This sets out some high level answers to the obligations you and Ballpark each have in relation to any personal data involved in your use of the Ballpark services.
What is Personal Data?
“Personal Data” means data about an individual who can be identified either from that data or by combining the data with other information which we have access to.
Who is the Data Controller and who is the Data Processor?
Ballpark as Data Controller
Ballpark is the data controller of your own personal data and any personal data of team-mates or colleagues who are other users on your account, including any personal data that might be voluntarily uploaded to the site as part of your research survey build.
You as the Data Controller and Ballpark as the Data Processor
Where you invite third party users to your research survey, we are processing personal data under your instructions, and you will retain control over any personal data submitted by your testers. Therefore you are the data controller, and Ballpark is the data processor.
Scenario one: Setting up your research survey
Before you have invited any third party users or participant testers to your research survey, you (and potentially any team members or colleagues of yours) will be interacting with the Ballpark service to set up your research project.
In this scenario, Ballpark is the data controller and responsible for your personal data. You acknowledge that we may process personal data provided by you to provide the Services.
Scenario two: Inviting testers to your research survey
Where you use the Ballpark services to gather research responses from testers, whether known or unknown to you, you will be the data controller, and Ballpark will be the data processor of any personal data from testers.
Known participant testers:
Known testers could include your own employees or customers who you individually invite to access your research survey. You will be the data controller of personal data (such as names and email addresses), and Ballpark will be the data processor.
Anonymised participant testers:
Through Ballpark you may also invite anonymised participant testers to your project. You will only see anonymised demographic data relating to participants for screening purposes; this would not include personally identifiable data.
Over the course of your research you may collect personal data from your anonymised participant testers (audio, video recordings or screen-recordings that include personal data). Your participant testers may also choose to disclose personal data over the course of the research survey. You will be the data controller of that personal data, and Ballpark will be the data processor.
- You must comply with all Applicable Data Protection Laws relating to the protection of Personal Data which apply to your business.
- You warrant that you have the right to transfer your Personal Data to us so that we may deliver the services to you.
- Where you are the data controller, if your participant testers want their data deleted or forgotten, the request would go to you (rather than Ballpark), and you would be obliged to carry out their request.
- Where you are the data controller, you confirm you have all necessary appropriate consents in place to cover this.
- Ballpark must comply with all Applicable Data Protection Laws relating to the protection of Personal Data which apply to our business.
- We will handle personal data only to the extent that is required to provide our services to you
- We will take reasonable technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage
- ensure that anyone who has access to personal data keeps it confidential
- not transfer personal data outside of the European Economic Area without adequate measures in place to protect it
- notify you without delay if we become aware of a breach of security which has resulted in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data
- if you ask us to and in any event on termination of your subscription, delete any personal data held
- provide you with information to allow you to comply with your obligations under Applicable Data Protection Law
- maintain records to show we have complied with these obligations