When customers want to make use of the Sinzer tool, a Data Controller of the customer's organization should be identified. The name of the Data Controller will be captured in the Sinzer subscription agreement between Sinzer and the customer. The customer gains access to the Sinzer tool after signing the Sinzer subscription agreement as well as a Data Processing Agreement (DPA).
The DPA captures rights and obligations as specified under Article 28.3 of the GDPR:
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data;
- that the processor (Sinzer) deletes or returns all the personal data to the controller at the choice of the controller.
This DPA is attached as an addendum to the Sinzer subscription agreement. Signing both documents is a condition for using the Sinzer tool. In that way Sinzer ensures that all customers are aware of their responsibilities under the GDPR. The Data Controller is responsible for demonstrating that the organisation complies with the six principles outlined in Article 5 of the GDPR:
Personal data must be:
- processed lawfully, fairly and transparently.
- adequate, relevant and limited to what is necessary for processing.
- accurate and kept up to date.
- kept in a form such that the data subject can be identified only as long as is necessary for processing.
- processed in a manner that ensures its security.
and can only be:
- collected for specified, explicit and legitimate purposes after having obtained informed consent.
Features in the Sinzer tool to be able to grant data subjects' rights
An editable form of consent when collecting data via surveys
This form of consent will be shown to respondents of surveys prior to starting the survey. They will need to register their consent (agree with this). If individuals do not agree, they cannot enter the survey.
The form of consent should notify the respondents why their data is collected, how long it will be stored, who they can contact to find out what data was collected and how they can have their data removed. This consent is stored in the system.
The data controller will need to specify the message for the consent. This can be a general message for all projects and surveys in Sinzer, but we recommend that this is further specified per project.
Informed consent in case of data collection by other means than the survey in the Sinzer tool
Surveyed individuals whose data is collected on paper will need to sign a separate document listing their consent. The data controller is responsible for having this document signed and for storing this consent.
Any personal data entered in Sinzer manually or uploaded via Excel is expected to be gathered with the consent of the individuals. It is the role of the Data Controller to make sure this consent is there and that individuals are made aware of who to contact for review or retraction of their information.
An editable survey footer containing contact details of the customer’s Data Protection Officer
On every page of the survey, the contact information for the Data Protection Officer of that community is listed so individuals know, after having given consent, who to contact to:
- Review data stored for them
- Retract (delete) or correct information
- Learn about how their data is protected
Note: this cannot be specified per project, since this is one identifiable person in the customer's organisation.
Anonymised Data Export Files for Subject Access
Individuals have a right to know what information is being held about them. The basic provision is that, in response to a valid request, the Data Controller must provide a permanent, intelligible copy of all the personal data about that Data Subject held at the time the request was made.
The Data Controller may negotiate with the Data Subject to provide a more limited range of data (or may choose to provide more), and certain data may be withheld. This includes some Third Party material, especially if any duty of confidentiality is owed to the Third Party, and limited amounts of other material (“Third Party” means either that the data is about someone else, or someone else is the source.)
None of the data export formats (Excel, Word or CSV) contain personal details such as name, surname and email address; they contain an ID (code) that represents the unique individual instead.
In this way the Data Controller can ensure respondents’ access to their data obtained via a survey. Note that for collecting data on paper or via manual entry, the data controller is responsible for obtaining consent and ensuring that dealing with the data is GDPR compliant.
Documentation of the log-in activity of users
Upon request of the Data Controller, an overview of the log-in activity of the users of the customer's community(ies) and/or account(s) and/or project(s) in the Sinzer tool can be provided.
Helpful articles from Sinzer’s online helpdesk
Two frameworks are available in the Sinzer tool: the Social Return on Investment (SROI), in which impact is expressed in a monetary value, and the Strategic Impact Framework. Clients of both our frameworks can find helpful articles in the Sinzer online helpdesk.