Qualtrics complies with applicable data privacy laws in its role as a data controller of its own data and as a data processor of customer data.
Specifically, Qualtrics is GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) compliant and provides technology that enables our customers to be compliant as well. This support page discusses how users can manage data subject requests using the Qualtrics platform.
While Qualtrics provides technology that enables our customers to be compliant with a variety of privacy laws, Qualtrics customers should seek their own legal advice as to how to comply with privacy laws. For more details about Qualtrics and GDPR, visit this page.
Data Subject Requests
In certain circumstances, individuals may have the following rights in relation to personal data:
- Right to access personal data.
- Right to rectify inaccurate personal data.
- Right to erase personal data.
- Right to restrict processing of personal data.
- Right to data portability.
- Right to object to processing of personal data.
- Right to withdraw consent to the processing of personal data.
If a survey respondent wishes to exercise rights in relation to personal data or personal information that may have been collected via Qualtrics, the respondent should contact the customer who collected the relevant data. If a respondent requires additional assistance, the respondent may contact Qualtrics Support.
If an individual wishes to exercise rights in relation to data for which Qualtrics acts as data controller, they should contact email@example.com.
If you receive a data subject request requesting access to the personal data which you hold about the individual, you should review the following page regarding Exporting Response Data.
The Export Data feature is used to download raw response data for use beyond the survey platform. Exported data files allow you to view how individual respondents answered each question in a survey, and also include survey metadata (e.g. Recorded Date, IP Address, etc.), contact fields, and any Embedded Data.
The exported data can then be shared with the data subject in multiple Export Formats including CSV, XML, SPSS and others.
If you receive a data subject request to modify the individual’s data, you have several options. Instructions about how to modify survey response data are available on the Data Modification support page. A survey response may be edited if the user has the appropriate account permission, Edit Survey Responses, which is controlled by Brand Administrators. This permission enables the user to modify data. Further details can be found on the Response Editing support page.
It is also possible to edit a contact’s details within your Directory by following the instructions on the Managing Multiple Directory Contacts support page.
Data Deletion (Right to Erasure)
If you receive a data subject request requesting deletion of an individual’s personal data, you should review the following page regarding Right to Erasure. There are various ways to delete data based on the types of data that you hold about an individual. Please view the following pages for additional instructions about deleting data from the Qualtrics platform:
- Deleting Data By Email Address
- Data Deletion: Survey Platform
- Data Deletion: XM Directory
- Data Deletion: CX Dashboards
- Data Deletion: Employee Experience
- Data Deletion: Custom Solutions
All respondent data is backed up by Qualtrics using two methods: automatic propagation across servers (immediate upon collection) and daily complete off-site encrypted backups. However, customers are responsible for routine back-up of their data in case of user-caused accidental deletion/modification, and for their own archive/data retention policies. Qualtrics backs up data for disaster recovery purposes only.
When a user deletes data from the Qualtrics platform, all backups of said data will be deleted within 90 days.
Restriction of Processing
When you receive a request from a data subject to restrict processing, you are permitted to store the personal data, but not use it. Within the Qualtrics platform, you are able to delete the individual’s data from the platform in accordance with the instructions above if you wish to remove the individual’s information. Alternatively, you can choose to use XM Directory to create and update contact information in one central database and send surveys directly to mailing lists or restrict the distributions that an individual can be sent.
If you receive a data subject request in which an individual requests the right to obtain and reuse their personal data for their own purposes across different services, then you should review the Exporting Response Data support page, which details the Export Data Feature. The Export Data feature is used to download raw response data for use beyond the Survey Platform. Exported data files allow you to view how individual respondents answered each question in a survey, and also include survey metadata (e.g. Recorded Date, IP Address, etc.), contact fields, and any Embedded Data.
Among your export options, you can choose the file type of your download. The various file types are detailed at the Data Export Formats page.
Objection to Processing
Within a particular survey, you can choose to ask for a respondent’s consent before sending them to the rest of the survey. If the data subject decides they don’t want to participate, you can end their survey session. Details on how to set this up in the Qualtrics platform can be found on the Building a Consent Form support page.
If an individual objects to receiving a particular type of survey, you can use XM Directory to establish rules for contacting that individual.
Alternatively, you can choose to delete the individual’s information from your Qualtrics account by following the instructions listed above.
Rights In Relation to Automated Decision Making and Profiling
As the data controller, Customers determine the following about the data stored in the Qualtrics platform:
- What type of data to collect.
- Who to collect data from.
- Where to collect data.
- What the purpose of the data collection is.
- When to delete data.
You must determine whether you have a legal basis for performing automated decision-making and profiling and, if so, whether your performance of such activities complies with applicable law. The tools mentioned above, which enable you to deal with other data subject requests, can be used to support any requests by data subjects objecting to automated decision making and profiling.
Read Access Logs
The activity log does not display all read access to data located in your brand directories. In case of a serious need to know who accessed information in your account, you may contact support, who will pass the request to our Security Operations Center.
Implementing Legal Holds
The Qualtrics platform provides a number of tools to support legal/litigation hold or document preservation requests.
You may choose to use the Export Data functionality. The Export Data feature is used to download raw response data for use beyond the survey platform. Among your export options, you can choose the file type of your download. The various file types are detailed at the Data Export Formats page. Exported data files allow you to view how individual respondents answered each question in a survey, and also include survey metadata (e.g. Recorded Date, IP Address, etc.), contact fields, and any Embedded Data. This downloaded file can be encrypted and stored outside of the Qualtrics platform.
Alternatively, within the Qualtrics platform, you may choose to amend user permission settings so that only certain users may interact with and/or access the particular data in question. Details about how to create and manage users can be found on the Creating & Managing Users page, and details about amending permission settings can be found on the User Permissions page.
While Qualtrics provides technology that enables customers to comply with legal hold or document preservation requests, Qualtrics customers should seek their own legal advice regarding compliance.