With reference to requests for Data Processing Agreements
At Mentimeter, we handle personal data with care, and we only collect and process the information that is necessary in order to provide our services and give a good user experience. Our services depend on the use of the personal data we collect (for example email addresses) and since we decide the purpose and means for this personal data it means that we are liable as “controllers” (as described in Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data - “GDPR”). What we collect and process as well as the purpose and means are described in our Privacy Policy.
If we would sign a DPA covering the same personal data that we depend on to provide our services, we would instead be considered a “processor” in relation to such data and depend on your instructions when we provide our services. That situation may prevent us from providing the service you pay us to do and we believe that this is neither required according to GDPR nor appropriate. How we structure our services must be entirely under our control, and, as a consequence, our responsibility.
An example: if you as an organization purchase a subscription with several licenses and invite colleagues to register for a Mentimeter account using their email addresses, we are dependent on our right to use these addresses in order to comply with the obligations described in our online terms. This could be related to us being able to, for example, provide appropriate security measures or being able to communicate with our users to provide help or give information if there is a difficult situation.
If you are a controller in relation to the same personal data that we need to process to provide our services, there is simply a transfer of personal data between two independent controllers processing the same personal data for different and independent purposes. To give some comfort in this situation, we do have data processing agreements as well as sufficient safeguards for data transfers between EU and non-EU countries in place with all our processors (such as the Standard Contractual Clauses (SCC) adopted by the European Commission).