This chapter gives an initial overview of what has to be taken into account when processing personal data in accordance with the GDPR and when a data processing agreement (DPA) is required.
The processing of personal data is subject to the EU General Data Protection Regulation (GDPR, or in German: DSGVO), which in Germany is in some places further specified by the Federal Data Protection Act (BDSG new). Personal data are thus subject to special protection, and their processing is associated with a number of conditions and obligations.
Important: The fines and obligations according to GDPR also apply to private persons, students and scientists (e.g. collection of data as part of a scientific study or thesis).
The GDPR defines personal data as follows:
any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or one or more specific characteristics expressing the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person;
Whether the data collected in an online survey are personal cannot be said in general terms. But if one relates the population of the interviewees to the information available, the question can usually be answered clearly:
By default, SoSci Survey does not store any additional information (namely IP addresses) that would allow responses to be assigned to individual persons, and it offers the possibility, for example, to collect contact data separately from the remaining data (Data protection in the online survey). However, project managers can collect such data (with the question type “Device and transmitted variables”) or ask for names in open text inputs, and the Serial mail function can be used in such a way that collected data can be assigned to address data. In these cases one must assume personal data.
Address data (e.g. e-mail addresses or postal addresses) are almost always personal. In SoSci Survey, such data can be stored separately from the survey data, e.g.
The exact requirements and obligations associated with the processing of personal data can be explained by the data protection officer or looked up with a trusted search engine. If the requirements are not met, the supervisory authorities can impose heavy fines.
Here are a few key points:
In short: Since the GDPR came into force, the processing of personal data is only possible under certain conditions and with considerable administrative effort. It should therefore be clarified at an early stage whether personal data are actually required in the questionnaire.
Furthermore, the level of protection required for the data depends on the potential risk for the data subject. If only e-mail addresses for invitation e-mails are processed, this data is much less sensitive (risky) than if detailed information on purchasing habits, political attitudes or professional activities is available.
A data processing agreement between the party responsible for the processing (you) and SoSci Survey GmbH is required to …
SoSci Survey GmbH operates two different survey servers: The standard server www.soscisurvey.de and the Pro-Server s2survey.net (Survey server in comparison).
If you only collect address data (list of contacts for serial mails, separately collected contact data), then you can conclude a DPA with SoSci Survey GmbH electronically under Survey Project → Project Settings → Tab Data Protection/ → DSGVO → AVV Online Agreement.
The electronic DPA is concluded with one click and is valid immediately. The DPA and the technical and organisational measures (TOM) can also be downloaded at any time under the menu item mentioned above.
To ensure that the DPA is not overlooked, the serial mail function can only be used after a DPA has been agreed.
The Online-AVV can be downloaded here in advance for review: Contract template Online-AVV (address data)
Important: The agreement of a DPA is only one of several conditions. The other obligations under the GDPR must be fulfilled independently of this.
If personal data is collected during the survey, this is only possible on the Pro-Server s2survey.net, which is subject to a fee. Currently, SoSci Survey GmbH does not charge any additional costs for the agreement of a DPA.
Since this often involves data that poses a medium or high risk for the persons concerned, SoSci Survey GmbH agrees to a DPA in writing in this case. The procedure is as follows:
If you agree on a DPA in written form, this is not automatically stored in all survey projects – often it only refers to one or a number of survey projects. Therefore SoSci Survey will still require a DPA when calling the serial mail function. In this case, please send a short e-mail to info@soscisurvey.de and let us know for which survey project the existing DPA should be registered.