Empfehlung: Enable European data residency to keep client data within regional boundaries. With Qualtrics you can store data solely in european data centers for months, ensuring emails and responses reside in EU infrastructure. This supports your intellectual property protections, meets privacy obligations, and provides a clear resolution for data handling across mobile devices and websites.
Data minimization and consent: capture consent at the point of collection, store only what you need, and set retention to months that fit your risk profile. Over time, adjust retention windows based on audit findings. Ensure your policies are relevant and reflected in the UI. Use transactions logs to verify access and detect invisible access attempts across mobile and websites.
Security controls: enforce TLS 1.2+ in transit, encryption at rest, and role-based access control. Schedule monthly reviews of access rights and privacy controls for your team. Maintain emails data separation and ensure audit trails cover data exports and potential disclosures in transactions.
Policy updates and rights: when the policy changes, you will receive emails describing what is new. Provide customers with a way to exercise rights and export data. Ensure the changes remain relevant to your processes and update your websites and mobile experiences accordingly.
Implementation checklist: enable EU data residency; set data retention months; enable consent collection; enable encryption and access controls; enable monitoring and alerting for unusual activity; generate monthly reports on data access. By following these steps you reduce risk and build trust across transactions.
What Data Qualtrics Collects and Why
If you wish to limit what Qualtrics collects, customize your data settings now and proceed with targeted controls on the page you interact with.
What data Qualtrics collects
Qualtrics collects the name you provide and the answers you submit, with time stamps for each response. It logs page views, time on page, and related actions, and it records data from devices and cookie data to tailor experiences. Billing information may appear on invoices, and the data form a dataset used to operate your account and generate insights. The system stores this information to support access, reporting, and customer service, with a clear trail of activities tied to your name and page visits.
Why Qualtrics collects data
Qualtrics collects data to learn how people engage with surveys, to operate the service, and to deliver timely responses. There is a process that flags a potential violation and logs related data when anomalies occur. Data are shared with and received by partners who provide analytics, hosting, and support. Transfers may move data to servers in Utah and European facilities to meet regional requirements; access is limited to personnel with a legitimate and reasonable need. The goal is to detect violations, protect user accounts, and keep your data safe, while enabling you to review and manage the data you knowingly provide. If you wish, you can opt out of nonessential processing and still use core features.
To optimize control, customize cookie settings on the page and opt out of nonessential data sharing with partners. For example, remove nonessential data from forms and schedule removal of old entries after a defined time. If you need data removed, submit a request; you can choose to remove specific items or clear datasets, and Qualtrics will confirm when the data are removed.
Where Data Is Stored, Transferred, and Protected
Store data exclusively in regional data centers operated by authorized providers that meet our security framework and applicable laws. Encryption technologies designed to protect data at rest and in transit deploy AES-256 for storage and TLS 1.2+ for network traffic, with keys managed through a dedicated key-management service. Access controls enforce least privilege, and every access is logged and reviewed regularly.
Provided roles determine access to identifiers and personal information; only staff and contractors with a documented need can view data. For students and organizations, this means support teams access de-identified or aggregated datasets and researchers work with anonymized identifiers wherever possible. Please keep to the minimum necessary data and avoid excessive collection; feedback is collected through approved channels and used to improve safeguards, not to target individuals.
Data Residency and Security Controls
Data remains under the jurisdiction of the policy and resides in data centers aligned with the framework. There, visit the official policy portal to see data-location maps and cross-border transfer rules. We require formal reviews of any third-party provider and maintain contractual protections covering confidentiality, breach notification, and data-retention terms.
Cross-Border Transfers, Access, and Dispute Resolution
When data crosses borders, we rely on recognized mechanisms such as standard contractual clauses or equivalent safeguards. Transfers are limited to what is necessary to provide the platform and services, avoiding excessive exposure. Access to data is restricted to targeted teams for defined purposes; identifiers may be replaced with pseudonyms in shared datasets. We monitor attempts of accessing data to identify unusual patterns and maintain audit trails to support review processes. Customization options let you adjust privacy settings across official platforms. We do not sell data; this policy ensures transparency about data usage and provides feedback channels to users.
In case of disputes, parties may seek resolution through the court in the relevant jurisdiction or via agreed arbitration. We respond to lawful access requests promptly and suspend processing when required by law or court order. The dispute process remains accessible through official channels, and updates are posted on the platforms to keep users informed.
Cross-Site Data Sharing: Third-Party and Other Services
Always require the name and an additional data-sharing addendum from any third-party service before transferring data; obtain explicit written consent and limit the scope to what is strictly necessary for your program and customers.
What we share and with whom
We read contracts with named companies to ensure applicable privacy controls. We share minimal data with these companies, only what's needed to support the program and to operate the system. Data may include identifiers, activity logs, and non-sensitive recordings where applicable; we avoid transfer of excessive data and prevent interest-based profiling. We verify the company's design, security measures, and read-only access for our team, and we ensure cookies are used only for legitimate purposes. We require the name of the partner and the program it supports, and we confirm backup procedures. Processing occurs on secured computer systems, and data may travel across the internet to reach processors. For child data, we apply heightened safeguards and only process with parental consent where allowed by law. In utah, we align with state standards when applicable.
Controls, standards, and customer rights
We maintain a standard policy across all vendors. Each program must implement strong access control, audit logs, and clear data-handling responsibilities. We monitor data flows to prevent excessive exposure and ensure that their handling remains within the defined scope. Customers can read, export, delete, or restrict their data and opt out of cross-site data sharing. Our backup copies are encrypted and stored under our control, whether in the cloud or on-premises, with retention aligned to applicable requirements. We handle government requests through formal channels and document every demand. Also, we provide a simple interface to disable cross-site cookies and manage consents. We identify every company by name in the data processing agreement, and we keep records of processing activities for customers to read.
| Vendor | Data Shared | Purpose | Retention | Controls |
|---|---|---|---|---|
| Vendor A (name) | Identifiers, activity logs, cookies | Service operation and reliability | 12 months | Access controls, DPA |
| Vendor B (name) | Recordings (where applicable), backup copies | Support and analytics | 6–24 months | Encryption at rest, audit trails |
User Rights: Access, Correction, and Deletion Requests
Engage by submitting an Access request via the secure privacy portal or by contacting our privacy team. To speed processing, include your full name, the email associated with your account, and a concise description of the data you want to review, such as session history, identifiers, or analytics records.
We maintain a live inventory of personal data and processing activities to support your rights; after submission, we report on each item linked to your identity and the processing steps we operate.
Access: we provide a portable copy of the data we maintain that relates to your account, including identifiers, contact details, and data logs, using session data. Data is delivered in CSV or JSON format; we redact elements necessary to protect others' privacy or security.
Correction: if you find inaccuracies, submit a Correction request with the exact field and value; we verify against internal sources, apply changes in the primary store, and issue a revised copy along with a short summary of adjustments.
Deletion: you may request removal of personal data from active processing; we assess legal obligations and business needs. If deletion is feasible, we remove from primary systems and anonymize backups; if not, we provide a clear rationale and offer de-identification or restriction where possible.
Timeline and response expectations: we acknowledge requests within a few days and provide a final decision within 15 days for straightforward cases; for complex records, we extend once by up to 15 days with a documented reason. You will receive a report detailing actions taken.
Security and accountability: we operate with secure transmission and role-based access; internal audits log actions to manage risk. If you have concerns or suspect a violation, contact us immediately and we will engage with you to address the issue. We welcome questions and feedback throughout the process to improve safeguards.
Data use for research and improvement: data may be used to enhance products and services under strict controls; personal data is not shared with external groups without consent. You can request information about research-related processing as part of your rights, and your feedback helps refine risk management and privacy practices.
Breach Notification: Zeitpläne und Kundenremedien
Beginnen Sie mit einem konkreten Aktionsplan: Innerhalb von 24 Stunden nachdem eine die persönlichen Daten betreffende Verletzung entdeckt wurde, aktivieren Sie das Incident-Response-Team und sichern Sie die betroffenen Systeme im Namen des Unternehmens. In Minnesota sind die staatlichen Gesetze zur Verletzungsbenachrichtigung zu befolgen; benachrichtigen Sie Einzelpersonen ohne unangemessene Verzögerung. Bereiten Sie Kommunikationen unter Verwendung einer vorgefertigten Vorlage vor und richten Sie eine spezielle Support-Hotline und E-Mail für Kundenfragen ein. Stellen Sie sicher, dass die Sprache klar ist, die beteiligten Datenpunkte beschrieben werden und die Schritte, die Kunden unternehmen sollten, um sich selbst zu schützen, im Vordergrund stehen. Stimmen Sie dies sowohl mit internen Einstellungen als auch mit den Verpflichtungen gegenüber Anbietern, einschließlich Drittverarbeitern, ab.
Timelines
- Entdeckung und Eindämmung: Innerhalb von 24 Stunden betroffene Systeme isolieren und zugehörige Quellen sichern; dokumentieren, was passiert ist und welche Daten betroffen waren.
- Risikobewertung und Benachrichtigungsentwurf: Innerhalb von 24–48 Stunden Datentypen, Empfänger und Risikostufe bestimmen; Kunden- und Regulierungsmitteilungen unter Verwendung der Vorlage vorbereiten.
- Kundenbenachrichtigung: Innerhalb von 72 Stunden bei hochriskanten Verstößen; andernfalls benachrichtigen Sie so bald wie möglich, aber nicht später als innerhalb des gesetzlich vorgeschriebenen Zeitrahmens; geben Sie an, was passiert ist, welche Datenkategorien betroffen sind, welche Maßnahmen für Kunden möglich sind und welche Kontaktmöglichkeiten bestehen.
- Regierungs- und Lieferantenkoordination: Benachrichtigung der Regierungsbehörden, wenn dies durch Gesetze oder Vorschriften erforderlich ist; Koordination mit Drittanbietern und internationalen Tochtergesellschaften, wenn Daten über Grenzen hinweg übertragen wurden.
- Nachrichtliche Aktualisierungen: Führen Sie fortlaufende Aktualisierungen durch, wenn neue Informationen auftauchen oder sich der Umfang der Verletzung erweitert.
Kundenremedien
- Kreditüberwachung und Identitätsschutz: Bieten Sie 12 Monate kostenlose Überwachung, Betrugsbenachrichtigungen und Wiederherstellungsdienste für betroffene Personen an.
- Kostenerstattung: Erstattung angemessener Ausgaben im Zusammenhang mit dem Verstoß, wie z. B. Kredit-Freezes oder spezialisierter Identitätsschutz, und Bereitstellung klarer Dokumentation für Ansprüche.
- Zugriff auf Anleitungen und Schutzmaßnahmen: Stellen Sie eine Checkliste für Sicherheitseinstellungen und einen direkten Support-Kanal für Fragen bereit; fügen Sie Schritte zum Zurücksetzen von Passwörtern und zum Aktivieren der Zwei-Faktor-Authentifizierung hinzu.
- Benachrichtigungen über mehrere Kanäle: Nutzen Sie E-Mail, SMS und ein sicheres Portal, damit Kunden Details überprüfen und schnell Maßnahmen ergreifen können; stellen Sie einen Ansprechpartner für Fragen bereit.
- Grenzüberschreitende und Anbieterabwicklung: Bei Datenschutzverletzungen, die die internationale Datenverarbeitung betreffen, koordinieren Sie sich mit den relevanten beteiligten Stellen und stellen Sie sicher, dass Drittanbieter die gleichen Benachrichtigungsstandards erfüllen; teilen Sie Quellen und bewährte Verfahren mit den Stakeholdern.
- Remedies for cross-vendor risks: if data was processed by vendors such as googles or other cloud services, confirm remediation actions and update data handling settings and preferences.
- Transparenz und Aufklärung: Veröffentlichen Sie eine prägnante Zusammenfassung von Vorfällen und gewähren Sie Zugang zu Forschungsergebnissen oder Anleitungen von unabhängigen Quellen und bieten Sie interessierten Kunden ein monatliches Datenschutz-Update an.
