General Data Protection Regulation (GDPR)

Learn about the General Data Protection Regulation (GDPR). This article is an overview of compliance best practices when using UserZoom Manager. This information should by no means be seen as legal advice. We strongly advise customers to always consult their internal compliance team and/or privacy attorney regarding legal matters.

Plan Availability: All Plans
👥 User roles: Owner, Admins, Researchers, and Collaborators
For more information, see our article on how to find your plan and user role.


On this page:



What is GDPR?

  • The General Data Protection Regulation (GDPR) came into force on May 25, 2018, and is an EU regulation that dictates the rules on how EU citizen personal data can be collected, processed, and stored.
  • GDPR impacts all organizations worldwide that handle the personal data of EU citizens, regardless of their location.
  • GDPR discerns between three key entity roles:
    • Data Controller
      • The party determining what data is to be collected, for what purpose, from whom, how it is to be collected, and how it is to be used.
      • UserZoom customers are the Data Controllers of any data collected in UserZoom studies.
    • Data Processor
      • Executes the instructions given by the Data Controller regarding data processing.
      • UserZoom is the Data Processor of any data collected in UserZoom studies.
    • Data Subject
      • The individual whose data is being collected.
      • Participants of a UserZoom study are the Data Subject.



How this impacts your organization when using UserZoom

  • GDPR helps EU citizens have control over their data by enforcing rules related to:
    • A legal basis for use (Consent):
      • Data Controllers need a ‘lawful basis’ in order to process an individual’s personal data. In the context of the studies carried out on the UserZoom platform, consent is the most appropriate lawful basis for processing.
      • When relying on the consent of a Data Subject, such consent should be clear and explicit consent and obtained prior to the collection of the Data Subject’s personal data. When seeking consent for various different purposes, the consent for each should be requested separately.
      • If purposes for data processing change after consent was obtained or if an additional purpose is envisaged, Data Controllers need to obtain new, specific consent.
    • Data Subject Rights:
      • Data Controllers are responsible for guaranteeing that Data Subject rights, as defined under GDPR, are respected.
      • Data Subjects have the right to request to have their personal data rectified or permanently erased.
      • If such a request is received by UserZoom, it will be communicated to the customer (Data Controller), so that they instruct UserZoom (Data Processor) on how to proceed.
  • For more information, learn how UserZoom can help you comply with GDPR.




If my company is based outside the European Union, does the GDPR apply to me?

GDPR applies whenever personal data of EU citizens, including data collected from EU citizens located outside of the EU, is collected or processed.


Where is UserZoom data stored?

EMEA and APAC customers: Ireland and Germany

NAM and SAM customers: United States


Can I avoid collecting Personal Data from a participant?

Yes. By default, UserZoom doesn't collect any personal data. Studies can be designed so they don't ask for any personal data.


How does UserZoom help you comply with the GDPR obligation to return or destroy all EU personal data?

UserZoom allows you the possibility to delete the data at the study level through the platform. For granular data deletion, you can always contact us.


Can I delete the customer’s personal data from UserZoom backups?

No. The nightly backup dataset contains all customer data and is used for disaster recovery purposes only. This is required for legal and compliance reasons related to availability obligations. All UserZoom backups are encrypted by default as a compensatory measure.


Does UserZoom ensure that customer data is accessed only by employees that have a reasonable justification for doing so?

Only qualified UserZoom employees with a specific need are permitted to access your account. A common reason for accessing your account would be when Product Support has been contacted and need to troubleshoot or investigate. UserZoom employees do not routinely access any customer account except when specifically asked and solely for the purpose of providing the services under the agreement.


How can we ensure that we can collect appropriate consent from participants on the UserZoom platform?

UserZoom includes an editable consent page which you may use in order to request specific consents from participants. Customers also have the option to include links here when needed (e.g. to refer a participant to the relevant Privacy Policy).


Please provide any feedback you have on this article. Your feedback will be used to improve the article and should take no more than 5 minutes to complete. Article evaluations will remain completely confidential unless you request a follow-up. 

Was this article helpful?
2 out of 2 found this helpful