Personal data

This chapter gives an initial overview of what has to be taken into account when processing personal data in accordance with the GDPR and when a data processing agreement (DPA) is required.

The processing of personal data is subject to the EU General Data Protection Regulation (GDPR or in german: DSGVO), which in Germany is in some places still concretized by the Federal Data Protection Act (BDSG new). Personal data are thus subject to special protection - and their processing is associated with a number of conditions and obligations.

The GDPR defines personal data as follows:

any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or one or more specific characteristics expressing the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person;

Whether the data collected in an online survey are personal cannot be said in general terms. But if one relates the population of the interviewees to the information available, the question can usually be answered clearly:

• If you invite participants with personalised links or participation codes and the allocation of addresses to data sets is clearly recognisable, then you are certainly dealing with personal data.
• If it is clear from the data (at least for some data sets) which person it is, then it is personal data, for example
  • if only a small group of persons (e.g. employees of a company) is interviewed and individual persons can be identified on the basis of the information (e.g. department, gender and age).
  • if names or e-mail addresses are mentioned in open text responses.
• If you have a very large (e.g. all German-speaking Facebook users) or very homogeneous (e.g. all students of a degree programme) potential circle of participants and do not ask for names and e-mail addresses, then it is not possible to draw conclusions about individual persons in all rules. Most scientific surveys are designed as anonymous surveys for ethical reasons.

By default, SoSci Survey does not store any additional information (namely IP addresses), which allows the assignment to individual persons and offers the possibility, for example, to collect contact data separately from the remaining data (Data protection in the online survey). However, project managers have the possibility to collect such data (with the question type “Device and transmitted variables”), to ask for names with open text entries, and it is possible to use the Serial mail function in such a way that an assignment of collected data to address data is possible. In these cases one must assume personal data.

Address data (e.g. e-mail addresses or postal addresses) are almost always personal. In SoSci Survey, such data can be stored separately from the survey data, e.g.

• As address list for Sending serial mails when privacy mode “anonymous” or “pseudonym” is selected.
• This may be in conjunction with the question type Opt-in for e-mail distribution..
• With the question type collect contact data separately, e.g. for competitions.

The exact requirements and obligations associated with the processing of personal data can be answered by the data protection officer or by the trusted search engine. If the requirements are not met, the supervisory authorities can impose heavy fines.

Here are a few key points:

• First of all, a legal basis is needed for the processing of personal data. This can be an effective consent by the persons concerned (very helpful!) but also the fulfilment of sovereign tasks in the context of scientific activity at universities. Processing without a legal basis is prohibited.
• If you have personal data processed by a third party (e.g. SoSci Survey GmbH), a data processing agreement is mandatory.
• One has information duties towards the data subjects (= persons whose data are processed), e.g. one has to inform them about the use of the data and about their rights. Because this information is different for each study, there is no __standard _ template in SoSci Survey.
• It is necessary to take appropriate technical and organisational measures to ensure that the personal data is secure and will not be used in a way other than that foreseen in the processing procedure (and possibly agreed to by the data subjects).
• Should the data nevertheless be passed on to third parties or used for other purposes than permitted, the responsible supervisory authority must be informed at short notice (usually within 72 hours).
• In addition, it must be possible to prove at any time that the personal data is being processed lawfully. This includes a list of procedures and an extensive collection of documents.

In short: Since the DSGVO came into force, the processing of personal data is only possible under certain conditions and with a respectable administrative effort. It should therefore be clarified at an early stage whether personal data are actually required in the questionnaire.

Furthermore, the level of protection required for the data depends on the potential risk for the data subject. If only e-mail addresses for invitation e-mails are processed, this data is much less sensitive (risky) than if detailed information on purchasing habits, political attitudes or professional activities is available.

A data processing agreement between the party responsible for the processing (you) and SoSci Survey GmbH is required to …

• if personal data are processed and
• if this is not done on your own survey server (License for your own survey server), but (b) on a server of SoSci Survey GmbH.

SoSci Survey GmbH operates two different survey servers: The standard server www.soscisurvey.de and the Pro-Server s2survey.net (Survey server in comparison).

• The Standard server www.soscisurvey.de is only designed to process personal address data (address list for serial mails and separately collected contact data). No personal data may be collected in the questionnaire on this server.
• The Pro-Server s2survey.net is designed for the collection and processing of personal data. Personal data can also be requested or processed here in the questionnaire (e.g. serial e-mails with data protection mode “personal”).

If you only collect address data (address list for serial mails, separately collected contact data), then you can electronically agree a DPA with SoSci Survey GmbH under Survey Project → Project Settings → Tab Data Protection/ → DSGVO → AVV Online Agreement.

The electronic DPA is agreed by one click and is immediately valid. The DPA and the technical and organisational measures (TOM) can also be downloaded at any time under the menu item mentioned above.

To ensure that the DPA is not overlooked, the serial mail function can only be used after agreement of a DPA.

Important: The agreement of a DPA is only one of several conditions. The other obligations under the GDPR must be fulfilled independently of this.

If personal data is collected during the survey, this is only possible on the Pro-Server s2survey.net, which is subject to a fee. Currently, SoSci Survey GmbH does not charge any additional costs for the agreement of a DPA.

Since this often involves data that poses a medium or high risk for the persons concerned, SoSci Survey GmbH agrees to a DPA in writing in this case. The procedure is as follows:

• You call up our portal for DPAs and download the DPA contract template of SoSci Survey as well as the technical and organizational measures (TOM) there. The general terms and conditions (the “main contract” for data processing) can be viewed at any time on the SoSci Survey Homepage.
• You or your data protection officer (DSB) check the contract template and TOM. The documents have been optimised in consultation with numerous data protection officers, so that further changes can only be made in very well-founded exceptional cases and only for a fee. In general, we only conclude a DPA on the basis of our contract template. Other contracts can only be signed after legal review and approval. The costs incurred for this (approx. 2,500 to 5,000 €, depending on the scope and questions to be clarified) are borne by the client. If the contract imposes further obligations on SoSci Survey GmbH than those provided for in our DPA template, increased usage fees will be charged depending on the risk.
• If you would like to use SoSci Survey on the basis of the aforementioned documents, please fill out the form in portal for DPAs. Please ensure that all information is complete. Important: As the latest end of processing, do not enter the end of the survey but the time when the data should be deleted from the survey server.
• If you do not yet have a customer number (as can be seen in the SoSci Survey User account), please first purchase a user license for the Pro server in the SoSci Survey Shop. This will automatically give you a customer number.
• After sending the information on the DPA, we will create the documents and send them to you by post in duplicate. This can take up to 7 days.
• After countersigning the contracts, send a copy back to SoSci Survey GmbH. Data processing can then begin.

If you agree on a DPA in written form, this is not automatically stored in all survey projects – often it only refers to one or a number of survey projects. Therefore SoSci Survey will still require a DPA when calling the serial mail function. In this case, please send a short e-mail to info@soscisurvey.de and let us know for which survey project the existing DPA should be registered.