Personal Data - Who is responsible for it?

Marvel
Marvel
  • Updated

This sets out some high level answers to the obligations you and Ballpark each have in relation to any personal data involved in your use of the Ballpark services.

We’ve pulled out the high level answers we think you’ll need below, but for the avoidance of doubt, this doc is based on our full Terms and Privacy Policy, which should always be referred back to as the source of truth.

What is Personal Data?

“Personal Data” means data about an individual who can be identified either from that data or by combining the data with other information which we have access to.

Who is the Data Controller and who is the Data Processor?

Ballpark as Data Controller

Ballpark is the data controller of your own personal data and any personal data of team-mates or colleagues who are other users on your account, including any personal data that might be voluntarily uploaded to the site as part of your research survey build.

You as the Data Controller and Ballpark as the Data Processor

Where you invite third party users to your research survey, we are processing personal data under your instructions, and you will retain control over any personal data submitted by your testers. Therefore you are the data controller, and Ballpark is the data processor.

Scenario one: Setting up your research survey

Before you have invited any third party users or participant testers to your research survey, you (and potentially any team members or colleagues of yours) will be interacting with the Ballpark service to set up your research project.

In this scenario, Ballpark is the data controller and responsible for your personal data. You acknowledge that we may process personal data provided by you to provide the Services.

For more information on how we may use your personal data, see our Privacy Policy.

Scenario two: Inviting testers to your research survey

Where you use the Ballpark services to gather research responses from testers, whether known or unknown to you, you will be the data controller, and Ballpark will be the data processor of any personal data from testers.

Known participant testers:

Known testers could include your own employees or customers who you individually invite to access your research survey. You will be the data controller of personal data (such as names and email addresses), and Ballpark will be the data processor.

Anonymised participant testers:

Through Ballpark you may also invite anonymised participant testers to your project. You will only see anonymised demographic data relating to participants for screening purposes; this would not include personally identifiable data.

Over the course of your research you may collect personal data from your anonymised participant testers (audio, video recordings or screen-recordings that include personal data). Your participant testers may also choose to disclose personal data over the course of the research survey. You will be the data controller of that personal data, and Ballpark will be the data processor.

Your obligations

  • You must comply with all Applicable Data Protection Laws relating to the protection of Personal Data which apply to your business.
  • You warrant that you have the right to transfer your Personal Data to us so that we may deliver the services to you.
  • Where you are the data controller, if your participant testers want their data deleted or forgotten, the request would go to you (rather than Ballpark), and you would be obliged to carry out their request.
  • Where you are the data controller, you confirm you have all necessary appropriate consents in place to cover this.
      • Where you do not have any particular documentation in place to cover your relationship with your testers, you are permitted to rely on Ballpark’s Privacy and Cookie policy, but with you, the user of Testing Services, rather than Ballpark being deemed the data controller.
      • For more information on this, please see our Privacy Policy.

Ballpark obligations

  • Ballpark must comply with all Applicable Data Protection Laws relating to the protection of Personal Data which apply to our business.
  • We will handle personal data only to the extent that is required to provide our services to you
  • We will take reasonable technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage
  • ensure that anyone who has access to personal data keeps it confidential
  • not transfer personal data outside of the European Economic Area without adequate measures in place to protect it
  • notify you without delay if we become aware of a breach of security which has resulted in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data
  • if you ask us to and in any event on termination of your subscription, delete any personal data held
  • provide you with information to allow you to comply with your obligations under Applicable Data Protection Law
  • maintain records to show we have complied with these obligations

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request