GDPR Compliance

Zykrr and GDPR Compliance

Zykrr is fully compliant with the General Data Protection Regulation (GDPR) and enables its customers—who act as data controllers—to comply with the regulation effectively when using the Zykrr feedback platform.

Zykrr always functions as a data processor, meaning it processes personal data only on behalf of, and as instructed by, the customer. The data controller, typically Zykrr’s client, retains full control over what data is collected, stored, and processed.

For the official GDPR definition of a “data processor,” refer to Article 4.8 of the GDPR.

While Zykrr provides the tools to manage data in a compliant way, customers are responsible for implementing appropriate legal and operational practices and are encouraged to seek their own legal counsel.

Managing Data Subject Rights in Zykrr

Below is a summary of how Zykrr enables customers to respond to each GDPR data subject right.

✅ Right to Be Informed

  • When users (employees, customers, etc.) are invited to access the Zykrr platform, the invite email can include information about their data rights.
  • When survey links are sent using Zykrr’s distribution engine, customers can insert:
    • Why the individual is being contacted
    • Data processing information
    • An unsubscribe or opt-out link

Customers are responsible for ensuring that all legally required disclosures are included in communications.

✅ Right of Access

  • Customers can search for a data subject using identifiable fields (e.g., email, name).
  • All related records can be exported in CSV format to fulfill access requests quickly.

✅ Right to Rectification

  • Customers can update individual or bulk records via the CSV upload tool.
  • This allows corrections to data fields (e.g., name, contact number, segmentation attributes) without losing associated feedback.

✅ Right to Erasure / Right to Be Forgotten

  • Customers can:
    • Delete specific feedbacks
    • Delete all feedbacks associated with a data subject
    • Delete an entire feedback campaign, which removes all data collected in that project
    • Delete an account, which results in deletion of all linked data permanently

All deletions are immediate and irreversible unless data backups are held under separate contractual terms.

✅ Right to Restrict Processing

  • Although Zykrr does not support a “pause” mechanism for data processing, customers can restrict processing by deleting the data subject’s records upon request.
  • This is functionally equivalent to erasure and satisfies the requirement to cease processing.

✅ Right to Withdraw Consent

  • When a data subject withdraws consent, customers can:
    • Search for the data subject
    • Delete their records from a single interface

Zykrr allows batch or single deletions, and customers are responsible for honoring withdrawal requests in a timely manner.

✅ Right to Data Portability

  • The same CSV export used for the Right of Access also fulfills this requirement.
  • Zykrr allows structured, machine-readable exports of individual or grouped data records.

✅ Right to Object to Processing

  • Zykrr provides no native UI for objection management.
  • Customers are advised to:
    • Offer a clear channel (e.g., email, form) for objections
    • Maintain logs of such requests
    • Delete or exclude those individuals from further survey processing using filters or suppression lists

✅ Rights Related to Automated Decision-Making and Profiling

  • If the customer uses Zykrr for profiling or AI-based decision workflows, they are responsible for:
    • Informing data subjects at the time of consent
    • Clarifying what decisions are automated
    • Ensuring no legal or similarly significant effects are made solely via automation unless permitted under Article 22 of GDPR

Zykrr’s Role and Responsibilities

Role Description
Zykrr Acts as Data Processor — processes data only under documented customer instructions
Customer Acts as Data Controller — responsible for data collection, consent, rights management, and legal compliance

Zykrr provides secure infrastructure, access-controlled interfaces, and deletion/audit capabilities to enable these rights, but legal compliance is the customer’s responsibility.

Need Help?

For audit documentation, DPA execution, or guidance on any data subject workflow, contact your Customer Success Manager or email support@zykrr.com.

Updated on 17 Jan 2022