Online surveys & GDPR

FAQ on the subject of GDPR and online surveys from QuestionPro

GDPR for online surveys: FAQ sheet. You ask, we answer!

The General Data Protection Regulation (GDPR) is on everyone's lips, and it also affects online surveys. What changes? What do you have to pay attention to? What will change for your survey participants? In this FAQ sheet we have put together a collection of questions from our customers about the GDPR in online surveys. You can also send us your own questions about the General Data Protection Regulation, and we will publish the answers here for everyone. Your name and email address will not be published. Once your question has been received, you will receive a personal answer at the email address you provided. Thank you for your contribution to our GDPR FAQs!

Read here the answers we have collected so far to our customers' most important questions about the GDPR

DISCLAIMER

IMPORTANT: This FAQ page cannot replace legal advice, it only serves to provide orientation and raise awareness on the subject of GDPR. If you have any legal questions, please consult a qualified lawyer. You may consider all answers directly related to the QuestionPro product as binding.

Where can I find the complete text of the General Data Protection Regulation?

You can find the current and complete text of the European General Data Protection Regulation on the EU website. The portal dejure.org offers a clearer presentation in German.

dejure.org
European General Data Protection Regulation

How do I set up GDPR compliance in the QuestionPro survey software?

To set up GDPR-compliant online surveys, we have written a clear blog article for you that explains step by step with illustrations how to create and publish your online survey in accordance with the GDPR guidelines.

Information on the subject of GDPR

When does a data protection officer have to be appointed?

According to Section 4f BDSG, the obligation to appoint a data protection officer already existed before the new General Data Protection Regulation. The new requirements for appointing a data protection officer are regulated by Art. 37 Paragraph 1 GDPR. However, a so-called “opening clause” applies to the Federal Republic, which regulates the appointment of a data protection officer. Under Section 38 of the revised Federal Data Protection Act (BDSG (new)), a data protection officer must be appointed in private companies (non-public bodies) if at least ten people work with automatically collected personal data.

Art. 37 paragraph 1 GDPR
§38 BDSG (new)

Where can I find an overview of all data protection officers in the EU countries?

You can find an overview of all data protection officers in the countries of the European Union here: Data protection officers of the EU countries.

Information about the European Union Data Protection Supervisor (EDPS) can be found here: EU data protection officer.

Do I have to activate GDPR compliance in QuestionPro even if I only carry out online surveys in non-EU countries?

No, you don't have to. The General Data Protection Regulation only affects EU citizens. However, if you operate your survey account on our European server and simultaneously conduct surveys within the EU, you should NOT deactivate GDPR compliance, because in QuestionPro it is a GLOBAL setting. Deactivation would mean that your EU surveys are not GDPR compliant!

Do privacy statements need to be translated for each EU country?

We recommend that the privacy statements be translated into at least all languages in which the survey will be conducted. For example: If you conduct surveys in English, French and German, you should translate the GDPR data protection regulations into at least these three languages. This way you will always comply with the principle of informed consent. By the way: You can find information about creating multilingual online surveys with QuestionPro here:
Create multilingual surveys
→ Principle of informed consent

What penalties are there for non-compliance with the GDPR regulations?

How high the penalties are for non-compliance with the GDPR regulations obviously depends on the individual case. However, according to Article 83, Paragraph 4 of the GDPR, there is a risk of fines of up to EUR 20 million or even 4% of annual turnover.

Which QuestionPro license version do I need to use the GDPR function?

The GDPR function is available to all QuestionPro users, regardless of the license variant used. You can already access the GDPR functions in the free version.

Do I need a QuestionPro account hosted on an EU server to comply with GDPR regulations?

No, the server location is completely unimportant. If you have a user account hosted in the EU, GDPR compliance is already preset. If the server location is outside the EU, you must activate GDPR compliance. The following blog article explains how to do this and how to find out where your survey data is hosted:

Blog article on the subject of GDPR

What does the right to be forgotten mean in the context of online surveys and how do I implement it if a survey participant wants their data deleted?

The right to be forgotten also applies to online surveys. This means that a survey participant has the right to have their data deleted.

If GDPR compliance is activated in your survey account, each survey will contain a “Data protection and data security” link in the footer. If a survey participant clicks on this link, all surveys in which the respondent took part are listed. There, the participant can submit a deletion request for each survey with a mouse click. All deletion requests are listed in the survey system and can be deleted there.

Do I have to specify the purpose of data collection, the duration and an exclusion of the use of the data obtained in online surveys?

Yes, indeed! Of course, you don't have to explain your research or survey project in every detail, just that it is a survey for research purposes on a specific topic. You should also mention that the data will not be passed on to third parties and there is no further use for this data apart from the actual purpose. Transparency is very important right now as people are currently highly sensitive to the new GDPR. When it comes to the topic of how long data is stored, things get interesting: it is said that data has to be deleted or blocked as soon as the purpose of storage no longer applies. You should seek legal advice to find out how best to proceed here.

Consent to data processing: Do I have to explicitly ask my survey participants whether they agree to the processing of the data before sending the survey data?

“Consent” is defined in Article 4 No. 11 GDPR (definition) as follows:

For the purposes of this Regulation, the expression… “consent” of the data subject means any voluntary, informed and unequivocal expression of the data subject's wishes, in the specific case, in the form of a statement or other clear affirmative action by which the data subject indicates that he or she agrees to the processing of personal data concerning him or her.

Art. 4 No. 11 GDPR

The easiest way is to place a checkbox at the end or beginning of the survey that participants activate to consent to the storage and processing of their data. You must declare this checkbox as a mandatory field, and it must not already be activated. You can implement this checkbox in the survey software using a single-choice question with one option or using the “presentation text” question type.

Question type presentation text

Does survey data have to be sent encrypted according to GDPR and how do I ensure that survey data is sent encrypted when using QuestionPro?

The question of whether data must necessarily be transmitted in encrypted form is regulated by Article 32 of the GDPR. It says:

“Taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the different probability of occurrence and severity of the risk to the rights and freedoms of natural persons, the controller and the processor shall take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk; these measures include, but are not limited to:

a) the pseudonymization and encryption of personal data...”

QuestionPro automatically sends survey data via a secure SSL connection. So you don't have to do anything here.

Article 32 GDPR

What regulations are there for interviewing minors in an online survey?

Surveying minors is not a primary GDPR topic, but the same data protection provisions and requirements naturally apply here as for adults. Unfortunately, we cannot and are not allowed to give any more in-depth legal advice here. However, the Council of German Market and Social Research offers guidelines for surveying minors that are worth taking a look at. Here you can find the document as a PDF file:

Interviewing minors

Do data protection and legal notices have to be provided for anonymized surveys?

We generally recommend that our customers add a data protection declaration and an imprint to a survey that states who the initiator of the survey is. Of course, this also applies to anonymous surveys. Is your survey actually anonymous? Remember that most survey solutions collect metadata, such as IP addresses, the device used, the location, etc. In this case it is not an anonymous survey in the true sense. Here you will find valuable information about conducting truly anonymous surveys if you conduct your survey with QuestionPro.
Another tip: Have your survey participants confirm that they have read the data protection declaration.
And here you will find a few general tips on the subject of GDPR in surveys.
