Bloomin provides a service in the form of a SaaS-based (Software as a Service) platform for creating and sending surveys, polls and questionnaires. The service is associated with a dashboard allowing the analysis of survey results. The Customer is entirely autonomous. At his/her own pace, he/she creates and sends surveys, and can access analyses at all times via the dashboard.
Information Collected and Purposes
Bloomin surveys are used by “Survey Designers” on the one hand and by “Survey Respondents” on the other.
On the respondent side, Bloomin allows respondents (usually employees of a company) to share regular feedback within the company. Depending on the settings established by the Customer, feedback is shared transparently with all members of the same survey. The respondent can thus situate him/herself in relation to all the participants.
On the Customer side (usually management, or human resources departments), Bloomin reports survey responses in a dashboard to enable analysis over time. The objective, among others, is to continuously measure and improve the experience by identifying blocking points, weak signals and commitment or motivation levers to implement regular action plans.
Provisions relating to the General Data Protection Regulations (GDPR):
The purpose of these obligations is to define the conditions under which Bloomin undertakes to carry out, on behalf of the “controller” (the Customer, signatory of the contract with Bloomin) the personal data processing operations defined below.
Bloomin is authorised to process, on behalf of the data controller, the personal data necessary to provide the service defined above.
The nature of operations performed on data consists of its storage for restitution in the form of a dashboard allowing an analysis.
The personal data processed comprises:
- The data provided by the data controller (Email and any other data provided)
- Responses completed by survey respondents
- Navigation data
Those concerned are the employees of the company for whom the data controller and the managers or departments wish to collect feedback.
Obligations of the Customer:
It is up to the controller to provide the information to the persons concerned by the processing operations at the time of data collection.
Bloomin undertakes to assist and advise the data controller in his/her compliance with certain obligations laid down by the European regulation.
Should the persons concerned exercise their rights in relation to Bloomin, Bloomin sends these requests upon reception by email to the data controller.
The data controller undertakes to:
- Provide Bloomin with the necessary data for the purpose of data processing
- Keep in writing any instructions regarding the treatment of Bloomin data
- Ensure, both upstream and throughout the duration of the process, compliance with the obligations laid down by the European regulation on the protection of data on Bloomin’s part
- Oversee processing, including the performance of audits and inspections in relation to the subcontractor
Obligations of Bloomin:
Bloomin undertakes to:
- Process data only for the purposes defined in the “Information Collected and Purpose” section.
- Process the data in compliance with the instructions provided by the data controller.
- If Bloomin considers that an instruction constitutes a breach of the European Data Protection Regulation or any other provision of EU law or data protection law of the Member States, it shall immediately inform the controller. In addition, if Bloomin is required to transfer data to a third-party country or to an international organisation, under Union law or the law of the Member State to which it is subject, Bloomin must inform the person responsible of this legal obligation before the processing, unless the law prohibits such information for reasons of public interest.
- Guarantee the confidentiality of the personal data processed under this contract
- Ensure that persons authorised to process personal data under the contract between Bloomin and the Customer:
  - undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality
  - receive the necessary training in the protection of personal data
- Take into account, with respect to its tools, products, applications or services, the principles of data protection from conception and security of data by default
- To work with trusted partners (the subcontractor) to provide some aspects of the service. The subcontractor is required to respect the same obligations as Bloomin according to the instructions of the controller. It is Bloomin’s responsibility to ensure that the subcontractor provides the same adequate guarantees as to the implementation of appropriate technical and organisational measures to ensure that the processing meets the requirements of the European Regulation on data protection. If the subcontractor does not fulfil his/her data protection obligations, Bloomin remains fully accountable to the person responsible for processing for the other subcontractor’s performance of its duties.
- Notify the controller by email of any breach of personal data within a maximum of 48 hours after having read it. This notification shall be accompanied by all relevant documentation to enable the controller, if necessary, to notify such breach to the competent supervisory authority.
- Assist the data controller in carrying out data protection impact assessments. Bloomin assists the controller in carrying out the prior consultation of the supervisory authority.
- Assist the controller in fulfilling his/her obligation to respond to requests for the exercise of the rights of data subjects: freedom of access, rectification, erasure and opposition, right to limitation of treatment, data portability rights, the right not to be the subject of an individual automated decision (including profiling). When data subjects apply to Bloomin for the exercise of their rights, Bloomin must send these requests as soon as they are received by email to the data controller.
- To implement the appropriate technical and organisational measures to ensure a level of security adapted to the risk and, in particular, to the pseudonymization and encryption of personal data. Bloomin takes steps to ensure that any natural person acting under the authority of the controller or Bloomin, who has access to personal data, does not process them, except upon request of the controller, unless obliged to do so by Union law or by the law of a Member State.
- At the end of the contractual relationship with the controller:
  - to destroy all personal data on request
  - to anonymise and not retain personal data for more than three years, except those necessary to comply with applicable laws and regulations and which may be preserved in routine backup copies for disaster recovery and business continuity.
- Keep in writing a record of all categories of processing activities performed on behalf of the controller.
- Provide the controller with the necessary documentation to demonstrate compliance with all his/her obligations and to enable audits, including inspections, by the controller or other auditor that he/she has mandated, and to these audits.