“GDPR? I really don’t need to have this stress!”

You don't have to! QuestionPro meets the standards for GDPR-compliant data collection for market research and experience management that came into force in 2018.

GDPR-compliant data collection for market research and experience management

The General Data Protection Regulation (GDPR) came into force in the European Union in May 2018 and has a fundamental impact on how organizations treat individuals' data in compliance with new data protection laws. The collection of data for market research and experience management is also affected. Surveys that focus on collecting consumer, market or employee data must comply with the updated regulations. To make it easier for QuestionPro market research and experience management software users to conduct GDPR-compliant data collection, we have introduced a sophisticated process that ensures that all data collected through our platform is fully GDPR compliant.

Nomination of a Data Protection Officer

Any organization that collects data from EU citizens must appoint a data protection officer. This person represents the organization in relation to data protection issues. In market research studies and touchpoint analyses as part of experience management that are carried out with QuestionPro, the data protection officer is named in the footer of the survey or a link entitled “Data protection & data security” leads to the relevant information.

Entry of the data protection officer

The input fields for naming the data protection officer in market research studies and touchpoint analyses can be found in QuestionPro under:
Account → Compliance → GDPR → Data Protection Officer.

As soon as you set the GDPR control panel to ON, you will automatically be redirected to the corresponding input field.

Activation of GDPR compliance in QuestionPro

QuestionPro's GDPR compliance is already preset when operating on servers in the European Union. The settings for GDPR-compliant data collection can be found in QuestionPro under:
User account → Compliance → GDPR
Make sure that the GDPR ON / OFF selection field is set to ON!
Please check the settings in your user account!

Retention time of data

The requirements of the GDPR state that companies must make it clear how long respondents' data will be kept. QuestionPro itself has an indefinite retention period for the data collected as long as the account is active and paid. Once an account is terminated voluntarily or involuntarily (due to non-payment), we have a 30-day period after which we remove all data from our servers.

The GDPR regulations require that each company has its own data retention policy, in particular how long data is kept. QuestionPro provides information on its own data expiry policy. We recommend that our clients adapt their own data retention period and clearly and unambiguously state that it complies with the principle of consent after respondents have been informed about the expiry of the data.

Right of inspection

The GDPR requires that respondents have the possibility to view and download all data collected about the respondent. The GDPR recommends a machine-readable format for downloading the data.

QuestionPro provides a mechanism for respondents to download not only the survey data but also the user's metadata. This includes information about the IP address, browser information, etc. Respondents can download this data in PDF and JSON format.

Notifying the supervisory authority of data breaches

The GDPR imposes a legal obligation to notify the supervisory authority of a data protection breach within 72 hours of becoming aware of it.

QuestionPro has selected the Dutch DPA as the lead supervisory authority that regulates the data collected by QuestionPro. This is because our physical EU servers are located in the Netherlands.

In the event of a breach of the privacy policy, we, QuestionPro, are obligated to report this to the DPA in the Netherlands.

Corporate customers can also choose their own regulator. In the event of data breaches, the company itself must then inform the competent authority as soon as we inform them about the breach.

In cases where a data breach occurs without our involvement - for example, if a laptop containing a respondent's data is stolen - it is up to our customers to inform their own supervisory authority of the breach.

QuestionPro provides its corporate customers with a mechanism for choosing the Data Protection Authority.

Further information on the subject of GDPR for market research and experience management

Data processing agreement

QuestionPro will provide a standard data processing agreement to all customers setting out our obligations as a data processor.

We understand that most companies have their own data protection and data processing agreements, which QuestionPro will sign and accept, after sufficient review, when its survey and analytics platform is used. This process is only available to our Enterprise Licence customers. Enterprise Licence customers can request changes to the standard GDPR agreement, but it typically takes 30-60 business days for changes to our standard GDPR agreement to be approved.

A non-modifiable standard data processing and data protection agreement is provided for all other customers.

Right to be forgotten

When respondents click on Privacy & Data Protection, they may request the deletion of their data. This also applies to the stored survey data. In addition, respondents may also request that all tracking data about the user is deleted. QuestionPro automatically removes this data from its servers.

Purpose of data collection

When respondents click Privacy & Data Protection, the stated purpose of the data collection is listed. Survey initiators are solely responsible for the content.

QuestionPro offers its customers the following standard formulations for standard data processing agreements:

  • Use of data for research purposes only.
  • No commercial sale of data.
  • Respondents will not be contacted for marketing or sales purposes.

It is up to the customer to decide which options to choose. The content can also be customized.

The default options are available in German, English, Spanish, French, Arabic, Hebrew, Japanese and Chinese. Additional languages can be added; however, customers must provide the content and translations themselves.

Our data protection officer in accordance with Section 38 of the Federal Data Protection Act (BDSG) and Art. 37 of the General Data Protection Regulation (GDPR)

Jörg ter Beek
Cortina Consult GmbH
Hafenweg 24
48155 Munster
Tel: (0)251 – 29 79 47 40
E-Mail:  dsb.questionpro@cortina-consult.de

Do you have further questions about GDPR compliance in the context of market research and experience management? Contact us!

We are happy to provide you with advice and assistance at any time on any questions you may have regarding GDPR compliance! It is best to use the QuestionPro FAQ sheet for your questions: GDPR FAQ.

Data protection officers of the countries of the European Union

Here you will find a list of data protection officers from the countries of the European Union.

1:1 live online consultation:
GDPR in market research and touchpoint analyses (experience management)

We would be happy to answer all your questions about the GDPR compliance of QuestionPro's market research and experience management software as part of a 1:1 live online consultation. Arrange a personal appointment now!