GDPR Surveys - Be GDPR compliant with your surveys & research

Learn how GDPR affects your survey data collection and how to create & send a GDPR compliant survey.

GDPR Survey

GDPR data collection

The General Data Protection Regulation (GDPR) went into effect in the European Union in May 2018. The regulation has a fundamental impact on how organizations are allowed to treat data from individuals to stay compliant with the new privacy laws.

Online surveys need to be compliant with these laws and regulations. Both your survey and GDPR survey data must be compliant. At QuestionPro, we want to make the online survey process as smooth as possible for both our users and the people they survey. We have created a sophisticated process to ensure all data being collected using our platform is fully GDPR compliant.

GDPR compliant survey

Follow this path to open the GDPR settings in QuestionPro:

Account > Compliance > GDPR

Checkbox: ON / OFF - GDPR Compliance.

NOTE – For users on our EU servers, GDPR compliance is turned on by default. All other DC users must turn on GDPR compliance by choice.

GDPR survey settings are organizational and limited to a single user.

GDPR survey - Data Protection officer

Organizations that collect data from EU citizens are required to name a Data Protection (DP) officer. The DP officer represents the organization in any data or privacy issues. Within the QuestionPro platform, you can input the name and contact information of your organization’s DP officer. You can access this field by going to:

Account > Compliance > GDPR

Field for a DP officer: input name, email, and contact information.

A new link will appear on survey footers (privacy & data security) that goes to a page with GDPR compliance data.

Customers with Edge Support agreements may ask QuestionPro’s DP officer to represent the company. This is only applicable to customers with an Edge Service Contract.

GDPR survey data retention period

Under GDPR, companies collecting data from users must make it clear how long collected data will be retained. QuestionPro has an indefinite retention period so long as your account is active and paid in full. Once an account is canceled voluntarily or involuntarily (due to non-payment), we have a 30-day grace period, after which we remove all data from our servers.

This is our data retention policy. The GDPR regulations require that each company outline its data retention policy. The most important part of your data retention policy is stating how long you plan to retain the collected data.

We recommend that QuestionPro users either adapt our data retention policy to fit their needs or create a new policy. You should state your policy clearly on your privacy policy page. Encourage survey respondents to set the language of their choice before answering survey questions. This satisfies the principle of informed consent of respondents with regard to the expiration of collected data.

Right to look at all GDPR survey data collected

The GDPR legislation states that organizations must make collected data available for viewing and download for each user. You should use a machine-readable format when offering your data for download.

QuestionPro provides a tool for users to download survey data as well as metadata associated with the user while collecting their responses. This includes details about their IP address and browser information.

For a survey to be GDPR compliant, users can view and download their GDPR survey data in PDF as well as JSON format.

When respondents click on Privacy and Data Security, they see a list of all the surveys they have taken. They can then download a PDF copy of the data that has been collected from them.

GDPR survey data breaches and supervising authority

QuestionPro provides a highly secure survey platform for your online surveys. However, in the unlikely event of a data breach, you should know your organization’s responsibilities to notify authorities.

According to the data regulation, an organization is legally responsible for notifying a supervisory authority within 72 hours after learning of a data breach.

GDPR regulations allow the selection of a Data Protection Authority (DPA) to supervise the application of the data protection law. QuestionPro has selected the Dutch DPA as the lead supervisory authority that governs data collected by QuestionPro.

In some cases, a client may want to select its own supervisory authority. If you choose to use your own supervisory authority, you are responsible for reporting any data breaches to that authority as soon as we notify you.

If there is a data breach without our involvement, it is up to our clients to notify their supervisory authority regarding the breach. For example, if a laptop containing survey data from respondents is stolen, it is your responsibility to inform the proper supervisory authority.

With QuestionPro, EU users can select the specific supervisory authority they want.

Notification to subjects - regarding breaches

Processor agreements

QuestionPro has a standard processor agreement for all customers. This standard agreement lists our obligations as data processors.

We realize that enterprises may have their own data processor agreements that QuestionPro needs to sign. Contact our sales representative to learn more about them.

For all other customers, QuestionPro has a standard DPA, and we will not modify or negotiate the language of the agreement.

Right to be forgotten

When users click on privacy and data protection, they can request that their data be deleted on an individual response level. They can also delete all survey responses. Users may choose to have the platform completely “forget” their user data, including cookies. With this feature, QuestionPro automatically removes all references to the user from its servers.

Research and acknowledgement

Users can find the stated purpose of research and data use by clicking on the data and privacy link.

QuestionPro offers default language that includes:

  1. Use of data for research purposes only.
  2. No commercial sale of the data.
  3. Individual users will not be contacted for marketing or sales purposes.

While we provide default language for your GDPR compliant survey, it's up to you to decide which options to choose. You can then edit the content and language to meet your organization’s standards.

The default options are available in English, Spanish, French, German, Arabic, Hebrew, Japanese, and Chinese. We are happy to add other languages for our customers, but you will need to provide the correct content translation.

GDPR and Data Processing Agreements

There are two kinds of entities as far as GDPR is concerned.

  1. Collectors
  2. Processors

In most cases, there is a single data collection entity that uses one or more processors. Processors may, in turn, use other data processors.

To protect the chain of command, GDPR requires that Data Processing Agreements (DPAs) be entered into between each processor and its sub-processors.

QuestionPro has DPAs with all companies that process data collected in your GDPR survey, including cloud infrastructure management and service centers. This ensures that all our contracts are GDPR compliant.

We also provide a standard GDPR compliant agreement. This agreement template is a standard form that QuestionPro provides to all our clients that want to be GDPR compliant. No changes to this agreement are allowed.

Clients may request changes to the standard DPA agreement. Please note, however, that it will take 30-60 days for approval of changes to our standard DPA. Contact our sales representative to learn more about DPA.

Learn more about QuestionPro and our GDPR survey data compliance methods with a tour of our survey platform.

List of EU GDPR authorities by nation

Below is the contact information for the EU GDPR authorities. You can reach out to the contacts at your preferred authority to learn more about GDPR and stay compliant in all of your data collection efforts.

Dr Andrea Jelinek, Director, Austrian Data Protection Authority
+43 1 531 15 202525; +43 1 531 15 202690

Dietmar Wagner, Compliance-Officer of the FMA
(+43-1) 249 59-6112; Not available

Mr. Willem Debeuckelaere, President of the Data Protection Authority
+32 (0)2 274 48 00; +32 (0)2 274 48 35

Mr Ventsislav Karadjov, Chairman of the Commission for Personal Data Protection
+359 2 915 3523; +359 2 915 3525

Director of the Croatian Data Protection Agency
+385 1 4609 000; +385 1 4609 099

+357 22 818 456; +357 22 304 565

Ms Ivana JANŮ, President of the Office for Personal Data Protection, Czech Republic
+420 234 665 111; +420 234 665 444

Ms Cristina Angela GULISANO, Director, Danish Data Protection Agency
+45 33 1932 00; +45 33 19 32 18

Mr Viljar PEEP, Director General, Estonian Data Protection Inspectorate
+372 6274 135; +372 6274 137

Mr Reijo AARNIO, Ombudsman of the Finnish Data Protection Authority
+358 10 3666 700; +358 10 3666 735

Marie-Laure DENIS, President of CNIL
01 47 22 43 34; 01 47 38 72 43

Mr. Ulrich Wolfgang Kelber, Bundesbeauftragter für den Datenschutz und die Informationsfreiheit
+49 228 997799 0; +49 228 997799 550

Prof. Dr. Johannes Caspar, Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
+49 40 428 54 4040; +49 40 428 54 4000

Dr. Stefan Brink, Datenschutzbeauftragte Baden Württemberg
+49 711 615541 0; +49 711 615541 15

Prof. Dr. Thomas Petri, Datenschutzbeauftragter Bayern
+49 89 212672-0; +49 89 212672-50

Helga Block, Country Representative for Data Protection and Freedom of Information North Rhine-Westphalia
+49 02 11 384 240; NA

Sächsische Datenschutzbeauftragte, Der Sächsischer Datenschutzbeauftragter
+49 0351 493-5401; +49 0351 493-5490

Prof. Dr. Michael Ronellenfitsch, Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
+49 611 1408 0; +49 611 1408 611

Mrs. Barbara Thiel, Die Landesbeauftragte für den Datenschutz Niedersachsen
0511-120 4500; 0511-120 4599

Datenschutzbeauftragter Bayerisches Landesamt
+49 (0) 981 180093-0; +49 (0) 981 180093-800

President of the Hellenic Data Protection Authority
+30 210 6475 600; +30 210 6475 628

President of the National Authority for Data Protection and Freedom of Information
+36 1 3911 400; +36 1 391 1410

Ms Helen DIXON, Data Protection Commissioner
+353 57 868 4800; +353 57 868 4757

Mr Antonello SORO, President of Garante per la protezione dei dati personali
+39 06 69677 1; +39 06 69677 785

Director of Data State Inspectorate
+371 6722 3131; +371 6722 3556

Mr Algirdas KUNČINAS, Director of the State Data Protection Inspectorate
+370 5 279 14 45; +370 5 261 94 94

Ms Tine A. LARSEN, President of the Commission Nationale pour la Protection des Données
+352 2610 60 1; +352 2610 60 29

Mr Saviour CACHIA, Information and Data Protection Commissioner
+356 2328 7100; +356 2328 7198

Chairman of Autoriteit Persoonsgegevens
+31 70 888 8500; +31 70 888 8501

Inspector General for the Protection of Personal Data
+48 22 53 10 440; +48 22 53 10 441

Ms Filipa CALVÃO, President, Comissão Nacional de Protecção de Dados
+351 21 392 84 00; +351 21 397 68 32

Ms Ancuţa Gianina OPRE, President of the National Supervisory Authority for Personal Data Processing
+40 21 252 5599; +40 21 252 5757

President of the Office for Personal Data Protection of the Slovak Republic
+ 421 2 32 31 32 14; + 421 2 32 31 32 34

Information Commissioner of the Republic of Slovenia
+386 1 230 9730; +386 1 230 9778

Ms María del Mar España Martí, Director of the Spanish Data Protection Agency
+34 91399 6200; +34 91455 5699

Director General of the Data Inspection Board
+46 8 657 6100; +46 8 652 8652

Mr John Edwards, Information Commissioner, United Kingdom
+44 0303 123 1113; Not available