IdSurvey and GDPR

Data Protection, GDPR and Information Security

How we respect GDPR as data processor

Data security

We guarantee data security adopting security measures that are adequate to the risk, as the article 32 of the GDPR commands: we guarantee privacy on treatments (binding our employees to privacy) and we adopted policies on personal data violations to alert the data controller without unjustified delay about all data violations we might discover. Lastly, once the services are over, according to instructions received by the controller, we allow him to export or delete all data from our system and we won’t save any copy.

Alert, assist and advise the controller

We collaborate with the data controller alerting, assisting and advising him on our system functioning; We’ll provide assistance to the titolare to allow him to handle requests related to the practice of the rights of the person concerned and, keeping in mind the nature of the processing and information we have, we’ll help the controller to guarantee conformity with the security requirements of the processing, the data violation notification and the evaluations on data protection impact.

Privacy by design and by default

Being aware of the duties that weigh on the controller with regards to privacy by design and privacy by default, in accordance with the article 25 of the Regulations, and the instrumentality that characterizes the role of the processor, so that the processing satisfies GDPR requirements and guarantees the protection of the rights of the person concerned. Specifically:
  • from the designing phase of our system, we apply adequate technical and organizational measures to effectively realize the data protection principles as the minimization, and integrate the required warrantees in the processing to satisfy requirements of the Regulations and protect rights of the people concerned (privacy by design);
  • we apply adequate technical and organizational measures to guarantee that only personal data required for each specific purpose of the processing are processed by default setting (privacy by default). For example:
    • we make available the possibility to manage and delete every type of data;
    • we allow to set complex passwords that match high security requirements;
    • we allow to set an expiration date on passwords;
    • we allow to create users with customized authorizations;
    • we allow to display and edit all data related to the contacts;
    • we allow to display all data collected in interviews completed by the users;
    • we allow to set customized privacy texts with acceptance flag.
Read more on characteristics and certifications of our OnCloud infrastructure.

Are we obliged to nominate a data protection officer (RPD or DPO)?

We’re not obliged to nominate a DPO: the nomination is mandatory in three hypothetic scenarios:
  • the processing is performed by a public authority or a public institution;
  • the main activity, made on behalf of the controller, involves the regular and systematic large-scale monitoring of the people concerned;
  • the main activity, made on behalf of the controller, involves large-scale sensitive data (particular categories of personal data) or juridical data (data related to penal sentences or crimes).
The recommendation to better define the compulsoriness of DPO nomination are deducted from the Guideline on data protection officer (RPD or DPO) published by the Working Party Article 29 that, at paragraph 2.2, addresses the nomination of the DPO by the processor, giving a few examples. As our main activity is not represented by large-scale processing like those described above, we’re not subjected to nomination obligation.

We’re available to subscribe agreements on data processing

We’re available to provide or subscribe agreements that include (in writing):
  • the content and the duration of the service that the controller will perform on behalf of the processor;
  • the nature and scope of the processing;
  • the personal data type processed on behalf of the controller;
  • the categories of people concerned;
  • the duties and rights of the data controller;
  • the duties and rights of the data processor, as established by the article 28 of the Regulations.

We own records of processing activities

As established by the Regulations, we own records of processing activities that we make on behalf of the controller. The records in writing include:
  • name and contact data of each data controller for whom the data processor operates;
  • the categories of processing done on behalf of every data controller;
  • when applicable, personal data transmission to third country or to an international organization, and the documentation of adequate warrantees they’re based on;
  • a general description of technical and organizational security measures of the article 32, paragraph 1 of the Regulations.

Obligations of the processor to nominate a sub-processor

We’re aware that the data processor can nominate another data processor only upon written authorization of the data controller. We communicate data of our sub-processor when the agreement on processing is subscribed that will include the proxy for the following nominations. We impose to the sub-processor, through an agreement, the same obligations for data processing included in the contracted subscribed between the data controller and the data processor.

Data violation

The violation of personal data is a security violation that implicates the accidental or illegal destruction, loss, modification, un-authorized disclosure or access to personal data transmitted, stored or processed in any way. If we acknowledge a violation, we would inform the data controller with no unjustified delay. We adopted a company policy that allow us to assist the data controller in guaranteeing conformity of processing to rules that preside over their security, including those related to personal data violation.

Role of the processor on impact assessment

The controller is the one that has to make the impact assessment on data protection in accordance with Article 35 RGPD and the related responsibility weighs on him and it cannot be transferred on the processor. However we give assistance to the controller in conducting DPIA providing all needed information, as established in the processing agreement.

Knowledge base

Enter the knowledge base to discover all the solutions and strategies for setting up and designing questionnaires.

Guide and papers

IdSurvey has an online guide for all features of the software so you can easily discover all tools.

Help Desk support 24/7

Using your ticket area you can request technical assistance. One of our experts will answer you back shortly.

Methodologies compared: advantages and disadvantages of data collection via telephone, web and on field. (CATI, CAWI and CAPI)


CATI methodology (Computer Assisted Telephone Interview) improved telephone interviewing process. In fact, a software automatically support and lead the interviewer during data collection. Thus, they see questions on the screen followed by possible answers. For this reason, it has several advantages:
  • high quality of collected data: you avoid any interviewer misinterpretation or incorrect question administering;
  • time reduction: automatic callback managed by the system. The interviewer can also directly insert the data with no use of paper;
  • more accuracy: being completely automated, there’s no room for mistakes or unclear compiling;
  • complete control on interviews progress: you can check in real time completed, incomplete and dropped interviews.


Web revolution has been crucial to market research evolution. This is particularly true for CAWI methodology (Computer Assisted Web Interviewing). Back in the days, with CAWI you could reach just around 20% of the population. So it was used just for limited purposes. Today, you reach wide and generic population (an entire country, a multinational corporation…). A link is sent to the respondents via email. They just follow the link to complete the questionnaire. Main characteristics of CAWI method are:
  • 1. the software autonomously send the emails and takes care of their following classification. Finished questionnaires are marked as complete.
  • 2. the respondent is invited via email and clicks on the link to answer the questionnaire. Obviously you need to have all email addresses of your respondents to carry on a CAWI survey.


CAPI method (Computer Assisted Personal Interview) is the tech evolution of Face to Face research. An interviewer collects the data in a face to face meeting with the respondent. Using a mobile device or PC even offline, the interviewer carry on the interview and send back the answers in real time. Data are immediately sent to the main server. CAPI is used a lot in Mystery Client research: mystery clients can discreetely complete their task in their smartphone or mobile device.

Observations on CATI CAWI CAPI Surveys

To sum up, we compared CATI CAWI CAPI Surveys. And each one of them represented a step forward for market research. Now it’s time for some observations on the actual effectiveness of these methodologies. CAWI methodology has several advantages but requires all respondents to have an email account and a basic knowledge of computers to correctly complete the questionnaire. CAPI methodology’s biggest quality is the real face to face interaction between respondent and interviewer. In contrast, the average number of completed interviews in a working day is usually lower than CATI. CATI methodology guarantees the benefits of the other two techniques above. Specifically, an heterogeneous target and the call agent that can help the respondent during the interview. But CATI is still the most expensive method because of higher costs linked to the call center, the interviewers and phone traffic.