Så här tar vi hand om dina uppgifter

När du vill få kontakt med EIBA så tar du kontakt med EIBA. Därför är det naturligt att inte använda cookies och andra metoder för att få reda på vem du är och vad du vill utan att du själv vet det.

I undersökningar använder vi oss av säkra leverantörer som följer GDPR och är kvalificerade enligt ISO 20252.

Den långa versionen (på engelska)/Long version

The European Institute of Behavioral Analysis AB (EIBA) is here to help organizations understand all the people rely on you and that determine your success.

We do not collect information we do not need. For instance, right now we are not collecting cookies from your browser. If you want to talk to us, you will contact us.


We will maintain the value of privacy and preserve the ability for you to control how your data is collected and stored in accordance with the General Data Protection Regulation.

This starts with making sure that you get clear choices about how and why data is collected and used, and ensuring that you have the information you need to make the choices that are right for you across our products and services.

EIBA’s compliance with the General Data Protection Regulation (GDPR)

Key Points of the General Data Protection Regulation (GDPR)

  • New data protection laws for organizations that handle personal data within EU and EEA countries.
  • GDPR will replace current data protection laws starting the 25th of May 2018.
  • GDPR restricts how organizations can collect, store, and process personal data.
  • GDPR aims to give each individual full control of how his/her personal data is handled.
  • GDPR provides clear regulations regarding transparency connected to processing personal data.
  • Strict sanctions for organizations that does not comply.

How Does the GDPR Affect Feedback Collection?

  • Collecting and assessing feedback from individuals is a way of processing personal data under the GDPR.
  • According to GDPR, the organisation that collects the feedback and determines the purpose of processing is the “Client”.
  • GDPR requires that a Client process personal data in accordance with its rules and principles.
  • According to GDPR, a supplier that processes personal data on behalf of the Client assumes the role as “Processor”.
  • A Client that wants to use a Processor (for example EIBA) for their feedback collection, needs to ensure that the processor is compliant with GDPR.
  • A Client that wants to use a Processor for gathering feedback processes and procedures must enter into a Data Processing Agreement (DPA) with the Processor. EIBA has this mandatory DPA available for its customers.

EIBA and the GDPR – be on the Safe Side With us

A business with a problem that needs a solution Collecting and assessing feedback from your customers, employees or other individuals within the EU and EEA countries is considered processing personal data. Therefore, it is your responsibility to comply with GDPR as well as document your compliance. As a customer of EIBA you’re on the safe side.

GDPR Focus

One of EIBA’s highest priorities is and has always been data security. In 2016 EU executed the new legal framework. As a result, EIBA assembled a dedicated GDPR team with the CEO as well as representatives from each department to ensure that every part of the company is compliant. We have also closed several promising projects that we figured might be in breach with GDPR.

Located in Europe

EIBA’s headquarters are located in Stockholm, Sweden. EIBA only uses EU-based servers to ensure data protection and security. EIBA only utilises certified data centers according to the international information security standard, ISO 27001.



The Respondent is the DATA SUBJECT

Respondent provides input into the survey, and must provide the Client consent for processing.

EIBA’s customers

The Client must receive legal consent (typically consent or a contractual relationship) for processing personal data. The Client defines the purpose as well as the data lifecycle and retention time. The Client is always in full control of the data. The Client is the contact point for the Data Subject.

EIBAs data collecting partner is the processor

EIBA sublets efficient and GDPR compliant tools for data collecting, used by the Client. The tool includes functionalities that allow customers to fulfill the requirements and principles in accordance with the GDPR. EIBA performs support and services. EIBAs data collecting partner provides the required security measures. Data Processing Agreement (DPA) in place with Customer.

EIBA’s hosting provider is the SUB-PROCESSOR

EIBA uses certified hosting providers across a range of data centers to meet the highest security requirements. To ensure data confidentiality, integrity, and accessibility, EIBA takes the necessary and relevant technical and organizational security measures. Data Processing Agreement (DPA) in place with EIBA.

Other EIBA entities may be SUB-PROCESSORS

Support and services may be provided by other entities within EIBA.

Security of Highest Standard

EIBA continues to be the first and safest choice for data security. EIBA strictly follows German security requirements since Germany maintains the highest security standards in Europe. EIBA has several action points in place that aligns with GDPR, which include the following:

  • Maintain confidentiality with access control measures for systems and data
  • Secured integrity by encrypted data transfers
  • Availability is ensured by regular data and storage backups and disaster recovery plans
  • Customer data is logically separated for each customer to ensure confidentiality and integrity
  • Continuous penetration tests conducted by external third-party security providers
  • Notification of data breach

Privacy and Consent

EIBA has implemented strategies and functions compliant with GDPR’s guidelines by respecting individuals’ rights to control their personal data. This is one reason why EIBA requires personal consent. As a EIBA customer (the Client), you will always have:

  • Full control of your data while using the EIBA platform. This can be accessed through the account settings. Users have the option to permanently remove all data associated with a particular EIBA account at any time.
  • There are several privacy settings available, such as set data retention policies, automatic anonymising or the immediate removal of all personal data.
  • There is an editable consent collection functionality available for surveys.

Detailed Documentation – for Your and our Safety

GDPR has strict requirements regarding processing documentation. The Client is responsible for collecting documentation from the Processor. As a EIBA customer, you will have access to required documentation regarding the processing of personal data in the EIBA platform.

Employee Confidentiality

All EIBA employees operate and must abide by non- disclosure agreements. EIBA employees are also subject to privacy training and awareness. All Customer data is considered confidential. Internal access is restricted and is only granted on a need-to-know basis.

Employees are not permitted to enter customer accounts or surveys without explicit approval. Our EIBA employees know how to protect your integrity.

Legal Terms

A mandatory GDPR compliant Data Processing Agreement available (if personal data is processed).

What you need to know about GDPR before you collect feedback in Europe

On May 25th, 2018, the European Union’s (EU) new data protection framework, the General Data Protection Regulation (GDPR), will come into force. It is the most significant piece of data protection legislation to date and will impact any organization that processes personal data in connection with goods/services offered to an EU resident, or monitors the behaviour of persons within the EU. The GDPR strengthens individuals’ privacy rights through stricter limits on the processing of their personal data, significantly expanding their rights over their data, and providing increased transparency into the nature, purpose, and utility of it.

GDPR Overview

As a regulation instead of a directive, the GDPR becomes enforceable as law in all EU member states simultaneously on this date. It replaces the separate member state implementations of data protection law, streamlining compliance by providing a single set of principles to follow.

The scope of this new regulation covers all organizations that process the personal data of EU residents or monitor individuals’ behaviours conducted within the EU, regardless of the entity’s location. The terms processing and personal data are defined broadly: processing involves ”any operation or set of operations which is performed on personal data” and personal data means ”any information relating to an identified or identifiable natural person (’data subject’).” The GDPR outlines various requirements for Clients (entities who determine the purposes and means of the processing of personal data) and Processors (entities who process personal data as directed by a Client).

Key RequirementsBrief Description
Data Protection by Design and Default
Clients and Processors must incorporate data protection into new products and services that involve the processing of personal data (Design) and consider data protection issues in all business decisions (Default).

Lawfulness of Processing

Processing must be based on consent, performance of a contract, legal obligation, protection of vital interests, tasks carried out in the public interest, or legitimate interest balanced against the fundamental rights of data subjects.
Conditions for Consent

Requests for consent must be freely given, specific, informed and unambiguous through a statement or through a clear affirmative action.

Security of Processing

Clients and Processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

Data Subject Rights & Information

Clients shall provide the information outlined in Articles 13 & 14 to Data Subjects and Data Subjects may access, correct, delete, restrict processing of, and transfer their personal data, as well as object to automated decision-making based on their personal data.
Data Inventory

Clients and Processors must create centralized repositories containing records of processing activities carried out on personal data.
Data Protection Impact Assessments

Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, prior to processing Clients must carry out assessments of the impact of the envisaged processing operations on the protection of personal data.
Data Protection Officer

Clients and Processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or large-scale processing of special categories of data must appoint a Data Protection Officer.
Client-Processor Relationships
Client and Processor relationships must be governed by binding contracts that set the terms of the processing to be performed and provide Clients with the right to object to Sub-Processors engaged by the Processors.

Data Breach Reporting

In the event of a breach involving personal data, the Client shall, where feasible, notify the relevant Supervisory Authority within 72 hours of becoming aware of it and, if there is a likely high risk to the rights and freedoms of natural persons, the affected data subjects without undue delay.

Suggested Steps for GDPR Compliance

There are several steps that companies should take in anticipation of May 25th 2018, which EIBA have already implemented, such as:

  • Form a GDPR compliance team and assign responsibilities
  • Undertake a GDPR readiness assessment
  • Evaluate requirements for a Data Protection Officer and appoint one if necessary
  • Implement policies and procedures to respond to data subjects’ rights requests
  • Review and update processor and sub-processor agreements
  • Create a record of personal data processing activities
  • Obtain, document, and maintain a legal basis for each processing activity
  • Update privacy and security policies and procedures
  • Update data breach notification protocols

If you want to know more about GDPR

Please follow these links:


While the content on this page is designed to help organizations understand the GDPR in connection with EIBA’s services, the information contained herein may not be construed as legal advice. Organizations should consult with their own legal counsel with respect to interpreting their unique obligations under the GDPR and the use of a company’s products and services to process personal data.