GDPR Frequently asked questions

Our recommendation is to at least translate it in all the languages the survey is deployed in. For example, if you are deploying surveys in English, French and German - our recommendation is that the GDPR privacy and compliance be translated in those 3 languages at least. This is not a hard requirement, but it's our recommendation. This effectively captures the spirit if the “Informed Consent” articles of GDPR.

We think that this does apply. The EU courts have ruled that IP address is “Personal Data” - so it would almost impossible to do an online survey where IP address is not used or collected.

Yes. Our position is that, if you are contracting with Panel Providers to redirect users - they must have a DPA with you. In cases where you are already using QuestionPro Audience to fill out your surveys, you don’t need one - because the overall DPA with QuestionPro and you will cover that automatically.

No - If you are based in the US and all your respondents are in the US - GDPR does not really apply to you. That is why, we’ve made the GDPR compliance an optional feature on our system. This is typically mandatory for EU companies or companies collecting data from EU residents.

In general, this becomes a matter of jurisdiction. GDPR applies to all EU residents - independent of citizenship. So, if you have EU citizens in - say Singapore - they will not have the same protection. We would argue that you exclude EU residents from your sample, if you don’t want to have GDPR affect your research.

The QuestionPro DPO is listed here : https://www.questionpro.com/gdpr

So far US State and Local governments are not materially affected by GDPR. Partially because most United States state, local and federal agencies have their own data-protection and human subjects research rules that they need to abide by. In many cases this might even conflict with GDPR regulations. Therefore, we would advise that US Gov agencies (Federal, State and Local) continue to look to internal legal counsel for guidelines.

Yes - You do. We have screens for you to enter in your Data Protection Officers’ contact information. This will be displayed to the survey respondent if they choose to contact you regarding their data or privacy.

GDPR does not really go into the mechanisms that must be in place for identifying breaches like IDS (Intrusion Detection Services) devices. It however mandates that consumers / affected parties be notified within 72 hours of a company identifying a breach. The regulation is around disclosure of the breach. It is expected that companies take security precautions and have a layered security approach to data - but that’s a technical issue and not a regulatory issue.

We store cookies on the respondent’s browser instance. Not all surveys are sent via emails. We consider this as the point of interaction - the online browser experience. Using the cookies, we identify all the surveys the respondent has taken - and give them the option of requesting a delete or even view the data that the respondent has provided.

At this point - No. We are intentionally making the process manual when we start off. Over time, as the GDPR regime take hold and depending upon the volume of RTBF (Right to be Forgotten) requests that come through, we probably will enable tools for our customers to auto-approve requests.

When a respondent see’s all the surveys - that he/she has taken via QuestionPro, they have the option of deleting a single response or all their data.
If its a single response - then the workflow for that Survey Admin will be triggered i.e. an email will be sent to the QuestionPro customer that own and administers that survey.
If the respondent requests all his data be removed, multiple workflow emails will be sent - depending upon, if each of the QuestionPro customers have turned on GDPR compliance or not.
In all cases however, QuestionPro will automatically remove all the cookies associated with user immediately.

GDPR specifically does not require a standard for storage of data and more importantly any threshold for encryption. However, GDPR states that there must be “data protection by design” - we interpret that to be encryption both at rest as well as in-flight. What this means is that data moving between systems must be encrypted and then when data is stored in any system, it must be encrypted at rest. We believe that if those two roles are followed, then we comply with the “data protection by design” mandate.
Some practical considerations are - using SSL and SSL ONLY for all data transfers - this includes SFTP and HTTPS as the two dominant protocols for moving data between systems. When data is stored (in databases or hard drives) - there must be protections in place for that data not to be visible or available without a user generated key or at least a system generated key.
At QuestionPro, we have automatically moved all our Survey URL’s to SSL. So any data that the respondent gives is via a secure channel. All data that gets transmitted from QuestionPro servers to local machines (customer) is also secure via the same SSL mechanism. Data that is stored in QuestionPro servers are automatically encrypted at the database/storage level. So, data is only available and exposed through the os/application layer.
If customers are downloading data into laptops/computers, we recommend that clients use local storage encryption for encrypting the files / file-system that can only be unlocked based on a login/password. This will fulfill the “protection by design” philosophy.

The respondents can not directly delete the data. They can submit a request for deletion which the survey owner can then approve.

No, GDPR compliance is available for all users.

Yes. You can assign your own DPO from My Account -> Compliance -> GDPR

No.

No.

No, they survey owner will have to approve the deletion request, then the response will be deleted from the data center

Yes, the administrator will get an email notifying about the deletion request.

Yes.

We’re tracking the responses based on cookies, so the respondents will see all their responses for which cookies are present.