Skeepers pays great attention to the protection of your data. We strictly apply the GDPR.
Discover in this article how Skeepers Feedback Management aligns with the GDPR and what best practices ensure the compliance of the solution to meet the strict requirements of the General Data Protection Regulation.
Overview of the GDPR
The General Data Protection Regulation 2016/679 concerning the protection of individuals with regard to the processing of personal data and the free movement of such data was enacted on April 27, 2016, and came into force on May 25, 2018.
The GDPR applies not only to legal entities, such as companies based in Europe, but also to those located outside the European Union that process data of European citizens. It aims to provide an enhanced and harmonized protection of personal data across the member states of the European Union, while allowing citizens to better control the use of their information.
Furthermore, it strengthens and complements data protection in France, which has been ensured since 1978 by Loi Informatique et Libertés. It imposes certain key principles on the legal entities that process data.
Compliance of Skeepers Feedback Management solution with the GDPR
Security by design
Skeepers guarantees adequate protection of personal data processed on the Feedback Management platform, including prevention against unauthorized or unlawful processing, as well as against accidental loss, destruction, or damage, through appropriate technical and organizational measures that ensure the integrity and confidentiality of the data.
To obtain our data security documentation (PSSI, PAS, etc.), please contact us at the email address security@skeepers.io.
To apply the same level of data protection in your questionnaires, you can encrypt certain sensitive data concerning your respondents by encrypting the desired attributes.
To do this, go to the 'Tracking' category and then 'Attributes' accessible via the left sidebar of the platform, select the attribute, and activate the option "Encrypt this attribute" (learn more about attribute encryption).
Privacy by design
A determined, explicit, and legitimate processing purpose
Feedback Management by Skeepers is a SaaS solution that allows you to conduct surveys, reviews, and information campaigns about the experiences of your customers, prospects, partners, and employees.
To learn more about the processing carried out by Skeepers, we invite you to consult the Agreement on the processing of personal data (from page 39).
Customer experience surveys
If you conduct customer experience surveys, particularly through campaigns distributed by the Feedback Management routing services (email and SMS deployments via Skeepers) to individuals who are already customers of the company, it is not necessary to obtain their consent in the following cases:
- If the contacts are already customers of your organization
- If the solicitation concerns similar products or services offered by your organization
- If the solicitation is not of a commercial nature
In these cases, the processing of data is based on your legitimate interest in gathering their feedback on their experience as customers.
The first exception cannot be invoked if no sale or service has been provided, such as when the customer has merely created an online account. Indeed, creating an account does not guarantee a future order of products or services from the organization.
Additionally, data protection authorities in some countries (notably Germany) require data controllers to obtain prior consent from their consumers, even for transactional emails.
Marketing surveys
If you conduct surveys for marketing purposes, that is, advertising campaigns distributed via the Feedback Management routing services (email and SMS deployments via Skeepers), email advertising is only permitted if individuals have explicitly given their prior consent before being approached (opt-in). This consent must be free, specific, informed, and unambiguous. To be valid, consent must be expressed through a positive and explicit action by the individual (such as checking a dedicated non-pre-checked box). Accepting the terms of use is not sufficient. Consent must be given freely.
Therefore, it is necessary to add an "Opt-in" question specifying to recipients the future use of the collected data.
To do this, open your marketing survey in the 'Campaigns' category accessible via the left sidebar of the platform. Add an "Opt-in" type survey item and ensure the "Checked by default" field is unchecked (learn more about multiple-choice items).
Data minimization by design
Feedback Management is a solution that has been designed to collect, by design, only exact, adequate, relevant, and limited data necessary for conducting surveys, feedback, information collection on the experience lived by your customers, prospects, partners, and employees. To learn more about the data processing carried out by Skeepers, we invite you to consult the Agreement on the processing of personal data (from page 39).
Verbatim desensitization
Disabled by default, an option to desensitize verbatim allows you to minimize your data collection in a "Text field" question (learn more about verbatim desensitization).
To activate it, go to one of your campaigns and check the option in the Advanced settings of your text field.
Issue | Explanation |
---|---|
What elements to exclude from your verbatim? | Certain terms or expressions, such as irrelevant personal data (such as bank coordinates, phone numbers) or inappropriate statements (religious references, insulting remarks, etc.), will be automatically deleted. |
How to manage these exclusions in Feedback Management? | When a respondent enters an answer to an open question, the content is analyzed by the Feedback Management solution directly from the browser. If specific words, sequences, or expressions to exclude are detected in the verbatim, they are automatically replaced with generic terms (or patterns). For example, a URL in the verbatim will be replaced with [**WEBSITE**]. This way, the initially entered data is never collected or stored. |
When the verbatim desensitization option is enabled on an open question, verbatim are collected without accents and in lowercase. Sequences to exclude are replaced by the pattern name between brackets. This option includes predefined terms that are automatically excluded, and you have the ability to add new terms freely. This option is also compatible with the use of our semantic analysis feature (learn more about verbatim analysis).
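The following sketch shows what browser-side desensitization of this kind can look like: normalize the text, then replace excluded sequences with a bracketed pattern name before anything is submitted. It is an added example, not Skeepers' implementation; the `EMAIL`, `PHONE` and `CUSTOM` pattern names, the regular expressions and the `[NAME]` placeholder format are assumptions made for illustration.

```javascript
// Added illustration, not Skeepers' code. Only the WEBSITE placeholder idea
// comes from the article; EMAIL, PHONE, CUSTOM and all regexes are assumptions.
const PATTERNS = [
  // URLs first, so digits inside a link are not later taken for a phone number.
  { name: "WEBSITE", re: /\b(?:https?:\/\/|www\.)[^\s<>"]*[^\s<>".,;:!?)]/g },
  { name: "EMAIL", re: /[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}/g },
  { name: "PHONE", re: /(?:\+|\b)\d[\d .-]{7,}\d\b/g },
];

// Lowercase and strip accents, as the article says collected verbatim are.
function normalize(text) {
  return text.normalize("NFD").replace(/[\u0300-\u036f]/g, "").toLowerCase();
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Returns the only string that should leave the browser, plus hit counts.
function desensitize(rawText, customTerms = []) {
  let text = normalize(rawText);
  const hits = {};
  const apply = (name, re) => {
    text = text.replace(re, () => {
      hits[name] = (hits[name] || 0) + 1;
      // Uppercase placeholder: the lowercase-only regexes cannot re-match it.
      return `[${name}]`;
    });
  };
  for (const { name, re } of PATTERNS) apply(name, re);
  for (const term of customTerms) {
    const t = normalize(term).trim();
    if (t) apply("CUSTOM", new RegExp(`\\b${escapeRegExp(t)}\\b`, "g"));
  }
  return { text, hits };
}

// Constructed sample input.
const sample = "Très déçu ! Voir https://example.com/x?id=42. " +
  "Rappelez-moi au +33 6 12 34 56 78 ou jean.dupont@example.fr, merci Mme Durand";
console.log(desensitize(sample, ["Durand"]));
```

Because the replacement runs before submission, a reviewer can confirm the behaviour by inspecting the outgoing request body in the browser's network tab and checking that only placeholders appear.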
Activation of the respondent's IP location
The respondent's IP location feature is useful, especially in the case of a search for a nearby service.
To activate it in a survey, go to the distribution linked to this campaign and access the Deployment settings. Then check the fields related to this feature.
When accessing the survey, each respondent can choose whether to share their location or not by answering this message that will appear in their browser.
When it is not necessary in the context of a project, we invite you to disable it because an IP address is indirectly identifying personal data.
Data relevance over time
Data retention
Data relevance over time (limitation of data retention) means that the data collected must be accurate, up-to-date, and retained only for the duration necessary for the purposes for which they are processed. You must inform your customers or prospects of this duration in your Privacy Policy or any other relevant document (notably directly from the survey).
Feedback Management offers you the opportunity to collect personal data in real-time and update it on your account.
The Feedback Management platform offers a standard data retention period of 24 months (771 days to be exact): this retention period is justified to allow you to conduct relevant statistical studies.
This 24-month retention period can be reduced upon request to your Customer Success Manager or Skeepers commercial contact to meet your constraints.
However, we recommend that you do not reduce the retention period of answers and data on the platform to less than 6 months, as this could lead to certain restrictions:
- The solution will no longer be able to provide statistics on dispatches made beyond the chosen period.
- The solution will no longer be able to apply non-solicitation rules beyond the chosen period.
- The solution will no longer be able to provide you with deployment logs beyond the chosen period.
Furthermore, the minimum retention period for backups is 15 days. Contact data will therefore be retained in these backups for 15 days after deletion from the main database.
Finally, application logs may contain contact data and are retained for 6 months. It is not possible to purge these logs of specific data.
At the end of the chosen retention period, the answers to questionnaires and the personal data attached to them will be retained for an additional period of 12 months. They will not be available for consultation by you; their retention is justified only by the reversibility clause, which could be activated during this period and would allow their extraction.
After these additional 12 months, personal data will be anonymized.
Generally, we strongly advise you to regularly export the data from your Skeepers Feedback Management account in XLS or CSV format. To do this, you simply need to create a raw data visualization for each of your campaigns and export the data either once a year or on a recurring basis over a defined period. For more information, we invite you to consult our articles Create a raw data visualization and Share a raw data export via email or via FTP.
If you would like to learn more about the retention of different data, we recommend that you consult the article How is data retention managed by Skeepers Feedback Management?
Anonymization API
After collecting information through a survey, it is possible to anonymize the data of an attribute, based on the ID and value of the attribute. Anonymization will allow you to erase the contact's information (if it exists), encrypted attributes, and all free text attributes/questions.
To learn more about the implementation, we invite you to consult the following section of our API documentation: Anonymize data by attribute value.
We advise you to enable the "anonymize_encrypted_only" option to avoid erasing free text questions, which could make the exploitation of your questionnaires almost impossible.
Inform the data subjects and communicate your Privacy Policy
Information for the data subjects relates to the legitimacy, loyalty, and transparency of data.
As the Data Controller, you are subject to the transparency obligation provided for in Articles 12 and following of the General Data Protection Regulation (GDPR).
You can detail the intended use of the data you collect by inserting an explanatory paragraph at various points in the questionnaire that you can customize: title, subtitle, header, footer, question help text, rich content, or the "Info" button.
Examples of information mentions at the time of data collection are provided below:
For a customer survey:
- GDPR information mention: [Organization's name] wishes to know your opinion on your customer experience. To learn more about the processing of your data at [Organization's name]: [insert a link to your privacy policy] and at Skeepers, our subcontractor: https://skeepers.io/en/privacy-cookie-policy/.
For a marketing survey:
- GDPR information mention: By checking the box, I accept that my information [specify which] will be used for Marketing purposes by [Organization's name].
You have the option to integrate your own privacy policy directly into your Feedback Management questionnaire or create a redirect to the pages of your website dedicated to data collection.
To do this, you can integrate them intuitively into the help text of one of the questions (accessible in the Advanced Settings tab of an item of your survey) or in the "Info" section of your questionnaire (learn more about extra content).
Whether it is for a customer experience survey or for a marketing survey, the concerned parties must be informed:
- that their personal data will be collected and used for the purpose of a customer experience survey or a marketing survey
- and that they will be transferred to a third party, Skeepers, for these purposes
This information must be included in your terms and conditions and privacy policy. Furthermore, the concerned parties must be able to oppose this use in a simple, free, and easy way at any time.
The Feedback Management solution provides a default unsubscribe link in each of its emails and a "STOP" button for the SMS sent, which perfectly meets the requirements in force regarding the right of opposition.
Update your Privacy Policy
It is important to update your privacy policy.
Example of information mention to be included in your Privacy Policy:
- Transfer of data to third parties
To better understand your experience as a consumer of our products/user of our services, we use the services of the survey provider Skeepers to collect your opinion through a questionnaire [displayed on our Website/available by email, SMS or QR code], on the basis [of our legitimate interest (Article 6.f) of the General Data Protection Regulation) / your consent (Article 6.f) of the General Data Protection Regulation)] (at the choice of the Client). We collect/communicate certain of your personal data, strictly necessary for the service ([specify which: name, first name, email address and/or phone number, etc]). You can [object to the transfer of your data/withdraw your consent] at any time. Unless deleted by you in advance, your data will be retained for [XXX] months. Then, your data will be anonymized. Your opinions will be made visible on the following distribution channels: [Google Reviews, etc.]. You can exercise your rights of access, deletion, opposition, modification, limitation, and portability at any time by writing to our data protection officer at @. You have the possibility to lodge a complaint with a supervisory authority. To learn more about data processing at Skeepers: https://skeepers.io/fr/politique-de-confidentialite/.
Accountability
The GDPR provides for the use of a register to record precisely the personal data processing operations you carry out ("Data Processing Register").
Keeping a Data Processing Register allows you to know how you use personal data and to assess their relevance in relation to the purposes pursued (more information on the CNIL website).
Skeepers can provide you with a template of the Data Processing Register of its solution by writing to privacy@skeepers.io.
Cookie management
Before reading this section of the article, we invite you to consult our documentation concerning the cookies deposited by Skeepers Feedback Management collection devices.
- If you only send surveys by email and SMS, you should only refer to the section "Trackers placed by a survey" in the article.
- If you integrate your questionnaires into your websites (for example, in the form of a pop-in), you should only refer to the section "Trackers placed by Skeepers Javascript tag" in the article.
Privacy mode
As for the "Privacy mode", the cookies deposited in this context are considered as "trackers whose purpose is limited to measuring the audience of the site or application, to respond to different needs (performance measurement, detection of navigation problems, optimization of technical performance or ergonomics, estimation of the power of the servers necessary, analysis of the content consulted, etc.) strictly necessary for the operation and current administration of a website or application".
Consequently, they do not require, in accordance with Article 82 of the Computer and Liberties Act, the prior consent of the internet user:
Articles 5 – On trackers exempt from consent §46 of the Deliberation n° 2020-091 of 17 September 2020 on the adoption of guidelines relating to the application of Article 82 of the amended Act of 6 January 1978 on operations of reading and writing in the terminal of a user (in particular "cookies and other trackers") and the repeal of the deliberation n° 2019-093 of 4 July 2019
Indeed, they are mainly intended to avoid excessive solicitation of internet users, to know the pages visited and their number, and to generate random values. Consequently, disabling them would hinder the proper conduct of the service and the experience of users.
LocalStorage key
LocalStorage keys are configured by default in "persistent" mode, which avoids excessive solicitation of prospects at each visit to your site. This information is recorded on the user's device and is never sent to our Feedback Management platform.
The duration of use can be configured through the triggering rule that prevents over-solicitation in the configuration of an integrated distribution on a website.
You can therefore set their lifetime from the back-office of the platform by entering a number of days on the interface, which can be equivalent to 13 months.
If you have any questions, do not hesitate to contact our Customer Care team.