The General Data Protection Regulation (“GDPR”) is a cornerstone of data protection law in the European Union (“EU”). It provides a unified legal framework governing the collection, use, and protection of personal data across all EU member states. The GDPR strengthens individuals’ rights to privacy and transparency in response to technological advancements, globalisation, and the increasing complexity of international data flows.

Since its enforcement in May 2018, the GDPR has become an established and integral part of Voyc’s compliance framework, shaping how we handle, process, and safeguard personal data.

Voyc is fully committed to GDPR compliance, and enabling our customers to comply with GDPR. Voyc maintains a robust privacy and security program that we continually improve to meet the needs of our customers, and to maintain industry standard data protection among research software providers. We have consistently reinforced our commitment to privacy and security and the most recent GDPR compliance changes to our policies and functionality, including breach notification policies, new data expiration controls in your account, and the right to be forgotten for any customer or research participant.

For both our customers and their research participants as part of using the Voyc services, GDPR regulates the “processing” of personal data of any EU resident (who is referred to as a “data subject”). “Processing” includes the collection, storage, transfer, or use of personal data. This means that any company that processes the personal data of any data subject, regardless of where the company is based, is subject to the rules of GDPR. Additionally, GDPR defines personal data very broadly, and includes name, email, demographic information, real-time location, online activity, and health information, to name a few.

Voyc receives millions of data points from all over the world, including data that contains personal data from research participants or our site visitors, app users, or any other platform you use Voyc Services. This means that both Voyc and the customers sending us data will need to comply with the requirements of GDPR.

As between Voyc and our customers, Voyc is the “data processor” and the customer is the “data controller”, as such terms are defined under GDPR. The data controller can use Voyc to collect data from our data subjects (i.e., a customer’s end users) and says how and why personal data is processed. The data processor receives the data from the data controller and acts upon instruction from the data controller.

Voyc hosts EU and UK data in AWS Ireland in accordance with GDPR and POPIA requirements, as described in the Data Protection Policy.

Identifying and appointing a Data Protection Officer (DPO), Data Controller, and Data Processor, is all part of GDPR. Voyc has identified these roles internally, and has measures in place to fulfill the responsibilities of each of these roles.

All staff at Voyc, including HR, Marketing, Research Recruitment, and IT, complete appropriate training in-line with the requirements of the regulation.

GDPR empowers “data subjects,” the individuals from whom the data has been collected, to control who has their data. Today, we already provide users with data export functionality and the ability to delete customer data. However, to further build on these features for GDPR, we will be making it easier for customers to request data deletion and export.

Voyc recognises its responsibility to carefully evaluate the vendors that support the delivery of our services. As part of our GDPR compliance framework, all vendor relationships are governed by contracts that explicitly address the security, privacy, and confidentiality of customer data.

Each vendor undergoes a thorough privacy and security assessment conducted by Voyc’s legal and security teams. We also ensure that customer data is hosted by an industry-leading provider with a robust security programme and appropriate certifications, consistent with GDPR compliance and best practice.

Voyc now offers a Data Processing Addendum (“DPA”) and an executable version.

Voyc’s security information is detailed in our Trust Centre.

If you would like more information or have follow-up questions please reach out to us at infosec@voyc.ai or visit https://ec.europa.eu/info/law/law-topic/data-protection_en