Three-line summary
All data is stored within the EU/EEA. We sign standard data processing agreements (DPAs) for all engagements involving personal data. Anonymity in employee surveys is ensured through thresholds, separated data files and AI-driven anonymisation checks.
1. Data Processing Agreement (DPA)
For all engagements where we handle personal data on your behalf — customer, employee or market research with contact data — we sign a data processing agreement under GDPR Art. 28. We use a standard template that follows the recommendations of the Swedish Authority for Privacy Protection (IMY).
Our DPA template includes
- Specification of purpose, duration and category of personal data
- Technical and organisational security measures (TOMs)
- Sub-processor list and approval process
- Reporting obligations on security incidents (72 hours)
- Return or deletion of data after engagement ends
- Audit rights for you as data controller
- Sub-processor liability and insurance
The agreement is sent with the offer. You have the opportunity to review and comment before signing. If you have your own templates, we adapt our process to yours.
2. Data localisation — where is data stored?
All data is stored within the EU/EEA. We never use cloud services with US-based data flows for engagements involving Swedish personal data — no AWS US, no Google Cloud US, no Microsoft 365 instances outside the EU.
Our sub-processor stack consists of the following types of providers — all EU-based. The full sub-processor list with specific providers is attached to the DPA — you must approve it before we use each provider.
| Purpose | Location |
|---|---|
| Survey collection and data gathering | EU/EEA |
| Telephone interviews (telephony infrastructure) | Sweden |
| Data storage (raw data and reports) | EU/EEA |
| AI models (LLM for sentiment analysis) | EU region |
| Email communication | EU/EEA |
| Backup and security copies | EU/EEA |
On request we share the specific list with you before signing — names of providers, their role, and their own GDPR documentation. You have audit rights and veto rights on every sub-processor.
3. Anonymity in employee surveys
Anonymity is not an assertion — it is a technical and organisational construct. Here is how we do it.
Reporting thresholds
No results are reported at a group level with fewer than 5 respondents. The default is 5; some engagements choose 7 or 10 (with extra-sensitive questions or smaller organisations). If a team has 4 responses it is merged with the overall level — the manager cannot see a report from which they could deduce who responded.
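The threshold rule described above, as an added example (not Alba's own code): team results are published only at or above the threshold, and smaller teams count only toward the overall figure. It goes one step beyond the text by flagging the case where the merged remainder is itself below the threshold and could be recomputed by subtracting the published teams from the overall result. Function names, field names and the sample data are assumptions.

```python
from statistics import mean

MIN_GROUP = 5  # default threshold named on the page; 7 or 10 are also used

# Constructed sample data: (team, score on a 1-5 scale).
SAMPLE = ([("Sales", s) for s in (4, 5, 3, 4, 4, 5)] +
          [("Support", s) for s in (2, 3, 3, 4, 3)] +
          [("Finance", s) for s in (1, 2, 2, 1)])   # only 4 responses


def build_reports(responses, threshold=MIN_GROUP):
    """Return overall result, publishable team results, merged teams, and
    merged teams whose combined result is derivable by subtraction."""
    by_team = {}
    for team, score in responses:
        by_team.setdefault(team, []).append(score)

    all_scores = [s for scores in by_team.values() for s in scores]
    if len(all_scores) < threshold:
        # Even the overall level is too small to report.
        return {"overall": None, "teams": {},
                "merged": sorted(by_team), "derivable": []}

    teams = {t: {"n": len(s), "mean": round(mean(s), 2)}
             for t, s in by_team.items() if len(s) >= threshold}
    merged = sorted(t for t, s in by_team.items() if len(s) < threshold)

    # Differencing check: overall minus every published team equals the
    # merged remainder. If that remainder is below the threshold, its
    # combined result can be recomputed from the published figures.
    remainder = sum(len(by_team[t]) for t in merged)
    derivable = merged if 0 < remainder < threshold else []

    return {"overall": {"n": len(all_scores),
                        "mean": round(mean(all_scores), 2)},
            "teams": teams, "merged": merged, "derivable": derivable}


if __name__ == "__main__":
    print(build_reports(SAMPLE))
```

A non-empty `derivable` list means another level needs to be withheld or merged before the reports go out.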
No IP addresses or personal markers
We do not log respondent IP addresses. This is configured in the survey platform from the start. No other personal markers (browser fingerprint, cookie ID) are saved with the responses.
Identifying free-text responses are masked
An AI-driven anonymisation check is run on free-text responses: if a respondent writes "I am the only woman on the team" or "my manager Pelle in Northern district", this is masked before the report is created. The original text is archived separately and disappears when the engagement is complete.
Separated files
The email distribution file is stored separately from response data, in its own encrypted volume. The correlation between email and response is destroyed as soon as the distribution is complete.
Leadership commitment
Before the engagement starts, leadership confirms in writing that no attempts will be made to deanonymise respondents. This creates a moral and contractual guarantee in addition to the technical safeguards.
4. Retention — how long is data kept?
Personal data is deleted no later than 30 days after final delivery unless otherwise agreed. Aggregated and anonymised results (without personal linkage) may be retained by us for up to 5 years for historical comparison if you approve.
| Data type | Standard retention |
|---|---|
| Personal data (email, name, phone) | Deleted within 30 days of final delivery |
| Individual responses with pseudonym ID | Deleted within 30 days |
| Aggregated report and anonymous data file | 5 years for comparison (if you wish) |
| Recordings of telephone interviews | Deleted after 90 days (transcript anonymous) |
| Backup security copies | Deleted within 60 days |
You receive a deletion certificate when the entire retention process is complete. If you want alternative retention (shorter or longer) we adapt under the agreement.
5. Security incidents — what happens if something goes wrong?
In the event of a suspected or confirmed security incident we follow GDPR Art. 33–34:
- Within 24 hours: Initial assessment of severity. The affected client is informed directly if the incident affects their data.
- Within 72 hours: Formal incident report to you, with description of the incident, scope, actions taken and preventive steps going forward.
- Notification to IMY: We support you as data controller in making any notification to the Swedish Authority for Privacy Protection.
- Notification to respondents: If the incident is so serious that respondents must be informed, we help draft the message.
Since 2005, Alba has not had any security incident requiring notification to IMY.
6. Right to access, rectification and deletion
Respondents and you as data controller have rights under GDPR:
- Right to information about how their data is processed
- Right of access to their personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
We have a standard process for handling such requests within 30 days.
Need our complete GDPR documentation?
We send the standard package — DPA template, sub-processor list, security measures (TOMs), incident process and retention policy — within 1 working day.