compliance with the Privacy Shield Principles, Qualtrics commits to resolve complaints about our collection or use of personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Qualtrics at: email@example.com.
Qualtrics has further committed to refer unresolved Privacy Shield complaints to the American Arbitration Association (AAA), an alternative dispute resolution provider located in the United States. If an individual does not receive timely acknowledgment of its complaint from us, or if we have not addressed an individual’s complaint satisfactorily, such individual should contact the AAA for more information or to file a complaint (contact details below). The services of the AAA are provided at no cost.
Because adequate protection is provided by Privacy Shield participants, contracts with Privacy Shield participants for mere processing do not require prior authorization (or such authorization will be granted automatically by the EU Member States), as would be required for contracts with recipients not participating in the Privacy Shield or otherwise not providing adequate protection.
Qualtrics self-certifies with Privacy Shield. A self-assessment is signed by a company officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. Qualtrics is required to respond promptly to EU or Swiss individual inquiries, and other requests for information from the Department of Commerce relating to its adherence to the Privacy Shield Principles.
Under Privacy Shield, an individual has the right, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. Under Privacy Shield, Qualtrics must respond to individual complaints within 45 days. For additional information, visit: https://www.privacyshield.gov/article?id=ANNEX-I-introduction
Qualtrics’ Independent Dispute Resolution (IDR) Provider is:
American Arbitration Association
International Centre for Dispute Resolution
New York City, New York, USA
What are your data protection rights?
You can request from Qualtrics access at any time to information about which Personal Data Qualtrics processes about you and the correction or deletion of such Personal Data. Please note, however, that Qualtrics can or will delete your Personal Data only if there is no statutory obligation or prevailing right of Qualtrics to retain it. Kindly note further that if you request that Qualtrics deletes your Personal Data, you will not be able to continue to use any Qualtrics service that requires Qualtrics’ use of your Personal Data.
If Qualtrics uses your Personal Data based on your consent or to perform a contract with you, you can further request from Qualtrics a copy of the Personal Data that you have provided to Qualtrics. In this case, please contact the email address below and specify the information or processing activities to which your request relates, the format in which you would like to receive this information, and whether the Personal Data should be sent to you or another recipient. Qualtrics will carefully consider your request and discuss with you how it can best fulfill it.
Furthermore, you can request from Qualtrics that Qualtrics restricts your Personal Data from any further processing in any of the following events: (i) you state that the Personal Data Qualtrics has about you is incorrect, subject to the time Qualtrics requires to check the accuracy of the relevant Personal Data; (ii) there is no legal basis for Qualtrics processing your Personal Data and you demand that Qualtrics restricts your Personal Data from further processing; (iii) Qualtrics no longer requires your Personal Data but you state that you require Qualtrics to retain such data in order to claim or exercise legal rights or to defend against third party claims; or (iv) in case you object to the processing of your Personal Data by Qualtrics based on Qualtrics legitimate interest (as further set out below), subject to the time required for Qualtrics to determine whether it has a prevailing interest or legal obligation in processing your Personal Data.
For individuals within the State of California, you instead have the right:
- to request from Qualtrics access to your Personal Data that Qualtrics collects, uses, discloses, or sells (if applicable) about you;
- to request that Qualtrics deletes Personal Data about you;
- to opt-out of the sale of Personal Data, if applicable;
- to non-discriminatory treatment for exercise of any of your data protection rights;
- in case of request from Qualtrics for access to your Personal Data, for such information to be portable, if possible, in a readily usable format that allows you to transmit this information to another recipient without hindrance.
How can you exercise your data protection rights?
Please direct any requests to exercise your rights to firstname.lastname@example.org, or, if you are located in the State of California, you can also call toll-free using the numbers provided here. You can also designate another person to submit requests to exercise your data protection rights to Qualtrics. You can give authorization to such person by granting them a limited power of attorney to exercise your data protection rights on your behalf.
How will Qualtrics verify requests to exercise data protection rights?
Qualtrics will take sets to ensure that it verifies your identity to a reasonable degree of certainty before it will process the data protection right you want to exercise. When feasible, Qualtrics will match Personal Data provided by you in submitting a request to exercise your rights with information already maintained by Qualtrics. This could include matching two or more data points that are already maintained by us.
In accordance with the verification process set forth in the California Consumer Privacy Act (“CCPA”), Qualtrics will require a more stringent verification process for deletion requests, or for Personal Data that is considered sensitive or valuable, to minimize the harm that might be posed to you by unauthorized access or deletion of your Personal Data. If Qualtrics must request additional information from you outside of information that is already maintained by Qualtrics, Qualtrics will only use it for the purposes of verifying your identity so you can exercise your data protection rights, or for security and fraud-prevention purposes.
Qualtrics will decline to process requests that are manifestly unfounded, excessive, fraudulent, or are not otherwise required by local law.
If you take the view that Qualtrics is not processing your Personal Data in accordance with the requirements in this Privacy Statement or under applicable EEA data protection laws, you can at any time lodge a complaint with the data protection
authority of the EEA country where you live.
B. Processing based on a statutory permission
Why does Qualtrics need to use my Personal Data and on what legal basis is Qualtrics using it?
Providing the requested services. Qualtrics requires your Personal Data to deliver services you order under a contract Qualtrics has with you, to establish a contract for goods or services between you and Qualtrics, and to send you invoices for ordered services. Qualtrics processes Personal Data to fulfill contractual obligations pursuant to Article 6(1), Subparagraph 1(b) GDPR.
Ensuring compliance. Qualtrics and its products, technologies, and services are subject to the export laws, trade sanctions, and embargoes (“Export Laws”) of various countries including, without limitation, those of the European Union (“EU”), Germany and of the United States of America. Therefore, You acknowledge that, pursuant to the applicable Export Laws issued by these countries, Qualtrics is required to:
(a) take measures to prevent persons, entities and organizations listed on government-issued sanctioned party lists from accessing certain products, technologies, and services through Qualtrics’s websites or other delivery channels controlled by Qualtrics. This may include (i) automated checks of any user registration data as set out herein and other information a user provides about his or her identity against applicable sanctioned-party lists; (ii) regular repetition of such checks whenever a sanctioned-party list is updated or when a user updates his or her information; (iii) blocking of access to Qualtrics’s services and systems in case of a potential match; and (iv) contacting a user to confirm his or her identity in case of a potential match; and
(b) ensure that no individuals from embargoed countries access its services. Therefore, when an existing user logs into a website, app or cloud service of Qualtrics from an embargoed country, the user’s registration data and IP address may be used by Qualtrics to block the user’s access and to log access attempts from embargoed countries.
Any such usage of registration data and IP addresses by Qualtrics is necessary for Qualtrics’ compliance with applicable EU Export Laws (Article 6 para. 1 (c) GDPR) and Qualtrics’s legitimate interest to comply with non-EU Export Laws (Article 6 para. 1 (f) GDPR).
Qualtrics legitimate interest. Qualtrics can use your Personal Data based on its legitimate interest (Article 6 para. 1 lit. f GDPR) as follows:
- Fraud and Legal Claims. If required, Qualtrics will use your Personal Data for the purposes of preventing or prosecuting criminal activities such as fraud and to assert or defend against legal claims.
- Questionnaires and surveys. Qualtrics could invite you to participate in questionnaires and surveys. These questionnaires and surveys will be generally designed in a way that they can be answered without any data that can be used to identify you. If you nonetheless enter such data in a questionnaire or survey, Qualtrics will use this personal data to improve its products and services.
- Contract performance. If you purchase or intend to purchase goods or services from Qualtrics on behalf of a corporate customer or otherwise be the nominated contact person for the business relationship between a corporate customer (a “Customer Contact”) and Qualtrics, Qualtrics will use your Personal Data for this purpose. This includes, for the avoidance of doubt, such steps which are required for establishing the relevant business relationship. In case that an existing Customer Contact informs Qualtrics that you are his replacement, Qualtrics will, from the point in time of such notification, consider you to be the relevant Customer Contact for the respective customer until you object as further set out below.
- Creation of anonymized data sets. Qualtrics will anonymize Personal Data provided under this Privacy Statement to create anonymized data sets, which will then be used to improve its and its affiliates’ products and services.
- Personalized Newsletter. If you opt-in to receive marketing communications such as newsletters from Qualtrics, Qualtrics will collect and store details of how you interact with the newsletters to help create, develop, operate, deliver and improve our newsletter communications with you. This information is aggregated and used to help Qualtrics provide more useful information and to understand what is of most interest.
- Recordings for quality improvement purposes. In case of telephone calls or chat sessions, Qualtrics will record such calls (after informing you accordingly during that call and before the recording starts or where you have opted in to have the call recorded via the Qualtrics Support Portal) or chat sessions in order to improve the quality of Qualtrics services.
- To keep you up-to-date or request feedback. Within an existing business relationship between you and Qualtrics, Qualtrics might inform you, where permitted in accordance with local laws, about its products or services (including webinars, seminars or events) which are similar or relate to such products and services you have already purchased or used from Qualtrics. Furthermore, where you have attended a webinar, seminar or event of Qualtrics or purchased products or services from Qualtrics, Qualtrics might contact you for feedback regarding the improvement of the relevant webinar, seminar, event, product or service.
You can at any time object to Qualtrics’ use of your Personal Data as set forth in this section by sending an email to email@example.com. In this case, Qualtrics will carefully review your objection and cease further use of the relevant information, subject to Qualtrics’ compelling legitimate grounds for continued use of the information, which override your interest in objecting, or if Qualtrics requires the information for the establishment, exercise or defense of legal claims.
Processing under applicable national laws. If the applicable national law allows Qualtrics to do so, Qualtrics will use information about you for a business purpose, some of which is Personal Data:
- To plan and host events
- To host online forums or webinars
- For marketing purposes such as to keep you updated on Qualtrics’ latest products and services and upcoming events
- To contact you to discuss further your interest in Qualtrics services and offerings
- To help Qualtrics create, develop, operate, deliver and improve Qualtrics services, products, content and advertising and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by
- To provide more personalized information to you
- For loss prevention
- For account and network security purposes
- For internal purposes such as auditing, analysis, and research to improve Qualtrics’ products or services
- To verify your identity and determine appropriate services
- To assert or defend against legal claims
- To detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, and to prosecute those responsible for that activity
- To debug to identify and repair errors that impair existing intended functionality
- Short-term, transient use, provided the personal information is not disclosed to a third party and is not used to build a profile about you or otherwise alter your individual experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction
- Undertaking internal research for technological development and demonstration
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by Qualtrics.
In accordance with the disclosure requirements under the CCPA, Qualtrics is exempt from providing a notice to opt-out because it does not and will not sell your Personal Data.
C. Processing based on consent.
In the following cases, Qualtrics will process your Personal Data if you granted prior consent to the specific proposed processing of your Personal Data (Article 6 para. 1 lit. a GDPR).
Children. This offering is not directed to users below the age of 16 years, or equivalent minimum age in the relevant jurisdiction. If you are younger than 16, you cannot register with and use this offering.
U.S. Children’s Privacy. Qualtrics does not knowingly collect the Personal Data of children under the age of 13. If you are a parent or guardian and believe that Qualtrics collected information about a child, please contact Qualtrics as described in this Privacy Statement. Qualtrics will take steps to delete the information as soon as possible. Given that Qualtrics services are not directed to users under 16 years of age and in accordance with the disclosure requirements of the CCPA, Qualtrics does not sell the Personal Data of any minors under 16 years of age.
Marketing. Qualtrics requires your Personal Data to inform you about Qualtrics’ latest products, service offers and events. Any such use of information is based on the consent you grant hereunder. Qualtrics will use your name, email and postal address, telephone number, job title and basic information about your employer (name, address, and industry) as well as an interaction profile based on prior interactions with Qualtrics (prior purchases, participation in webinars, seminars or events or the use of (web) services in order to keep you up to date on the latest product announcements, software updates, software upgrades, special offers, and other information about SAP’s software and services (including marketing-related newsletters) as well as events of SAP and in order to display relevant content on Qualtrics websites. In connection with these marketing-related activities, Qualtrics will provide a hashed user ID to third party operated social networks or other web offerings (such as Twitter, LinkedIn, Facebook, Instagram or Google) where this information is then matched against the social networks’ data or the web offerings’ own databases in order to display to you more relevant information.
Forwarding your Personal Data within the SAP Group. Qualtrics will transfer your Personal Data to other affiliated companies within SAP’s Group of undertakings for the purpose to inform you about their latest products, service offers and events in the same way Qualtrics does under this Privacy Statement. A list of entities in the SAP Group can be found here. In such cases, the SAP Group will use the Personal Data for the same purposes and under the same conditions as set forth in this Privacy Statement.
Social media features. Qualtrics offers social network functionality in various parts of our website and on apps. We give you the opportunity to share and recommend your content in social networks in our online offerings. If you visit our website and use the recommendation features, we pass on the URL to the social network you select where your Personal Data will be then used by the social network according to the social network’s own privacy statement. We recommend that you read the privacy statement of the respective social networks carefully.
Profiles. Qualtrics offers you the option to use services, including to view tutorials or take trainings, that require you to register and allow you to create a user profile. User profiles provide the option to display personal information about you, including but not limited to your name, photo, address, email, telephone number, personal interests, skills, etc. Profile data is processed to personalize the interaction with other users to foster the quality of communication and collaboration via such services. Profile data might also be shared with other web offerings and services across the SAP Group, including Ariba, Concur, Hybris, etc. (SAP Cloud ID). The provision of any such information about you as well as the decision to share information with other services is at your free will and based on the consent that you grant.
Event profiling. If you register for an event, seminar, or webinar of Qualtrics, Qualtrics shares basic registration information (your name, company, and email address) with other participants of the same event, seminar, or webinar for the purpose of communication and the exchange of ideas.
Tracking during an event. Qualtrics requires your Personal Data including any occasion where you allowed your event badge to be scanned, to evaluate behavioral aspects by means of tracking during the relevant event. Qualtrics might process tracking data in the context of Qualtrics events for purposes of tracking attendance, determine the attendees’ interests in certain topics and identify drivers for the attendees’ satisfaction and dissatisfaction to optimize planning and investments for future events. Any such use of information is based on the consent you grant.
Processing Special Categories of Personal Data. When you register for or request access to an event or seminar, Qualtrics may ask whether you require any accommodations because of your health or dietary restrictions. Any such use of information is based on the consent you grant. Kindly note that if you do not provide Qualtrics with information regarding what accommodations you require, Qualtrics will not be able to accommodate for it.
Photograph before or during the event. You may be asked to provide Qualtrics with your current photograph via e-mail or Qualtrics could ask to take a picture of you when you arrive at the event. By sending Qualtrics your photograph or allowing a photo of you to be taken, you acknowledge that Qualtrics will use your picture for the purposes described in this Privacy Statement.
Withdrawal of consent. You may withdraw your consent for Qualtrics to process your Personal Data as stated in this Privacy Statement at any time. Once you assert this right, Qualtrics will not process your Personal Data any longer unless legally required to do so. However, any withdrawal has no effect on past processing by Qualtrics up to the point in time of your withdrawal. Please direct any such request to firstname.lastname@example.org.
D. Cookies and similar tools
Information gathered by cookies or similar technologies, and any use of such information, is further described in Qualtrics’ Cookie Statement. You can exercise your cookie preferences as outlined in Qualtrics’ Cookie Statement.
E. Subprocessor List
The list of subprocessors Qualtrics currently uses to process personal data in the Subscription Services can be found here.