I'm building a survey in Survey123 in order to collect data about floodings by volunteers.
The idea is that volunteers anonymously complete a survey via Survey123 while sharing a (GPS)-location and eventually a photo (of the flooding).
In order to comply to the GDPR (EU-regulation 2016/679), I request from the volunteers that, before they are able to submit the survey, they explicity give their consent by a checkbox that the data they will submit will be processed for a specific purpose.
To my knowledgde, the data of the completed surveys are stored in ArcGIS Online. Correct me if I'm wrong.
Based on the results of a test survey, I have mentioned that a photo attached to the survey has also EXIF-data, wherein data about the camera is stored. To my opinion this is not personal data and will be no problem in order to comply with the GDPR.
I'm more concerned about privacy issues about data that possibly is transferred to Survey123 and ArcGIS Online, but which is not visible for me as a creator of a survey, but for which I can be accountable/responsible under the GDPR .
My first question is does Survey123 for example also collect IMEI-data and/or other personal data/information or identificable data/information (e.g. username of the Android-account, Android-version, etc.) ?
My second question is if ESRI has the right to combine or to enrich the data which the volunteers have collected, with other data?
To address your first question, Survey123 does not collect any information that is not visible to the survey creator. There are built-in editor tracking fields that will automatically log the username of the person who created an entry, but that will only be populated if the person already has an ArcGIS Online account (and thus consented as part of using the ArcGIS Online system). If you are sharing the form publicly, that field will not be populated; additionally, you could choose to disable editor tracking on the feature service if that is still a concern. I'll also note that phone operating systems have been increasingly locking down access to account information like IMEI numbers; that isn't accessible on iOS and the
To address your second question, I would refer you to the Esri Products & Security Privacy Statement Supplement, specifically the "Customer Data" section:
Customer Data will be used only to provide customer the Products & Services including purposes compatible with providing those services. For example, we may use Customer Data to provide a personalized experience, improve service reliability, combat spam or other malware, or improve features and functionality of the Products & Services. Esri will not use Customer Data or derive information from it for any advertising or similar commercial purposes. Customer Data is not Administrator Data, Payment Data, or Support Data.