The Happiness Index and GDPR

The role of our customers

With respect to the GDPR regulations, our customers are the Data Controller. According to the Information Commissioner’s Office (ICO), the definition of ‘Data Controller’ is:

“Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data.”

As the Data Controller our customers must comply with, and demonstrate compliance with, all the data protection principles set out in the GDPR regulation.


The role of The Happiness Index

The Happiness Index’s role is the Data Processor. According to the ICO the definition of Data Processor is:

“Data Processors act on behalf of, and only on the instructions of, the relevant controller.”

As a Data Processor, it’s not up to The Happiness Index to decide what should happen to the data, which means we’re processing the data and not controlling it. However, we do have a responsibility to protect the data we’ve been trusted with and to use it in line with the instructions from the Data Controller.


What does legal basis mean?

As a Data Controller, you must have a valid lawful basis in order to process personal data. There are six available lawful bases for processing under the GDPR regulations. No single basis is ‘better’ or more important than the others, and which basis is most appropriate to use will depend on the Data Controller’s purpose and relationship with the individual.

The six legal bases are:


  1. Consent: you have consent to process personal data for a specific purpose.
  2. Contract: the processing is necessary as part of a contract you have with the individual.
  3. Legal obligation: the processing is necessary for you to comply with the law.
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for you to perform a task in the public interest.
  6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Typically, our customers use the lawful basis of ‘Legitimate interests’, e.g. it is in the legitimate interest of the individual for their data to be used to run staff surveys, so they can have a voice in how their workplace operates.


The Happiness Index’s Accreditation

The Happiness Index is an accredited data handler with the Information Commissioner’s Office and a holder of the UK Government’s Cyber Essentials certification.


What information do we hold?

The types of personal information we hold at The Happiness Index are the individual’s:


  1. Name
  2. Email
  3. Filter information, e.g. department, location
  4. Scores and comments


How long do we keep data for?

We retain your data for a period of 2 years in case a customer wishes to return to The Happiness Index and access their historical data. Once 2 years have passed, if the customer has not returned to The Happiness Index, we will delete any data relating to personalised surveys.

If the customer has used Pre-built surveys, The Happiness Index will anonymise all responses by removing Personally Identifiable Information so we can retain the anonymised data for benchmarking purposes.

If the customer does not wish us to retain their data for the 2-year period, they will need to send a data deletion request in writing to The Happiness Index. If the customer has used personalised surveys, The Happiness Index will delete the data within 28 days of the ticket being created. If the customer has used Pre-built surveys, we will anonymise the data and retain it for benchmarking purposes.