Skip to content
English
More support
Go to www.commonplace.is
  • There are no suggestions because the search field is empty.

GDPR statement

Commonplace Digital LTD - GDPR statement

Commonplace is GDPR compliant. Below you can find some of the key principles of GDPR compliance, and how we achieve this compliance.

1. Status as Controller and Processor for the consultation

For the purposes of the consultation(s) that our customers use Commonplace to conduct, our customer is the Controller and Commonplace is the Processor of all the data collected.

2. Status as Independent Controllers

Commonplace also has its own purposes for collecting and using the data collected, for which Commonplace and our customer are Independent Controllers. These purposes fall into three categories:

  1. Maintaining the ‘profile pages’ of individual community contributors to projects run on Commonplace. These profile pages are independent of each consultation and customer, since an individual can contribute to many different consultations run by different customers. Commonplace needs to be a Controller to facilitate these pages. Community contributors can access their profile page at any time, and perform actions like editing, downloading or deleting their personal data, which is required under GDPR.
  2. Notifying members of the community about other local projects to which they may want to contribute. We collect a separate consent for this purpose, which is also independent of any one customer and individual consultations.  
  3. We occasionally use anonymised data to write trend-based reports, and to feed back into the further development of the Commonplace platform for the benefit of our customers and communities.

The data for which Commonplace is an Independent Controller is identical to the data for which the customer is Controller, except for any Special Category Data collected by our customer for a consultation, for which the customer is the sole Controller and Commonplace is only a Processor.

The purposes for which Commonplace and our customer are Controller and Processor are listed in the Data Processing Addendum to our standard license agreement.

3. How the Commonplace platform supports full GDPR compliance:

a. The first time respondents contribute, they view the Teams Page, where we list and clearly explain which organisations are behind the Commonplace project, what their roles are, and what their purpose is for collecting data. For every organisation that is a Controller or Processor, we provide a link to their privacy statement.

b. Respondents are then asked to provide further information about themselves. This information is optional and may include data such as age or what transport modes they use. If our customer decides it is required, on some projects special category data is also collected. This may include information such as ethnicity, sexual orientation or health information. Special category is anonymised at source, which means that there is no connection between this data and the comment or personal data. It means that this data can only be used to provide summary statistical information for the whole project.

c. Communication options for respondents are clearly defined and opt-in. Project stakeholders can only contact respondents based on the consents that they have given. The granular communication options include:

  • Commonplace News
  • Responses to comments
  • External newsletter
  • Being told about new Commonplaces in the area people live

d. Every contributor has a profile page where they can see their consents, withdraw or modify them, for all Commonplaces they have contributed or subscribed to.

e.Every contributor has the right to see, update, delete or download their data that Commonplace holds on them. The Commonplace profile lets respondents exercise this right easily.

f. We are committed to reducing the risk for our customers. Administrators on a Commonplace cannot download any personal data which includes identifiers or sensitive information. This protects both our customers and contributors.

g. Our customer can decide at what point the personal data for a particular project should be removed. At this point, the link between personal information and the comments themselves is irrevocably broken. From this point on, the comments on a project are completely anonymised. The point at which this takes place is set out in our standard license agreement.

h. Commonplace provides specific instructions to customers for authoring and using paper forms to ensure that the process and disposal of forms is GDPR compliant.

i. Our platform uses some sub-processors: third parties that provide a specific function for the Commonplace platform. An example is SendGrid, which sends out all the email communications to community users. The sub-processors are listed in our standard license agreement and you can view all sub-processors on our website. For any sub-processor where data is transferred outside of the UK, we have a written agreement that includes the Standard Contractual Clauses (SCCs) approved by the Information Commissioner's Office

Our full Data Privacy Policy can be found on our Privacy Policy page.