From 25th May 2018, the new EU General Data Protection Regulation (GDPR) applies across the European Union. We've been working hard behind the scenes to ensure that Gorilla is fully GDPR compliant, and this page gives an overview of the steps we have taken.
Gorilla allows scientists to run online research studies. For all research and participant data, we are the Data Processor and the scientist in charge of the experiment is the Data Controller. For account information and billing, we are the Data Controller.
This means that it is up to the scientists who use Gorilla to ensure their experiments are run in accordance with GDPR. We meet all the requirements of a Data Processor, but some responsibilities under GDPR fall to the scientist as the Data Controller.
We run several mailing lists for our account holders. One, Gorilla Offers, contains information about any promotions or special offers for either Gorilla itself or complementary products from other companies. Under GDPR, this counts as marketing email. This mailing list has been disabled by default for all users, who will be given the option to opt in to receiving it again when they next log in.
We also send emails to account holders on our other email lists. For example, we send service-related emails whenever we make changes to the platform, or to inform you about maintenance. These do not require explicit opt-in consent under GDPR; however, if you are unhappy about receiving any of these emails, please accept our apologies. You can disable any of the mailing lists from your Account page.
We also send automated emails based on your actions within Gorilla. For instance, when you first create an experiment, we will send you an email that directs you to experiment-related support materials. You cannot opt out of these service-related emails. They are designed to ensure you have the best possible information to make the best use of Gorilla.
Scientists can also use the platform to send emails to participants; we never email a participant on our own initiative. As the scientist is the Data Controller for their participants, it is up to them to obtain participants' consent to be contacted. If you are a participant and are unhappy about having received an email sent through Gorilla, please accept our apologies and contact the scientist in charge of the experiment.
We use external suppliers for services such as web hosting, error tracking, email sending, etc. You can see a full list of suppliers here. Our suppliers are either located in the EU or are part of the US-EU Privacy Shield, so your data is held under GDPR-level protections.
Since the European Court of Justice ruling in the Schrems II case, the US-EU Privacy Shield is no longer a legal basis for transfer. We are closely following the guidance issued by the Information Commissioner's Office (ICO) in order to provide the best possible service.
We now have Data Processing Agreements (DPAs) signed with all our suppliers, and use Standard Contractual Clauses. Further work is underway by the European Commission and the EDPB to provide more comprehensive guidance on any extra measures we may need to take. In the meantime, we have taken stock of the international transfers that we make, so that we can react promptly as guidance and advice become available.