The General Data Protection Regulation (“GDPR”) is a new comprehensive data protection law in the European Union (“EU”) that updates existing laws to strengthen the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. It replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state. GDPR is effective as of May 25, 2018.

Voyc is fully committed to GDPR compliance, and enabling our customers to comply with GDPR. Voyc maintains a robust privacy and security program that we continually improve to meet the needs of our customers, and to maintain industry standard data protection among research software providers. We have consistently reinforced our commitment to privacy and security and the most recent GDPR compliance changes to our policies and functionality, including breach notification policies, new data expiration controls in your account, and the right to be forgotten for any customer or research participant.

For both our customers and their research participants as part of using the Voyc services, GDPR regulates the “processing” of personal data of any EU resident (who is referred to as a “data subject”). “Processing” includes the collection, storage, transfer, or use of personal data. This means that any company that processes the personal data of any data subject, regardless of where the company is based, is subject to the rules of GDPR. Additionally, GDPR defines personal data very broadly, and includes name, email, demographic information, real-time location, online activity, and health information, to name a few.

Voyc receives millions of data points from all over the world, including data that contains personal data from research participants or our site visitors, app users, or any other platform you use Voyc Services. This means that both Voyc and the customers sending us data will need to comply with the requirements of GDPR.

Voyc Data Collection

As between Voyc and our customers, Voyc is the “data processor” and the customer is the “data controller”, as such terms are defined under GDPR. The data controller can use Voyc to collect data from our data subjects (i.e., a customer’s end users) and says how and why personal data is processed. The data processor receives the data from the data controller and acts upon instruction from the data controller.

Data Protection Officer (DPO)

Identifying and appointing a Data Protection Officer (DPO), Data Controller, and Data Processor, is all part of GDPR. Voyc has identified these roles internally, and has measures in place to fulfill the responsibilities of each of these roles.

Company-wide Awareness and Training of Data Protection

All staff at Voyc, including HR, Marketing, Research Recruitment, and IT, complete appropriate training in-line with the requirements of the regulation.

Enhanced Data Deletion and Export Features

GDPR empowers “data subjects,” the individuals from whom the data has been collected, to control who has their data. Today, we already provide users with data export functionality and the ability to delete customer data. However, to further build on these features for GDPR, we will be making it easier for customers to request data deletion and export.

Comprehensive review of vendors

We know that we have an important responsibility when it comes to scrutinizing the vendors we use to help us provide our services to our customers. Part of our readiness plan is making sure that our contracts adequately address the security, privacy, and confidentiality of our customers’ data under GDPR; you can be confident that our vendors have undergone a thorough privacy and security review by Voyc’s legal and security teams. We’ve also ensured your data is stored with an industry leader with a robust security program and appropriate security certifications.