Data Processing Addendum (GDPR)

Download this document
Introduction
Hereby we would like to tell you more about how we collect, process and use data according to the General Data Protection Regulation (GDPR). Below we will describe what personal data YoHe processes and for what purposes. YoHe collects personal data as a contractor.
YoHe's main activity is to conduct surveys for its customers using pop-up windows on the website or in the mobile application.
What is YoHe
YoHe sells or licenses the application through which its customers (companies) can ask their customers (consumers) to participate in a survey in order to get feedback on their own products or services (hereinafter referred to as the application).
The application is filled by the client himself with questions that he wants to ask the consumers. The client can log in the application, fill it out additionally and / or revise it. The client determines which customers are asked to fill out the questionnaire and what personal data they want to receive from the consumer.
The following personal data, as a rule, is requested in the application and then processed by the client personally: last name, first name, middle name, address, e-mail address, telephone number. YoHe client must determine what personal data he is requesting from the customer.
So far as the data mentioned above can identify an individual, it is considered to be "personal data" according to GDPR.
The application can be viewed not only by the client, but also by YoHe. In addition to the specified personal data, YoHe also knows the following metadata: browser, pages visited by the consumer, hardware, URL. This information can't identify individuals, so in this case there can be no question that this is personal data according to GDPR.
The IP address used by the consumer gets into YoHe system, but is immediately automatically converted to a location that is not further specified, indicating only the place of residence and country, without the street name or house number. The IP address is then immediately removed, not stored, and no longer tracked. Thus, there can be no question that this is personal data.
Controller/processor in Core Business
The GDPR defines the ‘controller’ - briefly – as the person who sets the goal and the means for the processing of personal data.
A ‘processor’ under the GDPR is the person who – not being employed by the controller – processes the personal data on behalf of the controller.
With regard to the personal data which is processed in the course of YoHe’s core business it is the client who sets the goal and the means for the processing. The application is a tool for obtaining the personal data and whilst the application is supplied to the client by YoHe, it is the client who fills in the application (and therefore establishes the goal for which the application is being used) and who determines that this application is to be used (and therefore determines the means for the processing).
YoHe is not employed by the client, but by providing the application and ensuring that the application continues to work, and by also being able to view the results of the application, it processes the personal data on behalf of the client and is therefore to be regarded as the processor. YoHe makes no independent decisions with regard to this personal data.
Goal of Core Business
Because it is YoHe’s client who determines what personal data is obtained and what is to be done with it, it is YoHe’s client who sets the goal.
The application involves the client asking consumers to fill in a questionnaire. It is down to the client to ask for the consumer’s consent and/or to enter into an agreement with them.
YoHe and its client enter into a contract for the use of the application and a contract covering the processing of personal data. Under the terms of this latter contract YoHe has no control over the personal data placed at its disposal. It makes no decisions over the receipt and use of the data, its supply to third parties, and the duration of storage of data. Control over the personal data provided under the contract is never vested in YoHe.
YoHe does not use the personal data for any purposes other than those set by its client.
Period of retention of personal data in the core business
YoHe retains the personal data for as long as the contract with the client continues. This may be different if the contract with the client contains some other agreed term.
The possibility exists of agreeing with the client that YoHe retains the personal data for a specified period of time, after which it is automatically deleted without a copy being retained.
Deletion of personal data in the core business
YoHe will at all times and upon first request by the client immediately destroy all extracts and copies received from the client and/or data relating to the client which is processed on behalf of the client, in a manner to be further determined in mutual consultation.
Internal management, technical and organisational security measures in the Core Business
The personal data is stored in encrypted form in YoHe’s database. This comprises the name, address, place of residence, email address and telephone number of the client’s customers. Only authorised persons, employees of YoHe, have access to this data. Only senior employees and management of YoHe’s product related teams have access to this. Product related teams are YoHe’s teams that are charged with the operational development, support, maintenance and testing of YoHe’s software (YoHe’s product). Other teams/divisions, such as Sales, Marketing, HR, Office Management and Finance have no access to this data.
All YoHe’s personnel have signed a confidentiality statement and they are all aware that no personal information may be disclosed outside the company.
In order to prevent the risk of data loss a backup is made every day, and backups are kept for a period of one month.
This website uses cookies to provide visitors with the best experience. By continuing to use this site you consent to our use of cookies as described in our Privacy Policy Accept