UPDATED May 12th, 2018
On May 25th, 2018, the EU’s General Data Protection Regulation (GDPR) rules will come into force. Although many of our member companies are already prepared for, and are abiding by, GDPR, others are seemingly less clear about the policies and procedures that they need to put into place before the May 25th deadline.
We have prepared a GDPR Q&A section in the secure Members Area of the MSPA Europe/Africa website. This section is being updated regularly to include additional information as it becomes available.
- Are there different forms which need to be created depending on whether you are working as a subcontractor for other MSPs, versus hiring a service provider to be a subcontractor for you?
- Do we need to change the employees' contracts to comply with GDPR regulation? Can you tell us exactly what we need to change, or what is the minimum that we need to do with employees' contracts?
- Do you recommend that MSPA members adopt a common interpretation of GDPR as far as MS is concerned?
- For how long can I keep data about employees' performance in our system?
- GDPR - Why is it that some companies can get away with asking their customers to opt out, whilst Mystery Shopping organisations have to ask contacts to positively opt in?
- How can we understand/apply the status of legitimate interest in MS companies?
- How do we need to apply GDPR to photos (with persons or cars) and invoices (with account or tax number of the shopper) that we attach in the reports?
- How does it impact non-European countries?
- If shoppers have ignored our email asking them to opt-in/opt-out, and have done neither, can we continue to email them a) reminders to opt-in, b) mystery shopping assignment/recruitment?
- If a staff member in a retail outlet is the only one on the date of evaluation, how do we ensure full compliance with GDPR if the date of a visit reveals the identity of the person under evaluation?
- Is it necessary to delete all e-mails sent and received? If yes, since which date?
- Is it possible for local legislation to be more restrictive than European legislation?
- So when doing business with European partners, which agreement should prevail? The partner's version, ours, or do you require both signed?
- We have had Y2K and now GDPR... what's next?
- Do we really need a GDPR officer in Mystery Shopping companies?
- What is the difference between single and double opt in?
- What is the impact of GDPR for video shopping? And audio recording?
- What is your perception concerning personal data of mystery shoppers (mostly names) being delivered from one MS provider (subcontractor) to the other (subcontracting) provider along with standard data collection?
- What responsibility do we have as MS companies where we suspect that our clients have not informed their staff that they are holding historical MS data on them?
- What templates and other documents, guidance and support will MSPA provide for members, to help ensure compliance with this regulation? Will we have everything we need to learn on the website?
- When we are assigned to mystery shop the clients’ competitors in e.g. the Automotive Industry, can we forward the competitors' quotes and prices to the client?
- Who hyped it, was it authorities or the market? Is it going to end like the fuss about the Millennium bug did?
- Why choose consent as a legal base rather than legitimate interest? Running a business has been indicated to be of legitimate interest by some legal advisors in NL…
- Would you recommend sending one communication/contract addendum to all clients of a generic nature, or do they need to be individual ones for each specific client/programme?
Other Q&A covered within our advisory area include:
- What is GDPR?
- Why was it introduced?
- How does it apply – what are Data Controllers and Data Processors?
- Who are the “Data Subjects”?
- What is their “Personal Data”?
- How does the regulation protect the Data Subject?
- What should the Data Subject expect?
- What does all this mean to me as a Data Controller?
- What does all this mean to me as a Data Processor?
- How should I manage the issue of Consent, Correction and Erasure for client employees?
- What do I need to do and when should I do it?
- What is the MSPA/BV approach to positioning of Data Protection Officer in Mystery Shopping agencies? Is this new position related to GDPR necessary or recommended?
- Non legally binding interpretation of Employee consent requirement for Mystery Shopping Client Employees V5 18-4-18
- Video MS and The Employee
- Video MS and the Customer
We will provide further information regarding other aspects of GDPR as and when we find out more. Our other planned activities on GDPR include:
- CONNECT - we are intending to open a forum where members can exchange views regarding GDPR, so watch this space
- LEARN - we are working to provide other information, education options and certification programmes with the help of trusted partners
- SHARE - we welcome any comments, questions and suggested alterations from members who may have information to share with the association.
We trust that you will find the information contained valuable; however, please remember that this has expressly been created to offer an interpretation of GDPR in terms of its impact on you as providers of Mystery Shopping services. It in no way constitutes advice, and the MSPA and its representatives have no liability for the information that has been provided.