GDPR | Qualtrics

Safe. Secure.
And ready for GDPR

Safe + Secure

Nothing matters more to us than the security of your data. For over a decade now, Qualtrics has been the most secure platform on the market – and we’re staying that way. So, when the EU’s new General Data Protection Regulation (GDPR) comes into force, we’ve got you covered.

Securing your data

We are ISO 27001 certified and FedRAMP authorised – that’s the “gold standard” of security certification used by the U.S. Government for SaaS providers. As part of those programs, a Privacy Impact Assessment (PIA) – a key requirement of GDPR – has been performed and evaluated by an independent third-party assessor, so you can be confident your data is secure. In addition, Qualtrics has a Data Protection Impact Assessment (DPIA) that documents our handling of all your data, including personal data.

Data correction

Brand administrators can easily find and modify collected personal data to meet the ‘correction’ requirement of the GDPR. So, you’ll easily be able to modify an individual’s personal data should they request it.

Right to be forgotten

Brand administrators can permanently delete individual contacts and respondent personal data should an individual request it using a Subject Access Request.

Built for enterprise security

The Qualtrics platform is packed with enterprise security features that make us the trusted platform for over 8,500 brands.

  • Email Security (SMTP Server Setup, DKIM)

  • Data encryption in transit

  • Data Centers are audited with industry-standard SSAE-16 methods

  • Data redundancy for resilience during disasters

  • Independent 3rd-Party security reviews and penetration tests

  • Continuous network monitoring

  • Single Sign On (SSO)

  • EU-US Privacy Shield Certified

  • Swiss-US Privacy Shield Certified

  • In-house 24/7 security operations center

  • Active session management

  • Users can opt-out of re-contact for a survey

  • Control password parameters and expirations

  • Industry-standard security evaluations

  • Role-based authentication

  • Data sovereignty: U.S., Canada, APAC, EU

  • Data isolation option for unique encryption keys

  • HITRUST self assessed | HIPAA Self Certified

  • IP whitelisting

GDPR

What is GDPR?

The GDPR comes into force on May 25th 2018, tightening the rules for businesses on how they collect, store and process EU citizens’ personal data. The new regulations will impact organisations worldwide that collect and process personal data of EU citizens. So, if you’re running an employee or customer experience program, you’ll likely be affected. There are a lot of changes with the new rules, and here are just some of the key changes that are likely to impact your customer or employee experience programs:


Data correction

EU citizens will have the right to request that their personal data are rectified, and they can request restrictions on how their data are used. In addition, they may ask to “be forgotten,” requiring that all their personal data be permanently erased. Generally speaking, the GDPR explicitly states it must be as easy to withdraw your data as it was to consent to it in the first place.

Consent

A business must seek an Individual’s unambiguous consent prior to collecting any personal data. Descriptions about how the personal data will be used must be clearly stated, and business contact details provided if more information is requested. Organisations may need to consider conditions for processing other than consent, such as in relation to a contract, or because of another legal obligation (such as employer-employee).

Privacy assessment

Data processors will need to implement a high level of security to safeguard the controller’s data, and to conduct a Data Protection Impact Assessment (DPIA) that documents how personal data will be safeguarded. Qualtrics can provide an extensive security white paper that describes its key privacy-related processes and procedures.

More information

Got a question on GDPR?

Don’t hesitate to get in touch or contact your customer success manager to find out more about our changes and how we’re helping you to comply.

Frequently Asked Questions

Disclaimer: This FAQ contains helpful compliance information when using Qualtrics products. Customers should always consult their internal compliance team and/or their privacy attorney regarding legal matters. The information herein is provided as-is, and should not be considered legal advice. Qualtrics desires to enable its customers to comply with applicable laws, but does not warrant that a customer’s particular use of its products will be compliant.

For purposes of this FAQ, the terms “You,” “Your,” “I”, and “My” refer to the owner or creator of the survey. And “Respondent” refers to the person taking the survey.

Should I get consent from a Respondent to collect their personal data?

While it is always good practice to receive explicit consent from your Respondents, certain laws and regulations (such as the GDPR) require consent prior to collecting personal data of certain individuals (such as those in the EU). As the survey owner, You must explain why personal data are being collected, for what purpose, and how long the data will be held before being deleted. Also, You must provide contact details to the Respondent. This information may be stated on a privacy policy web page or as a text block within the survey.

It is also important to note that under GDPR, consent is one of a number of legitimate interests for processing data. Others include the need to process for the performance of a contract, the need to process in order to comply with a legal obligation, and the need to process in order to protect the vital interests of the data subject or another natural person. Full details can be found in Article 6 of GDPR.

GDPR requires transparency with regard to the functions and processing of personal data – this is all about giving the individual control over how their data are processed.

In the Qualtrics platform, You may easily create a multiple choice question to display a landing page and ask for consent. The Respondent can select Yes or No before they proceed with the rest of the survey. That response is recorded with the others, and may be used as evidence that the respondent did, indeed, consent. To ensure that the question is answered, the Force Response option should be used. If the Respondent chooses No, then direct the Survey Flow to the End of Survey so no data will be collected.

Can I avoid collecting personal data that would identify a Respondent?

Yes, You may design a survey that will not collect any personal data or other identifying information (such as geo-location or IP address). When distributing a survey using Anonymous Links, no contact personal data will be associated with the resulting response.

In addition, You may enable Anonymize Response in Survey Options so that no location or IP information is collected.

Using both of the above options means that the completed responses will be completely anonymous with no embedded identifying information.

Can I modify a Respondent’s personal data that resides in an existing survey?

Yes, You may modify all response data to correct personal data as required by GDPR when You receive a Subject Access Request, or for other reasons.

The process is easy. First, You search for a specific contact or response. Then You edit the data point, such as a name (when it was entered in an open text field) or an answer (such as for a multiple choice question).

It should be noted that a Qualtrics user may be prohibited from editing or deleting a survey response if they do not have permission (as controlled by the Brand Administrator or another user with appropriate rights).

The screen images below show how the name George was changed to Georgiana.

Also, the Qualtrics API provides automated ways to delete contacts and responses.

Can I delete personal data that resides in an existing survey?

Yes, You may delete any response, including a response that contains personal data, as required by GDPR.

For responses, the deletion may be:

  • a single response
  • all responses
  • the entire survey project (and all related data and associations to contacts)

For contacts, the entire contact and related details may be deleted.

The screenshot below shows how a single response will be deleted.

Like in a desktop operating system, deleting a response flags it for deletion. The next section explains how deleted data can be made unrecoverable.

Is personal data permanently deleted when I remove it?

A deleted response is initially flagged for deletion, and may be recovered by Qualtrics Support (Quni) upon request. After 90 days, the deletion becomes permanent and unrecoverable.

To permanently and immediately delete data, the Brand Administrator (or a user with equivalent permissions) may perform a permanent deletion. Permanently deleted data are unrecoverable, even by Qualtrics Support.

When a contact is deleted, it is permanently deleted.
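The deletion lifecycle described in the two answers above (a response is first flagged and hidden, can be recovered during a 90-day window, becomes unrecoverable once a purge runs, and can be hard-deleted immediately only by a Brand Administrator) is modelled below as an added example. This is illustrative code written for this page, not Qualtrics’ own implementation: the `ResponseStore` class, its method names, the in-memory storage and the sample rows are all constructed assumptions; only the 90-day window and the administrator-only permanent deletion come from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Recovery window stated on the page: flagged responses become unrecoverable after 90 days.
RETENTION_DAYS = 90


@dataclass
class Response:
    """One survey response; `deleted_at` is set when the row is flagged for deletion."""
    response_id: str
    fields: dict
    deleted_at: Optional[datetime] = None


class ResponseStore:
    """Hypothetical in-memory model of soft delete, recovery window and permanent deletion."""

    def __init__(self) -> None:
        self._rows: Dict[str, Response] = {}

    def add(self, response_id: str, fields: dict) -> None:
        self._rows[response_id] = Response(response_id, dict(fields))

    def get(self, response_id: str) -> Optional[dict]:
        """Normal reads never return flagged rows, so a flagged response is invisible to users."""
        row = self._rows.get(response_id)
        if row is None or row.deleted_at is not None:
            return None
        return dict(row.fields)

    def soft_delete(self, response_id: str, now: datetime) -> bool:
        """Flag a live row for deletion; the timestamp starts the recovery window."""
        row = self._rows.get(response_id)
        if row is None or row.deleted_at is not None:
            return False
        row.deleted_at = now
        return True

    def recover(self, response_id: str, now: datetime) -> bool:
        """Support-style recovery: only while the row is flagged and still inside the window."""
        row = self._rows.get(response_id)
        if row is None or row.deleted_at is None:
            return False
        if now - row.deleted_at >= timedelta(days=RETENTION_DAYS):
            return False  # window elapsed: the purge job owns this row now
        row.deleted_at = None
        return True

    def permanent_delete(self, response_id: str, is_brand_admin: bool) -> bool:
        """Immediate, unrecoverable removal, restricted to the administrator role."""
        if not is_brand_admin:
            return False
        return self._rows.pop(response_id, None) is not None

    def purge_expired(self, now: datetime) -> List[str]:
        """Scheduled job: physically remove rows flagged at least RETENTION_DAYS ago."""
        expired = [
            rid for rid, row in self._rows.items()
            if row.deleted_at is not None
            and now - row.deleted_at >= timedelta(days=RETENTION_DAYS)
        ]
        for rid in expired:
            del self._rows[rid]
        return sorted(expired)

    def ids(self) -> List[str]:
        """All rows still physically present, flagged or not."""
        return sorted(self._rows)


def run_lifecycle() -> dict:
    """Walk the lifecycle on constructed sample rows and return what was observed."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    store = ResponseStore()
    store.add("R_1", {"name": "George", "q1": "Yes"})  # constructed sample data
    store.add("R_2", {"name": "Ada", "q1": "No"})
    store.add("R_3", {"name": "Grace", "q1": "Yes"})

    store.soft_delete("R_1", t0)
    store.soft_delete("R_2", t0)
    return {
        "hidden_after_flag": store.get("R_1") is None,                       # True
        "recovered_in_window": store.recover("R_1", t0 + timedelta(days=30)),  # True
        "purged_at_day_89": store.purge_expired(t0 + timedelta(days=89)),     # []
        "purged_at_day_90": store.purge_expired(t0 + timedelta(days=90)),     # ["R_2"]
        "recover_after_purge": store.recover("R_2", t0 + timedelta(days=91)),  # False
        "hard_delete_denied": store.permanent_delete("R_3", is_brand_admin=False),  # False
        "hard_delete_ok": store.permanent_delete("R_3", is_brand_admin=True),       # True
        "remaining": store.ids(),                                             # ["R_1"]
    }


if __name__ == "__main__":
    for key, value in run_lifecycle().items():
        print(f"{key}: {value}")
```

The purge job is the piece to audit in a real system: a flagged row that a read path still returns, or a purge that skips rows, is exactly what turns a “deleted” record into a retention finding. The check here is the pair of assertions that nothing is purged at day 89 and the flagged row is gone at day 90.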

How long is personal data retained in Qualtrics if I don’t delete it?

Qualtrics’ philosophy is that customers own and control all the data they collect. Any retention period required by law or Your company policy is controlled by You.

You should ensure that all contacts and personal data are deleted prior to terminating Your Qualtrics brand, especially if required by policy, law, or regulation.

Does my brand data get included in backups, and if so, for how long?

Yes. Qualtrics backs up all customer data each night, and retains the backup dataset for 90 days. After 90 days, the backup dataset is deleted.

Can I delete customer’s personal data from Qualtrics backups?

No. The nightly backup dataset contains all customer data, and is used for disaster recovery purposes only. This is required for legal and compliance reasons related to availability obligations. Any personal data in these offline backups will be permanently deleted after 90 days.

If my data centre is located in the EU, does Qualtrics transfer My personal data outside the EU at any point?

Generally speaking, Qualtrics processes all Your EU data in the EU, and does not transfer Your data out of the EU.

When You contact Support, the call may be handled by someone in the U.S. where we have a large number of highly trained employees to handle requests worldwide. If You allow access to Your account by Support, and EU personal data is viewed by Support, then it is technically a transfer to the United States. Such transfer is covered by the EU-US Privacy Shield framework, and allowed by GDPR as providing adequate safeguards.

You may ask for an EU support representative to handle your request.

Backup datasets with EU data are stored at an alternate data centre in the EU.

If my data centre is located in the EU, does Qualtrics ensure that My data are accessed only by EU-based employees?

You may request to have support and any account access by a Qualtrics employee located in Dublin. For customers wishing to make this a default for all their users, the EU Data Silo option is available by contacting Your Qualtrics Account Executive. Qualtrics provides the best support using employees (not outsourced) from our U.S. headquarters in Utah, and our EU office in Dublin. GDPR does not require that support must come from the EU. But it does require that any personal data accessed are adequately protected by qualified staff. Background checks are performed on each Qualtrics employee (as allowed by law), and upon hire, the employee must sign a letter of confidentiality.

Does Qualtrics ensure that My data are accessed only by employees that have reasonable justification for doing so?

As required by GDPR, only qualified Qualtrics employees with a specific need are permitted to access Your account. The typical reason for accessing Your account would be upon Your specific request for support. As Qualtrics provides self-service products, customer accounts are unmonitored. Qualtrics employees do not routinely access any customer account except when specifically asked.

Does Qualtrics use sub-processors that process My data?

Qualtrics does not presently use sub-processors to provide the Subscription Services. As required by GDPR, Qualtrics will notify the Brand Administrator if it uses a sub-processor, and maintain a list of those sub-processors at its privacy web page (https://www.qualtrics.com/privacy-statement/).

If a data breach occurs with the Qualtrics platform that affects My data, how and when will I be notified?

If a confirmed data breach occurs that is caused by Qualtrics actions or inactions, we will, without undue delay, notify the Brand Administrator. Information about the breach will be released as it becomes available, as allowed by GDPR. The Brand Administrator will be the main point of contact for all notifications, and will be kept aware of the investigation and remediation efforts as they progress.

How can I comply with a subject access request and portability as required by GDPR?

As You know about the data You are collecting, You are responsible for handling any subject access request (SAR). Qualtrics only provides the platform and wouldn’t know the details about Your survey or Your respondents.

A SAR means that a Respondent is asking about information being collected about him or her in a survey that he or she completed. If You collected personal data of an EU citizen or a person residing in the EU, You may have a legal obligation to respond to a SAR.

Response data may be downloaded in industry-standard formats for data portability to comply with GDPR.

If Qualtrics receives a SAR, it will do its best to contact the survey owner. It may not always be possible to know what survey the Respondent took, and who the rightful owner is.

How do I comply with a subject access request to “be forgotten?”

Similar to the above, You know Your survey and what data you have. If You collected personal data of an EU citizen or a person residing in the EU, You may have a legal obligation to respond and comply with a request to delete all identifiable data.

As previously stated, You have the ability to delete a Respondent’s data.

How does Qualtrics comply with its GDPR obligations to return or destroy all EU personal data?

Qualtrics products provide easy ways to download all Your survey data in industry-standard formats. And, as previously described, You may easily delete data points, all survey responses, and entire projects.

How does Qualtrics comply with its GDPR obligations to encrypt personal data?

All response data stored in our EU data centre are encrypted using the industry standard AES-256 cipher. All data transmitted to the Qualtrics platform are encrypted using the industry standard TLS protocol.

How can I assure my customers that Qualtrics security meets applicable law and the GDPR (Article 32)?

Qualtrics is committed to safeguarding Your data. We use sophisticated and industry best controls during processing to maintain the confidentiality, integrity, availability, and resilience of Your data. The Qualtrics Security White Paper, available upon request for existing customers and with an NDA for prospects, explains all key security controls, processes, and procedures related to data protection and processing.

As related to Article 28 in the GDPR, Qualtrics will only process personal data according to Your instructions. In other words, the commands You use in the platform are the “instructions,” and Qualtrics does not use personal data for any other means. In addition, it does not transfer personal data to a third party without your consent. If personal data are transferred from the EU to a third country, then adequate safeguards will apply to the transfer (such as the EU-US Privacy Shield Framework).

Qualtrics has developed recovery procedures to minimize downtime related to a disaster, with the ability to restore access to personal data in a timely manner in the event of a physical or technical incident.

We regularly test, assess and evaluate the effectiveness of our technical and organizational measures to ensure the security of the processing.

Qualtrics has conducted a Privacy Impact Assessment that maps how personal data are used in the platform (mainly, the user account names and email addresses used to login to an account). Also, it has prepared a Data Protection Impact Assessment regarding personal data collected by its customers, that may be presented to a Supervisory Authority upon request.

In 2018, Qualtrics expects to be ISO 27001 certified. Our controls are based on FedRAMP and NIST 800-53 frameworks – “gold standard” security authorizations.

For more information about our security and privacy, please visit the links at the bottom of each web page.