Customer Feedback Centre and GDPR Compliance
As of 19 December 2022
Customer Feedback Centre takes data privacy very seriously, and we view the GDPR as an opportunity to enhance our commitment to data protection for the benefit of our customers.
In effect from 25 May 2018, Customer Feedback Centre will Process Personal Data in accordance with GDPR requirements. https://gdpr-info.eu/
1) Does GDPR affect me and my business?
If you have customers in the EU, or plan to have customers in the EU, then yes.
2) My business is not based in the EU - do I need to be GDPR compliant?
Any business that collects, processes or handles data from the EU will need to comply with the GDPR regardless of whether they are physically located within the EU.
That said, we are not able to provide legal advice and highly recommend that you refer to your legal counsel or an applicable data supervisory authority for full details on whether you will need to comply with the GDPR.
You may find the following two resources helpful.
1) Whitecase.com GDPR Handbook
2) EDPS.EU
3) If the Customer Feedback Centre is GDPR compliant, does this also mean that my business is GDPR compliant because we are a Customer Feedback Centre client?
All data you collect using Customer Feedback Centre via Kiosk Mode and Unique Feedback URL is GDPR compliant as of 25 May 2018.
However, we cannot confirm that any customer data collected and processed outside of our platform and prior to importing into the Customer Feedback Centre is GDPR compliant.
In other words: If "you" upload a customer list or add a customer manually, we cannot confirm that "you" obtained GDPR compliant customer permission first.
4) What should I do about my legacy contacts?
New and explicit permission will have to be obtained before sending emails or text messages to your legacy contacts using the Customer Feedback Centre "unless" you have a record of their consent to receive such communication from you.
Checklist:
#1) Check your workflow, signup and other processes to ensure that all customer information and data is in compliance with the GDPR.
#2) Check your privacy policies, terms of service and other publicly visible pages detailing your service to ensure that you are transparent about the collection, sharing and use of your customer data.
#3) Your customers have the right to know how their personal data is being processed. Clearly define all processing activities by you and disclose any third parties processing on your behalf.
#4) Check your forms to ensure the above mentioned information is available and provided when collecting new customer information.
5) Where does the Customer Feedback Centre store and process data?
We use EarlyEcho LLC to process and store data within AWS Data Centre in the United States.
By using the Customer Feedback Centre, you agree and acknowledge your data will be processed outside of the EU.
6) Does GDPR apply to UK Businesses?
Until March of 2019, the UK remains an EU member state, so GDPR compliance applies to businesses based in the UK, or those collecting and processing data from the UK.
7) Does the Customer Feedback Centre offer a Data Processing Agreement?
GDPR law specifies that the Controller (you) is responsible for Data Processing Agreements (DPA) with third party processors you may use.
You, as the controller, would need to specify the subject matter, nature and purpose of the processing for "your" customers.
We as processor act only upon a controller’s instruction according to GDPR laws. Please submit your DPA to us via [email protected].
8) I have further questions about the Customer Feedback Centre and GDPR
We are happy to answer any questions you may have. Please email us at [email protected]
9) Additional GDPR Compliance Information
1) In effect from 25 May 2018, the Customer Feedback Centre will Process Personal Data in accordance with GDPR (General Data Protection Regulation) requirements. https://www.eugdpr.org/
2) Customer Feedback Centre is a “processor” by definition of the GDPR.
Definition: A processor is a natural or legal person or agency that processes data on behalf of a controller. “Processing” is defined very broadly in the Directive to include collection, use, storage, manipulation, disclosure, disposal, and virtually any other action with personal data.
Customer Feedback Centre processes data as delegated by the “controller”.
Definition: A controller is the natural or legal person or public agency that “alone or jointly with others” determines “the purposes and means of processing” personal data.
The GDPR defines the data controller as the principal party for responsibilities such as collecting consent, managing the revocation of consent and enabling the right to access. A data subject who wishes to revoke consent for his or her personal data will therefore contact the data controller to initiate the request.
3) Data Protection Impact Assessment. In effect from 25 May 2018, upon Customer’s request, Customer Feedback Centre (processor) shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Customer Feedback Centre.
4) Customer Feedback Centre shall return Customer Data to Customer and, to the extent allowed by applicable law, delete Customer Data in accordance with the procedures and timeframes specified by the GDPR.
5) Notification of Sub-processors and Objection Right for New Sub-processors. Customer acknowledges and expressly agrees that the Customer Feedback Centre does engage with Sub-processors and that the Customer Feedback Centre may engage new Sub-processors at any time. All current Sub-processors have expressed their intention to be GDPR compliant by May 25th. List of current Sub-processors: SendGrid for Email delivery, Twilio for SMS delivery, EarlyEcho LLC with AWS DataCenter in the United States, Stripe for card payment processing, EazyCollect for direct debit processing, Salesmate.io for telecommunication, welcome and marketing emails.
6) Customer Feedback Centre maintains security incident management policies and procedures and shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by Customer Feedback Centre or its Subprocessors of which Customer Feedback Centre becomes aware (a “Customer Data Incident”).
Customer Feedback Centre shall make reasonable endeavours to identify the cause of such Customer Data Incident and take those steps as Customer Feedback Centre deems necessary and reasonable in order to remediate the cause of such a Customer Data Incident to the extent the remediation is within Customer Feedback Centre’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users.
7) Information collected by Account Owners and Users. Account owners and Users can store data that may contain Personal information in “Customer Notes”, “JobID”, “ExtraField” and “CustomField”. Customer Feedback Centre has no direct relationship with the individuals whose Personal Data it hosts as part of those entry fields. Each Account owner is responsible for providing notice to its customers and third persons concerning the purpose for which the Personal Data is stored and how this Personal Data is processed.
8) Information collected by Customer Feedback Centre. Customer Feedback Centre collects the name, email address, mailing address, mobile phone number, and credit card information and bank account details upon signup. Customer Feedback Centre uses this information for administrative purposes and billing. Customer Feedback Centre may also use the information to understand and analyse usage and preferences in order to improve the product and functionality. Data is only used in anonymised or aggregated form.
9) In compliance with GDPR Article 37 the Customer Feedback Centre has a designated DPO (Data Protection Officer) available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the right to be forgotten, and related rights. Please contact [email protected]