Information We Hold
We have conducted data audits to map data flows.
We have documented what personal data we hold, where it came from, who we share it with, and what we do with it.
Accountability and Governance
We have appropriate data protection policies, controls, and contracts.
We have nominated a data protection lead and will have a local representative assigned.
Decision makers and key people at Alchemer have demonstrated support for data protection legislation and promotes a positive culture of data protection compliance across the business.
Information risks and data protection impact assessments
Alchemer manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.
Data Protection by Design
Alchemer has implemented appropriate technical and organizational measures to show we have considered and integrated data protection into our processing activities.
Training and awareness
Alchemer provides data protection awareness training for all staff.
Data processing contracts
Alchemer only processes data on the documented instructions of a controller and there is a written contract outlining the respective responsibilities and liabilities of the controller and our business.
The use of sub-processors
Alchemer has sought prior written authorization from the controller before engaging the services of a sub-processor, and there is a Data Processing Addendum (DPA) in place.
Alchemer operates inside and outside of the EU.
Alchemer has effective processes to identify and report any personal data breaches to its controller.
Alchemer has hundreds of robust features built and refined with data privacy in mind. Here are some of our favorites to use for GDPR compliance:
Feature availability depends on account license type. Check our Feature List for more details.
Visit our Documentation library to learn about the specifics of each and every Alchemer feature.
The right to be informed.
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under GDPR.
The right of access.
Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.
The right to rectification.
Individuals have the right to have inaccurate personal data rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing. Organizations have one calendar month to respond to a request.
The right to erasure.
Individuals have the right to have personal data erased. This right is also known as “the right to be forgotten.” Individuals can make a request for erasure verbally or in writing. Organizations have one calendar month to respond to a request. This right is not absolute and only applies in certain circumstances.
The right to restrict processing.
Individuals have the right to request the restriction or suppression of their personal data. When processing is restricted, organizations are permitting to store the personal data, but not use it. Organizations have one calendar month to respond to a request. This right is not absolute and only applies in certain circumstances.
The right to data portability.
Individuals can obtain and reuse their personal data for their own purposes across different services. This right allows individuals to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. This right enables consumers to take advantage of applications and services which can use this data to find them a better deal, or help them understand their spending habits.
The right to object.
Individuals have the right to object to:
- Data processing based on legitimate interested or the performance of a task in the public interest/exercise of official authority (including profiling);
- Direct marketing (including profiling);
- Data processing for purpose of scientific/historical research and statistics.
Rights in relation to automated decision and profiling.
This right protects individuals if organizations are carrying out solely automated decision-making that has legal or similarly significant effects on them.
What happens when I make a data rights request as a survey respondent?
Alchemer will identify the Controller of your information (our customer) and will convey your request to them. As they own and control your data, they are responsible for taking requested actions.
Why do you need my email address and the survey link when I make a request?
The link is used to identify the customer who sent you the survey, and in turn, is responsible for ensuring your request is honored.
What happens when I make a data rights request as a survey creator?
We will make all reasonable attempts to comply with your request directly. However, please understand that some information may not “forgotten” as a Customer, due to our obligations to be able to contact you.
What if I need additional information about my company’s GDPR compliance?
It is recommended that you confer with counsel to ensure your specific requirements under GDPR and other international law are followed. Alchemer can only assist with meeting compliance requirements by providing controls to aid in meeting obligations.
What does Alchemer do with the information I provide in a survey?
Alchemer only provides the platform used by our customers to conduct surveys. The individual responses to surveys are the property of the survey creator. Alchemer does not interact with your data except where explicitly permitted by the customer.
Does GDPR replace Privacy Shield compliance controls?
No, GDPR and Privacy Shield work in parallel and are created/maintained by different regulatory bodies. Alchemer is committed to ensuring compliance with both programs.
Registered office: 168 Centennial Parkway, Unit #250, Louisville, Colorado, 80027 USA