The General Data Protection Regulation (GDPR) went into effect in the European Union in May 2018. The regulation has a fundamental impact on how organizations are allowed to treat data from individuals to stay compliant with the new privacy laws.
Online surveys need to comply with these laws and regulations, and so does the survey data you collect under GDPR. At QuestionPro, we want to make the online survey process as smooth as possible for both our users and the people they survey. We have created a process to ensure that all data collected through our platform is fully GDPR compliant.
Follow this path to open the GDPR settings in QuestionPro:
Account > Compliance > GDPR
Checkbox: GDPR Compliance (ON / OFF).
NOTE: For users on our EU servers, GDPR compliance is turned on by default. Users on all other data centers must turn on GDPR compliance themselves.
GDPR survey settings are organizational and limited to a single user.
Organizations that collect data from EU citizens are required to name a Data Protection (DP) officer. The DP officer represents the organization in any data or privacy issues. Within the QuestionPro platform, you can input the name and contact information of your organization’s DP officer. You can access this field by going to:
Account > Compliance > GDPR
In the DP officer field, enter the officer's name, email address, and contact information.
A new link (Privacy & Data Security) will then appear in survey footers, leading to a page with GDPR compliance information.
Customers with Edge Support agreements may ask QuestionPro’s DP officer to represent the company. This is only applicable to customers with an Edge Service Contract.
Under GDPR, companies collecting data from users must make it clear how long collected data will be retained. QuestionPro has an indefinite retention period so long as your account is active and paid in full. Once an account is canceled voluntarily or involuntarily (due to non-payment), we have a 30-day grace period, after which we remove all data from our servers.
This is our data retention policy. GDPR requires that each company outline its own data retention policy. The most important part of your data retention policy is stating how long you plan to retain the collected data.
We recommend that QuestionPro users either adapt our data retention policy to fit their needs or create a new policy. You should state your policy clearly on your privacy policy page. Encourage survey respondents to select the language of their choice before answering survey questions. This satisfies the principle of informed consent of respondents with regard to the expiration of collected data.
The GDPR legislation states that organizations must make collected data available for viewing and download for each user. You should use a machine-readable format when offering your data for download.
QuestionPro provides a tool that lets users download their survey data together with the metadata recorded about them while their responses were being collected. This includes details such as their IP address and browser information.
Users can view and download their GDPR survey data in both PDF and JSON format, which satisfies the GDPR requirement for a compliant survey.
When respondents click on Privacy and Data Security, they see a list of all the surveys they have taken. They can then download a PDF copy of the data that has been collected from them.
QuestionPro provides a highly secure survey platform for your online surveys. However, in the unlikely event of a data breach, you should know your organization’s responsibilities to notify authorities.
According to the data regulation, an organization is legally responsible for notifying a supervisory authority within 72 hours after learning of a data breach.
GDPR regulations allow the selection of a Data Protection Authority (DPA) to supervise the application of the data protection law. QuestionPro has selected the Dutch DPA as the lead supervisory authority that governs data collected by QuestionPro.
In some cases, a client may want to select their own supervisory authority. If you choose to use your own supervisory authority, you are responsible for reporting any data breaches to that authority as soon as we notify you.
If there is a data breach without our involvement, it is up to our clients to notify their supervisory authority regarding the breach. For example, if a laptop containing survey data from respondents is stolen, it is your responsibility to inform the proper supervisory authority.
With QuestionPro, EU users can select the specific supervisory authority they want.
Processor agreements
QuestionPro has a standard processor agreement for all customers. This standard agreement lists our obligations as data processors.
We realize that enterprises may have their own data processor agreements that QuestionPro needs to sign. Contact our sales representative to learn more about them.
For all other customers, QuestionPro has a standard DPA, and we will not modify or negotiate the language of the agreement.
Right to be forgotten
When users click on privacy and data protection, they can request that their data be deleted on an individual response level. They can also delete all survey responses. Users may choose to have the platform completely “forget” their user data, including cookies. With this feature, QuestionPro automatically removes all references to the user from its servers.
Research and acknowledgement
Users can find the stated purpose of research and data use by clicking on the data and privacy link.
QuestionPro offers default language that includes;
While we provide default language for your GDPR compliant survey, it's up to you to decide which options to choose. You can then edit the content and language to meet your organization’s standards.
The default options are available in English, Spanish, French, German, Arabic, Hebrew, Japanese, and Chinese. We are happy to add other languages of our customers, but you will need to provide the correct content translation.
There are two kinds of entities as far as GDPR is concerned.
In most cases, there is a single data collection entity that uses one or more processors. Processors may, in turn, use other data processors.
To protect the chain of command, GDPR requires that a Data Processing Agreement (DPA) be entered into between each processor and its sub-processors.
QuestionPro has DPAs with all companies that process data collected in your GDPR survey, including cloud infrastructure management and service centers. This ensures that all our contracts are GDPR compliant.
We also provide a standard GDPR compliant agreement. This agreement template is a standard form that QuestionPro provides to all clients that want to be GDPR compliant. No changes to this agreement are allowed.
Clients may request changes to the standard DPA. Please note, however, that approval of changes to our standard DPA takes 30-60 days. Contact our sales representative to learn more about the DPA.
Learn more about QuestionPro and our GDPR survey data compliance methods with a tour of our survey platform.
Below is the contact information for the EU GDPR authorities. You can reach out to the contacts at your preferred authority to learn more about GDPR and stay compliant in all of your data collection efforts.