GDPR compliant data collection surveys

The General Data Protection Regulation (GDPR) regulation will enter into effect in the European Union from May 2018 and it will have a fundamental impact on how organizations treat data from individuals in compliance with the new privacy laws.

Online surveys, which are at the forefront of any consumer, market or employee data collection, also need to be made compliant with the updated regulations. In order to make it easier for QuestionPro survey software users to create and send GDPR compliant data collection surveys, we have put in place a sophisticated process to ensure all data being collected using our platform is fully GDPR compliant.

View GDPR Survey Template

GDPR Survey

All GDPR survey updated settings will be under :

Account > Organization > GDPR

Checkbox : ON / OFF - GDPR Compliance.

NOTE - if we are on our EU servers a GDPR compliance will be turned on by default. All other DC - users have to turn on GDPR by choice.

GDPR is at an org level. Not user.

GDPR Survey - Data Protection Officer

Every organization that is collecting data from EU citizens must have a named DP officer. This person should be empowered within the organization and represent the organization with respect to data and privacy issues.

Account > Organization > GDPR

Field for a DP a officer, name, email and contact information.

On the survey footer - Privacy & Data Security - that goes to a page.

Enterprise customers with Edge Support agreements may ask QuestionPro’s DP officer to represent the company. This is only applicable to customers with an Edge Service Contract.

Learn more about GDPR Compliant Survey Settings

Survey data retention period

GDPR relations state that companies must make it clear how long data about the respondents and users are retained. As such, QuestionPro itself has an indefinite retention period of data collected as long as the account is active and paid for. Once an account is cancelled voluntarily or involuntarily (due to non-payment) - we have a 30 day grace period after which we remove all data from our servers. This however is OUR data retention policy.

GDPR regulations require that each company outline its own data retention policy, and more specifically, how long is data retained for.

QuestionPro will provide language and details about its own data expiry policy. We recommend that our customers either adapt or refine their own data retention period and state it clearly.

We will provide the language to be editable and available for respondents - when they take the survey.

This would satisfy the principle of informed consent of subjects and respondents with regards to expiry of data.

Right to look at all survey data collected

GDPR calls for allowing citizens and users to be able to look at and download all the data collected on a user. GDPR advices machine readable format for downloading the data for respondents.

QuestionPro will provide a mechanism for respondents to download not only the survey data, but also metadata associated with the user while we are in the process to collecting their responses. This includes details about the IP address, browser information etc.

The respondents will be able to see that and download it in PDF as well as JSON format - to make it compliant with the spirit of GDPR.

Respondents- when they click on I Privacy and Data Security will see a list of all the surveys that they have taken. They can download a PDF copy of the data that has been collected from them.

Survey Data breaches and Supervising Authority

GDPR calls for a legal obligation for the notification to supervisory authority regarding a data breach within 72 hours of knowing about it.

As such, due to the fact that QuestionPro operates pan-Europe and most companies collect data and impact citizens of multiple countries within the EU, GDPR allows for selecting a “Lead Supervising Authority” - QuestionPro has selected the Dutch - DPA as the lead supervisory authority that governs data collected by QuestionPro. This is partly because our physical servers are located in the Netherlands.

In case of a data breach, at QuestionPro, we will be obligated to notify and DPA in the Netherlands.

In some cases, each of our clients may want to select their own Supervisory Authority. Our customers must then use their own supervisory authority and can notify them about a data breach as soon as we notify you.

In cases where there is a data breach without our involvement - example a laptop with data from survey respondents gets stolen, it is up to our clients to notify their own supervisory authority regarding the breach.

QuestionPro will provide a mechanism to select the Supervisory Authority that each of our clients in the EU want.

Learn more about GDPR Data Collection

Notification to subjects - regarding breaches

Processor Agreements

QuestionPro will have a standard processor agreement for all customers. We will have a standard agreement that lists our obligations as data processors.

We realize that enterprises may have their own DPA’s / data processor agreements that QuestionPro will need to sign and agree to. This will only be available to our Enterprise License Customers - where we agree and look at your DPA.

For all other customers, QuestionPro will have a standard DPA and we will not modify or negotiate the language of the agreement.

Right to be forgotten

When users click on privacy and data protection, they can request that their data - on an individual response level be deleted. They can also delete all survey responses. Further - they can also ask for the system to completely “forget” - including all cookies about the user. QuestionPro will automatically remove all references to the user from its servers.

Research and acknowledgement

When users click on data and privacy - the stated purpose of research and data use will be presented.

Questionpro offers default language that includes;

1. Use of data for research purposes only.
2. No commercial sale of the data.
3. Individual users will not be contacted for marketing or sales purposes.

Each of these are encapsulated in a paragraph. QuestionPro will offer default language that our customers can use. However, it's up to the customers to decide which options to choose. They may edit the content and language also.

The default options will be available in English, Spanish, French, German, Arabic, Hebrew, Japanese and Chinese. Other languages can be added - however the customers will have to provide the content and translations.

GDPR and Data Processing Agreements

There are two kinds of entities as far as GDPR is concerned.

1. Collectors
2. Processors

In most cases - there will be a single data collection entity that uses one or more processors. Processors may in turn use other data processors also. In order to protect the chain of command, GDPR envisions that DPA (Data Processing Agreements) will be entered into between processors and sub-processors.

QuestionPro has DPA agreements with all the companies (including data center providers and cloud infrastructure providers) - as DPA’s. This ensures that all our contracts are GDPR compliant.

Furthermore, QuestionPro has a standard GDPR compliant DPA agreement that we will provide. This form / template agreement is a standard form that QuestionPro provides to all our clients - that want to be GDPR compliant. No changes to this agreement will be allowed. Clients with an Enterprise License may request changes to the standard DPA agreement - however It will take 30-60 days for approval of changes to our standard DPA.