Data Security & Privacy Policy
Role: Formetrics' authorized users are agreed upon in the contract between Formetrics and the customer. The number of people who have access and the extent of such access are also defined in the contract. The customer alone has control over who has access to the data and the location of the individual.
Access: Respondent Personal Data in Formetrics systems.
Geography: Known by customer.

Role: Support personnel, 1st line support Sweden.
Access: Respondent Personal Data in Formetrics systems.
Geography: Sweden

Role: Support personnel, 1st line support Germany.
Access: Respondent Personal Data in Formetrics systems.
Geography: Germany

Role: R&D and Technology Function for Formetrics
Access: All data in customer’s area
Geography: Sweden
1. Introduction
This Policy is part of Formetrics' Personal Data protection process. As a feedback management software provider, Formetrics processes Personal Data from Respondents for surveys and feedback management. Formetrics' role is to ensure that privacy regulations are observed and data subject rights are implemented. This document provides an overview of how Formetrics processes Personal Data for Respondents as a Processor for its Software-as-a-Service provision to customers.
2. Description
Formetrics provides feedback management through a SaaS platform where customers access the software and personal data is stored in the same location. Customers are responsible for complying with applicable law when collecting and processing personal data for surveys. Personal data is used for survey design, invitations, and response assessment. Respondents provide valid consent in compliance with the GDPR, and deletion is the responsibility of the customer. Formetrics provides a process for compliance and will delete all personal data upon termination if the customer has not done so, unless otherwise stated in writing between the parties.
3. Products
Formetrics offers feedback management software and support through a secure Software As A Service (SaaS) platform.
Support is available during office hours via telephone and email for software issues and day-to-day customer concerns. Depending on the customer's request, support personnel may access personal data.
Formetrics also offers training, advisory services, and projects, which may or may not involve processing personal data depending on the customer's requirements and Data Processing Agreement.
4. Parties responsible for protection of Personal Data from Respondents
4.1 Formetrics' customer is the Controller
As the customer of Formetrics, you are considered the Controller and therefore responsible for complying with all relevant legislation. It is also your responsibility to ensure that a Data Processing Agreement is in place with Formetrics that covers all areas relevant to your compliance.
4.2 Formetrics is the Processor
As a provider of services and software that enable you to process data, Formetrics is the Processor in relation to that data. Formetrics processes Personal Data for its customers based on Data Processing Agreements as defined by GDPR.
Formetrics will process data in accordance with the EU General Data Protection Regulation and your instructions in data processing agreements or otherwise.
5. Legal Basis for processing personal data for Respondents
Formetrics' customers are considered the Controller of the Processing of Respondent Personal Data. Formetrics' basis for processing will therefore always be a Data Processing Agreement with the customer.
The customer's basis for processing Respondent Personal Data, for which it is the Controller, is defined by the customer itself. As consent will often be the relevant legal basis, Formetrics provides functionality that allows the customer to collect valid consent from its respondents.
If the customer chooses not to collect personal data using the default settings, they must document their legal basis for processing outside of the Formetrics software.
6. Types of Personal Data processed for Respondents
Formetrics may process a wide range of Personal Data from respondents, depending on the nature and objectives of the survey. This may include personal information such as name, address, phone number, email address, family information, age, date of birth, marital status, number of children, employment and education details, and business contact information. The responses provided by the respondents may also cover any relevant area related to the survey topic.
7. The purpose and duration of the processing
The purpose of processing Respondent Personal Data will in all cases be defined by the Customer. In order to collect valid consent from Respondents, Formetrics will provide the Customer with the ability to enter the purpose of processing in the survey before it is published as a default setting.
8. The subject-matter of the processing
Formetrics' processing of Respondent Personal Data will in all cases be performed in order to provide feedback from Respondents to its customers or to its own organization. Feedback can be relevant for shorter duration processes, or for processes where trends are studied for many years. The specifics will be defined for each specific survey or set of surveys, and the purpose of processing will be determined by the customer.
9. Access to Respondent Personal Data
9.1 Personnel with access to Respondent Personal Data are located as follows:
9.2 Access to Respondent Personal Data may be granted to authorized personnel in additional locations or by additional individuals in order for Formetrics to provide support, advisory services, or professional services to its customers. This access and the extent of it will be agreed upon in the contract between the customer and Formetrics. However, the customer remains in control of who has access to the data and the location of the individual with access.
10. Retention and deletion of Respondent Personal Data
10.1 Formetrics as processor does not at any point define retention time for Respondent Personal Data, or provide advice to the controller about the duration of retention time. The retention time for Respondent Personal Data will be defined by the controller (Formetrics’ customers) for each survey.
10.2 When a respondent requests to be deleted from the software, Formetrics' customer will be able to perform such deletion within the software. The functionality for this is available in the system. If the customer requires assistance with the deletion, Formetrics will provide support. The customer is responsible for maintaining a list of the respondents who have requested deletion to fulfill their requirements towards the respondent.
10.3 As Formetrics is the Processor and not the Controller of the Personal Data, it will carry out the deletion of Personal Data only on the instruction of the Controller (i.e. the customer). Therefore, if an agreement between the customer and Formetrics has expired or terminated, and the customer has not deleted the Personal Data in the system, Formetrics will delete such data only upon the instruction of the customer. If no instruction is provided, Formetrics will keep the Personal Data for the retention period as defined by the customer in the Data Processing Agreement.
11. Process in case of personal data breach
In cases of a personal data breach as defined by the GDPR, Formetrics will follow the steps outlined below:
Step 1 – Notification to the Appropriate Personnel: Formetrics will inform the General Counsel, Privacy Officer, or Data Protection Officer when an assumed personal data breach is discovered. The persons listed above will assess whether a personal data breach has actually occurred. If there is no personal data breach, the process will end at this stage.
Step 2 – Notification to the Customer: If a personal data breach has taken place, Formetrics will ensure that all affected customers are informed without undue delay. The customers will be notified within the timeframes set in the contract and GDPR. Information will be provided to the correct authorized party in the customer's organization, as defined in the contract. The information will be provided via email unless otherwise agreed upon in the contract.
Step 3 – Assessment of Obligations to Data Protection Agency and Data Subjects: Formetrics' Data Protection Officer will evaluate whether Formetrics is obligated to inform the Data Protection Agency or Data Subject based on the law or contract. If Formetrics is obligated to inform, the Data Protection Officer will initiate the process.
12. Information security
All personal data of respondents is processed in strict accordance with Formetrics' IT Governance Policy, which sets out the company's IT security regulations. The policy is reviewed and updated on a regular basis to ensure that all personal data is protected to the highest possible standards.