Data Protection (GDPR Document)

🐧🐧 Not a lawyer or a techie? No worries — check out our article GDPR in qualitative research.

At VeroMotion s.r.o., we are committed to handling personal data responsibly, lawfully, and transparently. This document outlines how we comply with the General Data Protection Regulation (GDPR).

Last Updated: 24 June 2025

  • I. Overview
  • II. Data Protection Principles
  • III. Data Subject Rights
  • IV. Our Other Obligations
  • V. Our Use Of Personal Data And Our Purpose
  • VI. Our Specific Data Protection Measures

I. Overview

Purpose of this policy

  • You have legal rights concerning how your personal data is handled.
  • In the course of our business activities, we collect, store, and process personal data about our customers, suppliers, and other third parties. To comply with the law and maintain confidence in our business, we acknowledge the importance of correct and lawful treatment of this data.
  • All individuals working in or with our business are required to comply with this policy when processing personal data.

Introduction

  • This policy, along with any referenced documents, sets out the basis on which we process personal data collected from data subjects—such as customers and business contacts—or provided to us from other sources.
  • It also outlines our obligations under the General Data Protection Regulation (the “Regulation”).
  • This policy defines the rules and legal conditions that must be satisfied when we obtain, handle, process, transfer, or store personal data.
  • The procedures and principles outlined here must be followed at all times by our company, employees, agents, contractors, and any other parties acting on our behalf.
  • Our goal is to ensure lawful, fair, and transparent handling of your personal data and to respect your legal rights.

Key Definitions

  • Data: Any information stored electronically or in structured paper files.
  • Data subject: Any living individual about whom we hold personal data, regardless of EU residency. Data subjects have legal rights over their personal data.
  • Personal data: Information relating to an identifiable individual. This includes factual information (e.g., name, address, date of birth) or opinions, actions and behaviour.
  • Data controller: An individual or organization that determines how and why personal data is processed. We are the Data Controller for personal data used in our business for our own commercial purposes.
  • Data processing: Any action involving personal data, including collection, recording, organization, storage, alteration, retrieval, use, disclosure, erasure, or destruction. Processing also includes transferring data to third parties.

Summary of the Data Protection Principles

This Policy aims to ensure compliance with the Regulation. The Regulation sets out the following principles with which any party handling personal data must comply. Personal data must be:

  1. Lawful, fair, and transparent: Processed in a lawful, fair, and transparent manner in relation to the data subject;
  2. Purpose-limited: Collected for specific, explicit, and legitimate purposes and not processed further in a way incompatible with those purposes;
  3. Data minimization: Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
  4. Accuracy: Accurate and, where necessary, kept up to date;
  5. Storage limitation: Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the appropriate technical and organisational measures required by the Regulation to safeguard the rights and freedoms of the data subject;
  6. Respect for data subjects’ rights: personal data must be processed in line with data subjects’ rights, including rights to:
    • Access their data
    • Correct inaccuracies
    • Prevent processing for direct marketing
    • Object to harmful processing
  7. Security: Processed securely using appropriate technical and organizational measures;
  8. Restricted transfers: Not transferred to countries outside the EEA unless adequate safeguards are in place.

Our use of personal data and purpose

We collect, hold, and process the personal data listed in Schedule 1. The specific purposes for which this data is processed are also listed in that schedule.

Data protection measures

When handling personal data, we implement the safeguards described in Schedule 2 to ensure its protection.

II. Data Protection Principles

Lawful, Fair, and Transparent Data Processing

The Regulation does not prohibit the processing of personal data but ensures it is carried out fairly and lawfully, without infringing upon the rights of the data subject. Processing of personal data is considered lawful if at least one of the following legal bases applies:

  1. (Consent) – The data subject has given clear consent for their personal data to be processed for one or more specific purposes.
  2. (Contract) – Processing is necessary for the performance of a contract with the data subject or to take steps at the request of the data subject before entering into a contract.
  3. (Legal obligation) – Processing is necessary for compliance with a legal obligation to which the Data Controller is subject.
  4. (Vital interests) – Processing is necessary to protect the vital interests of the data subject or another natural person.
  5. (Public interest) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.
  6. (Legitimate interests) – Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject—especially where the data subject is a child.

Processed for Specified, Explicit and Legitimate Purposes

The Company collects and processes personal data as outlined in Schedule 1 of this Policy. This includes data provided directly by data subjects (e.g. when contacting us) or received from third parties.

We only process personal data for the specific purposes listed in Schedule 1, or for other uses explicitly permitted under the Regulation. Data subjects will be informed of these purposes either:
– At the time the data is collected (if obtained directly), or
– Within one calendar month (if obtained from a third party).

Adequate, Relevant and Limited Data Processing

The Company collects and processes only the personal data that is adequate, relevant, and limited to what is necessary for the intended purposes communicated to the data subject, as set out in Schedule 1 of this Policy.

Accuracy of Data and Keeping Data Up To Date

We are committed to maintaining accurate and up-to-date personal data. Data accuracy is verified at the time of collection and reviewed annually. Any identified inaccuracies will be corrected or deleted promptly.

Timely Processing and Data Retention

Personal data will be retained only for as long as necessary for the purposes for which it was collected. When data is no longer required, we will take all reasonable steps to delete or anonymize it without undue delay, in accordance with our Data Retention Policy.

Secure Processing

The Company ensures that personal data is processed securely to prevent unauthorized access, unlawful use, or accidental loss, destruction, or damage.

Our security framework includes:
– Assessment of the risks to individual data subjects
– Implementation of technical and organizational measures to mitigate those risks
– Ongoing monitoring and improvement of security controls

Further details are provided in Schedule 2 of this Policy.

III. Data Subject Rights

Overview of Rights

Under the General Data Protection Regulation (GDPR), data subjects have the following rights:

  1. The right to be informed;
  2. The right of access;
  3. The right to rectification;
  4. The right to erasure (also known as the ‘right to be forgotten’);
  5. The right to restrict processing;
  6. The right to data portability;
  7. The right to object;
  8. Rights with respect to automated decision-making and profiling.

Keeping Data Subjects Informed

When collecting personal data, the Company shall provide data subjects with the following information:

  1. The Company’s identity and contact details;
  2. The purpose(s) of processing and the legal basis for processing (as set out in Schedule 1);
  3. Where applicable, the legitimate interests pursued by the Company;
  4. The categories of personal data concerned (where not obtained directly from the data subject);
  5. Any recipients or categories of recipients of the data;
  6. Details of transfers to third countries and safeguards in place;
  7. The retention period or criteria used to determine it;
  8. The rights of the data subject;
  9. The right to withdraw consent at any time (where relevant);
  10. The right to lodge a complaint with a supervisory authority;
  11. Whether provision of personal data is a legal or contractual requirement and possible consequences of not providing the data;
  12. The existence of automated decision-making, including profiling, and related information.

This information shall be provided:

  • At the time of collection (if collected directly), or
  • If collected from a third party:
    – At the first communication with the data subject, or
    – Before disclosing the data to a third party, or
    – In any event, no later than one month after obtaining the data.

Subject Access Requests (SARs)

Data subjects may request access to their personal data at any time. The Company shall respond within one month of receiving the request. Where a request is complex, or where several requests have been received from the same data subject, this period may be extended by up to two further months, provided the data subject is informed of the extension and the reasons for it within one month of the request. Requests should be sent to: dataprotection@quallie.com or via the contact form at www.quallie.com/support.

Fees:
– SARs are free of charge
– The Company reserves the right to charge for excessive, repetitive, or unfounded requests.

Rectification of Personal Data

If a data subject notifies the Company that their personal data is inaccurate or incomplete, it shall be corrected within one month (extendable by two months for complex requests). Any third parties who have received the data must also be notified, unless this proves impossible or requires disproportionate effort.

Erasure of Personal Data

Data subjects may request deletion of their personal data where:

  • It is no longer needed for its original purpose
  • Consent has been withdrawn
  • The data subject objects and there are no overriding legitimate grounds
  • It has been unlawfully processed
  • Erasure is required to comply with a legal obligation

Requests will be fulfilled within one month, extendable for complex cases. Third parties will also be informed where feasible.

Restriction of Processing

Data subjects may request that the processing of their data be restricted. While a restriction is in place, the Company will continue to store the data but will not otherwise process it, except with the data subject's consent, for the establishment, exercise or defence of legal claims, to protect the rights of another person, or for reasons of important public interest. The Company will notify any third parties who have received the data (unless this proves impossible or requires disproportionate effort) and will inform the data subject before any restriction is lifted.

Data Portability

Where processing is based on consent or contract and carried out by automated means, data subjects have the right to receive their data in a structured, commonly used and machine-readable format (e.g., CSV, XML) and to transmit it to another data controller. Where technically feasible, the Company will send the data directly to the other controller upon request.

Objections to Personal Data Processing

Data subjects have the right to object to:

  • Processing based on the Company’s legitimate interests
  • Direct marketing, including profiling for marketing purposes
  • Processing for research or statistical purposes, unless required for public interest

In such cases:

  • The Company shall cease processing for marketing immediately.
  • For legitimate interests or research, the Company may continue only if it can demonstrate compelling legitimate grounds that override the data subject’s interests.

Automated Decision-Making and Profiling

Data subjects have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning them or similarly significantly affects them. The Company may make such a decision only where it:
– Is necessary for entering into, or performing, a contract between the data subject and the Company
– Is authorised by law that lays down suitable safeguards for the data subject
– Is based on the data subject's explicit consent

Where such a decision is based on a contract or on explicit consent, the data subject has the right to:
– Obtain human intervention from the Company
– Express their point of view
– Contest the decision

In cases of profiling, the Company shall:
– Provide clear information about the logic involved and consequences
– Use appropriate algorithms and statistical procedures
– Ensure data accuracy and the ability to correct errors
– Protect personal data to avoid discrimination or bias

IV. Our Other Obligations

Accountability

The Company’s privacy contact can be reached at: dataprotection@quallie.com.

The Company shall maintain internal records of its personal data processing activities, including:

  • The Company’s name and contact details;
  • The purposes for processing;
  • Categories of data subjects and types of personal data processed;
  • Categories of recipients, including third parties;
  • Details of transfers to countries outside the EEA, including safeguards in place;
  • Retention periods for each category of personal data;
  • A general description of the technical and organisational security measures used;

Data Protection Impact Assessments

The Company shall carry out Data Protection Impact Assessments (DPIAs) where required under the GDPR, especially when processing is likely to result in a high risk to individuals.

Each DPIA shall cover:
– The purpose(s) and scope of processing
– An assessment of necessity and proportionality
– Risks to data subjects
– Safeguards and security measures to reduce those risks

Organisational Measures

To ensure GDPR compliance, the Company shall:

  • Make all personnel aware of this policy and their responsibilities;
  • Limit access to personal data to those who need it for their role;
  • Provide appropriate training for anyone handling personal data;
  • Review personal data processing methods regularly;
  • Require employees, contractors, and agents to comply with this policy through contractual obligations;
  • Ensure subcontractors apply equivalent standards;
  • Require third parties to take responsibility for data protection compliance through appropriate contractual terms.

The Company requires that all third-party service providers handling personal data on its behalf comply with applicable data protection laws. Where appropriate, agreements include provisions ensuring that such providers take responsibility for any breaches or failures to meet those obligations.

Transfers of Personal Data Outside the EEA

Personal data may only be transferred outside the EEA if one of the following applies:

  • The destination has an adequacy decision by the European Commission
  • Appropriate safeguards are in place (e.g. standard contractual clauses, binding corporate rules)
  • The data subject has explicitly consented to the transfer
  • The transfer is necessary for contract performance or pre-contractual steps
  • The transfer is necessary for public interest or legal claims
  • The transfer is required to protect vital interests
  • The transfer is made from a legally accessible public register

Data Breach Notification

All personal data breaches must be reported immediately to the Company’s privacy contact.

If a breach is likely to result in a risk to the rights and freedoms of individuals (e.g., financial harm, identity theft, loss of confidentiality), the supervisory authority shall be notified without undue delay and, where feasible, no later than 72 hours after the Company becomes aware of the breach. If notification is made after 72 hours, it shall be accompanied by the reasons for the delay. All breaches, including those not notified to the supervisory authority, shall be documented internally together with their effects and the remedial action taken.

If the risk is considered high, affected individuals shall also be informed without undue delay.

Notifications shall include:

  • The nature of the breach, including the categories and approximate number of data subjects and records affected
  • Contact details of the Company’s privacy contact
  • Potential consequences of the breach
  • Steps taken to address and mitigate the impact

Implementation of Policy

This Policy is effective from 18 April 2018 and applies only to data processing activities carried out on or after this date.

Schedule 1: Our Use Of Personal Data And Our Purpose

The following personal data may be collected, held, and processed by the Company:

Data for which we are Data Controller: We collect and process the following personal data as Data Controller, meaning we determine the purposes and means of processing:
– Identity and contact data (e.g., name, email, username, phone number)
– Professional information (e.g., employer, job title, location)
– Authentication data (e.g., usernames, passwords)
– Technical and usage data related to user access and system performance
– Location data related to device usage of our Services
– Financial information necessary for billing and payment processing

Data for which we act as Data Processor: For specific data categories, including project content data provided by end users or participants through our platform on behalf of our customers, we function exclusively as a Data Processor. We handle this data solely based on the instructions given by our customers, who are the Data Controllers, and we do not decide the purposes or methods of processing.

| Category of personal data | Examples | Purpose of processing | Legal basis |
|---|---|---|---|
| Identity and contact data | First name, last name, title, email, username, phone, physical address, gender, profile photo | Account management, user identification, communication, support | Contract performance, legitimate interest |
| Professional information | Employer, position, job title, department, geographic location, area of responsibility | Customer profiling, user role management, service customization | Legitimate interest |
| Authentication data | Username, password | Secure login and access control | Contract performance |
| Technical and usage data | Device ID, IP address, MAC address, OS info, browser type, device type, software logs, crash reports | Service operation, performance monitoring, troubleshooting, security | Legitimate interest |
| Activity logs | Browsed pages, date/time of visits, online navigation, cookies | Troubleshooting, user behavior analysis, improving user experience, marketing | Legitimate interest, consent (for cookies) |
| Location data | Geo-location of device (if applicable) | Service personalization, fraud prevention | Consent, legitimate interest |
| Financial information | Account details, payment information | Billing, payment processing | Contract performance, legal obligation |
| Demographic and preference data | Socio-demographic profile, personal interests/preferences | Marketing, customer segmentation, service customization | Consent, legitimate interest |
| Customer/audience segmentation data | Grouping or categorizing customers based on usage or input | Targeted marketing, analytics | Legitimate interest |
| Project content data | Texts, images, videos, audio files, or other data submitted by users | Service delivery, storage, analysis, and processing of user-generated content | Contract performance |
| Additional data types | Any other personal data uploaded or submitted by users | Varies depending on customer use of the service | Contract performance, legitimate interest |

Schedule 2: Our Specific Data Protection Measures

To safeguard personal data and ensure compliance with Article 32 of the GDPR, the Company has implemented a range of technical and organisational measures appropriate to the level of risk. These measures help protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

1. Technical and Organisational Safeguards

The Company maintains and enforces the following controls:

  • Information security governance: Security roles and responsibilities are defined and embedded within company policies and training.
  • Access management: Access to personal data is restricted to authorised personnel only, based on the principle of least privilege and role-based access controls.
  • Data security: Personal data is encrypted at rest and in transit. Passwords are hashed and regularly rotated.
  • Network and system security: Firewalls, intrusion detection systems, regular patching, and malware protection are applied to secure infrastructure.
  • Incident management: Incidents and breaches are monitored, documented, and escalated according to defined procedures, including data breach notification obligations.
  • Business continuity & disaster recovery: Backup procedures are in place and tested regularly to ensure service resilience and data restoration.
  • Personnel security: Employees receive data protection training and are contractually bound by confidentiality and data protection obligations.
  • Vendor/Sub-processor management: Third-party service providers are vetted for GDPR compliance and are subject to data protection agreements and regular reviews.
  • Audit and assurance: Security practices are reviewed regularly, and audits may be performed to assess compliance and effectiveness.
  • Physical and environmental security: Office and data center access is physically secured, monitored, and limited to authorised personnel.

2. Handling of Personal Data

The Company follows specific operational rules when handling personal data:

  • Personal data is transmitted only over secure (encrypted) channels.
  • Personal data sent by email must be encrypted, either by encrypting the entire email or by placing the data in an encrypted attachment or container.
  • Unauthorised sharing or informal access to personal data is prohibited.
  • Temporary files and redundant copies must be securely deleted when no longer required.
  • Devices must be locked when unattended, and personal data must never be left visible or accessible to unauthorised individuals.
  • Use of personal data on mobile or personal devices is restricted and must be explicitly approved and secured.
  • Removable media containing personal data must be stored in locked environments when not in use.
  • Regular backups are created, encrypted, and stored securely.
  • Passwords used to access systems with personal data must be strong and not shared or stored in insecure ways.

3. Marketing and Preference Checks

Marketing data is managed in accordance with applicable regulations and opt-out registers. The marketing team ensures that data subjects are not contacted where restrictions apply.

Reference to Security Policy

Further details of our data protection practices, including technical and organisational safeguards, are documented in our internal Information Security Policy. This policy is reviewed and updated regularly to reflect technological and regulatory developments.