VERSION 22 March 2018
When ZEF is providing ZEF’s services, ZEF has a dual role under the applicable data protection legislation:
ZEF as a data controller - Users
ZEF as a data processor – Respondents
Should you have a question about a specific survey determined by ZEF’s Customer, please contact directly the Customer entity in question.
ZEF uses personal data to perform ZEF’s services, in particular:
- to review, investigate, research and analyze how to improve and develop ZEF’s services
- to perform statistical analysis on personal data, to understand how individuals use ZEF’s services
- to test ZEF’s services, for the purpose of improving security and troubleshooting
When a User registers to ZEF’s services, User provides the following information to ZEF:
- Email address
- First name and last name
- Picture (optional)
- Facebook page (optional)
- LinkedIn page (optional)
- Twitter page (optional)
- Telephone number (optional)
- Name of the organization or company (Customer) (optional)
- Company website (optional)
- Company’s LinkedIn page (optional)
- Company’s Facebook page (optional)
- Company’s Twitter page (optional)
- Company’s logo or other picture (optional)
- Payment related information (for paid license plans)
○ Credit card number
○ Name on credit card
○ CVC number on credit card
○ Postal code (for USA payment cards)
○ VAT / company ID (when paying with an invoice)
○ International Bank Account Number (IBAN) (when paying with an invoice)
During the use of service, ZEF also processes the following information related to User:
- Information that is collected indirectly or passively when User interacts with ZEF
- ZEF collects usage data whenever User interacts with ZEF’s services
- IP address, browser type, operating system, geographic location
- ZEF collects User Data from third parties if the User gives permission to those third parties to share such information with ZEF
ZEF uses this information to identify User within Customer organization within ZEF’s services. ZEF requires this User Data to verify which individuals use ZEF’s services on behalf of the Customer in accordance with the agreement between ZEF and the Customer. ZEF’s services allow User to access and edit, update or delete their User Data.
ZEF collects User Data to allow Users to have access to, and gain full benefit of, ZEF’s services. ZEF will use User Data for the following purposes:
(i) to process any orders, inquiries, requests or feedback the User or the Customer may have provided to ZEF
(ii) to contact User based on User’s contact under point (i) above, for customer support, as well as to provide User with invoicing information
(iii) to inform Users about ZEF’s services, such as software updates and upgrades, security patches, system enhancements, new software versions, as well as other information regarding ZEF’s services.
(iv) if User has given his/her consent to receive ZEF’s electronic marketing material, ZEF may send such material to User
(v) to meet contractual obligations ZEF has with the Customer
(vi) to comply with applicable regulatory and authoritative requirements
As a data subject the User has the right to withdraw his or her consent at any time. User may easily withdraw his or her consent by choosing to do so in ZEF’s service.
As a data subject the User has the right to access, rectify, cancel, and object to the processing of his/her personal data by directing any such requests to ZEF. ZEF allows Users to exercise these rights by submitting a data subject request through ZEF’s services.
Furthermore, you have the right to lodge a complaint with a data protection supervisory authority.
As a basic principle, ZEF will not store User Data any longer than is necessary to fulfill the purposes for which the User Data was collected, unless longer storage is required by applicable laws or regulations.
ZEF’s current storage practice for User Data is that such personal data will be deleted after the realization of the User’s account resignation, unless longer storage period is required by applicable law.
As a data controller, the Customer in question determines the means and purposes of processing Respondent Data. As ZEF’s services are being used by many Customer entities, these purposes may vary depending on the survey determined by the Customer in question. The Customer is responsible for ensuring that the collection and processing of Respondent Data is carried out in accordance with the applicable legislation and the GDPR.
ZEF will not process Respondent Data for any other purposes or by other means than those instructed by the Customer in question.
Although the Customer determines the types of personal data collected, Respondent Data which ZEF processes on behalf of the Customer typically includes following types of personal data:
- Email address
- Home address
- Phone number
- Date of birth
- Employment details
- Education and qualification
- Business contact details
- Other survey-specific information provided by the Respondent and determined by the Customer
The Customer may also choose to conduct a survey without any personal data being provided from the Respondents. In this event no personal data listed above will be collected and processed.
ZEF also collects personal data about the Respondents in following situations:
- Usage data about the Respondent whenever he/she interacts with ZEF’s services
- IP address and browser type for the purposes of solving technical issues for a maximum period of 31 days at a time
- ZEF collects Respondent Data from third parties if the Respondent gives permission to those third parties to share such information with ZEF
- Email address if the Respondent provides it to ZEF in order to send the Respondent an invitation email to answer to a survey through ZEF’s services
The Customer is responsible for ensuring that a legal basis under the GDPR is established prior to collecting any Respondent Data. For the purpose of using ZEF’s services (surveys), the relevant legal basis is typically consent from the Respondent. In this case the Customer is required to obtain the Respondent’s consent before any collection or processing of personal data is carried out on ZEF’s services. The Customer must also comply with the relevant provisions of the GDPR concerning consent (or other legal basis for processing, if applicable).
Since the Customer as a data controller has control over determining the purposes for which Respondent Data is collected, as well as for the duration for which the Respondent Data is stored, the Customer is responsible for determining when to delete the Respondent Data.
After the end of provision of services under the agreement between ZEF and the Customer, ZEF commits to either delete or return all Respondent Data to the Customer, based on Customer’s choice. ZEF deletes existing copies of Respondent Data unless legislation requires storage of Respondent Data.
To learn more about the third-party data processors used by ZEF, as well as transfers of User Data to third countries, please visit the following link.
ZEF ensures the confidentiality, integrity and availability of personal data processed via ZEF’s services. ZEF implements appropriate technical and organizational measures and procedures in such a way that ensures the protection of data subject’s rights, and always in accordance with applicable data protection law, as well as to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure, access and other unlawful forms of processing. ZEF ensures that all persons processing personal data under its authority and supervision have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
In case of a data security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, ZEF will inform data subjects of the breach without undue delay, including a summary description of the potential impact and a recommendation on measures to mitigate the possible adverse effects of the breach.
ZEF ensures that personal data has been pseudonymized or anonymized wherever possible. ZEF’s services contain appropriate authorization mechanisms to avoid unlawful access, as well as effective encryption has been used to mitigate the risk of data security breaches. ZEF will inform when an updated version of the service is available, and if the update is security critical, users will be prevented from using the old version of the service.
Furthermore, ZEF recommends that data subjects take additional measures to protect information privacy, by keeping confidential account information and passwords.
Business ID 0640379-1
Contact information of person in charge of ZEF’s GDPR matters:
Customer Onboarding Manager