Privacy notice creation date: November 2020

Purpose and lawful basis for processing

The Global Privacy Assembly’s 2020 Census is a questionnaire which will process data provided by GPA members relating to their respective activities as data protection and privacy authorities. The questionnaire aims to provide analysis and reporting for the use by the GPA Members, Working Groups and the Executive Committee to develop internationally comparable metrics in relation to data protection and privacy; and support the efforts of other international partners to make progress in this area. The 2020 Census is managed by the current GPA Secretariat, and therefore the Information Commissioner’s Office. Wider aspects of processing by the GPA Secretariat can be found in the general privacy notice.

The lawful basis that we rely on to process personal data is Article 6(1)(e) of the GDPR 2016, which allows us to process personal data when this is necessary to perform our public tasks as a regulator. The Census will process no special category data.

What we need

The aim of the survey is to seek non-personal information about data protection and privacy authorities e.g. financial information, resources and legislation.
GPA Census will process non-personal information about data protection authorities, such as information about relevant laws, funding, resources and reporting.The GPA Secretariat has ensured appropriate steps to minimize the collection of any personal data. A data processor assisting in the collection of survey data will however collect IP address and geocode (see section below about data processors). We also advise those completing the survey not to enter personal information in the free text boxes.

What we do with it

The data regarding authorities will be used by the Global Privacy Assembly to provide areas of reporting in alignment with the GPA’s strategic plan 2019-2021. No personal data will be included in this reporting. The data will be kept securely on ICO servers.

How long we keep it

We will retain any remaining personal data collected from GPA member authorities for the duration of our tenure as Secretariat of the GPA which is the point when the census project will also be completed. This is currently scheduled to end October 2021 (renewed in October 2019).

What are your rights?

For information on your rights, please see ‘Your data protection rights‘.

Do we use any data processors?

In order to deliver the GPA Census 2020, the Information Commissioner’s Office has entered into a contract with the research company Revealing Reality, whose purpose in this regard is to collect survey data and undertake reporting and analytics. Revealing Reality will be the data processor taking instruction from the ICO.

Revealing Reality will be using the questionnaire platform Question Pro, and safeguards have been taken in order to ensure that any data stored will be kept on EU servers only. Question Pro will capture the user IP Address and Geocode of participants. This data will be deleted by the data processor following the delivery of all relevant work to the GPA Secretariat/ICO, which at the latest will be by the contract expiry date, on 29 October 2021.

A copy of the relevant Privacy Statements for Revealing Reality and Question Pro.

Do we transfer data overseas?

Data processors are located in the EU and will only be using servers located in the EU.

Data controller contact information

The Information Commissioner’s Office (ICO) of the United Kingdom currently acts as the Secretariat and data controller for the GPA. If you have any questions, or you wish to raise a concern or make an access request, please contact the GPA Secretariat secretariat@globalprivacyassembly.org.