SoundRocket GDPR, PIPL, & CCPA Policy
Updated 2.26.2023
Introduction
This policy outlines the steps that SoundRocket will take to ensure compliance with the General Data Protection Regulation (GDPR), Personal Information Protection Law (PIPL), and the California Consumer Privacy Act (CCPA). The GDPR is a regulation that aims to protect the privacy and personal data of individuals within the European Union (EU) and European Economic Area (EEA) and to harmonize data protection laws across the EU/EEA. The PIPL is a law that aims to protect the personal information of individuals in China. The CCPA is a law that aims to protect the personal information of California residents. SoundRocket fully supports all three regulations and is committed to ensuring that personal data is collected, processed, stored, transferred, or used in a way that respects the rights of all individuals. Related to this policy is the base SoundRocket Privacy & Confidentiality Policy.
IRB Human Subjects Research Protocols
The great majority of those who SoundRocket collects data from are study participants. As such, in addition to complying with GDPR, PIPL, and CCPA, SoundRocket also ensures that its human subjects research protocols are in line with the ethical principles outlined by institutional review boards (IRBs). Often this includes actual oversight of a study by a formal IRB—but whether a study is reviewed by IRB or not, SoundRocket uses research protocols consistent with what would be approved by IRB. While GDPR, PIPL, and CCPA primarily focus on privacy and data protection, IRB. protocols focus on the ethical treatment of human subjects in research, which includes privacy and data protection as well. Some of the key similarities and differences between IRB protocols and GDPR/PIPL/CCPA include:
- Informed consent: Both IRB protocols and GDPR/PIPL/CCPA require informed consent from research participants. However, IRBs often have stricter requirements for what constitutes informed consent for some study protocol.
- Data anonymization: While GDPR, PIPL, and CCPA require that personal data be anonymized or deleted when it is no longer needed, IRB protocols often require data to be anonymized from the beginning of the study to protect the privacy of research participants.
- Sensitive data: While GDPR, PIPL, and CCPA provide guidelines for handling sensitive data, such as health information, IRB protocols often have stricter requirements for how sensitive data is collected, stored, and used in research.
- Risk assessment: IRB protocols require researchers to conduct a risk assessment to determine the potential harm that research participants may experience as a result of the study. GDPR, PIPL, and CCPA do not have a specific requirement for risk assessment, but they do require that personal data be processed in a way that respects the rights and freedoms of individuals.
Work Conducted in Collaborations
When SoundRocket works as a subcontractor for another organization, we ensure that we comply with their privacy practices and policies, as required and specified by the collaboration via contract. We require that our collaborators provide us with clear guidelines and expectations for how personal data should be collected, processed, stored, transferred, or used. We will only process personal data for the purposes specified in our agreement with the organization and will not disclose it to any third parties without their explicit consent, unless required by law.
Our contractual requirements to our customers will come first before this policy, however, SoundRocket will never knowingly engage in a contract that we believe would put us in a position where we cannot uphold these policies. It is our experience that our standard operating procedures in all social science survey research data collection projects meet or exceed the privacy protections stipulated by the relevant privacy laws.
We are committed to ensuring the protection of personal data and compliance with all applicable regulations, including GDPR, PIPL, and CCPA, when working as a subcontractor for another organization. We will regularly review and update our policies and procedures to ensure ongoing compliance and best practices.
Scope
This policy applies to all personal data that SoundRocket collects, processes, stores, transfers or uses in any way. This includes data relating to customers, employees, suppliers, research study participants, and anyone else who engages in a formal relationship with SoundRocket.
Data Collection
We will only collect personal data for specific, explicit and legitimate purposes, and will not process it in a way that is incompatible with those purposes. We will inform individuals of the purpose for which we are collecting their data and obtain their consent where necessary. We will also ensure that personal data is accurate, up-to-date and relevant to the purposes for which it was collected.
Data Storage
We will ensure that personal data is stored securely and protected against unauthorized access, accidental loss, destruction or damage. We will use appropriate technical and organizational measures to ensure the confidentiality, integrity and availability of personal data. We will regularly review and update our security measures to ensure they remain effective.
Data Use and Disclosure
We will only use personal data for the purposes for which it was collected, and will not disclose it to any third parties without the individual’s explicit consent, unless required by law.
Data Retention and Disposal
We take the protection of personal data seriously and are committed to complying with the GDPR, PIPL, and CCPA. To ensure compliance, we will not retain personal data for longer than necessary and will dispose of it securely when it is no longer needed. We will also ensure that personal data is securely deleted or anonymized when it is no longer needed.
Data subject rights are an important part of the GDPR, PIPL, and CCPA, and we are committed to ensuring that individuals are aware of their rights and can exercise them effectively. These rights include the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, the right to object, and the right to lodge a complaint. It is important to note some differences between the regulations, such as the specific conditions under which data can be erased or transferred.
However, we are committed to complying with all regulations and ensuring that personal data is collected, processed, stored, transferred or used in a way that respects the rights of individuals and complies with all applicable regulations.
Table 1 summarizes our understanding of how these privacy laws relate to the work that we do. Table 2 describes specific ways that SoundRocket will ensure these rights will be upheld within the context of a research study.
Table 1: GDPR, PIPL, and CCPA Rights Summarized
| GDPR | PIPL | CCPA | |
| Right to rectification | Data subjects have the right to request the rectification of inaccurate personal data concerning them. |
Data subjects have the right to request the correction of inaccurate personal information or the completion of incomplete personal information. | California residents have the right to request the correction of inaccurate personal information that we have collected about them. |
|
Right to erasure (Right to be forgotten) |
Data subjects have the right to request the erasure of personal data concerning them under certain conditions. | Data subjects have the right to request the deletion of personal information under certain conditions. | California residents have the right to request the deletion of personal information that we have collected about them, subject to certain exceptions. |
| Right to restriction of processing | Data subjects have the right to request the restriction of the processing of their personal data under certain conditions. | Data subjects have the right to request the restriction of the processing of their personal data under certain conditions. | California residents have the right to request that we limit our use of their personal information under certain conditions. |
| Right to data portability | Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format and have the right to transmit that data to another controller without hindrance. | Data subjects have the right to request the transfer of their personal information to another controller in a structured, commonly used, and machine-readable format. |
California residents have the right to request that we provide them with their personal information in a portable and readily usable format. |
| Right to object | Data subjects have the right to object to the processing of their personal data for specific reasons, such as direct marketing or legitimate interest. | Data subjects have the right to object to the processing of their personal information for specific reasons, such as if the personal information is processed in violation of laws or regulations. | California residents have the right to opt-out of the sale of their personal information. |
| Rights in relation to automated decision-making and profiling | Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. | Data subjects have the right to request that their personal information not be used for automated decision-making or profiling that may affect their rights or interests. | California residents have the right to opt-out of targeted advertising and profiling. |
| Right to lodge a complaint | Data subjects have the right to lodge a complaint with a supervisory authority if they believe that their rights have been infringed. | Data subjects have the right to file a complaint with the relevant regulatory body if they believe that their personal information has been processed in violation of laws or regulations. | California residents have the right to lodge a complaint with the California Attorney General’s office or other relevant regulatory body if they believe that their personal information has been processed in violation of the CCPA. |
Table 2: How SoundRocket Complies with Privacy Laws in a Research Context
| SoundRocket Efforts | |
| Right to be informed | SoundRocket informs individuals about the collection and use of their personal data/information and provides detailed information on its privacy policies. |
| Right of access | SoundRocket provides details about the data that is provided to us from third parties (collaborators) as well as the data that is corrected from the research participant. SoundRocket will provide study participants with a view of the data provided, so long as a link remains. Participants may obtain access by sending an email to privacy@soundrocket.com formally requesting access. |
| Right to rectification | SoundRocket corrects or completes inaccurate or incomplete personal data/information upon request, as long as a link remains to identify the data in question. These requests may come in via various ways, including sending an email to privacy@soundrocket.com formally requesting rectification. |
| Right to erasure (Right to be forgotten) | SoundRocket deletes personally identifiable data upon request or when it is no longer needed for its original purpose. The specific plan for deletion for a given study will be covered in the informed consent. |
| Right to restriction of processing | SoundRocket restricts the processing of personal data/information upon request or when the accuracy of the personal data/information is contested. This restriction is only possible with data that remains linked to individuals—anonymized data cannot be removed from further processing. |
| Right to data portability | SoundRocket provides individuals with their personal data/information in a structured, commonly used and machine-readable format and allows them to transmit it to another controller without hindrance. Portability is only possible with data linked to individuals—anonymized data cannot be made portable. |
| Right to object | SoundRocket allows individuals to object to the processing of their personal data/information for specific reasons. This restriction is only possible with data linked to individuals—anonymized data cannot be restricted. |
| Rights in relation to automated decision-making and profiling | SoundRocket provides individuals with the right to opt-out of automated decision-making and profiling that may affect their rights or interests. However, this is generally not applicable, as automated decision-making and profiling is not an aspect of the work that we generally do. Once data is anonymized, such automation cannot be used in a way that affects individuals rights. |
| Right to lodge a complaint | SoundRocket provides individuals with a process to lodge a complaint if they believe their rights have been infringed. Complaints may be submitted to privacy@soundrocket.com. |
Accountability and Governance
We will appoint a Data Protection Officer (DPO) to oversee our GDPR, PIPL, and CCPA compliance and ensure that our policies and procedures are regularly reviewed and updated. We will also provide training to our employees to ensure they are aware of their responsibilities under the GDPR, PIPL, and CCPA.
Conclusion
We are committed to ensuring the protection of personal data and compliance with the GDPR, PIPL, CCPA, as well as IRB and other related laws and policies. This policy forms the basis of our approach and will be regularly reviewed and updated to ensure ongoing compliance. We will also ensure that our customers, employees, and other individuals whose data we process are aware of their rights under the GDPR, PIPL, and CCPA and can exercise these rights effectively.