GDPR Compliance
1. Our Commitment
Srvey is committed to protecting the privacy and rights of individuals in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). As a Netherlands-based company, we are directly subject to GDPR and the Dutch GDPR Implementation Act (Uitvoeringswet AVG).
2. Controller vs Processor
Understanding the distinction between data controller and data processor is critical for survey platforms:
- Srvey as Controller — we act as the data controller for account data, billing information, and platform usage data that we collect directly from you.
- Srvey as Processor — when you collect survey responses through our platform, you are the data controller for that respondent data. Srvey acts as a data processor, processing the data solely on your behalf and according to your instructions.
- Your responsibilities — as the controller of survey response data, you are responsible for ensuring a valid legal basis for collection (e.g., consent), providing respondents with appropriate privacy notices, and responding to data subject requests concerning their responses.
3. Legal Basis for Processing
We process personal data under the following legal bases:
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Account management | Contract performance | Art. 6(1)(b) |
| Survey hosting & response storage | Contract performance | Art. 6(1)(b) |
| Billing & invoicing | Contract performance | Art. 6(1)(b) |
| Business record retention | Legal obligation | Art. 6(1)(c) |
| Platform security & fraud prevention | Legitimate interest | Art. 6(1)(f) |
| Marketing communications | Consent | Art. 6(1)(a) |
4. Data Subject Rights
Under the GDPR, you have the following rights:
- Right of Access (Art. 15) — request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16) — request correction of inaccurate personal data.
- Right to Erasure (Art. 17) — request deletion of your data, subject to legal retention requirements.
- Right to Restriction (Art. 18) — request that we limit how we process your data.
- Right to Data Portability (Art. 20) — receive your data in a structured, machine-readable format (CSV export).
- Right to Object (Art. 21) — object to processing based on legitimate interest.
- Right to Withdraw Consent (Art. 7) — withdraw consent at any time for consent-based processing.
To exercise any of these rights, email us at [email protected]. We will respond within 30 days as required by the GDPR.
5. Data Processing Activities
Srvey processes the following categories of personal data:
- Identity data — name, email, team and organisation details
- Survey data — survey questions, configurations, and respondent answers (processed on your behalf)
- Financial data — subscription and billing information
- Technical data — IP addresses, browser information, usage logs
6. Sub-Processors
We use the following categories of sub-processors to deliver our services:
- Cloud infrastructure — EU-based hosting for data storage and processing
- Payment processing — for subscription billing (PCI DSS compliant)
- Email delivery — for transactional emails and notifications
All sub-processors are bound by Data Processing Agreements (DPAs) and are required to comply with GDPR. A detailed list of sub-processors is available upon request.
7. International Data Transfers
Your data is primarily stored and processed within the European Economic Area (EEA). Where data transfers outside the EEA are necessary, we rely on:
- EU adequacy decisions (Art. 45)
- Standard Contractual Clauses approved by the European Commission (Art. 46)
8. Data Breach Procedures
In the event of a personal data breach:
- We will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours if the breach poses a risk to individuals' rights and freedoms.
- We will notify affected users without undue delay if the breach poses a high risk.
- We maintain an internal breach register documenting all incidents and response actions.
9. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) for processing activities that may pose a high risk to individuals, in accordance with GDPR Article 35.
10. Contact & Complaints
For data protection enquiries:
- Email: [email protected]
If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Dutch Data Protection Authority:
- Autoriteit Persoonsgegevens
- Website: autoriteitpersoonsgegevens.nl
- Phone: +31 (0)88 1805 250