Data Protection: The Approach to GDPR
On 25 May 2018 the General Data Protection Regulation came into force; in this regard, GPTW wishes to highlight our approach to protecting your data.
When conducting employee surveys, anonymity and confidentiality are the most important pre-requisites for employees when giving their honest feedback. Therefore, reliable data protection and data security measures have a very high value for Great Place to Work® Italy (hereafter: GPTW).
Below, GPTW’s concept to ensure data protection and anonymity of all survey participants is presented.
Please note that the commissioning of an employee survey for which a company provides GPTW with contact data of its employees needs an agreement on how to handle data processing and data security [processing in accordance with Article 28 General Data Protection Regulation (hereafter: GDPR)]. In this case, a data protection agreement between the client and GPTW is required. For this purpose, GPTW provides a corresponding sample agreement.
2. CONDUCTING THE GREAT PLACE TO WORK® EMPLOYEE SURVEY
We offer various ways to conduct a Great Place to Work® employee survey. Each company decides for itself which type of implementation is the most appropriate one.
2.1. Online survey
• When conducting an online survey, an agreement on how to handle data processing and data security between the company conducting a Great Place to Work® employee survey and GPTW is mandatory.
• Prior to the start of the survey, the company provides GPTW with corresponding e-mail addresses of employees selected to participate in the survey. Optionally, e-mail addresses are linked to information based on organizational units. Hence, obtained survey results can be evaluated on the basis of linked organizational units.
• GPTW invites employees to participate in the survey by e-mail. These e-mails contain a personalized link with which employees are forwarded to the online questionnaire. The company and each individual employee respectively must ensure that invitation e-mails are not forwarded within the company or to third parties.
• The online questionnaire is directly processed and stored on a server of The Trust Lab Limited which is located in Ireland. In accordance with Article 28 GDPR, an agreement exists on how to handle data processing and data security. All online questionnaires are scalable and barrier-free for mobile devices.
• The website of the online questionnaire is encrypted. Specifically, this means that the transmission of responses to the survey server is encrypted. Both standard 128-bit and high-level 256-bit encryption are supported. These are security standards that correspond to the encryption used in online banking. Interception or recording of employee responses is almost impossible.
• After completion of the survey and prior to further processing and reporting, survey data is separated from the participant’s personal data (e.g., name, e-mail address). This procedure ensures that it is not possible to draw conclusions about responses given by individual participants.
• In any case, forwarding or third-party use of address data is strictly prohibited. All address data are deleted by default in May of the year following the one in which the survey was conducted. It is possible to agree on a shorter deletion period.
2.2. Paper-and-pencil survey
• About one week before the start of the survey, GPTW dispatches the desired number of paper-and-pencil questionnaires and stamped and self-addressed envelopes.
• Paper-and-pencil questionnaires are not personalized. These questionnaires simply contain an imprinted company name and, if applicable, an additional organizational unit and/or line of business and/or Country – each in combination with corresponding numbers. Therefore, it is not possible to draw conclusions about individual participants – not even on the basis of the printed numbers and/or QR codes.
• Generally, survey documents are distributed to all invited employees along with a corresponding cover letter.
• Paper-and-pencil questionnaires will be returned anonymously to GPTW using stamped and self-addressed envelopes which will be provided by GPTW.
• Alternatively, paper-and-pencil questionnaires may directly be collected by the client. For this purpose, sealed envelopes are inserted into containers or urns which will be provided by the company. In this case, the company must adhere to certain standards to ensure anonymous participation in the survey and must document the precise methodology to GPTW (e.g., sealing urns, "monitoring" of urns as well as returning paper-and-pencil questionnaires by confidants).
2.3. Code letter survey
• A code letter survey is an online survey that does not require individual e-mail addresses. Invited employees gain access to the survey via an individual access code, which can be entered after following these links: www.onemanyany.com, www.gptwsurveys.com.
• Each invited employee receives the above-mentioned link and his/her individual access code. This information is provided in a sealed envelope or urn and is randomly distributed by the client/Data Controller.
• Usually, sealed envelopes are partially addressed and not coded or personalized. The address field only contains the printed company name and, if applicable, a specific organizational unit, industry or country. Therefore, it is not possible to draw conclusions about individual persons (not even by the corresponding numbers).
• As a general rule, code letters are distributed in conjunction with an accompanying letter to all invited employees.
• Code letters may only be opened by an invited employee who received the letter for participation in the survey. In case these letters are opened by the company’s project coordinators or third parties, GPTW must be informed immediately. The corresponding codes will be deleted from our system. Subsequently, new codes need to be generated (at an extra charge).
• In principle, it is possible to work with fully addressed code letters or code letters sent directly to private addresses. In this case, the measures for processing and deletion of personal data as mentioned in Sections 2.1 and 2.2 may apply.
3. EVALUATION OF THE GREAT PLACE TO WORK® EMPLOYEE SURVEY
• The Great Place to Work® employee survey contains
o Closed questions: Evaluation of statements such as "Employees are paid appropriately here" on the basis of several answer categories ("almost always true", "often true", etc.)
o Open questions: free text fields
o Demographic questions: Assignment of oneself to certain age groups, gender, etc.
• Answering each of the survey questions is voluntary. Final evaluation and reporting is based exclusively on anonymized data records ("raw data") which do not contain any personal data.
• For online surveys, it is generally possible to subsequently combine given responses with personal data (name, e-mail addresses) until personal data is deleted, i.e. 365 days after the completion of the survey. However, this option is only used in exceptional cases (e.g., if required by quality assurance during the evaluation process) and is generally the responsibility of the GPTW project manager involved. The same applies to code letter surveys for which fully addressed letters are used.
• No personal data (e.g., name, address, e-mail address) is available for the paper-and-pencil survey and code letter surveys with partially addressed code letters. Once received by GPTW, paper-and-pencil questionnaires are manually scanned or processed by controlled manual input. Data collection is done by GPTW or an external service provider with whom an agreement on how to handle data processing and data security has been concluded. A data set is generated to be used for the statistical analyses. Questionnaires are destroyed after 12 months of storage. If the client wishes the original questionnaires to be kept longer – e.g., for follow-up surveys – a written and signed order is needed, which will be archived by GPTW.
• For all evaluations and results reports, results of the employee survey are presented exclusively in aggregated form (all closed and demographic questions). Results contain no recognizable answers given by individual persons. For this purpose, an evaluation limit – i.e. a minimum number of respondents – is defined below which no results are displayed. The default value is an evaluation limit of five responses (employees). Deviating evaluation limits can be regulated within the framework of an individual agreement.
• This evaluation limit is also observed if different demographic or organizational characteristics are combined for an evaluation, e.g. results for all men of a certain age group or for all managers in a certain company division. In order to achieve even greater immediate safety among respondents, combined demographic characteristics can be completely excluded for data analysis.
• By default, given responses to open questions are reported in word-by-word quotations, i.e. without anonymization of names or other references that allow conclusions to be drawn about individuals. The questionnaire contains a very clear "warning notice" that draws survey participants’ attention to this fact and additionally instructs them not to give names or describe facts in such a way that conclusions can be drawn about other individuals. Additionally, an anonymization of the open questions by GPTW can be commissioned. In this case, however, GPTW cannot guarantee complete anonymization.
• It is only possible to assign answers to open questions to individual organizational units or with information on demographic questions if at least five people in an organizational unit or in a demographic group took part in the survey.
• Reports are uploaded to the GPTW download portal (link: gptwge.feedbackdialog.com). Access is protected by a user name and password. After completion of all data analyses, data to access the GPTW download portal will be sent by e-mail. The link to the download page will be sent in a separate e-mail. The portal is highly encrypted with AES-256 (256-bit) so that the data cannot be viewed by unauthorized persons.
• In principle, GPTW does not provide any "raw data" with which the company can carry out its own evaluations and thus possibly circumvent the intended evaluation limit of at least five persons. If a company wishes to have access to raw data, this procedure must be regulated in a separate agreement in order to maintain the anonymity of all survey participants.
• Anonymized raw data from the Great Place to Work® employee survey can be used and processed for comparative analyses and publication by GPTW Italy, by partner organizations in the worldwide GPTW network as well as in the context of research cooperations with universities and other research institutions.
4. STORAGE LOCATIONS AND ACCESS RIGHTS
Personal data, anonymous survey data ("raw data") and result reports are stored in the following locations:
• Server of GPTW Italia, Milan, Italy, via Gaspare Gozzi, 5
• Survey server of The Trust Lab Limited: The Telehouse London (UK) Data Centre (service provider)
The processing of personal data takes place exclusively in the European Union.
The IT service provider The Trust Lab Limited provides the following services for GPTW:
• Hosting of online surveys,
• development and hosting of tools for evaluating survey results and producing results reports
• furnishing of results reports for our clients via a download portal.
The company has had a business relationship with The Trust Lab Limited for more than ten years. Cooperation is regulated, among other things, by an agreement on how to handle data processing and data security.
Access to personal data - usually the name, e-mail address and organizational assignment of employees - is limited to a circle of no more than 4 Operation Managers and 5 Project Managers at GPTW Italia. In addition, GPTW system administrators and authorized employees of our service provider The Trust Lab Limited have access to this data.
5. IT INFRASTRUCTURE AND SECURITY STANDARDS OF GREAT PLACE TO WORK® ITALY
• Server is located in the building of GPTW Institute Italia s.r.l. in Milan, Italy
• Steel door locked and windowless server room
• Access is granted only for administrators and management
• Mostly redundant infrastructure components and server systems (protected by UPS with surge protection)
• Multi-level backup concept with logical and spatial separation
• Up-to-date, central AV and patch management
• Hosted systems for collaboration software (Exchange, SharePoint)
• State-of-the-art encryption (data transmission, mobile devices, Wifi, VPN, e-mail)
• Least privilege principle (authorization and role concept, separation of system and data)
• Only software supported by the manufacturer is used
• Devices with valid hardware service by the manufacturer (partly for notebooks worldwide)
6. IT INFRASTRUCTURE AND SECURITY STANDARDS OF TRUST LAB – ONE MANY ANY, IRELAND
• Servers are located in London, UK (before Brexit becomes operative, the servers will be located in Poland, within the European Union)
• Servers are protected by a firewall
• Access to the server room is only possible for selected administrators
• Access to the online survey and results reports (download) via HTTP or HTTPS
• GPTW project managers can only access the questionnaire design and reporting tools via HTTPS
• web sites of the survey and of test links: http://oma0.com, http://www.onemanyany.com, https://www.onemanyany.com
• IP address of the website: 220.127.116.11
• Usual e-mail subject: Best Workplaces Italia 20XX - Indagine Trust Index© (the e-mail subject can be customized by the data controller)
• System administrators and database administrators of One Many Any (Trust Lab) and GPTW Italia can access the server via VPN.
7. THE GREAT PLACE TO WORK® CULTURE AUDIT©
The Great Place to Work® Culture Audit© is a survey of measures and programs that companies implement to shape their individual workplace culture. Questions of the Culture Audit© are based on nine selected areas of human resources work and comprise three parts: (i) general questions about the company, (ii) a detailed description of measures and programs as well as (iii) additional statistical data on specific topics.
With the help of the Culture Audit©, companies receive feedback on the quality of their individual measures and programs compared to very good employers. In addition to the results of the Great Place to Work® employee survey, the Culture Audit© is a central evaluation criterion in the "Italian's Best Employers" competition and its associated regional and industry competitions.
Only the following personal data is relevant for the Culture Audit©:
• Contact details of a person processing the audit, individual access data for this person to an online questionnaire
• Optional: contact data of another person for further inquiries
• Names of the current company management and the current personnel management
The Culture Audit© is conducted as part of an offline survey. Within the scope of this survey, each participating company provides statistical data and presents its own measures and programs in text form. It is also possible to upload/send materials on individual measures and programs by email or by usual sharing tools (Dropbox/Onedrive/Drive etc.).
All stored company data are evaluated by a team of evaluators at GPTW. In principle, only the evaluation team or employees of GPTW have access to the data.
Data from the Great Place to Work® Culture Audit© can be used and processed for comparative analyses and publication by GPTW Italy and partner organizations in the worldwide GPTW network as well as in the context of research cooperations with universities and other research institutions. At the same time, the confidentiality of stored data is protected at all times. Information from the Culture Audit© that can be attributed to a specific company can only be published with the express consent of the company concerned.
Neither sensitive nor personal data are processed or stored in the Culture Audit©.
8. INTERNATIONAL DATA TRANSFER
We may transfer the information we collect to recipients in countries other than the country in which the information was originally collected, including the United States of America. Those countries may not have the same data protection laws as the country in which the information was initially provided.
GPTW is a global business. To offer our services, we may need to transfer anonymous or anonymised data among several countries, including the United States, where we are headquartered. When we transfer data to other countries, we will protect that information as described in this document and we assure the clients and the data controller that no personal data will be transferred outside the country in which it is collected. Data transferred to other countries are anonymous or anonymised before transfer is done. The purpose of transferring data is for research purposes and for publishing the Great Place to Work® Institute Best Workplaces™ international lists.
GPTW Inc. complies with applicable legal requirements providing adequate safeguards for the transfer of information to countries outside of the European Economic Area ("EEA") or Switzerland.
Global Privacy Officer Great Place To Work® Institute, Inc. 222 Kearny Street, Suite 800, San Francisco, CA 94108
GPTW has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU and Switzerland in the context of the employment relationship.
GPTW receives and processes personal information from or relating to GPTW Affiliates and other legally separate entities in the context of the provision of products, services and support to these entities. Personal information received by GPTW will be treated in accordance with their instructions or pursuant to GPTW contractual arrangements with them consistent with the Privacy Shield requirements. GPTW acts as a data processor with respect to this information.
9. CONTACT DETAILS
If you have any questions or require further information on our data protection and data security measures, please do not hesitate to contact us:
Chief Operation Officer
Internal Data Protection Officer
+39 02 36768650