free account

GDPR compliant data collection surveys

Create GDPR compliant data collection surveys using QuestionPro

Get Your Free Account Now

Join over
10 million users

GDPR data collection

The General Data Protection Regulation (GDPR) regulation will enter into effect in the European Union from May 2018 and it will have a fundamental impact on how organizations treat data from individuals in compliance with the new privacy laws.

Online surveys, which are at the forefront of any consumer, market or employee data collection, also need to be made compliant with the updated regulations. In order to make it easier for QuestionPro survey software users to create and send GDPR compliant data collection surveys, we have put in place a sophisticated process to ensure all data being collected using our platform is fully GDPR compliant.

View GDPR Survey Template

GDPR Survey

All GDPR survey settings will be under :

Account > Organization > GDPR

Checkbox : ON / OFF - GDPR Compliance.

NOTE - if we are on our EU servers a GDPR compliance will be turned on by default. All other DC - users have to turn on GDPR by choice.

GDPR is at an org level. Not user.

GDPR Survey - Data Protection Officer

Every organization that is collecting data from EU citizens must have a named DP officer. This person should be empowered within the organization and represent the organization with respect to data and privacy issues.

Account > Organization > GDPR

Field for a DP a officer, name, email and contact information.

On the survey footer - Privacy & Data Security - that goes to a page.

Enterprise customers with Edge Support agreements may ask QuestionPro’s DP officer to represent the company. This is only applicable to customers with an Edge Service Contract.

Learn more about GDPR Compliant Survey Settings

Survey data retention period

GDPR relations state that companies must make it clear how long data about the respondents and users are retained. As such, QuestionPro itself has an indefinite retention period of data collected as long as the account is active and paid for. Once an account is cancelled voluntarily or involuntarily (due to non-payment) - we have a 30 day grace period after which we remove all data from our servers. This however is OUR data retention policy.

GDPR regulations require that each company outline its own data retention policy, and more specifically, how long is data retained for.

QuestionPro will provide language and details about its own data expiry policy. We recommend that our customers either adapt or refine their own data retention period and state it clearly.

We will provide the language to be editable and available for respondents - when they take the survey.

This would satisfy the principle of informed consent of subjects and respondents with regards to expiry of data.

Right to look at all survey data collected

GDPR calls for allowing citizens and users to be able to look at and download all the data collected on a user. GDPR advices machine readable format for downloading the data for respondents.

QuestionPro will provide a mechanism for respondents to download not only the survey data, but also metadata associated with the user while we are in the process to collecting their responses. This includes details about the IP address, browser information etc.

The respondents will be able to see that and download it in PDF as well as JSON format - to make it compliant with the spirit of GDPR.

Respondents- when they click on I Privacy and Data Security will see a list of all the surveys that they have taken. They can download a PDF copy of the data that has been collected from them.

Survey Data breaches and Supervising Authority

GDPR calls for a legal obligation for the notification to supervisory authority regarding a data breach within 72 hours of knowing about it.

As such, due to the fact that QuestionPro operates pan-Europe and most companies collect data and impact citizens of multiple countries within the EU, GDPR allows for selecting a “Lead Supervising Authority” - QuestionPro has selected the Dutch - DPA as the lead supervisory authority that governs data collected by QuestionPro. This is partly because our physical servers are located in the Netherlands.

In case of a data breach, at QuestionPro, we will be obligated to notify and DPA in the Netherlands.

In some cases, each of our clients may want to select their own Supervisory Authority. Our customers must then use their own supervisory authority and can notify them about a data breach as soon as we notify you.

In cases where there is a data breach without our involvement - example a laptop with data from survey respondents gets stolen, it is up to our clients to notify their own supervisory authority regarding the breach.

QuestionPro will provide a mechanism to select the Supervisory Authority that each of our clients in the EU want.

Learn more about GDPR Data Collection

Notification to subjects - regarding breaches

Processor Agreements

QuestionPro will have a standard processor agreement for all customers. We will have a standard agreement that lists our obligations as data processors.

We realize that enterprises may have their own DPA’s / data processor agreements that QuestionPro will need to sign and agree to. This will only be available to our Enterprise License Customers - where we agree and look at your DPA.

For all other customers, QuestionPro will have a standard DPA and we will not modify or negotiate the language of the agreement.

Right to be forgotten

When users click on privacy and data protection, they can request that their data - on an individual response level be deleted. They can also delete all survey responses. Further - they can also ask for the system to completely “forget” - including all cookies about the user. QuestionPro will automatically remove all references to the user from its servers.

Research and acknowledgement

When users click on data and privacy - the stated purpose of research and data use will be presented.

Questionpro offers default language that includes;

  1. Use of data for research purposes only.
  2. No commercial sale of the data.
  3. Individual users will not be contacted for marketing or sales purposes.

Each of these are encapsulated in a paragraph. QuestionPro will offer default language that our customers can use. However, it's up to the customers to decide which options to choose. They may edit the content and language also.

The default options will be available in English, Spanish, French, German, Arabic, Hebrew, Japanese and Chinese. Other languages can be added - however the customers will have to provide the content and translations.

GDPR and Data Processing Agreements

There are two kinds of entities as far as GDPR is concerned.

  1. Collectors
  2. Processors

In most cases - there will be a single data collection entity that uses one or more processors. Processors may in turn use other data processors also. In order to protect the chain of command, GDPR envisions that DPA (Data Processing Agreements) will be entered into between processors and sub-processors.

QuestionPro has DPA agreements with all the companies (including data center providers and cloud infrastructure providers) - as DPA’s. This ensures that all our contracts are GDPR compliant.

Furthermore, QuestionPro has a standard GDPR compliant DPA agreement that we will provide. This form / template agreement is a standard form that QuestionPro provides to all our clients - that want to be GDPR compliant. No changes to this agreement will be allowed. Clients with an Enterprise License may request changes to the standard DPA agreement - however It will take 30-60 days for approval of changes to our standard DPA.

List of EU GDPR authorities by nation

Dr Andrea Jelinek,
Director, Austrian Data Protection Authority
  : +43 1 531 15 202525
  : +43 1 531 15 202690
Dietmar Wagner,
Compliance-Officer of the FMA
  : ,
  : (+43-1) 249 59-6112
  : Not available
Not available
Not available
  : +32 2 274 48 00
  : 32 2 274 48 10
Mr Ventsislav Karadjov,
Chairman of the Commission for Personal Data Protection
  : +359 2 915 3523
  : +359 2 915 3525
Director of the Croatian Data Protection Agency
  : +385 1 4609 000
  : +385 1 4609 099
  : +357 22 818 456
  : +357 22 304 565
Ms Ivana JANŮ,
President of the Office for Personal Data Protection
  : +420 234 665 111
  : +420 234 665 444
Czech Republic
Ms Cristina Angela GULISANO,
Director, Danish Data Protection Agency
  : +45 33 1932 00
  : +45 33 19 32 18
Mr Viljar PEEP,
Director General, Estonian Data Protection Inspectorate
  : +372 6274 135
  : +372 6274 137
Mr Reijo AARNIO,
Ombudsman of the Finnish Data Protection Authority
  : +358 10 3666 700
  : +358 10 3666 735
President of CNIL
  : 01 47 22 43 34
  : 01 47 38 72 43
Federal Commissioner for Freedom of Information
  : +49 228 997799 0
  : +49 228 997799 550
President of the Hellenic Data Protection Authority
  : +30 210 6475 600
  : +30 210 6475 628
President of the National Authority for Data Protection and Freedom of Information
  : +36 1 3911 400
  : Not available
Ms Helen DIXON,
Data Protection Commissioner
  : +353 57 868 4800
  : +353 57 868 4757
Mr Antonello SORO,
President of Garante per la protezione dei dati personali
  : +39 06 69677 1
  : +39 06 69677 785
Director of Data State Inspectorate
  : +371 6722 3131
  : +371 6722 3556
Mr Algirdas KUNČINAS,
Director of the State Data Protection Inspectorate
  : +370 5 279 14 45
  : +370 5 261 94 94
Ms Tine A. LARSEN,
President of the Commission Nationale pour la Protection des Données
  : +352 2610 60 1
  : +352 2610 60 29
Mr Saviour CACHIA,
Information and Data Protection Commissioner
  : +356 2328 7100
  : +356 2328 7198
Chairman of Autoriteit Persoonsgegevens
  : +31 70 888 8500
  : +31 70 888 8501
Inspector General for the Protection of Personal Data
  : +48 22 53 10 440
  : +48 22 53 10 441
Ms Filipa CALVÃO,
President, Comissão Nacional de Protecção de Dados
  : +351 21 392 84 00
  : +351 21 397 68 32
Ms Ancuţa Gianina OPRE,
President of the National Supervisory Authority for Personal Data Processing
  : +40 21 252 5599
  : +40 21 252 5757
President of the Office for Personal Data Protection of the Slovak Republic
  : + 421 2 32 31 32 14
  : + 421 2 32 31 32 34
Information Commissioner of the Republic of Slovenia
  : +386 1 230 9730
  : +386 1 230 9778
Ms María del Mar España Martí,
Director of the Spanish Data Protection Agency
  : +34 91399 6200
  : +34 91455 5699
Director General of the Data Inspection Board
  : +46 8 657 6100
  : +46 8 652 8652
Ms Elizabeth DENHAM,
Information Commissioner
  : +44 1625 545 745
  : Not available
United Kingdom